Security Guide for Siebel eBusiness Applications > Security Adapter Authentication > Using the LDAP/ADSI Configuration Utility >

Procedure for Configuring LDAP/ADSI Security Adapters


The procedure for configuring LDAP or ADSI security adapters using the LDAP/ADSI Configuration Utility is presented below.

After you start the utility, a series of screens or prompts is displayed. Which items are presented, and how they are presented, depends on how you run the utility and on which selections you have made. As you enter information, choose Next to proceed to the next screen. Choose Previous to return to a previous screen.

To create a detailed log file when running the LDAP/ADSI Configuration Utility, run the utility with the flag -logevents all. The log file is named sw_cfg_util.log. For example, run the following command on Windows:

ssincfgw -l enu -f ...\admin\secadpt.scm -logevents all

NOTE:  Except for the Security Adapter Mode (SecAdptMode) and Security Adapter Name (SecAdptName) parameters, the configuration parameters mentioned in the procedure are defined for the applicable security adapter you are configuring.

To run the LDAP/ADSI Configuration Utility

  1. On the Siebel Server machine, change to the SIEBSRVR_ROOT\bin directory, where SIEBSRVR_ROOT is the installation directory for the Siebel Server.
  2. Depending on your Siebel Server platform, do one of the following:
    • In a Microsoft Windows implementation, choose Start > Run, then type:

    ssincfgw -l enu -f ..\admin\secadpt.scm

    • In a UNIX implementation, run the utility from the command line. Type:

    icfg -l enu -f ../admin/secadpt.scm

  3. Choose Security Adapter Mode. Select the security adapter mode: LDAP or ADSI. The setting you make will provide a value for the Security Adapter Mode parameter.
    • For LDAP, Security Adapter Mode is set to LDAP.
    • For ADSI, Security Adapter Mode is set to ADSI.
  4. Security Adapter Name. Specify the name of the security adapter. You can accept the default name, or specify a nondefault name. The setting you make will provide a value for the Security Adapter Name parameter.
    • For LDAP, Security Adapter Name defaults to LDAPSecAdpt.
    • For ADSI, Security Adapter Name defaults to ADSISecAdpt.
  5. Configure Dedicated Web Client? Specify whether you are configuring for Dedicated Web Clients.
    • If you check Yes, the utility appends relevant sections to the configuration file you specify (such as uagent.cfg for Siebel Call Center), or replaces existing sections. Go to Step 6.
    • If you do not check Yes, the utility defines configuration parameters in the Name Server instead (appropriate for Siebel Web Client deployments). You must specify how to apply the configuration settings, and specify server connectivity information. Go to Step 7.

      For more information, see About Configuration for Dedicated Web Clients and Security Adapters and Siebel Dedicated Web Client.

  6. Select Configuration File. If you are configuring for Dedicated Web Clients, specify the name of the configuration file to modify to include the specified settings. Go to Step 11.

    CAUTION:  Before you specify an existing configuration file, make sure you have backed it up first. For details, see About Configuration for Dedicated Web Clients.

  7. Specify At Which Level to Enable LDAP/ADSI Authentication. Specify at which level the LDAP/ADSI security adapter configuration should apply:
    • Enterprise. Configure the LDAP/ADSI security adapter for the Siebel Enterprise Server.
    • Siebel Server. Configure the LDAP/ADSI security adapter for the Siebel Server.
    • Components on Siebel Server. Configure the LDAP/ADSI security adapter for an individual AOM component, or for a Synchronization Manager component.
  8. Enter server connectivity information:
    • Gateway Name Server Hostname. The name of the Siebel Gateway Name Server machine. If the Gateway Name Server uses a port other than the default (2320), then also include the port number (following a colon)—in the form machinename:portnumber.

      NOTE:  Do not use port number 2321 as an alternative port for the Gateway Name Server, because it is already used by the SCBroker component.

    • Enterprise Name. The name of the Siebel Enterprise Server.
    • If you specified to configure the Siebel Enterprise, go to Step 11.
    • If you specified to configure the Siebel Server, or configure components on the Siebel Server, go to Step 9.
  9. Siebel Server Name. Select the Siebel Server you want to apply the security adapter configuration settings to.
    • If you specified to configure the Siebel Server, go to Step 11.
    • If you specified to configure components on the Siebel Server, go to Step 10.
  10. Select Components. Select the individual AOM components or Synchronization Manager to which you want to apply the security adapter configuration settings.
  11. Enter configuration information pertaining to directories:
    • Directory Server. Corresponds to the ServerName parameter.
      • For LDAP, this is the name of the directory server (for example, ldap.siebel.com). It is recommended to specify the fully qualified server name, including the domain name.
      • For ADSI, this is either the name of the directory server (for example, adsi.siebel.com) or the domain name only. It is recommended to specify the fully qualified server name, including the domain name. (For domains that contain more than one directory server, specifying a domain name may be useful for maintaining load balance across servers.)
    • Port Number. The port number used by the LDAP directory server (LDAP only). Use port 389 (the default) for standard transmission, or port 636 for secure transmission. (ADS ports are set as part of the directory installation, not as a configuration parameter.) Corresponds to the Port parameter.
  12. Enter configuration information pertaining to attribute mapping:
    • Username Attribute. The Siebel user ID attribute used by the directory. An example entry for an LDAP directory is uid. An example entry for ADSI is sAMAccountName (maximum length 20 characters). If your directory uses a different attribute for the Siebel user ID, enter that attribute instead. Corresponds to the UsernameAttributeType parameter.
    • Password Attribute. The password for the Siebel user ID attribute used by the directory (LDAP only). Corresponds to the PasswordAttributeType parameter.
  13. Enter additional configuration information pertaining to attribute mapping:
    • Database Account Attribute. The database credentials attribute type used by the directory. For LDAP and ADSI, an example entry is dbaccount. If your directory uses a different attribute for the database account, enter that attribute instead. Corresponds to the CredentialsAttributeType parameter. Configuring the shared database account, specified in Step 15, requires you to have defined the database account attribute.

      The shared database account is handled differently for LDAP and for ADSI environments. For more information, see Configuring the Shared Database Account.

    • Roles Attribute. The attribute type for roles stored in the directory. This setting is required only if you use roles in your directory. Corresponds to the RolesAttributeType parameter.

      For more information, see Configuring Roles Defined in Directory.

  14. Configure the application user:
    • Application User Distinguished Name (DN). The full DN (distinguished name) for the application user stored in the directory. Include quotes when you specify the application user. Corresponds to the ApplicationUser parameter.

      In addition to defining the application user here, you must also create the application user in the LDAP/ADS directory. For more information, see Configuring the Application User.

    • Application Password. The password for the application user stored in the directory. Corresponds to the ApplicationPassword parameter. Confirm the password.
  15. Shared Database Account Distinguished Name (DN). Specify the full DN for the shared database account stored in the directory. Include quotes when you specify the shared database account. Corresponds to the SharedCredentialsDN parameter.

    Configuring the shared database account also uses the database account attribute you defined in Step 13. For more information, see Configuring the Shared Database Account.

  16. Enable Web Single Sign-On. Specify whether you want to configure Web Single Sign-On (Web SSO). Corresponds to the SingleSignOn parameter.
  17. Shared Secret. Specify the trust token to use for Web SSO. Corresponds to the TrustToken parameter. The value also corresponds to the TrustToken parameter in the eapps.cfg file on the SWSE, which you must add to the file manually.
  18. Propagate Change. Specify whether you want to configure the ability to propagate changes to the LDAP/ADS directory from a Siebel Dedicated Web Client. Corresponds to the PropagateChange parameter.

    NOTE:  If you specify this option, then you must also set the SecThickClientExtAuthent system preference to TRUE.

    For more information, see Security Adapters and Siebel Dedicated Web Client.

  19. Checksum. Specify whether you want to use checksum validation for the security adapter DLL file. Corresponds to the CRC parameter.

    For more information, see Configuring Checksum Validation.

  20. SSL Database. Specify the name of the SSL database you are using (LDAP only). Corresponds to the SslDatabase parameter.

    For more information, see Configuring Secure Communications for Security Adapter.

  21. Hash Database Password. Specify whether you want to use password hashing for the database credentials password. Corresponds to the HashDBPwd parameter.

    For more information, see Configuring Password Hashing.

  22. Hash User Password. Specify whether you want to use password hashing for user passwords. Corresponds to the HashUserPwd parameter.
    • If you checked Yes for either Hash User Password or Hash Database Password, then you must specify the hashing algorithm. Go to Step 23.
    • If you did not check Yes for either Hash User Password or Hash Database Password, go to Step 24.
  23. Hash Algorithm. Specify the hashing algorithm to use for database credentials passwords or user passwords. Corresponds to the HashAlgorithm parameter.
    • Specify either RSASHA1 (RSA SHA-1) or SIEBELHASH. (RSA SHA-1 is required for new customers.)
  24. Implement Adapter-Defined User Name. Specify whether you want to implement the adapter-defined user name. Corresponds to the UseAdapterUserName parameter. For more information, see Configuring Adapter-Defined User Name.
    • If you check Yes, then you must specify the Siebel User ID attribute. Go to Step 25.
    • If you do not check Yes, go to Step 26.
  25. Siebel User ID Attribute. Specify the Siebel User ID attribute for the adapter-defined user name. Corresponds to the SiebelUsernameAttributeType parameter.
  26. Base Distinguished Name (DN). Specify the base distinguished name (DN) in which you are storing your users. Corresponds to the BaseDN parameter.
  27. Review the settings, and click Finish to apply them.
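
Several steps above make one parameter depend on another (steps 13 and 15, 16 and 17, 22 and 23, 24 and 25), and step 11 distinguishes the standard port from the secure one. The following Python check is an added example, not part of the Siebel documentation or product: it audits those dependencies in a saved configuration, assuming the parameters are stored as name = value lines in a section named after the adapter and that enabled options hold the value TRUE. The sample file content, host name and DNs are constructed for illustration.

```python
import configparser

# Constructed sample; the section layout and every value are assumptions.
SAMPLE_CFG = '''
[LDAPSecAdpt]
ServerName = ldap.example.com
Port = 389
CredentialsAttributeType =
ApplicationUser = uid=APPUSER, ou=people, o=example.com
SharedCredentialsDN = "uid=shared, ou=people, o=example.com"
SingleSignOn = TRUE
TrustToken =
HashUserPwd = TRUE
HashAlgorithm = MD5
UseAdapterUserName = TRUE
BaseDN = ou=people, o=example.com
'''

def is_true(params, name):
    return params.get(name, "").strip().upper() == "TRUE"

def audit_adapter(cfg_text, section="LDAPSecAdpt"):
    """Return findings for one LDAP security adapter section, per the steps above."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep parameter names case-sensitive
    parser.read_string(cfg_text)
    p = dict(parser[section])
    findings = []
    if p.get("Port", "389").strip() == "389":
        findings.append("Port 389 is standard transmission; 636 is the secure port (step 11)")
    for name in ("ApplicationUser", "SharedCredentialsDN"):
        value = p.get(name, "").strip()
        if value and not (value.startswith('"') and value.endswith('"')):
            findings.append(f"{name} is not enclosed in quotes (steps 14-15)")
    if p.get("SharedCredentialsDN", "").strip() and not p.get("CredentialsAttributeType", "").strip():
        findings.append("SharedCredentialsDN set but CredentialsAttributeType empty (steps 13, 15)")
    if is_true(p, "SingleSignOn") and not p.get("TrustToken", "").strip():
        findings.append("SingleSignOn enabled without TrustToken (steps 16-17)")
    if is_true(p, "HashUserPwd") or is_true(p, "HashDBPwd"):
        if p.get("HashAlgorithm", "").strip() not in ("RSASHA1", "SIEBELHASH"):
            findings.append("HashAlgorithm must be RSASHA1 or SIEBELHASH (steps 22-23)")
    if is_true(p, "UseAdapterUserName") and not p.get("SiebelUsernameAttributeType", "").strip():
        findings.append("UseAdapterUserName set without SiebelUsernameAttributeType (steps 24-25)")
    return findings

if __name__ == "__main__":
    for finding in audit_adapter(SAMPLE_CFG):
        print("FINDING:", finding)
```
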