Procedure for Configuring LDAP/ADSI Security Adapters
The procedure for configuring LDAP or ADSI security adapters using the LDAP/ADSI Configuration Utility is presented below. After you start the utility, a series of screens or prompts is displayed. Which items are presented, and how they are presented, depends on how you run the utility and on which selections you have made. As you enter information, choose Next to proceed to the next screen. Choose Previous to return to a previous screen.
To create a detailed log file when running the LDAP/ADSI Configuration Utility, run the utility with the flag -logevents all. The log file is named sw_cfg_util.log. For example, run the following command on Windows:
ssincfgw -l enu -f ...\admin\secadpt.scm -logevents all
NOTE: Except for the Security Adapter Mode (SecAdptMode) and Security Adapter Name (SecAdptName) parameters, the configuration parameters mentioned in the procedure are defined for the applicable security adapter you are configuring.
To run the LDAP/ADSI Configuration Utility
1. On the Siebel Server machine, change to the SIEBSRVR_ROOT\bin directory, where SIEBSRVR_ROOT is the installation directory for the Siebel Server.
2. Depending on your Siebel Server platform, do one of the following:
   - In a Microsoft Windows implementation, choose Start > Run, then type:
     ssincfgw -l enu -f ..\admin\secadpt.scm
   - In a UNIX implementation, run the utility from the command line. Type:
     icfg -l enu -f ../admin/secadpt.scm
3. Choose Security Adapter Mode. Select the security adapter mode: LDAP or ADSI. The setting you make will provide a value for the Security Adapter Mode parameter.
   - For LDAP, Security Adapter Mode is set to LDAP.
   - For ADSI, Security Adapter Mode is set to ADSI.
4. Security Adapter Name. Specify the name of the security adapter. You can accept the default name, or specify a nondefault name. The setting you make will provide a value for the Security Adapter Name parameter.
   - For LDAP, Security Adapter Name defaults to LDAPSecAdpt.
   - For ADSI, Security Adapter Name defaults to ADSISecAdpt.
5. Configure Dedicated Web Client? Specify whether you are configuring for Dedicated Web Clients.
6. Select Configuration File. If you are configuring for Dedicated Web Clients, specify the name of the configuration file to modify to include the specified settings. Go to Step 11.
   CAUTION: Before you specify an existing configuration file, make sure you have backed it up first. For details, see About Configuration for Dedicated Web Clients.
7. Specify At Which Level to Enable LDAP/ADSI Authentication. Specify at which level the LDAP/ADSI security adapter configuration should apply:
   - Enterprise. Configure the LDAP/ADSI security adapter for the Siebel Enterprise Server.
   - Siebel Server. Configure the LDAP/ADSI security adapter for the Siebel Server.
   - Components on Siebel Server. Configure the LDAP/ADSI security adapter for an individual AOM component, or for a Synchronization Manager component.
8. Enter server connectivity information:
9. Siebel Server Name. Select the Siebel Server you want to apply the security adapter configuration settings to.
   - If you specified to configure the Siebel Server, go to Step 11.
   - If you specified to configure components on the Siebel Server, go to Step 10.
10. Select Components. Select the individual AOM components or Synchronization Manager to which you want to apply the security adapter configuration settings.
11. Enter configuration information pertaining to directories:
   - Directory Server. Corresponds to the ServerName parameter.
     - For LDAP, this is the name of the directory server (for example, ldap.siebel.com). It is recommended to specify the fully qualified server name, including the domain name.
     - For ADSI, this is either the name of the directory server (for example, adsi.siebel.com) or the domain name only. It is recommended to specify the fully qualified server name, including the domain name. (For domains that contain more than one directory server, specifying a domain name may be useful for maintaining load balance across servers.)
   - Port Number. The port number used by the LDAP directory server (LDAP only). Use port 389 (the default) for standard transmission, or port 636 for secure transmission. (ADS ports are set as part of the directory installation, not as a configuration parameter.) Corresponds to the Port parameter.
12. Enter configuration information pertaining to attribute mapping:
   - Username Attribute. The Siebel user ID attribute used by the directory. An example entry for an LDAP directory is uid. An example entry for ADSI is sAMAccountName (maximum length 20 characters). If your directory uses a different attribute for the Siebel user ID, enter that attribute instead. Corresponds to the UsernameAttributeType parameter.
   - Password Attribute. The password for the Siebel user ID attribute used by the directory (LDAP only). Corresponds to the PasswordAttributeType parameter.
13. Enter additional configuration information pertaining to attribute mapping:
   - Database Account Attribute. The database credentials attribute type used by the directory. For LDAP and ADSI, an example entry is dbaccount. If your directory uses a different attribute for the database account, enter that attribute instead. Corresponds to the CredentialsAttributeType parameter. Configuring the shared database account, specified in Step 15, requires you to have defined the database account attribute.
     The shared database account is handled differently for LDAP and for ADSI environments. For more information, see Configuring the Shared Database Account.
   - Roles Attribute. The attribute type for roles stored in the directory. This setting is required only if you use roles in your directory. Corresponds to the RolesAttributeType parameter.
     For more information, see Configuring Roles Defined in Directory.
14. Configure the application user:
15. Shared Database Account Distinguished Name (DN). Specify the full DN for the shared database account stored in the directory. Include quotes when you specify the shared database account. Corresponds to the SharedCredentialsDN parameter.
    Configuring the shared database account also uses the database account attribute you defined in Step 13. For more information, see Configuring the Shared Database Account.
16. Enable Web Single Sign-On. Specify whether you want to configure Web Single Sign-On (Web SSO). Corresponds to the SingleSignOn parameter.
17. Shared Secret. Specify the trust token to use for Web SSO. Corresponds to the TrustToken parameter. The value also corresponds to the TrustToken parameter in the eapps.cfg file on the SWSE, which you must add to the file manually.
18. Propagate Change. Specify whether you want to configure the ability to propagate changes to the LDAP/ADS directory from a Siebel Dedicated Web Client. Corresponds to the PropagateChange parameter.
    NOTE: If you specify this option, then you must also set the SecThickClientExtAuthent system preference to TRUE.
    For more information, see Security Adapters and Siebel Dedicated Web Client.
19. Checksum. Specify whether you want to use checksum validation for the security adapter DLL file. Corresponds to the CRC parameter.
    For more information, see Configuring Checksum Validation.
20. SSL Database. Specify the name of the SSL database you are using (LDAP only). Corresponds to the SslDatabase parameter.
    For more information, see Configuring Secure Communications for Security Adapter.
21. Hash Database Password. Specify whether you want to use password hashing for the database credentials password. Corresponds to the HashDBPwd parameter.
    For more information, see Configuring Password Hashing.
22. Hash User Password. Specify whether you want to use password hashing for user passwords. Corresponds to the HashUserPwd parameter.
   - If you checked Yes for either Hash User Password or Hash Database Password, then you must specify the hashing algorithm. Go to Step 23.
   - If you did not check Yes for either Hash User Password or Hash Database Password, go to Step 24.
23. Hash Algorithm. Specify the hashing algorithm to use for database credentials passwords or user passwords. Corresponds to the HashAlgorithm parameter.
   - Specify either RSASHA1 (RSA SHA-1) or SIEBELHASH. (RSA SHA-1 is required for new customers.)
24. Implement Adapter-Defined User Name. Specify whether you want to implement the adapter-defined user name. Corresponds to the UseAdapterUserName parameter. For more information, see Configuring Adapter-Defined User Name.
   - If you check Yes, then you must specify the Siebel User ID attribute. Go to Step 25.
   - If you do not check Yes, go to Step 26.
25. Siebel User ID Attribute. Specify the Siebel User ID attribute for the adapter-defined user name. Corresponds to the SiebelUsernameAttributeType parameter.
26. Base Distinguished Name (DN). Specify the base distinguished name (DN) in which you are storing your users. Corresponds to the BaseDN parameter.
27. Review the settings, and click Finish to apply them.
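Several settings in this procedure depend on one another (hashing needs a hash algorithm, Web SSO needs a trust token, the shared database account needs the database account attribute), and these dependencies can be checked before the settings are applied. The following is an added example, not part of the Siebel documentation or the utility: it assumes the settings are available as a name-to-value mapping with yes/no options stored as TRUE or FALSE, the function and variable names are hypothetical, and the sample values are constructed.

```python
# Added example: cross-checks adapter settings against the dependencies stated
# in the procedure. Assumes a name -> value dict with "TRUE"/"FALSE" options.

def _val(p, name):
    return str(p.get(name, "")).strip()
def _on(p, name):
    return _val(p, name).upper() == "TRUE"

def audit_adapter(p, system_prefs=None):
    """Return [(parameter, problem), ...] for one adapter's settings."""
    prefs, out = system_prefs or {}, []
    mode = _val(p, "SecAdptMode").upper()
    if mode not in ("LDAP", "ADSI"):
        out.append(("SecAdptMode", "must be LDAP or ADSI"))
    if mode == "LDAP":
        port = _val(p, "Port") or "389"          # 389 is the default
        if port == "389":
            out.append(("Port", "389 is standard transmission; 636 is the secure port"))
        elif port == "636" and not _val(p, "SslDatabase"):
            out.append(("SslDatabase", "secure port chosen but no SSL database named"))
    if mode == "ADSI":                           # these settings are LDAP only
        for name in ("Port", "PasswordAttributeType", "SslDatabase"):
            if _val(p, name):
                out.append((name, "LDAP-only setting on an ADSI adapter"))
    if _on(p, "HashUserPwd") or _on(p, "HashDBPwd"):
        algo = _val(p, "HashAlgorithm").upper()
        if algo not in ("RSASHA1", "SIEBELHASH"):
            out.append(("HashAlgorithm", "hashing is on; specify RSASHA1 or SIEBELHASH"))
        elif algo == "SIEBELHASH":
            out.append(("HashAlgorithm", "RSASHA1 is required for new customers"))
    if _val(p, "SharedCredentialsDN") and not _val(p, "CredentialsAttributeType"):
        out.append(("CredentialsAttributeType", "needed by the shared database account"))
    if _on(p, "SingleSignOn") and not _val(p, "TrustToken"):
        out.append(("TrustToken", "Web SSO is on but no trust token is set"))
    if _on(p, "UseAdapterUserName") and not _val(p, "SiebelUsernameAttributeType"):
        out.append(("SiebelUsernameAttributeType", "needed by adapter-defined user name"))
    if _on(p, "PropagateChange") and not _on(prefs, "SecThickClientExtAuthent"):
        out.append(("SecThickClientExtAuthent", "system preference must be TRUE"))
    return out

# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "SecAdptMode": "LDAP", "SecAdptName": "LDAPSecAdpt", "Port": "389",
    "UsernameAttributeType": "uid", "CredentialsAttributeType": "dbaccount",
    "HashUserPwd": "TRUE", "HashAlgorithm": "SIEBELHASH",
    "SingleSignOn": "TRUE", "TrustToken": "",
}

if __name__ == "__main__":
    print(*audit_adapter(SAMPLE), sep="\n")
```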