Using the LDAP/ADSI Configuration Utility


Siebel Systems provides the LDAP/ADSI Configuration Utility to help you configure a directory service for your Siebel applications. The utility provides a graphical user interface (GUI) to update parameters in Siebel application configuration files.

The utility automatically runs as part of the Siebel Server installation, but you can also run the utility as a stand-alone program. Run the utility for each Siebel application you want to set up.

CAUTION:  The LDAP/ADSI Configuration Utility overwrites rather than appends configuration files. To prevent losing important configuration information, use the utility to create a new file, then copy the results to the desired *.cfg file for your Siebel application.
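
One way to do the copy step from the CAUTION above without disturbing the rest of the target file, as an added Python example (not Siebel code): it replaces only the [LDAP] section of an existing configuration text with the section the utility wrote to its new file. It assumes INI-style [Section] headers like the [LDAP] listing this page shows; the function names and the sample sections [AppSettings] and [Other] are constructed for illustration.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def split_sections(text):
    """Split cfg text into (section name or None, lines) blocks, losing nothing."""
    blocks = [(None, [])]
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            blocks.append((m.group(1).strip().lower(), [line]))
        else:
            blocks[-1][1].append(line)
    return blocks

def splice_section(target_text, generated_text, section="LDAP"):
    """Return target_text with only [section] replaced by the utility's copy."""
    wanted = section.lower()  # assumption: section names compare case-insensitively
    fresh = [lines for name, lines in split_sections(generated_text) if name == wanted]
    if len(fresh) != 1:
        raise ValueError(f"utility output must contain exactly one [{section}] section")
    new_lines = fresh[0][:]
    while new_lines and not new_lines[-1].strip():
        new_lines.pop()            # normalise trailing blank lines
    new_lines.append("")
    out, done = [], False
    for name, lines in split_sections(target_text):
        if name != wanted:
            out.extend(lines)      # every other section is copied untouched
        elif not done:
            out.extend(new_lines)  # first occurrence: swap in the new section
            done = True
        else:
            raise ValueError(f"target already has more than one [{section}] section")
    if not done:                   # target had no such section: append it
        out.extend([""] + new_lines if out and out[-1].strip() else new_lines)
    return "\n".join(out).rstrip("\n") + "\n"

# Constructed sample files; [AppSettings] and [Other] are placeholder sections.
EXISTING = "[AppSettings]\nTitle = demo\n\n[LDAP]\nPort = 389\nTrustToken = old\n\n[Other]\nKeep = yes\n"
GENERATED = "[LDAP]\nServerName = ldapserver.siebel.com\nPort = 636\n"

def demo():
    return splice_section(EXISTING, GENERATED)
```

Write the result to a new file and compare it with the live *.cfg before putting it in place, since any parameter that existed only in the old [LDAP] section is dropped by the replacement.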

To run the LDAP/ADSI Configuration Utility

  1. Do one of the following:
  2. SIEBSRVR_ROOT\ADMIN\CONFIG\config.exe

    SIEBSRVR_ROOT/ADMIN/CONFIG/config

    where SIEBSRVR_ROOT is the installation directory for the Siebel Server.

    The utility works as a JVM (Java Virtual Machine) executable. There are no special setup requirements to run it.

    NOTE:  The utility works best if run locally rather than over the network. Therefore, it is recommended that you run the utility from the machine that hosts the Siebel application you want to configure.

  3. A series of screens appears with a list of LDAP/ADSI configuration settings.
  4. The following figure shows an example of an LDAP/ADSI configuration screen.

    The number of screens that appear depends on the configuration options you have chosen. As you enter information, click Next to proceed to the next screen. Click Back to return to a previous screen.

    NOTE:  The utility sets directory configuration parameters for Siebel applications, but it does not make changes to the directory or directory server. Make sure the configuration information you enter is compatible with your directory server.

  5. Enter configuration information pertaining to directories:
  6. Enter configuration information pertaining to attribute mapping:
  7. When the Configuration Options screen appears, scroll to the bottom of the screen to select the options you want to configure. You can select one or more of the options.
  8. The following figure shows configuration options you can choose for the LDAP/ADSI Configuration Utility.

    After you select options, the number of screens that appear depends on which options you have chosen. The following table describes configuration options and the associated information required for each option.

    Option: Siebel Application User (SAU)

      Description:
        Allows you to specify a single directory account that the Siebel application uses to search, update or read directory entries. Creating an SAU account allows you to limit directory access by individual end users.
        For more information, see Application User.

      Required Settings:
        This option requires a user name and password for the account:
        • SAU Distinguished Name
          This is the full distinguished name of the Siebel Application User (ApplicationUser). Make sure you include the quotes in the name.
        • SAU Password
          This is the password you specify for the Siebel Application User. If you create a Siebel Application User, make sure you also add this name and password to the directory.

    Option: Shared Database Account

      Description:
        This option simplifies directory administration by enabling multiple-user entries in a directory to share the same database account. Without this option, a database account must be created for each user entry in the directory.
        For more information, see Shared Database Account.

      Required Settings:
        This option requires specifying the following information:
        • Distinguished Name for the Shared Database Account
          This is the distinguished name (SharedCredentialsDN) for the directory entry that is used to share the database account. For example:

          "uid=SHAREDENTRY, ou=People, o=xzy.com"

        • Shared Database Account Attribute
          This is the attribute (CredentialsAttributeType) used to store the database account in the directory (for example, dbaccount).

    Option: Username Mapping

      Description:
        This option allows users to be authenticated by something other than the Siebel user ID (for example, a social security number, phone number, or email address). As with Siebel user ID, this identifier must be unique.
        For more information, see Adapter-Defined User Name.

      Required Settings:
        This option requires specifying:
        • Username Attribute
          This is the name of the attribute used to authenticate users. The security adapter references this attribute instead of the Siebel user ID attribute (for example, email_ID).
        • Username Field (in Siebel)
          This is the name of the field in the Siebel interface (OM - Username BC Field Name) that stores the Username Attribute (for example, Email Address).
        • Siebel User ID Attribute
          This is the attribute SiebelUsernameAttributeType used by the security adapter to retrieve the Siebel user ID for an authenticated user (for example uid).

    Option: Single Sign-On

      Description:
        This option sets Web SSO. With Web SSO, users can access multiple applications from a single login page.
        When Web SSO is enabled, user credentials are verified by a third-party authentication service instead of the security adapter.

      Required Settings:
        Selecting this option sets the SingleSignOn attribute to TRUE. This option also requires specifying:
        • Shared Secret
          This is the value of the TrustToken attribute used by the security adapter and the Web server to prevent Siebel Web Engine spoofing attacks (for example, HELLO). The value you enter must match the TrustToken value used by the Web server.
        Note: The LDAP/ADSI utility only sets the Web SSO parameters in a Siebel application configuration file. You must also set the parameters in your eapps.cfg file. For more information about setting up Web SSO, see Implementing Web SSO Authentication.

    Option: Propagate User Changes

      Description:
        This option displays instructions on how to enable Siebel applications to propagate user changes to the directory.
        When this option is enabled, the directory is updated automatically when users are added or passwords changed in a Siebel application.

      Required Settings:
        To enable this option, use the Application Administration screen in your Siebel application to set the system preference SecExternalUserAdministration to FALSE.
        For more information, see System Preferences.

    Option: Dedicated Client Support

      Description:
        This option displays instructions on how to enable security adapter authentication for users who log in through the Siebel Dedicated Web Client.

      Required Settings:
        To enable this option, use the Application Administration screen in your Siebel application to set the system preference SecThickClientExtAuthent to TRUE.
        For more information, see System Preferences.

  9. When you have finished entering configuration information, a final screen appears. Use this screen to specify a file to store the information you have entered.
  10. The following figure shows the screen you use to specify a file for storing configuration information.

    CAUTION:  The LDAP/ADSI Configuration Utility overwrites rather than appends the file you specify. To prevent losing important configuration information, designate a new, empty file, then copy the results to the *.cfg file for your Siebel application.

    For more information on where configuration files are located for Siebel eBusiness Applications, see Siebel Application Configuration File Parameters.

  11. Click Next to add configuration information to the file you specify.
  12. The following list is an example of LDAP configuration information produced by the utility.

    [LDAP]
    DllName = sscfldap
    ServerName = ldapserver.siebel.com
    Port = 636
    BaseDN = "ou=people, o=xyz.com"
    SharedCredentialsDN =
    UsernameAttributeType = uid
    PasswordAttributeType = userPassword
    CredentialsAttributeType = dbaccount
    RolesAttributeType = roles
    SharedCredentialsDn = "uid=HKIM, ou=people, o=Siebel.com"
    SslDatabase = /suitespot/https-myhost/cert7.db
    ApplicationUser = "uid=APPUSER, ou=people, o=xyz.com"
    ApplicationPassword = teMPass
    EncryptApplicationPassword = TRUE
    EncryptCredentialsPassword = TRUE
    SingleSignOn = TRUE
    TrustToken = HELLO
    UseAdapterUsername = TRUE
    SiebelUsernameAttributeType = PHONE
    UseRemoteConfig = \\myserver\vol\remconf\remote.cfg
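
A review pass over the generated section before it is copied into a live configuration file, as an added Python example (not part of the Siebel utility): it checks the [LDAP] output against requirements the option table states, namely a password for the Siebel Application User, a TrustToken when SingleSignOn is TRUE, and a TrustToken that matches the Web server's value. It also flags a TrustToken left at the documentation's example value and parameters written in two spellings, as SharedCredentialsDN is in the listing. The function names, the web_server_token argument, the case-insensitive comparison of parameter names, and applying the quoting check to all three distinguished-name parameters are assumptions of this example.

```python
# Excerpt of the [LDAP] listing above, values as the page shows them.
SAMPLE = """[LDAP]
BaseDN = "ou=people, o=xyz.com"
SharedCredentialsDN =
SharedCredentialsDn = "uid=HKIM, ou=people, o=Siebel.com"
ApplicationUser = "uid=APPUSER, ou=people, o=xyz.com"
ApplicationPassword = teMPass
SingleSignOn = TRUE
TrustToken = HELLO
"""
DN_KEYS = ("basedn", "sharedcredentialsdn", "applicationuser")

def parse_section(text, section="LDAP"):
    """Return [(key, value)] for one section, keeping order, case and duplicates."""
    pairs, inside = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            inside = line.strip("[]").lower() == section.lower()
        elif inside and "=" in line:
            key, _, value = line.partition("=")  # DN values contain '=' too
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit(pairs, web_server_token=None):
    """Check the section against the requirements the option table states."""
    findings, first, cfg = [], {}, {}
    for key, value in pairs:
        low = key.lower()  # assumption: parameter names compare case-insensitively
        if first.setdefault(low, key) != key:
            findings.append(f"{first[low]} and {key} are two spellings of one parameter")
        if value:
            cfg[low] = value  # last non-empty assignment wins for the checks below
    for low in DN_KEYS:
        v = cfg.get(low, "")
        if v and not (len(v) > 1 and v[0] == v[-1] == '"'):
            findings.append(f"{first[low]}: distinguished name is not quoted")
    if "applicationuser" in cfg and "applicationpassword" not in cfg:
        findings.append("ApplicationUser is set without ApplicationPassword")
    if cfg.get("singlesignon", "").upper() == "TRUE":
        token = cfg.get("trusttoken", "")
        if not token:
            findings.append("SingleSignOn is TRUE without TrustToken")
        elif token == "HELLO":
            findings.append("TrustToken is still the documentation example value")
        if web_server_token is not None and token != web_server_token:
            findings.append("TrustToken differs from the Web server's value")
    return findings
```

Pass the TrustToken value from the Web server's eapps.cfg as web_server_token to include the match check; an empty result list means none of these checks fired.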


 Security Guide for Siebel eBusiness Applications 
 Published: 23 June 2003