Using LDAP with Oracle Java CAPS

Using an LDAP Server for Enterprise Manager User Management

You can configure Enterprise Manager to use an LDAP server for user management. This is a two-step process. First, you configure the LDAP server, and then you configure the Enterprise Manager server so it can locate the LDAP server and find the appropriate information (for example, the portion of the directory that contains users).

The following sections give instructions for configuring each supported type of LDAP directory.

Once you configure the LDAP directory, you need to configure the Enterprise Manager, as described in Configuring the Enterprise Manager Server.

Managing Java CAPS Users provides basic information about Enterprise Manager user management.

Configuring Oracle Virtual Directory for Enterprise Manager

Oracle Virtual Directory accesses information from multiple directories and databases, giving you a single entry point into the information stored in these directories. For more information about Oracle Virtual Directory, see Configuring Oracle Virtual Directory for the Repository.

To Configure LDAP Servers Connected to Oracle Virtual Directory

Perform the following general steps to create the user and roles for each LDAP directory that will connect to the Enterprise Manager through the Oracle Virtual Directory. More complete instructions are provided for specific LDAP directories in the following sections:

  1. If you have not done so already, create the admin user and the Administrator user under the People directory.
  2. Create the following roles under the top node:
    • Deployment

    • User Management

    • Read-Only Monitor

    • Controlling Monitor

    • JMS Read-Only Monitor

    • JMS Read-Write Monitor

    • Manager

  3. Assign the roles that you created to the admin user and the Administrator user.

Configuring Oracle Internet Directory for Enterprise Manager

Oracle Internet Directory runs as an application on an Oracle database. For more information about Oracle Internet Directory, see Configuring Oracle Internet Directory for the Repository.

To Configure Oracle Internet Directory

You only need to perform steps 2 and 3 (creating the Java CAPS users and organizational unit for roles) if you did not already create them when configuring LDAP for the Repository. For more information, see Configuring Oracle Internet Directory for the Repository.

  1. Connect to the Oracle Directory Services Manager (either through Oracle Fusion Middleware Control or directly through its URL).
  2. If you have not done so already, create the admin user and the Administrator user in the directory containing the LDAP users.
  3. If you have not done so already, create a new organizational unit for Java CAPS roles in your domain, and assign it a unique name (for example, CAPSRoles).
  4. Under the new organizational unit, create the following groups:
    • Deployment

    • User Management

    • Read-Only Monitor

    • Controlling Monitor

    • JMS Read-Only Monitor

    • JMS Read-Write Monitor

    • Manager

  5. Add the admin user and the Administrator user as unique members of all the groups that you created.
  6. Go to Configuring the Enterprise Manager Server.

Configuring Oracle Directory Server Enterprise Edition for Enterprise Manager

Oracle Directory Server Enterprise Edition provides a console for you to perform administrative tasks. For more information about Oracle Directory Server Enterprise Edition, see Configuring Oracle Directory Server Enterprise Edition for the Repository.

To Configure the Oracle Directory Server Enterprise Edition

  1. If you have not done so already, create the admin user and the Administrator user under the People directory.
  2. Create the following roles under the top node:
    • Deployment

    • User Management

    • Read-Only Monitor

    • Controlling Monitor

    • JMS Read-Only Monitor

    • JMS Read-Write Monitor

    • Manager

  3. Assign the roles that you created to the admin user and the Administrator user.
  4. Go to Configuring the Enterprise Manager Server.

Configuring Microsoft Active Directory Service for Enterprise Manager

Active Directory is a key part of Windows 2000. It provides a wide variety of manageability, security, and interoperability features. The main administration tool is a snap-in called Active Directory Users and Computers.

Active Directory does not support the concept of roles. Therefore, you must simulate the Enterprise Manager roles in Active Directory using the concept of groups.


Note - For detailed information about how to perform the following steps, see the documentation provided with Active Directory.


To Configure the Active Directory Service

  1. Start the Active Directory Users and Computers administration tool.
  2. Right-click the root node and select New > Organizational Unit.

    The New Object - Organizational Unit dialog box appears.

  3. In the Name field, enter a value (for example, EntMgrRoles).
  4. Click OK.
  5. Under the organizational unit, create the following groups:
    • Deployment

    • User Management

    • Read-Only Monitor

    • Controlling Monitor

    • JMS Read-Only Monitor

    • JMS Read-Write Monitor

    • Manager

    After you add the groups, they appear under the organizational unit.

  6. Add the admin user and the Administrator user as members of all the groups that you created by double-clicking each group and selecting admin and Administrator from the dialog box.
  7. Go to Configuring the Enterprise Manager Server.

Configuring the OpenLDAP Directory Server for Enterprise Manager

The OpenLDAP Project provides an open source implementation of the LDAP protocol. The LDAP server runs as a standalone daemon called slapd. The main configuration file is called slapd.conf. This file contains global information that is specific to the database and back end. You can use various approaches to add entries to the database, such as using the slapadd program. To search the database, use the ldapsearch program.

For more information, see http://www.openldap.org.


Note - For detailed information about how to perform the following steps, see the documentation provided with OpenLDAP Directory Server.


To Configure the OpenLDAP Directory Server

  1. Create the admin user and the Administrator user under the node where the users are located.
  2. If you do not have a node for roles in your schema, then create a node for the Enterprise Manager roles that you will create in the following step.
  3. Create the following roles under the node where the roles are located:
    • Deployment

    • User Management

    • Read-Only Monitor

    • Controlling Monitor

    • JMS Read-Only Monitor

    • JMS Read-Write Monitor

    • Manager

  4. Add the admin user and the Administrator user as unique members of each role.
  5. Add other users to one or more roles, as necessary.
  6. Go to Configuring the Enterprise Manager Server.

Configuring the Enterprise Manager Server

Once you have configured the LDAP server, you configure the Enterprise Manager server so that it can locate the LDAP server and find the appropriate information.

You must edit the following Enterprise Manager files: web.xml and ldap.properties.

To Configure the Enterprise Manager Server

  1. Shut down the server component of Enterprise Manager.
  2. Open the web.xml file in the JavaCAPS-install-dir/emanager/server/webapps/sentinel/WEB-INF directory.
  3. Locate the following lines:
    <param-name>com.stc.emanager.sentinel.authHandler</param-name>
    <param-value>com.stc.cas.auth.provider.tomcat.TomcatPasswordHandler</param-value>
  4. Change the parameter value to:
    <param-value>com.stc.cas.auth.provider.ldap.LDAPHandler</param-value>
  5. Save the web.xml file.
  6. Open the ldap.properties file in the JavaCAPS-install-dir/emanager/server/webapps/sentinel/WEB-INF/classes directory.
  7. The following list describes all of the properties that appear in the ldap.properties file. Edit the properties in the section for your LDAP server, and ensure that the properties are not commented out.

    com.stc.sentinel.auth.ldap.serverType
      The type of LDAP server.

    com.stc.sentinel.auth.ldap.serverUrl
      The URL of the LDAP server.

    com.stc.sentinel.auth.ldap.searchFilter
      The name of the user ID attribute in user entries.

    com.stc.sentinel.auth.ldap.searchBase
      The root entry of the portion of the LDAP directory where Enterprise Manager will search for users.

    com.stc.sentinel.auth.ldap.searchScope
      This property is not currently used.

    com.stc.sentinel.auth.ldap.bindDN
      The security principal used for connecting to the LDAP server.

    com.stc.sentinel.auth.ldap.bindPassword
      The password of the security principal.

    com.stc.sentinel.auth.ldap.referral
      The LDAP referral policy. The default value is follow, which indicates that LDAP referrals will be automatically followed. Note that referrals must be enabled in the LDAP server. The other valid values are throw (for referral exceptions) and ignore. This property is optional. It is not included for Oracle Directory Server Enterprise Edition.

    com.stc.sentinel.auth.ldap.roleAttribute
      The name of the role name attribute in user entries.

    com.stc.sentinel.auth.ldap.roleBaseDN
      The root entry of the portion of the LDAP directory where Enterprise Manager will search for roles. This property appears only in the OpenLDAP set of properties.

    com.stc.sentinel.auth.ldap.rolePattern
      Enables you to configure pattern matching for role names. You can place the Enterprise Manager users in a separate line of business from other users in the LDAP directory. This property appears only in the Active Directory set of properties.

  8. Save the ldap.properties file.
  9. Start the server component of Enterprise Manager.

Configuring Enterprise Manager for LDAP and SSL Support

By default, communications between Enterprise Manager and the LDAP server are unencrypted. To encrypt communications, make the following additions and modifications to the procedures described earlier in this topic.

Configuring SSL on the LDAP Server

Ensure that the LDAP server is configured to use the Secure Sockets Layer (SSL). For instructions, see the documentation provided with the LDAP server. In preparation for the next step, export the LDAP server’s certificate to a file.

Importing the LDAP Server’s Certificate

You must add the LDAP server’s certificate to the Enterprise Manager’s list of trusted certificates. The list is located in a file called cacerts, located in the JDK-install-dir/jre/lib/security directory. In the following procedure, you use the keytool program. This program is included with the Java SDK.

To Import the LDAP Server’s Certificate

  1. Navigate to the Java_Home\jre\lib\security directory.

    Use the JDK that was specified during Java CAPS installation.

  2. Run the following command:
    keytool -import -trustcacerts -alias alias_name -file certificate_filename -keystore cacerts_filename
    • For the -alias option, assign any value.

    • For the -file option, specify the fully qualified name of the LDAP server’s certificate. For example:

      C:\mycertificate.cer
    • For the -keystore option, specify the fully qualified name of the cacerts file.

  3. When prompted, enter the keystore password. The default password is changeit.
  4. When prompted to trust this certificate, enter yes.

    The following message appears:

    Certificate was added to keystore

Modifying the LDAP Server URL

When you configured the LDAP properties for Enterprise Manager, as described in Configuring the Enterprise Manager Server, you specified the LDAP server URL. When using the SSL protocol, you need to modify that URL as described below.

To Modify the LDAP Server URL

  1. Navigate to JavaCAPS_Home\emanager\server\webapps\sentinel\WEB-INF\classes.
  2. Open ldap.properties in a text editor.
  3. In the com.stc.sentinel.auth.ldap.serverUrl property, set the protocol to ldaps and set the port number to the port number that the LDAP server listens on for SSL requests.

    Typically, this number is 636. For example:

    com.stc.sentinel.auth.ldap.serverUrl=ldaps://MyLDAPServer:636
  4. Save and close the file.
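As an added example (not part of the Java CAPS documentation or product), the following Python linter applies the checks from the ldap.properties property list in Configuring the Enterprise Manager Server and from the SSL URL change above: the required com.stc.sentinel.auth.ldap.* properties are present and not commented out, the referral policy is one of the documented values, and serverUrl uses ldaps:// with an explicit port. The sample file, its DN values and the serverType value are constructed placeholders.

```python
"""Lint a Java CAPS Enterprise Manager ldap.properties file (added example, not product code)."""
from urllib.parse import urlsplit

PREFIX = "com.stc.sentinel.auth.ldap."
REQUIRED = ("serverType", "serverUrl", "searchFilter", "searchBase",
            "bindDN", "bindPassword", "roleAttribute")
REFERRAL_VALUES = {"follow", "throw", "ignore"}  # values listed in the property description

def parse_properties(text):
    """Return {key: value} for active lines; '#' and '!' start Java .properties comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_ldap_properties(text):
    """Return a list of findings; an empty list means the file passes all checks."""
    props = parse_properties(text)
    findings = []
    for name in REQUIRED:
        if not props.get(PREFIX + name):
            findings.append(f"{PREFIX}{name} is missing, empty or commented out")
    referral = props.get(PREFIX + "referral")
    if referral is not None and referral not in REFERRAL_VALUES:
        findings.append(f"referral={referral!r} is not one of {sorted(REFERRAL_VALUES)}")
    url = props.get(PREFIX + "serverUrl", "")
    if url:
        parts = urlsplit(url)
        if parts.scheme != "ldaps":
            findings.append(f"serverUrl {url!r} is not ldaps://; LDAP traffic is unencrypted")
        elif parts.port is None:
            findings.append("serverUrl has no explicit port; the SSL port is typically 636")
    return findings

# Constructed sample: the unencrypted default URL and a bindPassword left commented out.
SAMPLE = """\
com.stc.sentinel.auth.ldap.serverType=OpenLDAP
com.stc.sentinel.auth.ldap.serverUrl=ldap://MyLDAPServer:389
com.stc.sentinel.auth.ldap.searchFilter=uid
com.stc.sentinel.auth.ldap.searchBase=ou=People,dc=example,dc=com
com.stc.sentinel.auth.ldap.bindDN=cn=Manager,dc=example,dc=com
#com.stc.sentinel.auth.ldap.bindPassword=changeme
com.stc.sentinel.auth.ldap.referral=follow
com.stc.sentinel.auth.ldap.roleAttribute=cn
"""
```

Running `lint_ldap_properties(SAMPLE)` reports the commented-out bindPassword and the ldap:// URL; after applying the ldaps://MyLDAPServer:636 change the URL finding disappears.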