Agile Product Lifecycle Management Administrator Guide
Release 9.3.3
E39286-04

33 LDAP

Many enterprises use the Lightweight Directory Access Protocol (LDAP) system, and a dedicated LDAP server, to create their user accounts. The Server Settings node folder now includes an LDAP node. When you open the LDAP node, the LDAP Configuration Editor appears. The administrator can change LDAP settings (especially the search filter), preview the results, and save the changes, all without having to restart the server.

The LDAP node may not be visible in your ready-to-use Administrator tree. If your company does not use an LDAP system, the node is not needed. The node is made visible through the AppliedTo capability; see "Administrator Privilege and the AppliedTo Capability."


Note:

Agile PLM supports LDAP authentication through the Agile Directory Server Integration Module. You can integrate Agile with your existing directory server to manage your users in one place. This approach can be fully integrated into Agile PLM for the supported directory servers, each of which has its own configuration task under "Configuring WebLogic Server for LDAP with Agile PLM."

If you chose to manage your user accounts through a directory server (instead of the database) during installation, then all new users are added, and certain user attributes are configured, only through the directory server.

Agile Administrator has the capability of integrating aspects of your PLM system with Single Sign-On (SSO) capability. With SSO configured and deployed for your PLM system, a user that has signed in to the system once (for instance, through the corporate portal) is not prompted again by a "login" dialog (see Appendix A, "Configuring Single Sign-On").

33.1 Configuring WebLogic Server for LDAP with Agile PLM

To authenticate LDAP users to Agile PLM, Oracle WebLogic Server must be configured through the WebLogic Administration Console, as detailed in the tasks below.

Two points apply to all of the sample values in these tasks. The samples leave SSLEnabled unchecked and use the plain LDAP port (389). With that setting the authenticator's bind Credential, and the password of every user who logs in (the authenticator verifies a password by binding to the directory as that user), cross the network in clear text. For a production system, check SSLEnabled, use the directory's LDAPS port (636 by default), and import the directory server's certificate chain into the WebLogic trust keystore. The samples also bind as a directory superuser (cn=orcladmin, cn=Directory Manager, Administrator). The WebLogic LDAP authentication providers only read user and group entries, so a dedicated account with read access to the User Base DN and Group Base DN subtrees is sufficient and should be used instead.

33.1.1 Configuring WebLogic with Oracle Internet Directory

To configure WebLogic with an Oracle Internet Directory Server:

  1. Open the Administration console page by typing the following URL:

    http://localhost:<port_number>/console

  2. In the left pane, choose Lock & Edit.

  3. In the left pane, choose agileDomain > Security Realms > AgileRealm > Providers > Authentication.

  4. Click New, enter a name such as "OracleInternetDirectory" for the OID authenticator, select OracleInternetDirectoryAuthenticator as the type, and click OK.

  5. Click the newly created OracleInternetDirectory authenticator and change the value of the Control Flag to SUFFICIENT and then click Save.


    Important:

    The following is a sample of the values and settings needed for your own configuration. Be sure to use the applicable settings for your specific company's needs.

  6. On the Provider Specific tab, fill in the following entries with your relevant values:

    • User Name Attribute: cn

    • Propagate Cause for Login Exception: Check the Box

    • Principal: cn=orcladmin

    • Host: <Machine Name where the OID running>

    • User Object Class: person

    • All Users Filter: <specify a user filter, for example (objectclass=person), or leave blank>

    • User Search Scope: Subtree

    • All Groups Filter: <Specify the Group Filter Name or leave blank>

    • Static Member DN Attribute: uniquemember

    • Group from Name Filter: (&(cn=%g)(objectclass=groupofuniquenames))

    • Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))

    • Use Retrieved User Name as Principal: (check the box)

    • Results Time Limit: 0

    • Cache TTL: 60

    • Dynamic Group Name Attribute: uniquemember

    • Credential: <Password given for OID login>

    • Confirm Credential: <Password given for OID login>

    • Group Search Scope: subtree

    • Group Base DN: cn=Groups,dc=agile,dc=agilesoft,dc=com

    • Dynamic Group Object class: (empty)

    • User from Name Filter: (&(cn=%u)(objectclass=person))

    • Cache Size: 32

    • Dynamic Member URL Attribute: (labeledurl)

    • SSLEnabled: (empty)

    • Cache Enabled: (check the box)

    • Connection Retry Limit: 1

    • Connect Timeout: 0

    • Parallel Connect Delay: 0

    • User Dynamic Group DN Attribute: cn

    • Static Group Name Attribute: cn

    • User Base DN: cn=Users,dc=agile,dc=agilesoft,dc=com

    • Follow Referrals: (check the box)

    • Port: 389

    • Ignore Duplicate Membership: (uncheck the box)

    • Static Group Object Class: groupofuniquenames

    • Group Membership Searching: unlimited

    • Max Group Membership Search Level: 0

  7. Click Save.

  8. On the left pane click the button Activate Changes to activate all the changes made.

  9. Log out from the console, and restart the WebLogic server and, if installed in a cluster, all managed servers to successfully have all the changes activated.

33.1.2 Configuring WebLogic with Sun Java System Directory Server

To configure WebLogic with a Sun Java System Directory Server:

  1. Open the WLS Administration console page by typing the following URL:

    http://localhost:<port_number>/console

  2. In the left pane, choose Lock & Edit.

  3. In the left pane, choose agileDomain > Security Realms > AgileRealm > Providers > Authentication.

  4. Click New, enter a name such as "SunJavaDirectory" for the authenticator, select iPlanet Authenticator as the type, and click OK.

  5. Click the newly created authenticator and change the value of the Control Flag to SUFFICIENT and then click Save.

  6. The following is a sample of the values and settings needed for your own configuration. Be sure to use the applicable settings for your specific company's needs.

    On the Provider Specific tab, fill in the following entries with the following values:

    • Host: <Machine Name where the LDAP running>

    • Port: <LDAP Port>

    • Principal: cn=Directory Manager

    • Credential: <Password given for LDAP login>

    • Confirm Credential: <Password given for LDAP login>

    • User Base DN: ou=Agile,dc=example,dc=com

    • All Users Filter: (objectclass=person) <Specify the users filter or leave it blank>

    • User from Name Filter: blank

    • User Object Class: person

    • User Name Attribute: uid

    • User Search Scope: Subtree

    • Use Retrieved User Name as Principal: (uncheck the box)

    • All Groups Filter: <specify the group filter or leave it blank>

    • Group from Name Filter: (&(cn=%g)(objectclass=groupofuniquenames))

    • Group Search Scope: subtree

    • Group Base DN: ou=Groups,dc=example,dc=com

    • Max Group Membership Search Level: 0

    • Group Membership Searching: unlimited

    • Ignore Duplicate Membership: (uncheck the box)

    • Static Member DN Attribute: uniquemember

    • Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))

    • Static Group Name Attribute: cn

    • Static Group Object Class: groupofuniquenames

    • Dynamic Group Name Attribute: cn

    • Dynamic Group Object class: groupofURLs

    • Dynamic Member URL Attribute: memberURL

    • User Dynamic Group DN Attribute: (leave it blank)

    • Connect Timeout: 0

    • Connection Retry Limit: 1

    • Parallel Connect Delay: 0

    • Results Time Limit: 0

    • Follow Referrals: (check the box)

    • Propagate Cause for Login Exception: (check the box)

    • Cache Enabled: (check the box)

    • Cache Size: 32

    • Cache TTL: 60

    • SSLEnabled: (empty)

  7. Click Save.

  8. On the left pane click the button Activate Changes to activate all the changes made.

  9. Log out from the console, and restart the WebLogic server and, if installed in a cluster, all managed servers to successfully have all the changes activated.

33.1.3 Configuring WebLogic with Microsoft Active Directory Server

To configure WebLogic with Microsoft Active Directory Server:

  1. Open the Administration console page by typing the following URL:

    http://localhost:<port_number>/console

  2. In the left pane, choose Lock & Edit.

  3. In the left pane, choose agileDomain > Security Realms > AgileRealm > Providers > Authentication.

  4. Click New, enter a name such as "ActiveDirectoryServer" for the ADS authenticator, select ActiveDirectoryAuthenticator as the type, and click OK.

  5. Click the newly created ActiveDirectoryServer authenticator and change the value of the Control Flag to SUFFICIENT and then click Save.

  6. The following is a sample of the values and settings needed for your own configuration. Be sure to use the applicable settings for your specific company's needs.

    On the Provider Specific tab, fill in the following entries with the following values:

    • User Name Attribute: sAMAccountName

    • Principal: Administrator@enterprise.uab.edu

    • Host: 10.176.138.35

    • All Users Filter: (objectclass=person)

    • User Search Scope: subtree

    • All Groups Filter: (Keep it Empty)

    • Static Member DN Attribute: member

    • Group from Name Filter: (Keep it Empty)

    • Bind Anonymously On Referrals (Uncheck this Box)

    • Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))

    • Results Time Limit: 0

    • Credential: < password given for the ADS to authenticate>

    • Confirm Credential: < password given for the ADS to authenticate>

    • Group Search Scope: subtree

    • Cache Size: 32

    • User from Name Filter: (keep it empty)

    • Dynamic Member URL Attribute: (keep it empty)

    • Connection Retry Limit: 1

    • Connect Timeout: 0

    • User Dynamic Group DN Attribute: (keep it empty)

    • Static Group Name Attribute: cn

    • User Base DN: OU=agile,DC=enterprise,DC=uab,DC=edu

      This is operating with the assumption that all Agile users are found under this path.

    • Use Token Groups for Group Membership Lookup (Uncheck this Box)

    • Port: 389

    • Follow Referrals (check this Box)

    • Propagate Cause for Login Exception (Uncheck this box)

    • User Object Class: user

    • Cache TTL: 60

    • Use Retrieved User Name as Principal (uncheck the box)

    • Dynamic Group Name Attribute: (keep the field empty)

    • Group Base DN: OU=agile,DC=enterprise,DC=uab,DC=edu

      This is operating with the assumption that all Agile user groups are found under this path.

    • Dynamic Group Object Class: (keep the field empty)

    • SSLEnabled: (uncheck the box)

    • Cache Enabled (check this box)

    • Parallel Connect Delay: 0

    • Ignore Duplicate Membership: (uncheck this box)

    • Static Group Object Class: group

    • Group Membership Searching: unlimited

    • Max Group Membership Search Level: 0

  7. Click Save.

  8. On the left pane click the button Activate Changes to activate all the changes made.

  9. Log out from the console, and restart the WebLogic server and, if installed in a cluster, all managed servers to successfully have all the changes activated.

33.1.4 Configuring WebLogic with Microsoft Active Directory Lightweight Directory Services

To configure WebLogic with a Microsoft Active Directory Lightweight Directory Services (AD LDS) server:

  1. Open the Administration console page by typing the following URL:

    http://localhost:<port_number>/console

  2. In the left pane, choose Lock & Edit.

  3. In the left pane, choose agileDomain > Security Realms.

  4. In the right pane, select AgileRealm > Providers.

  5. In the Authentication Provider list, click New, enter a name such as "ActiveDirectory-LDSServer" for the authenticator, select LDAPAuthenticator as the type, and click OK.

  6. Click the newly created ActiveDirectory-LDSServer authenticator and change the value of the Control Flag to SUFFICIENT and then click Save.

  7. The following is a sample of the values and settings needed for your own configuration. Be sure to use the applicable settings for your specific company's needs.

    On the Provider Specific tab, fill in the following entries with the following values:

    • User Name Attribute: uid

    • Principal: CN=Administrator,OU=Agile,O=Microsoft,C=US

    • Host: <AD-LDS Server>

    • All Users Filter: (objectclass=person)

    • User Search Scope: subtree

    • All Groups Filter: (keep it empty)

    • Static Member DN Attribute: member

    • Group from Name Filter: (keep it empty)

    • Bind Anonymously On Referrals (uncheck this box)

    • Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))

    • Results Time Limit: 0

    • Credential: <password given for the AD LDS account to authenticate>

    • Confirm Credential: <password given for the AD LDS account to authenticate>

    • Group Search Scope: subtree

    • Cache Size: 32

    • User from Name Filter: (keep it empty)

    • Dynamic Member URL Attribute: (keep it empty)

    • Connection Retry Limit: 1

    • Connect Timeout: 0

    • User Dynamic Group DN Attribute: (keep it empty)

    • Static Group Name Attribute: cn

    • User Base DN: OU=Users,OU=Agile,O=Microsoft,C=US

    • Use Token Groups for Group Membership Lookup (uncheck this box)

    • Port: 389

    • Follow Referrals (check this box)

    • Propagate Cause for Login Exception (uncheck this box)

    • User Object Class: user

    • Cache TTL: 60

    • Use Retrieved User Name as Principal (uncheck the box)

    • Dynamic Group Name Attribute: (keep the field empty)

    • Group Base DN: Agile,O=Microsoft,C=US

    • Dynamic Group Object Class: (keep the field empty)

    • SSLEnabled: (uncheck the box)

    • Cache Enabled (check this box)

    • Parallel Connect Delay: 0

    • Ignore Duplicate Membership: (uncheck this box)

    • Static Group Object Class: group

    • Group Membership Searching: unlimited

    • Max Group Membership Search Level: 0

  8. Click Save.

  9. On the left pane click the button Activate Changes to activate all the changes made.

  10. Log out from the console, and restart the WebLogic server and, if installed in a cluster, all managed servers to successfully have all the changes activated.

33.1.5 Configuring WebLogic with Oracle Virtual Directory Server

To configure WebLogic with Oracle Virtual Directory Server:

  1. Open the WLS Administration console page by typing the following URL:

    http://localhost:<port_number>/console

  2. In the left pane, choose Lock & Edit.

  3. In the left pane, choose agileDomain > Security Realms > AgileRealm > Providers > Authentication.

  4. Click New, enter a name such as "OracleVirtualDirectory" for the authenticator, select OracleVirtualDirectoryAuthenticator as the type, and click OK.

  5. Click the newly created authenticator and change the value of the Control Flag to SUFFICIENT and then click Save.

  6. The following is a sample of the values and settings needed for your own configuration. Be sure to use the applicable settings for your specific company's needs.

    On the Provider Specific tab, fill in the following entries with the following values:


    Note:

    The values below should be specified as per the LDAP Server used to fetch the data into OVD Server. (The sample values below are specified as per OID.)

    • Host: <OVD Server>

    • Port: <OVD Port>

    • Principal: <LDAP Server Principal>

    • Credential: < password given for the LDAP to authenticate>

    • Confirm Credential: < password given for the LDAP to authenticate>

    • User Base DN: cn=Users,dc=idc,dc=oracle,dc=com

    • All Users Filter: (objectclass=person)

    • User from Name Filter: (&(cn=%u)(objectclass=person))

    • User Object Class: person

    • User Name Attribute: cn

    • User Search Scope: Subtree

    • Use Retrieved User Name as Principal: (check the box)

    • All Groups Filter: (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=groupofurls)))

    • Group from Name Filter: (&(cn=%g)(objectclass=groupofuniquenames))

    • Group Search Scope: subtree

    • Group Base DN: cn=Groups,dc=idc,dc=oracle,dc=com

    • Max Group Membership Search Level: 0

    • Group Membership Searching: unlimited

    • Ignore Duplicate Membership: (uncheck the box)

    • Static Member DN Attribute: uniquemember

    • Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))

    • Static Group Name Attribute: cn

    • Static Group Object Class: groupofuniquenames

    • Dynamic Group Name Attribute: uniquemember

    • Dynamic Group Object class: (empty)

    • Dynamic Member URL Attribute: (empty), or labeledurl if dynamic groups are used (it cannot be empty in that case)

    • User Dynamic Group DN Attribute: cn

    • Connect Timeout: 0

    • Connection Retry Limit: 1

    • Parallel Connect Delay: 0

    • Results Time Limit: 0

    • Follow Referrals: (check the box)

    • Propagate Cause for Login Exception: Check the Box

    • Cache Enabled: (check the box)

    • Cache Size: 32

    • Cache TTL: 60

    • SSLEnabled: (empty)

  7. Click Save.

  8. On the left pane click the button Activate Changes to activate all the changes made.

  9. Log out from the console, and restart the WebLogic server and, if installed in a cluster, all managed servers to successfully have all the changes activated.
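The five tasks above all fill in the same Provider Specific fields, and a mistake in any of them only shows up as a failed login after Activate Changes and a restart. The Groovy script below is an added example, not part of this guide or of Agile PLM: it takes the same values and performs, with plain JNDI, the sequence the WebLogic LDAP authenticator performs at login (bind as Principal, search User Base DN with the User from Name Filter, bind as the user found, search Group Base DN with the Static Group DNs from Member DN Filter), so the values can be checked from the WebLogic host before they are saved. The host, service account and DNs are hypothetical; the script escapes the login name and user DN per RFC 4515 before substituting them for %u and %M; and the blank User from Name Filter case is derived from User Name Attribute and User Object Class, which is an assumption about what the default amounts to. With sslEnabled set, the directory's CA certificate must be in the trust store of the JVM running the script, just as it must be in the WebLogic trust keystore for the real authenticator.

```groovy
import javax.naming.AuthenticationException
import javax.naming.Context
import javax.naming.directory.SearchControls
import javax.naming.ldap.InitialLdapContext
import javax.naming.ldap.LdapContext

// Provider Specific values as they would be typed into the WebLogic console
// (Active Directory layout; host, service account and DNs are hypothetical).
def settings = [
    host                            : 'ad.example.com',
    port                            : 636,
    sslEnabled                      : true,   // the guide's samples leave SSLEnabled unchecked on port 389
    principal                       : 'CN=svc-weblogic-ldap,OU=Service Accounts,DC=example,DC=com',
    credential                      : 'change-me',
    userBaseDN                      : 'OU=agile,DC=example,DC=com',
    userNameAttribute               : 'sAMAccountName',
    userObjectClass                 : 'user',
    userFromNameFilter              : '',     // blank in the console: derived from the two values above
    groupBaseDN                     : 'OU=agile,DC=example,DC=com',
    staticGroupDNsFromMemberDNFilter: '(&(member=%M)(objectclass=group))',
]

/** RFC 4515 escaping for any value substituted for %u, %g or %M, so a login name cannot alter the filter. */
String escapeFilterValue(String value) {
    def escapes = ['\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\u0000': '\\00']
    return value.toList().collect { String ch -> escapes[ch] ?: ch }.join('')
}

/** Filter run for a login; a blank User from Name Filter falls back to User Name Attribute and User Object Class (assumption). */
String userFilter(Map s, String login) {
    String template = s.userFromNameFilter ?: "(&(${s.userNameAttribute}=%u)(objectclass=${s.userObjectClass}))"
    return template.replace('%u', escapeFilterValue(login))
}

/** Simple bind to the configured Host/Port; ldaps:// only when SSLEnabled is set. */
LdapContext connect(Map s, String bindDN, String password) {
    def env = new Hashtable<String, Object>()
    env[Context.INITIAL_CONTEXT_FACTORY] = 'com.sun.jndi.ldap.LdapCtxFactory'
    env[Context.PROVIDER_URL] = "${s.sslEnabled ? 'ldaps' : 'ldap'}://${s.host}:${s.port}".toString()
    env[Context.SECURITY_AUTHENTICATION] = 'simple'
    env[Context.SECURITY_PRINCIPAL] = bindDN
    env[Context.SECURITY_CREDENTIALS] = password
    if (s.sslEnabled) env[Context.SECURITY_PROTOCOL] = 'ssl'
    return new InitialLdapContext(env, null)
}

/** The steps the authenticator performs at login: Principal bind, user search, bind as the user, group search. */
Map checkLogin(Map s, String login, String password) {
    def sc = new SearchControls(searchScope: SearchControls.SUBTREE_SCOPE, returningAttributes: ['cn'] as String[])
    LdapContext ctx = connect(s, s.principal, s.credential)
    try {
        def users = ctx.search(s.userBaseDN, userFilter(s, login), sc).toList()
        if (users.size() != 1) return [ok: false, reason: "user filter matched ${users.size()} entries".toString()]
        String userDN = users[0].nameInNamespace
        // The password is checked by binding as the user: this bind and the Principal bind
        // above both cross the network in clear text when SSLEnabled is off.
        try {
            connect(s, userDN, password).close()
        } catch (AuthenticationException e) {
            return [ok: false, reason: "bind as ${userDN} rejected: ${e.message}".toString()]
        }
        String groupFilter = s.staticGroupDNsFromMemberDNFilter.replace('%M', escapeFilterValue(userDN))
        def groups = ctx.search(s.groupBaseDN, groupFilter, sc).toList()*.nameInNamespace
        return [ok: true, userDN: userDN, groups: groups]
    } finally {
        ctx.close()
    }
}

// usage: groovy ldapcheck.groovy <login> <password>
if (args.length == 2) println checkLogin(settings, args[0], args[1])
```

A result with ok: false and "user filter matched 0 entries" points at the User Base DN, User Name Attribute or User from Name Filter; a rejected second bind points at the password or at an account the directory will not let bind; an empty groups list with a successful bind points at the Group Base DN or the Static Group DNs from Member DN Filter. Run it once with sslEnabled false against a test directory while capturing traffic if you need to demonstrate to anyone why the production setting must be true.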

33.2 Creating Users in an LDAP Directory

You have the following options for creating Agile PLM users:

  • Create all users in Agile PLM – this can be done even if your company uses LDAP for its non-Agile applications.

  • Create all user objects using the corporate LDAP system – the basic user data (for instance, user ID, first and last name, password, email address) are imported to Agile PLM, where each user's profile is completed.

  • Combine the two approaches – your company may use LDAP for the employees who are assigned to use Agile PLM, but create non-employees within the Agile PLM system. In this case, the LDAP accounts are imported and validated, and there is no risk of having to reconcile user data within Agile PLM.


Note:

You cannot create regular Agile PLM users (that is, Power or Concurrent users) both in Agile PLM and in LDAP. The only way to combine the two approaches is to use Agile PLM to create Restricted users only.

More specifically, you should not create multiple users with the same User ID (username), especially in the WebSphere environment. WebSphere uses an embedded LDAP adapter to authenticate users, and that adapter does not allow multiple users with the same ID.



Important:

Users created in Agile PLM with the Supplier user roles can also be authenticated through LDAP.

33.2.1 Configuring Multiple LDAP User Repositories

You can configure multiple LDAP user repositories for the security domain by repeating the configuration steps for the specific directory server.

Do not delete the AgileAuthenticator authentication provider: it is used to authenticate users against the Agile database. The Control Flag for the AgileAuthenticator must remain Optional. AgileAuthenticator must be the first authentication provider in the list if there are additional authentication providers, such as Sun Java System, Oracle Internet Directory, or Microsoft Active Directory.

33.3 Enhanced LDAP

To modify LDAP information:

  1. Under Server Settings, double-click LDAP node. The LDAP Configuration Editor window appears.

  2. On the LDAP Configuration tab, double-click the row that names the LDAP server you want to populate. This is also where you can create a new LDAP server configuration.

    The Edit LDAP dialog presents the contents of the LDAP server you selected for your modification.

  3. When you have completed entering modifications, click OK.

  4. With the row selected (for the LDAP server you modified), click the Preview button. The Preview Results tab lets you preview the results of your LDAP query.

    When you click Preview, the server validates the LDAP configuration. If there are errors—such as inconsistent data across LDAP servers in a cluster, or duplicated users on multiple servers, or syntax errors—the server passes an exception back to the client, and you will see a popup window displaying the errors.

    • If the LDAP configuration contains clustered LDAP servers, the preview shows data from only one of the LDAP servers, since the data is identical across the cluster.

    • If the LDAP configuration contains multiple LDAP servers, the preview shows the union of data from all LDAP servers.

  5. Click Save to save changes to the LDAP configuration. Again, the server validates the LDAP configuration. If any errors are detected, an error message displays and the exception prevents the Save operation from completing.

33.4 Synchronizing LDAP and Agile PLM

In Java Client, the Refresh Users from LDAP button on the Users node toolbar window integrates LDAP-originated users into the Agile PLM system. In Web Client, if you use LDAP, the Refresh from Directory Server button is enabled in the Users node under the More button menu options (under Tools and Settings > Address Book > Users) for the same purpose.

Refer to your LDAP documentation to import user accounts to Agile PLM.

After clicking Refresh (or Refresh from Directory Server) to automatically update the accounts for use in Agile PLM, complete each user object by populating Agile PLM user properties as required.

Synchronization of Agile PLM users with LDAP-created user accounts depends on each Agile PLM user's Login ID being the same as the Login ID of the corresponding LDAP user account. An upgrade of an Agile PLM system assumes that users authenticate through the Agile PLM database.

There is another way to synchronize users between LDAP and Agile PLM: a script is included in the Bin directory called migrateUserToDB.bat/sh that you can run manually or on a scheduled basis. This script serves the same purpose as the Refresh (or Refresh from Directory Server) button in Java and Web clients, respectively.


Note:

Be sure to restart the application server after executing the script.

33.5 LDAP-controlled User Properties

If your company is using LDAP for user accounts, the following properties will always be managed by LDAP. By default, these values cannot be edited in Agile PLM.

However, in the agile.properties file you can set the configuration to make first name, last name, and email editable.

  • UserID

  • First Name

  • Last Name

  • Password

  • Email Address

  • Title

  • Work Phone

  • Mobile Phone

  • Fax Number

If an LDAP directory is used to create and manage Agile PLM users, by default users do not require a separate approval password. However, you can uncheck the Use Login Password for Approval Password property for a user and enter an approval password.

You can set up Account Policy functionality on the LDAP server. For more information, see your LDAP system documentation.

33.6 Agile LDAP Configuration

The LDAP Configuration Editor (Server Settings > LDAP node) is used to configure your integration between Agile PLM and your company's LDAP system.

Click the New LDAP icon and fill in the properties (defined below). You can double-click an existing configuration (row in the table) to display the Edit LDAP dialog. You can remove an existing configuration by selecting its row, clicking the Delete LDAP icon, and following the prompt.

You can define multiple sets of parameters to configure integration with multiple directory servers.


Note:

Verify all settings in LDAP Configuration Editor with your LDAP administrator.

33.6.1 Directory Service Connection Parameters

Connection parameters include the host name, port, protocol, account name and filter. The account name is used to connect to the directory server during synchronization, so it must have the appropriate privileges. The filter is used to select only a subset of the users defined in the directory server as Agile users.

33.6.2 LDAP Configuration Properties

The properties in the LDAP configuration page are described in the table below:

Table 33-1 LDAP Configuration Properties

Field Name Description

ID

Unique string identifying the LDAP server. The string must be less than 30 characters and cannot be changed once in use.

Description

Information about the server configuration

Agent

The Directory Server used for authentication; valid values are SunONEDirectory or ActiveDirectory

URL

The URL for the authentication agent

Domain

The authentication string when using Active Directory Server in the format of <username>@<auth.domain.name>

Username

Username of the account used to bind to the directory server for synchronization. It does not need to be the LDAP administrator; an account that can read the users and groups selected by the filters is enough.

Password

Encrypted password of the user

User Path

Tree under which all Agile users can be found; this property should be set to the node closest to the root of the Directory Tree structure; any user that is not found under the subtree starting at this node should not be on the Agile system.

Search Scope

Scope of search for Agile users under the user-path node; valid values are ONE_LEVEL or SUB_TREE; this property should be set to ONE_LEVEL only if all users in the organization are directly under the User Path node

Search Filter

Search filter for Agile users under the <user-path> node; this must be a valid LDAP search filter that matches all Agile users under the scope defined by <auth.ldap.user.path> and <auth.ldap.user.search.scope>; users not matching this filter are considered invalid users on the Agile system; a valid LDAP search filter must be enclosed in parentheses.

Mechanism

Authentication mechanism supported by the directory server; valid values are "simple" or "strong"

Group Path

The node closest to the root of the directory tree under which the group search starts; set this property to that node.

Group Scope

Valid values: ONE_LEVEL, SUB_TREE; similar to <search-scope>

Group Filter

This must be a valid LDAP search filter that matches the LDAP groups that contain all of the users to be used in Agile.

When the Group Filter is used to synchronize all users and user groups from the LDAP server, the User Path and Search Scope must also be set for the Search Filter.

When the User Group Sync function is enabled, you cannot add or remove users on the Users tab of an LDAP-synchronized user group.

Group Membership

Filter used at authentication to check whether the current user belongs to the groups selected by the Group Filter; "%M" in the filter is replaced by the DN of the user who is logging in.

Dynamic Group Filter

This must be a valid LDAP search filter that matches the LDAP Dynamic groups that contain all expected users to be used in Agile

Failover Links

Links that point to alternate LDAP servers that the system tries to access, in listed order, when the primary LDAP server fails

Fail Attempts

Specifies the maximum number of attempts to access other servers that the system can make when the LDAP server fails

Disable Agile User If Not Found In LDAP

Valid values: TRUE or FALSE

When set to TRUE and the administrator runs the "migrateUsersToDB -p" command, the Agile active users (migrated from LDAP and made active) who are either removed from LDAP or not in the current LDAP search path are disabled.
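The connection and filter values in Table 33-1 decide which directory entries become Agile users, and "Disable Agile User If Not Found In LDAP" turns that selection into account deactivations on the next migrateUsersToDB -p run, so it is worth previewing both before enabling it. The Groovy script below is an added example, not part of this guide or of Agile PLM: it applies the table's URL, Username, Password, User Path, Search Scope and Search Filter the way a synchronization does, checks that the filter is a parenthesized filter as the table requires, enumerates the selected user IDs one page at a time, and reports which currently active Agile user IDs the option would disable. The directory, service account, DNs, filter and the three Agile user IDs are hypothetical; the case-insensitive comparison of Login IDs is an assumption; and the page size is the directory's size limit, which is also what the Generic LDAP agent's sizeLimit setting in "Generic LDAP Agent" describes.

```groovy
import javax.naming.Context
import javax.naming.directory.SearchControls
import javax.naming.ldap.Control
import javax.naming.ldap.InitialLdapContext
import javax.naming.ldap.LdapContext
import javax.naming.ldap.PagedResultsControl
import javax.naming.ldap.PagedResultsResponseControl

// Table 33-1 connection values for a hypothetical directory (all names are made up).
def cfg = [
    url         : 'ldaps://ldap.example.com:636',
    username    : 'cn=svc-agile-sync,ou=Service Accounts,dc=example,dc=com', // read access only; not the LDAP administrator
    password    : 'change-me',
    userPath    : 'ou=Agile,dc=example,dc=com',
    searchScope : 'SUB_TREE',                 // ONE_LEVEL or SUB_TREE, as in the table
    searchFilter: '(&(objectclass=person)(memberOf=cn=agile-users,ou=Groups,dc=example,dc=com))',
    userIdAttr  : 'uid',                      // LDAP attribute mapped to the Agile UserID
    pageSize    : 1000,                       // the directory's size limit, used as the page size
]

/** Table 33-1 requires a valid filter enclosed in parentheses; catch the obvious mistakes before a sync run. */
boolean filterLooksValid(String f) {
    if (!f || !f.startsWith('(') || !f.endsWith(')')) return false
    int depth = 0
    for (char ch : f.toCharArray()) {
        if (ch == ('(' as char)) depth++
        else if (ch == (')' as char) && --depth < 0) return false
    }
    return depth == 0
}

/** User IDs the Search Filter selects under User Path, fetched one page at a time (RFC 2696 paged results). */
List<String> ldapUserIds(Map c) {
    if (!filterLooksValid(c.searchFilter)) throw new IllegalArgumentException("invalid Search Filter: ${c.searchFilter}".toString())
    def env = new Hashtable<String, Object>()
    env[Context.INITIAL_CONTEXT_FACTORY] = 'com.sun.jndi.ldap.LdapCtxFactory'
    env[Context.PROVIDER_URL] = c.url
    env[Context.SECURITY_AUTHENTICATION] = 'simple'
    env[Context.SECURITY_PRINCIPAL] = c.username
    env[Context.SECURITY_CREDENTIALS] = c.password
    LdapContext ctx = new InitialLdapContext(env, null)
    def sc = new SearchControls(
        searchScope: c.searchScope == 'ONE_LEVEL' ? SearchControls.ONELEVEL_SCOPE : SearchControls.SUBTREE_SCOPE,
        returningAttributes: [c.userIdAttr] as String[])
    List<String> ids = []
    try {
        byte[] cookie = null
        while (true) {
            ctx.setRequestControls([new PagedResultsControl(c.pageSize, cookie, Control.CRITICAL)] as Control[])
            def results = ctx.search(c.userPath, c.searchFilter, sc)
            while (results.hasMore()) {
                def attr = results.next().attributes.get(c.userIdAttr)
                if (attr != null) ids << attr.get().toString()
            }
            cookie = ctx.responseControls?.find { it instanceof PagedResultsResponseControl }?.cookie
            if (!cookie) break        // no cookie or an empty cookie: that was the last page
        }
    } finally {
        ctx.close()
    }
    return ids
}

/** Active Agile users that "Disable Agile User If Not Found In LDAP" would disable on the next migrateUsersToDB -p run. */
List<String> usersToDisable(List<String> activeAgileUsers, List<String> ldapUsers) {
    Set<String> inLdap = ldapUsers.collect { it.toLowerCase() } as Set   // assumption: Login IDs compare case-insensitively
    return activeAgileUsers.findAll { !(it.toLowerCase() in inLdap) }
}

// Constructed sample, no directory needed: contractor01 is active in Agile but is no longer selected by the filter.
def active = ['jsmith', 'mjones', 'contractor01']
println usersToDisable(active, ['jsmith', 'MJONES'])
// Against a real directory: groovy ldapsync-preview.groovy run
if (args) println usersToDisable(active, ldapUserIds(cfg))
```

The list the constructed sample prints is exactly the set of accounts the option would deactivate, which is the review you want an administrator to do before the first run with the option set to TRUE: a Search Filter that is too narrow, or a User Path one level too deep with Search Scope ONE_LEVEL, disables every user outside it.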


33.6.2.1 Mapping LDAP Attributes

To map an Agile attribute to an LDAP-system attribute:

  1. In the User-LDAP Attributes Mapping or Usergroup-LDAP Attributes Mapping field, click Add to create a new entry.

  2. From the New Attribute Mapping dialog, choose an Agile ID (that is, attribute) from the drop-down list.

  3. In the LDAP ID field, type the name of an attribute from your LDAP system that you want mapped to the selected Agile attribute.

For example, "Date09" might map to an attribute called "End Date".

33.6.3 Generic LDAP Agent

To integrate with LDAP-compliant directory servers that are not supported by a directory-server-specific agent, a Generic LDAP agent with a customizable script is provided. Support for OVD and any other LDAP directory server (including those, such as Active Directory and Sun Java System Directory Server, that already have a directory-server-specific agent) is accomplished through the Generic LDAP agent.

The only difference between Generic LDAP agent and directory-server-specific agents is the customizable Groovy script, which provides LDAP server metadata and LDAP server specific logic.

Four functions should be defined in the Groovy script. See details in comments in Script for Active Directory Server.

getServerSettings – returns a map containing LDAP-server-specific configuration values, which are added to the environment used when connecting to the LDAP server. This function is not required if there are no server-specific settings.

getSchemaInfo – returns a map containing LDAP server schema information: for example, the object classes of users and user groups, or the attribute names of the distinguished name and common name. This function is required.

isAccountDisabled – returns true or false to indicate whether the user account whose attributes are passed in is disabled. This function is required.

getEntryDN – returns the distinguished name (DN) of the search result entry passed in. This function is required.
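The guide gives no script for a server that has no directory-specific agent. As an added example that is not part of the guide or of Agile PLM, the Groovy script below implements the four functions for OpenLDAP with its default schema (inetOrgPerson users, groupOfNames groups, groupOfURLs dynamic groups from the dynlist overlay) and the ppolicy overlay for account lockout. It assumes the agent requests the attributes named in getSchemaInfo by name, which matters here because entryDN, entryUUID, createTimestamp, modifyTimestamp and pwdAccountLockedTime are operational attributes that OpenLDAP returns only when they are asked for explicitly; getEntryDN falls back to the entry name JNDI reports in case entryDN is absent.

```groovy
import javax.naming.directory.*

// No server-specific JNDI settings are needed for OpenLDAP (entryUUID is a string, not a binary value).
def getServerSettings() {
    [:]
}

def getSchemaInfo() {
    [
        classUser: "inetOrgPerson",
        classGroup: "groupOfNames",
        classDynamicGroup: "groupOfURLs",          // dynlist overlay

        entryDN: "entryDN",                        // operational attribute: returned only when requested by name
        entryCN: "cn",
        entryGUID: "entryUUID",                    // operational attribute

        userID: "uid",
        firstName: "givenName",
        lastName: "sn",
        title: "title",
        email: "mail",
        workphone: "telephoneNumber",
        fax: "facsimileTelephoneNumber",
        mobile: "mobile",
        createTimestamp: "createTimestamp",        // operational attribute
        modifyTimestamp: "modifyTimestamp",        // operational attribute
        userAccountControl: "pwdAccountLockedTime", // ppolicy overlay; absent on an unlocked account

        groupMember: "member",
        dynamicGroupMemberURL: "memberURL",

        dateFormat: "yyyyMMddHHmmss'Z'",           // OpenLDAP generalized time carries no fraction
        sizeLimit: 500                             // slapd's default sizelimit
    ]
}

def isAccountDisabled(Attributes attributes) {
    // The ppolicy overlay sets pwdAccountLockedTime when an account is locked: the value
    // 000001010000Z means locked by an administrator, any other time is a lockout after
    // failed binds. Both are treated as disabled here; there is no AD-style control bit mask.
    Attribute attr = attributes.get("pwdAccountLockedTime")
    if (attr == null) return false
    String value = (String) attr.get()
    return value != null && value.trim().length() > 0
}

def getEntryDN(SearchResult entry) {
    // entryDN is operational; if the search did not ask for it, use the name JNDI resolved for the entry.
    Attribute dnAttr = entry.getAttributes().get("entryDN")
    return dnAttr != null ? (String) dnAttr.get() : entry.getNameInNamespace()
}
```

If the directory does not run the ppolicy overlay, point userAccountControl at whatever attribute your deployment uses to mark a deactivated account and change isAccountDisabled to match; returning false for every account, as the script would with a missing attribute, means a user removed from use in the directory keeps logging in to Agile PLM until the next synchronization disables the account.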

The following are script examples for all LDAP servers supported by directory-server-specific agents, which demonstrate the use of customizable script. All examples are based on the default schemas of these LDAP servers. There is no example for Oracle Virtual Directory Server (OVD) because the script should be prepared for OVD's target LDAP server.

Script for Active Directory Server

import javax.naming.directory.*
/**
 * @return a HashMap whose values will be added to the Hashtable
 * used to create InitialContext
*/
def getServerSettings() {
    ["java.naming.ldap.attributes.binary": "objectGUID"]
}
 
/**
 * @return a HashMap contains information of LDAP schema, which includes:
 * (1) object class of user, user group and dynamic group if used.
 * (2) attribute of distinguished name, common name, GUID, userID, first name,
 *     last name, title, email, workphone, fax, mobile, create timestamp,
 *     modify timestamp, user account control, group member, dynamic group member.
 * (3) date format used in LDAP server
 * (4) the size limit of LDAP server, which is used as page size for pagination
 *     operation if a LDAP server supports controls: simple paged results,
 *     virtual list view, or server side sorting.
 *
*/
def getSchemaInfo() {
    [
        classUser: "person",
        classGroup: "group",
        classDynamicGroup: "groupOfURLs",
       
        entryDN: "distinguishedName",
        entryCN: "cn",
        entryGUID: "objectGUID",
       
        userID: "sAMAccountName",
        firstName: "givenName",
        lastName: "sn",
        title: "title",
        email: "mail",
        workphone: "telephoneNumber",
        fax: "facsimileTelephoneNumber",
        mobile: "mobile",
        createTimestamp: "createTimestamp",
        modifyTimestamp: "modifyTimestamp",
        userAccountControl: "userAccountControl",
       
        groupMember: "member",
        dynamicGroupMemberURL: "memberURL",
       
        dateFormat: "yyyyMMddHHmmss.0'Z'",
        sizeLimit: 1000
    ]
}
 
/**
 * @param attributes contain all attributes of an entry
 * @return true if user account is disabled, otherwise false
*/
def isAccountDisabled(Attributes attributes) {
        Attribute attr = attributes.get("userAccountControl");
        if (attr == null)
            return false;
        String accountControlInfo = (String) attr.get();
        if (accountControlInfo == null || accountControlInfo.trim().length() <= 0)
            return false;
        int value = Integer.parseInt(accountControlInfo.trim());
        // userAccountControl is a bit mask; ACCOUNTDISABLE is the 0x2 bit, see
        // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_useraccountcontrol.asp
        // Test the bit itself: checking whether the hex string ends with "2" misses accounts
        // whose low nibble also carries other flags (for example 0xA = disabled + HOMEDIR_REQUIRED).
        return (value & 0x2) != 0;
}
 
/**
 * @param entry is an entry of LDAP search result
 * @return the distinguished name(DN) of the entry
*/
def getEntryDN(SearchResult entry) {
    Attributes attrs = entry.getAttributes()
    Attribute dnAttr = attrs.get("distinguishedName")
    return (String) dnAttr.get()
}
 
Script for Active Directory Lightweight Directory Services
 
import javax.naming.directory.*
 
def getServerSettings() {
     ["java.naming.ldap.attributes.binary": "objectGUID"]
}
 
def getSchemaInfo() {
    [
        classUser: "person",
        classGroup: "group",
        classDynamicGroup: "groupOfURLs",
       
        entryDN: "distinguishedName",
        entryCN: "cn",
        entryGUID: "objectGUID",
       
        userID: "uid",
        firstName: "givenName",
        lastName: "sn",
        title: "title",
        email: "mail",
        workphone: "telephoneNumber",
        fax: "facsimileTelephoneNumber",
        mobile: "mobile",
        createTimestamp: "createTimestamp",
        modifyTimestamp: "modifyTimestamp",
        userAccountControl: "msDS-UserAccountDisabled",
       
        groupMember: "member",
        dynamicGroupMemberURL: "memberURL",
       
        dateFormat: "yyyyMMddHHmmss.0'Z'",
        sizeLimit: 1000
    ]
}
 
def isAccountDisabled(Attributes attributes) {
    attr = attributes.get("msDS-UserAccountDisabled")
    if (attr == null) {
        return false
    }
    accountControlInfo = attr.get()
    if (accountControlInfo == null || accountControlInfo.trim().length() <= 0) {
        return false
    }
    return accountControlInfo.trim().equalsIgnoreCase("true")
}
 
def getEntryDN(SearchResult entry) {
    Attributes attrs = entry.getAttributes()
    Attribute dnAttr = attrs.get("distinguishedName")
    return dnAttr.get()
}
 
Script for Oracle Internet Directory Server
 
import javax.naming.directory.*
 
def getServerSettings() {
    [:]
}
 
def getSchemaInfo() {
    [
        classUser: "person",
        classGroup: "groupOfUniqueNames",
        classDynamicGroup: "orclDynamicGroup",
       
        entryDN: "dn",
        entryCN: "cn",
        entryGUID: "orclGUID",
       
        userID: "cn",
        firstName: "givenName",
        lastName: "sn",
        title: "title",
        email: "mail",
        workphone: "telephoneNumber",
        fax: "facsimileTelephoneNumber",
        mobile: "mobile",
        createTimestamp: "createTimestamp",
        modifyTimestamp: "modifyTimestamp",
        userAccountControl: "orclisenabled",
       
        groupMember: "uniqueMember",
        dynamicGroupMemberURL: "labeledURI", 
       
        dateFormat: "yyyyMMddHHmmss'z'",
        sizeLimit: 1000
    ]
}
 
def isAccountDisabled(Attributes attributes) {
    attr = attributes.get("orclisenabled")
    if (attr == null) {
        return false
    }
    accountControlInfo = attr.get()
    if (accountControlInfo == null || accountControlInfo.trim().length() <= 0) {
        return false
    }
    return accountControlInfo.trim().equalsIgnoreCase("disabled")
}
 
def getEntryDN(SearchResult entry) {
    return entry.getNameInNamespace()
}
 
Script for Sun Java System Directory Server
 
import javax.naming.directory.*
 
def getSchemaInfo() {
    [
        classUser: "person",
        classGroup: "groupOfUniqueNames",
        classDynamicGroup: "groupOfURLs", 
       
        entryDN: "entrydn",
        entryCN: "cn",
        entryGUID: "nsUniqueId",
       
        userID: "uid",
        firstName: "givenName",
        lastName: "sn",
        title: "title",
        email: "mail",
        workphone: "telephoneNumber",
        fax: "facsimileTelephoneNumber",
        mobile: "mobile",
        createTimestamp: "createTimestamp",
        modifyTimestamp: "modifyTimestamp",
        userAccountControl: "nsAccountLock",
       
        groupMember: "uniqueMember",
        dynamicGroupMemberURL: "memberURL", 
       
        dateFormat: "yyyyMMddHHmmss'Z'",
        sizeLimit: 1000
    ]
}
 
def isAccountDisabled(Attributes attributes) {
    attr = attributes.get("nsAccountLock")
    if (attr == null) {
        return false
    }
    accountControlInfo = attr.get()
    if (accountControlInfo == null || accountControlInfo.trim().length() <= 0) {
        return false
    }
    return accountControlInfo.trim().equalsIgnoreCase("true")
}
 
def getEntryDN(SearchResult entry) {
    Attributes attrs = entry.getAttributes()
    Attribute dnAttr = attrs.get("entrydn")
    return dnAttr.get()
}
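The four scripts above each answer the same question, "is this directory entry a disabled account?", but the attribute and value semantics differ per server: a bit mask for Active Directory, a boolean string for AD LDS, an ENABLED/DISABLED string for Oracle Internet Directory, and nsAccountLock for Sun Java System Directory Server. The following Python block, an added example that is not Agile's own code, models those checks side by side and shows why the Active Directory check must test the ACCOUNTDISABLE bit rather than the last hex digit of userAccountControl. The attribute names and values are taken from the scripts on this page; the sample userAccountControl values and the `is_account_disabled` dispatcher are constructed for illustration.

```python
"""Model of the per-directory account-disabled checks used by the Agile
LDAP scripts. Constructed example; attribute names come from the scripts
on this page, sample values are made up."""

# Active Directory userAccountControl flag for a disabled account.
AD_ACCOUNTDISABLE = 0x0002


def _text(attrs, name):
    """Return the stripped string value of an attribute, or '' if absent/blank."""
    raw = attrs.get(name)
    return "" if raw is None else str(raw).strip()


def ad_disabled(attrs):
    """Active Directory: userAccountControl is a bit mask; test the
    ACCOUNTDISABLE bit. An absent or blank attribute counts as enabled."""
    value = _text(attrs, "userAccountControl")
    if not value:
        return False
    return (int(value) & AD_ACCOUNTDISABLE) != 0


def ad_disabled_hex_suffix(attrs):
    """The heuristic from the shipped AD script: disabled if the hex form of
    userAccountControl ends in '2'. Kept only to show where it disagrees."""
    value = _text(attrs, "userAccountControl")
    if not value:
        return False
    return format(int(value), "x").endswith("2")


def adlds_disabled(attrs):
    """AD LDS: msDS-UserAccountDisabled is a boolean string."""
    return _text(attrs, "msDS-UserAccountDisabled").lower() == "true"


def oid_disabled(attrs):
    """Oracle Internet Directory: orclisenabled is ENABLED or DISABLED."""
    return _text(attrs, "orclisenabled").lower() == "disabled"


def sun_disabled(attrs):
    """Sun Java System Directory Server: nsAccountLock is 'true' when locked."""
    return _text(attrs, "nsAccountLock").lower() == "true"


# Dispatcher keyed by a constructed server-type label (not an Agile setting).
CHECKS = {
    "ad": ad_disabled,
    "adlds": adlds_disabled,
    "oid": oid_disabled,
    "sun": sun_disabled,
}


def is_account_disabled(server_type, attrs):
    """Apply the check that matches the directory type of the LDAP node."""
    return CHECKS[server_type](attrs)


def compare_ad_checks(values):
    """Return the userAccountControl values on which the bit test and the
    hex-suffix heuristic disagree, i.e. disabled accounts the heuristic misses."""
    return [
        v for v in values
        if ad_disabled({"userAccountControl": v})
        != ad_disabled_hex_suffix({"userAccountControl": v})
    ]


if __name__ == "__main__":
    # Constructed values: 512 normal account, 514 normal+disabled,
    # 66050 normal+disabled+password never expires, 515 script+disabled,
    # 518 homedir required+disabled. The last two end in hex 3 and 6.
    print(compare_ad_checks(["512", "514", "66050", "515", "518"]))
```

Running the block prints `['515', '518']`: both are disabled accounts (bit 0x0002 set) whose hex representation does not end in "2", so a suffix check would let them through the synchronization as enabled users. The same pattern, a small pure function per server type with the empty/absent attribute treated as "not disabled", is what the Groovy `isAccountDisabled` functions above implement, and is easy to unit-test before the script is loaded into the LDAP node.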
 

33.6.4 Multiple Directory Server Support

It is possible to indicate multiple directory servers. This is useful if you have users in multiple domains that need access to Agile, or if you have backup directory servers to provide fail-over support.

On the Edit LDAP page, create one or more nodes depending on how many directories need to be supported; click the Preview Result tab: it will display all the users on the first node or server. Now, if you stop the services of this server, then the Preview Result will display the users from the backup or secondary server. (Remember to restore services to the primary server.)

If a backup or secondary directory server is configured, the integration module tries the backup server if access to the primary server fails.

33.6.5 Configuration Scripts

One directory server can be configured during the Agile installation. Additional directory servers can be configured manually after installation. Agile provides scripts to enable configuration after installation. These scripts are located in the agile_home\agileDomain\bin directory:

  • encryptpwd – ldapconfig.xml needs an encrypted password for the directory server user; this script generates an encrypted password based on the existing user password

  • checkLDAPConfig – use for checking LDAP configurations; all errors should be fixed, if encountered

  • migrateUserstoDB – use to migrate a user from LDAP to the Agile database; this script permits you to update existing users and to create new users in the database.

33.6.6 Synchronizing Users and User Groups

This feature applies to the Sun Java System Directory Server, Oracle Virtual Directory Server, Oracle Internet Directory, Microsoft Active Directory Lightweight Directory Services Server, and Microsoft Active Directory servers.

  • LDAP user groups and group members can be synchronized into the Agile system using <group-filter> to "synch" the static users in the user group, and <dynamic-group-filter> to "synch" dynamic group users. To enable this function, ensure that auth.ldap.group is enabled (set to True) in agile.properties file.

    With User Group "synch" function enabled, you cannot remove or add users on a user group's Users tab that have been synchronized (that is, where users have been added to a user group through LDAP).