Agile Product Lifecycle Management Capacity Planning Guide
Release 9.3.6
E71149-01
5 Directory Server

In an effort to support industry standard authentication schemes and enable central management of user information, Agile PLM 9.3.6 supports integration with the industry leading directory server and LDAP-based authentication for the Agile solution suite.

5.1 Overview

Directory server integration enables you to seamlessly integrate the Agile solution suite with your existing directory servers, so users can be managed in one place.

This chapter describes the architecture of the Agile PLM 9.3.6 Directory Server Integration Module, implementation details, configuration, and contains an FAQ section to help you gain a better understanding of how this solution works.

5.2 System Architecture

The figure below illustrates the high-level architecture of the Agile PLM 9.3.6 Directory Server Integration Module. As shown in the diagram, all components in the Agile solution use the Directory Server Integration Module platform component of the core Agile Application Server. This module provides three main services to the Agile solution:

  1. Authentication

  2. Obtaining up-to-date user listings (synchronize users)

  3. Synchronizing user profiles

Figure 5-1 System Architecture (diagram: Directory Server System Architecture)

The Directory Service Integration Module is an interface that describes the contract between the module and the Agile PLM 9.3.6 platform. The interface does not make any assumptions about how the implementation provides these services. This interface driven design de-couples the Agile PLM 9.3.6 platform from user management and authentication, allowing new implementations to be easily added in the future for expanded support.

User information that is managed through the Directory Server Integration Module must be maintained by the source. If a directory server is selected to manage user accounts, then user accounts must be managed through the directory server, not through Agile.

New users must be added to the directory server, and specific user attributes such as user ID, password, email, phone, and so on must be managed through the directory server. Only if the Agile database is used can all user information be managed through the Agile Java Client. There is one exception to this rule: all supplier users must be managed through Agile, regardless of whether directory server integration is chosen.

5.2.1 Implementation Details

Three implementations of this interface are provided in Agile PLM 9.3.6. These implementations are depicted as Adaptors in Figure 5-1. An adaptor provides an implementation of the interface that is specific to a particular external service, typically a directory server. For example, the ADS Adaptor provides an implementation specifically designed to work with Microsoft Active Directory Server. The Directory Server Integration Module enables you to move the management of user accounts and the authentication of users out of Agile and into the directory server of your choice.

Directory servers vary greatly in terms of the features they offer and the information they provide. Therefore, the Agile Directory Server Integration Module makes minimal assumptions about the services offered by the directory servers and complies with industry standards. At a minimum, the directory server must follow the LDAP standards and support the attributes mandated by the InetOrgPerson schema from the LDAP standard. The following table shows these attributes, as reflected in the Agile User Profile:

LDAP Attribute             Agile Database Column    Example
-------------------------  -----------------------  ----------------------------
sn                         AGILEUSER.LAST_NAME      Smith
givenName                  AGILEUSER.FIRST_NAME     Joe
title                      AGILEUSER.TITLE          Manager, Product Development
uid                        AGILEUSER.LOGINID        Jsmith
mail                       AGILEUSER.EMAIL          jsmith@company.com
telephoneNumber            AGILEUSER.WORK_PHONE     +1 408 555 1862
facsimileTelephoneNumber   AGILEUSER.FAX            +1 408 555 1992
mobile                     AGILEUSER.MOBILE         +1 408 555 1941

The Agile PLM 9.3.6 database still contains the full list of users and other vital user information needed by the application. However, if a directory server is used, the previously listed attributes, and the password, are managed by the source only and displayed in Agile as read-only attributes.

You can configure the Directory Server Integration Module at install time or later. Configuration settings are found in the Agile Java Client. The following section discusses each configuration option and how it affects the system.

5.2.2 Configuration

The Directory Server Integration Module is intended to be flexible, yet simple to use. The module provides the following configuration parameters to control system behavior.

5.2.2.1 Directory Service Connection Parameters

Connection parameters include the hostname, port, protocol, account name and filter. The account name is used to connect to the directory server during synchronization; therefore, it must have the appropriate privileges. The filter is used to select only a subset of the users defined in the directory server as Agile users.

5.2.2.2 Multiple Directory Server Support

It is possible to define multiple sets of connection parameters to configure integration with multiple directory servers. This may be useful if you have users in multiple domains that need access to Agile, or if you have backup directory servers to provide failover support. It may be necessary to configure a separate directory server to manage Agile users who are not employees. If a backup or secondary directory server is configured, the authentication module tries the backup server if access to the primary server fails.

5.2.2.3 Schedule Synchronization

The time interval to synchronize users with Agile is set in the Task Configuration node on the Admin tab of the Agile Java Client. During synchronization, any newly created users are added to Agile and any modified user attributes are synchronized. All newly created users are disabled in the Agile database until they are enabled through the Agile Java Client.
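The following is an added example, not code from the Agile PLM product, that simulates the synchronization rules described in this section and in the attribute mapping table above (create new users disabled, refresh the source-managed attributes of existing users, and, as the FAQ later states, never delete or disable users that have disappeared from the directory). It assumes the adaptor matches directory entries to AGILEUSER rows on a stable key, taken here to be entryUUID; the guide does not say which key is actually used, and the sample entries and filter are constructed.

```python
# LDAP attribute -> AGILEUSER column, as in the mapping table above.
ATTRIBUTE_MAP = {
    "sn": "LAST_NAME", "givenName": "FIRST_NAME", "title": "TITLE",
    "uid": "LOGINID", "mail": "EMAIL", "telephoneNumber": "WORK_PHONE",
    "facsimileTelephoneNumber": "FAX", "mobile": "MOBILE",
}

def synchronize(agile_users, ldap_entries, user_filter):
    """Create/update AGILEUSER rows, a dict keyed by entryUUID (assumed; the
    guide does not say which stable key the adaptor matches on). Filtered-out
    entries are skipped; new users start ENABLED=False; existing users get the
    source-managed columns refreshed (a changed uid is how a login ID change
    reaches Agile); users missing from the directory are never deleted/disabled."""
    created, updated = [], []
    for entry in ldap_entries:
        if not user_filter(entry):
            continue
        columns = {col: entry.get(attr) for attr, col in ATTRIBUTE_MAP.items()}
        key = entry["entryUUID"]
        row = agile_users.get(key)
        if row is None:
            agile_users[key] = dict(columns, ENABLED=False)
            created.append(key)
        elif any(row.get(col) != val for col, val in columns.items()):
            row.update(columns)  # ENABLED flag is left as it was
            updated.append(key)
    return created, updated

# Constructed sample: jsmith exists in Agile with an old title, ajones is new,
# svc-backup is outside the filter, and bgone is no longer in the directory.
LDAP_ENTRIES = [
    {"entryUUID": "u1", "uid": "jsmith", "sn": "Smith", "givenName": "Joe",
     "title": "Manager, Product Development", "mail": "jsmith@company.com",
     "telephoneNumber": "+1 408 555 1862", "ou": "Engineering"},
    {"entryUUID": "u2", "uid": "ajones", "sn": "Jones", "givenName": "Ann",
     "mail": "ajones@company.com", "ou": "Engineering"},
    {"entryUUID": "u3", "uid": "svc-backup", "sn": "Backup", "ou": "Services"},
]

def run_sync():
    """One scheduled run against a constructed AGILEUSER table."""
    agile = {
        "u1": {"LAST_NAME": "Smith", "FIRST_NAME": "Joe", "TITLE": "Engineer",
               "LOGINID": "jsmith", "EMAIL": "jsmith@company.com",
               "WORK_PHONE": "+1 408 555 1862", "ENABLED": True},
        "u9": {"LOGINID": "bgone", "ENABLED": True},
    }
    created, updated = synchronize(agile, LDAP_ENTRIES,
                                   lambda e: e.get("ou") == "Engineering")
    return agile, created, updated
```

After the run, ajones exists but is disabled until an administrator enables the account in the Java Client, jsmith's title is refreshed while the enabled flag is untouched, and bgone remains in the table even though the directory no longer knows the user.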

5.2.2.4 On-Demand Synchronization

In addition to scheduling synchronization, it is possible to synchronize user account information on demand through the Agile Java Client.

5.3 Utilities

The upgrade script, migrateUsersToDB, is a command line script used to migrate all users from a directory server to the Agile database. The script applies the same rules that are applied when synchronizing. User records that are not matched remain active in the database. They are not deleted or disabled, but those accounts cannot be used for authentication.

You can configure one directory server during the Agile installation. You can configure additional directory servers manually after installation. Agile provides two scripts to enable configuration after installation:

  • encryptpwd - Ldapconfig.xml needs an encrypted password for the directory server administrator user. This script generates it based on the existing administrator password.

  • checkLDAPConfig - Use for checking LDAP configurations. All errors should be fixed, if encountered.

5.4 Frequently Asked Questions (FAQ)

The following is a list of frequently asked questions and their corresponding answers.

5.4.1 What happens when I delete a user from Agile?

The user is not automatically deleted from the directory server. However, the user is no longer able to log in to Agile. Within Agile, the user appears on the Deleted Users page and can be undeleted from there.

5.4.2 What happens when I delete a user from the directory server?

The user is not automatically deleted from Agile. However, the user is no longer able to log in to Agile. When synchronizing user profiles, currently only updates and creates are considered.

5.4.3 Does the Agile server allow login ID (user ID) changes?

Agile allows login ID changes only for integrations with directory servers. You must change the user ID in the directory server and synchronize the user within the Agile server.


Note:

A supplier user's user ID cannot be modified, because supplier users are managed only in Agile.

5.4.4 My directory server provides a feature called "Activate/Inactivate". How does this relate to "Enable/Disable" within Agile?

This does not, in any way, affect the enable/disable functionality within Agile. If a user has been "Inactivated" in the directory server or disabled in Agile, they cannot log in to the Agile system.

5.4.5 I want to create a user in the directory server and log in to Agile immediately. How can I do this?

This can be done through on-demand synchronization. On-demand synchronization immediately synchronizes with the directory server. Newly created users are disabled by default. You must assign proper roles and privileges, then enable the user before they can log in.

5.4.6 Can I still create a user from within Agile? How does it reflect in the directory server?

If you choose to integrate with a directory server, only supplier users can be created in the Agile database. All other users must be managed through the directory server.