Configuring LDAP > Switching from OpenLDAP to Another LDAP Service
  
Version 10.3.00P13
Switching from OpenLDAP to Another LDAP Service
By default, APTARE IT Analytics uses OpenLDAP to manage user login authentication. If your company uses a different LDAP service, such as Active Directory, you have the option to configure APTARE IT Analytics to use that solution, though if you’re not intimately familiar with Active Directory, you’ll find that you’ll save lots of time if you use OpenLDAP. See also, About User Authentication and User Administration Using an External Authentication Service.
Note: Only a single LDAP search base is supported.
To use your enterprise LDAP
1. Update the default Administrator login.
The Portal Installation Wizard created a user account in the form admin@yourdomain.com in the Reporting Database. You must update this user record in the Reporting Database to match an existing user account in your Enterprise Authentication directory. Otherwise, you will not be able to log in to the Portal.
2. Determine and record the login attribute and login attribute value of your Enterprise LDAP directory, which is used for authentication to your company’s other enterprise systems.
This attribute might be employee ID or user name. In Step 8 you will update the loginAttribute in the Portal LDAP configuration with this value.
3. Do one of the following:
In a Linux environment, log in to the Oracle database server as user aptare. If you already are logged in as root, use: su - aptare
In a Windows environment, log in to the Oracle database server as a user who is a member of the ORA_DBA group.
4. Identify your system’s admin account user_id and corresponding ldap_id using:
select ldap_id, user_id from ptl_user where user_id=100000
5. On the Oracle database server, update the existing record where, for example, the login attribute is user_name and the actual value is Admin.
sqlplus portal/portal password
UPDATE ptl_user SET ldap_id = 'Admin'
WHERE user_id = 100000;
commit;
This is the user name that you would use to log in to the external directory. Do not use the name, aptare. The user account, aptare (user_id=100), is an internal bootstrap user required to maintain referential integrity among database tables and therefore the name should not be changed or used for external LDAP integration.
Note: user_id = 100000 is always the default user_id for the super user account.
6. Back up the /opt/aptare/portalconf/portal.properties file, which contains the Portal’s OpenLDAP configuration settings. You need to change these settings in Step 8.
7. If you require SSL support, run the following command to generate the keystore file:
/usr/java/bin/keytool -import -file certificate_file -alias alias_name -keystore keystore_file
Note that for Windows Portals, the keytool executable is located in: C:\opt\jre\bin
certificate_file is the path and file name for the X.500 CA certificate.
alias_name explicitly assign an alias to the certificate (choose a unique name) to ensure that there are no conflicts with existing aliases. This is an essential parameter when importing multiple certificates.
keystore_file is the target path and filename for the keystore file being generated.
Example of Keystore Generation
/usr/java/bin/keytool -import -file HQLDAP.crt -alias HQCertAlias -keystore /opt/aptare/portalconf/portal.keystore
8. On the Portal Server, change the following configuration settings in the /opt/aptare/portalconf/portal.properties file.
By default the /opt/aptare/portalconf/portal.properties file, contains the following entries:
#LDAP
ldap.external=false
ldap.context=com.sun.jndi.ldap.LdapCtxFactory
ldap.searchBase=dc=localhost
ldap.url=ldap://localhost:389
ldap.dn=cn=Manager, dc=localhost
ldap.password=
ldap.password.encrypted=t2Hrjn38M+ubi5tklqTd3Q==
ldap.loginAttribute=uid
ldap.keystore=c:\\opt\\aptare\\portalconf\\portal.keystore
Note: If you set ldap.external to true, either comment out the ldap.keystore parameter or set it to a valid keystore.
 
Table 1 Definitions of Portal LDAP Configuration Settings
ldap_url
Set to the host and port of your external authentication service. Note that this url value has a prefix of: ldap: If using SSL, change the prefix to ldaps
If you are using Active Directory for your external LDAP configuration, you may want to use the global catalog port of 3268 instead of port 389. If using SSL, you may to use the secure global catalog port of 3269 or 636 for standard ldaps. For information on the global catalog, see http://technet.microsoft.com/en-us/library/cc978012.aspx.
ldap.dn
ldap.password
ldap.password.encrypted
Set to the id and password of a user who has permission to search the SEARCHBASE. This user must be able to search all LDAP directory servers.
APTARE IT Analytics requires a user that has privileges to search under the Base DN (Distinguished Name) within the Active Directory structure. This needs to be an account that has administrative privileges, typically Administrator. It can be the Administrator account that was created when Active Directory was installed or it can be an account that was created and either was given administrative privileges, or was placed into a group with administrative privileges.
If you use Active Directory, specify this setting because Active Directory services do not allow anonymous binds. Microsoft Active Directory requires the username and password of a user that has sufficient privileges to search the LDAP directory.
ldap.searchBase
Location from which the search will be performed to locate users in the authentication directory.
Often referred to as the Active Directory (AD) Search Base, this is the starting point in the Active Directory tree for searching for LDAP users. This search base, in LDAP distinguished name format, contains a fully qualified domain name. APTARE IT Analytics supports only one Search Base.
The distinguished name is derived from a company’s DNS domain. This naming structure has the following format:
cn specifies the Common Name or Relative Distinguished Name. This is the User’s given name plus surname, for example, a User would be specified as: cn=Ellen Doe
dc specifies the Domain Controller or Domain Component
So, for example, aptare.com would have the following DN format:
dc=aptare, dc=com
Note that a Common Name (cn) is not required for the Base DN.
ldap.external
Set to TRUE because you want to use an external Enterprise LDAP, not OpenLDAP.
If you set ldap.external to true, either comment out the ldap.keystore parameter or set it to a valid keystore.
ldap.loginAttribute
The login attribute used for login authentication. This is the column in Active Directory that specifies the user name. The default value, uid, seldom needs to be customized.
ldap.keystore
Keystore file location, if the external authentication service uses SSL. The APTARE-provided default seldom needs to be customized.
9. Do one of the following to restart the APTARE Portal Tomcat service:
In a Linux environment, run the following command:
# /opt/aptare/bin/tomcat-portal restart
In a Windows environment, using the Windows Services Console, locate and restart the APTARE Portal Tomcat service.
10. Log in to Portal using the Admin user account that you set up in Step 1, then add new user accounts to the Portal.