Switching from OpenLDAP to Another LDAP Service
By default, APTARE StorageConsole uses OpenLDAP to manage user login authentication. If your company uses a different LDAP service, such as Active Directory, you have the option to configure APTARE StorageConsole to use that solution, though if you’re not intimately familiar with Active Directory, you’ll find that you’ll save lots of time if you use OpenLDAP.
Note: Only a single LDAP search base is supported.
To use your enterprise LDAP
1. Update the default Administrator login.
The Portal Installation Wizard created a user account in the form admin@yourdomain.com in the Reporting Database. You must update this user record in the Reporting Database to match an existing user account in your Enterprise Authentication directory. Otherwise, you will not be able to log in to the Portal.
2. Determine and record the login attribute and login attribute value of your Enterprise LDAP directory, which is used for authentication to your company’s other enterprise systems.
This attribute might be employee ID or user name. In
Step 4 you will update the
LOGIN_ATTRIBUTE Portal LDAP configuration setting with this value.
3. Do one of the following:
• In a Linux environment, log on to the Oracle database server as user aptare. If you already are logged in as root, use: su - aptare
• In a Windows environment, log on to the Oracle database server as a user who is a member of the ORA_DBA group.
4. On the Oracle database server, update the existing record where, for example, the login attribute is user_name and the actual value is 0888.
This is the user_name that you would use to log in to the external directory. Do not use the name APTARE.
sqlplus portal/portal password UPDATE ptl_user SET ldap_id = '0888' WHERE user_id = 100000; commit; |
Note: user_id = 100000 is always the default domain.
5. Back up the
/opt/aptare/portalconf/portal.properties file, which contains the Portal’s OpenLDAP configuration settings. You need to change these settings in
Step 6.
By default the /opt/aptare/portalconf/portal.properties file, contains the following entries:
#LDAP
ldap.external=false
ldap.context=com.sun.jndi.ldap.LdapCtxFactory
ldap.searchBase=dc=localhost
ldap.url=ldap://localhost:389
ldap.dn=cn=Manager, dc=localhost
ldap.password=
ldap.password.encrypted=t2Hrjn38M+ubi5tklqTd3Q==
ldap.loginAttribute=uid
ldap.keystore=c:\\opt\\aptare\\portalconf\\portal.keystore
SSL Support
If you require SSL support, run the following command to generate the keystore file:
/usr/java/bin/keytool -import -file certificate_file -keystore keystore_file |
Where certificate_file is the path filename for the X.500 CA certificate and where keystore_file is the target path and filename for the keystore file being generated.
6. On the Portal Server, change the following configuration settings in the /opt/aptare/portalconf/portal.properties file:
Table 12.1 Definitions of Portal LDAP Configuration Settings
ldap_url | • Set to the host and port of your external authentication service. Note that this url value has a prefix of: ldap: • If you are using Active Directory for your external LDAP configuration, you may want to use the global catalog port of 3268 instead of port 389. For information on the global catalog, see http://technet.microsoft.com/en-us/library/cc978012.aspx. |
ldap.dn ldap.password ldap.password.encrypted | Set to the id and password of a user who has permission to search the SEARCHBASE. This user must be able to search all LDAP directory servers. APTARE StorageConsole requires a user that has privileges to search under the Base DN (Distinguished Name) within the Active Directory structure. This needs to be an account that has administrative privileges, typically Administrator. It can be the Administrator account that was created when Active Directory was installed or it can be an account that was created and either was given administrative privileges, or was placed into a group with administrative privileges. If you use Active Directory, specify this setting because Active Directory services do not allow anonymous binds. Microsoft Active Directory requires the username and password of a user that has sufficient privileges to search the LDAP directory. |
ldap.searchBase | Location from which the search will be performed to locate users in the authentication directory. Often referred to as the Active Directory (AD) Search Base, this is the starting point in the Active Directory tree for searching for LDAP users. This search base, in LDAP distinguished name format, contains a fully qualified domain name. APTARE StorageConsole supports only one Search Base. The distinguished name is derived from a company’s DNS domain. This naming structure has the following format: cn specifies the Common Name or Relative Distinguished Name. This is the User’s given name plus surname, for example, a User would be specified as: cn=Ellen Doe dc specifies the Domain Controller or Domain Component So, for example, aptare.com would have the following DN format: dc=aptare, dc=com Note that a Common Name (cn) is not required for the Base DN. |
ldap.external | Set to TRUE because you want to use an external Enterprise LDAP, not OpenLDAP. |
ldap.loginAttribute | The login attribute used for login authentication. This is the column in Active Directory that specifies the user name. The default value, uid, seldom needs to be customized. |
ldap.keystore | Keystore file location, if the external authentication service uses SSL. The APTARE-provided default seldom needs to be customized. |
7. Do one of the following to restart the APTARE Portal Tomcat service:
• In a Linux environment, run the following command:
# /opt/aptare/bin/tomcat-portal restart |
• In a Windows environment, using the Windows Services Console, locate and restart the APTARE Portal Tomcat service.
8. Log in to Portal using the Admin user account that you set up in
Step 1, then add new user accounts to the Portal.