Creating an LDAP Configuration
You can create one or more LDAP configurations to enable user accounts and user groups that you import from LDAP directory services to authenticate with an Informatica domain.
You create and manage LDAP users and groups in the LDAP directory service. You set up a connection to the LDAP directory server and use search filters to specify the users and groups that you want to have access to the Informatica domain. You then import the user accounts into an LDAP security domain. If the LDAP server uses the SSL protocol, you must also specify the location of the SSL certificate.
After you import users into an LDAP security domain, you can assign roles, privileges, and permissions to the users. You can assign LDAP user accounts to native groups to organize the accounts based on their roles in the Informatica domain.
You cannot use the Administrator tool to create, edit, or delete users and groups in an LDAP security domain. You must make changes to LDAP users and groups in the LDAP directory service, and then synchronize the LDAP security domain with the LDAP directory service.
Use the LDAP Configuration dialog box to set up the connection to the LDAP directory service and create the LDAP security domain into which to import user accounts. You can also use the LDAP Configuration dialog box to set up a synchronization schedule.
To create an LDAP configuration, perform the following steps:
1. Configure the connection to the LDAP server that contains the directory service from which you want to import user accounts and groups.
2. Create an LDAP security domain for each set of user accounts and groups you want to import from the LDAP directory service.
3. Set up a schedule for the Service Manager to update the LDAP security domains with new or changed users and groups in the LDAP directory service.
Create the LDAP Configuration and Configure the LDAP Server Connection
Create the LDAP configuration and configure the connection to the LDAP server that contains the directory service from which you want to import the user accounts.
When you configure the connection to the LDAP server, indicate that the Service Manager must ignore the case sensitivity of the distinguished name attributes of the LDAP user accounts when it assigns users to groups in the Informatica domain. If the Service Manager does not ignore case sensitivity, the Service Manager might not assign all the users that belong to a group.
If the LDAP server uses SSL, you must import the certificate used by each domain node into the cacerts truststore file on a gateway node in the domain. You then copy the cacerts file that contains the imported certificates to the same directory on every node in the domain. For more information, see Using a Self-Signed SSL Certificate.
To set up a connection to the LDAP directory service, perform the following tasks:
1. In the Administrator tool, click the Security tab.
2. Click the LDAP Configuration tab.
3. Click the Actions menu, and then select Create LDAP Configuration.
4. In the Create LDAP Configuration dialog box, click the LDAP Connectivity tab.
5. Configure the connection properties for the LDAP server.
You might need to consult the LDAP administrator to get the information needed to connect to the LDAP server.
The following table describes the LDAP server configuration properties:
| Property | Description |
|---|---|
| LDAP Configuration Name | Name of the LDAP configuration. |
| Server Name | Host name or IP address of the machine hosting the LDAP directory service. |
| Port | Listening port for the LDAP server. This is the port number to communicate with the LDAP directory service. Typically, the LDAP server port number is 389. If the LDAP server uses SSL, the LDAP server port number is 636. The maximum port number is 65535. |
| LDAP Directory Service | Type of LDAP directory service. Note: If you use Kerberos authentication, you must select Microsoft Active Directory Service. |
| Name | Distinguished name (DN) for the principal user. The user name often consists of a common name (CN), an organization (O), and a country (C). The principal user name is an administrative user with access to the directory. Specify a user that has permission to read other user entries in the LDAP directory service. To connect to Azure Active Directory, specify the User Principal Name (UPN) for the principal user. |
| Password | Password for the principal user. Leave blank for anonymous log in. |
| Use SSL Certificate | Indicates that the LDAP server uses the Secure Socket Layer (SSL) protocol. |
| Trust LDAP Certificate | Determines whether the Service Manager can trust the SSL certificate of the LDAP server. If selected, the Service Manager connects to the LDAP server without verifying the SSL certificate. If not selected, the Service Manager verifies that the SSL certificate is signed by a certificate authority before connecting to the LDAP server. |
| Not Case Sensitive | Indicates that the Service Manager must ignore case sensitivity for distinguished name attributes when assigning users to groups. |
| Group Membership Attribute | Name of the attribute that contains group membership information for a user. This is the attribute in the LDAP group object that contains the DNs of the users or groups who are members of a group. For example, member or memberof. |
| Maximum Size | Maximum number of user accounts to import into a security domain. For example, if the value is set to 100, you can import a maximum of 100 user accounts into the security domain. If the number of users to be imported exceeds the value for this property, the Service Manager generates an error message and does not import any user. Set this property to a higher value if you have many users to import. Default is 1000. |
6. Click Test Connection to verify that the connection to the LDAP server is valid.
7. Click OK to save the LDAP configuration.
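The Test Connection step above is a TLS handshake to the LDAP server's SSL port followed by a simple bind as the principal user. The following standard-library Python script is an added example, not Informatica code, that performs the same check and makes visible what the Trust LDAP Certificate option gives up: with that option the server certificate is never verified, so any host that can intercept the connection can impersonate the LDAP server and collect the principal user's password. The host name, DN and password are hypothetical; because Python's ssl module cannot read the Java cacerts truststore, the trusted CA (or self-signed server) certificate is assumed to be available as a PEM file.

```python
"""Constructed example (not Informatica code): exercise an LDAPS connection the
way the Test Connection button does, and show what the Trust LDAP Certificate
option gives up. Only the Python standard library is used."""
import socket
import ssl


def make_tls_context(cafile=None, trust_ldap_certificate=False):
    """Build the TLS context used to reach the LDAP server on its SSL port (636).

    cafile: PEM file holding the CA (or self-signed server) certificate; a PEM
    export is assumed because Python cannot read the Java cacerts truststore.
    trust_ldap_certificate=True mirrors the Trust LDAP Certificate option: the
    server certificate is not verified at all. Leave it False in production and
    install the certificate in the truststore instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if trust_ldap_certificate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_server(ctx):
    """True when the context will reject an unknown or mismatched certificate."""
    return ctx.verify_mode != ssl.CERT_NONE and ctx.check_hostname


# --- minimal BER encoding for an LDAPv3 simple bind (RFC 4511) ---

def ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(value):
    # Non-negative INTEGER; the extra byte keeps the sign bit clear when needed.
    body = value.to_bytes((value.bit_length() + 8) // 8 or 1, "big")
    return ber(0x02, body)


def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple } }."""
    op = ber(0x60, ber_int(3) + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(message_id) + op)


def ber_read(buf):
    """Decode one TLV and return (tag, payload, remainder)."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length, offset = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[offset:offset + length], buf[offset + length:]


def bind_result_code(response):
    """Pull resultCode out of a BindResponse [APPLICATION 1]; 0 is success,
    49 is invalidCredentials."""
    _, message, _ = ber_read(response)        # LDAPMessage SEQUENCE
    _, _, rest = ber_read(message)            # messageID INTEGER
    tag, op, _ = ber_read(rest)               # BindResponse
    if tag != 0x61:
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, code, _ = ber_read(op)                 # resultCode ENUMERATED
    return int.from_bytes(code, "big")


def check_connection(host, port, bind_dn, password, ctx, timeout=5):
    """Open an LDAPS session, bind as the principal user, return the resultCode.
    Raises ssl.SSLCertVerificationError when the certificate is not trusted."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return bind_result_code(tls.recv(4096))


if __name__ == "__main__":
    # Hypothetical values; substitute the LDAP configuration properties.
    ctx = make_tls_context(cafile="ldap-ca.pem")
    print(check_connection("ldap.example.com", 636,
                           "cn=infa-svc,ou=services,dc=example,dc=com", "password", ctx))
```

A result code of 0 corresponds to a successful Test Connection; 49 means the principal user's DN or password is wrong. A verification error from the strict context is the signal that the certificate belongs in the cacerts truststore, not that Trust LDAP Certificate should be selected.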
Configure the Security Domain
Create an LDAP security domain for each set of user accounts and groups you want to import from the LDAP directory service. Set up search bases and filters to define the set of user accounts and groups to include in a security domain.
The names of users and groups to be imported from the LDAP directory service must conform to the same rules as the names of native users and groups. The Service Manager does not import LDAP users or groups if names do not conform to the rules of native user and group names. Note that unlike native user names, LDAP user names can be case sensitive.
The Service Manager uses the user search bases and filters to import user accounts and the group search bases and filters to import groups. The Service Manager uses the filters to import groups and the list of users that belong to each group.
If you modify the LDAP connection properties to connect to a different LDAP server, the Service Manager does not delete the existing security domains. You must ensure that the LDAP security domains are correct for the new LDAP server. Modify the user and group filters in the security domains or create additional security domains so that the Service Manager correctly imports the users and groups that you want to use in the Informatica domain.
To configure an LDAP security domain, perform the following steps:
1. In the Administrator tool, click the Security tab.
2. Click the Actions menu, and then select LDAP Configuration.
3. In the LDAP Configuration dialog box, click the Security Domains tab.
4. Click Add.
The following table describes the filter properties that you can set for a security domain:
| Property | Description |
|---|---|
| Security Domain | Name of the LDAP security domain. The name is not case sensitive and must be unique within the domain. The string cannot exceed 128 characters or contain the following special characters: , + / < > @ ; \ % ? The name can contain an ASCII space character except for the first and last character. All other space characters are not allowed. |
| User search base | Distinguished name (DN) of the entry that serves as the starting point to search for user names in the LDAP directory service. The search finds an object in the directory according to the path in the distinguished name of the object. For example, in Microsoft Active Directory, the distinguished name of a user object might be cn=UserName,ou=OrganizationalUnit,dc=DomainName, where the series of relative distinguished names denoted by dc=DomainName identifies the DNS domain of the object. |
| User filter | An LDAP query string that specifies the criteria for searching for users in the directory service. The filter can specify attribute types, assertion values, and matching criteria. For example: (objectclass=*) searches all objects. (&(objectClass=user)(!(cn=susan))) searches all user objects except “susan”. For more information about search filters, see the documentation for the LDAP directory service. |
| Group search base | Distinguished name (DN) of the entry that serves as the starting point to search for group names in the LDAP directory service. |
| Group filter | An LDAP query string that specifies the criteria for searching for groups in the directory service. |
5. Click Preview to view a subset of the list of users and groups that fall within the filter parameters.
If the preview does not display the correct set of users and groups, modify the user and group filters and search bases to get the correct users and groups.
6. To immediately synchronize the users and groups in the security domains with the users and groups in the LDAP directory service, click Synchronize Now.
The Service Manager synchronizes the users in all the LDAP security domains with the users in the LDAP directory service. The time it takes for the synchronization process to complete depends on the number of users and groups to be imported.
7. Click OK to save the security domain.
Configure the Synchronization Schedule
You can set up a daily schedule for the Service Manager to update the LDAP security domains with new or changed users and groups in the LDAP directory service.
When the Service Manager synchronizes the LDAP security domains with the LDAP directory service, it imports all users that match the user filter settings from the LDAP directory service into the security domain. The Service Manager then imports all groups that match the group filter settings, and associates users with their corresponding groups. The Service Manager also deletes any user or group not found in the LDAP directory service from the security domain.
By default, no synchronization time is scheduled for the Service Manager. To ensure that the list of users and groups in the LDAP security domains is accurate, schedule when the Service Manager synchronizes the LDAP security domains with the LDAP directory service. The Service Manager synchronizes the LDAP security domains with the LDAP directory service every day at the times you set.
To ensure that synchronization succeeds, consider the following recommendations before you set up the synchronization schedule:
- Verify that the /etc/hosts file contains an entry for the LDAP server.
  Verify that the /etc/hosts file on each gateway node in the domain contains an entry with the host name and IP address of the LDAP server. If the Service Manager cannot resolve the host name for the LDAP server, synchronization can fail.
- Enable paging in LDAP if you are synchronizing more than 100 users or groups.
  Enable paging on the LDAP directory service before you synchronize more than 100 users or groups. If you do not enable paging on the LDAP directory service, synchronization can fail.
- Synchronize security domains during times when most users are not logged in to Informatica applications.
  During synchronization, the Service Manager locks each user account it synchronizes. Users might not be able to log in to the Informatica application clients during synchronization. Users logged in to an application client when synchronization starts might not be able to perform certain tasks.
To set up a schedule that synchronizes LDAP security domains with the LDAP directory service, perform the following steps:
1. In the Administrator tool, click the Security tab.
2. Click the Actions menu and select LDAP Configuration.
3. In the LDAP Configuration dialog box, click the Schedule tab.
4. Click the Add button (+) to add a time.
The synchronization schedule uses a 24-hour time format.
5. To immediately synchronize the users and groups in the LDAP security domains with the users and groups in the LDAP directory service, click Synchronize Now.
6. Click OK to save the synchronization schedule.
Note: Wait until the Service Manager synchronizes with the LDAP directory service before restarting the Informatica domain to avoid losing the synchronization times that you set in the schedule.
Using Nested Groups in the LDAP Directory Service
An LDAP security domain can contain nested LDAP groups. The Service Manager can import nested groups that are created in the following manner:
- Create the groups under the same organizational unit (OU).
- Set the relationship between the groups.
For example, you want to create a nested grouping where GroupB is a member of GroupA and GroupD is a member of GroupC.
1. Create GroupA, GroupB, GroupC, and GroupD within the same OU.
2. Edit GroupA, and add GroupB as a member.
3. Edit GroupC, and add GroupD as a member.
The Service Manager cannot import nested LDAP groups that are created in a different way into an LDAP security domain.
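The security domain section above describes how the user and group search bases and filters select entries, how the Group Membership Attribute links users to groups, how Maximum Size aborts an import, and why the Not Case Sensitive option matters; the synchronization section describes the import order (users, then groups, then membership); and this section describes nested groups. The following Python script is an added example, not Informatica code, that models those rules over a small constructed set of directory entries. It implements the RFC 4515 filter subset the tables use (equality, presence, wildcard, `&`, `|`, `!`), handles only the group-side `member` form of the membership attribute (not `memberof` on the user), and treats nested membership as transitive, which is an assumption the page does not state. The user filter is the one given in the security domain table; every DN and the DOMAIN settings are hypothetical.

```python
"""Constructed example (not Informatica code): model how a security domain's
search bases, filters, group membership attribute, Maximum Size and
Not Case Sensitive settings select users and groups from directory entries."""
import re

# Constructed directory entries: DN -> attributes. GroupA holds a nested group
# and the same user as cn=alice, written in a different case.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": {"objectclass": ["user"], "cn": ["alice"]},
    "cn=bob,ou=users,dc=example,dc=com": {"objectclass": ["user"], "cn": ["bob"]},
    "cn=susan,ou=users,dc=example,dc=com": {"objectclass": ["user"], "cn": ["susan"]},
    "cn=svc-backup,ou=services,dc=example,dc=com": {"objectclass": ["user"], "cn": ["svc-backup"]},
    "cn=groupa,ou=groups,dc=example,dc=com": {
        "objectclass": ["group"], "cn": ["GroupA"],
        "member": ["cn=groupb,ou=groups,dc=example,dc=com",
                   "CN=Alice,OU=Users,DC=example,DC=com"]},
    "cn=groupb,ou=groups,dc=example,dc=com": {
        "objectclass": ["group"], "cn": ["GroupB"],
        "member": ["cn=susan,ou=users,dc=example,dc=com",
                   "cn=bob,ou=users,dc=example,dc=com"]},
}

# Hypothetical security domain; the user filter is the one from the table.
DOMAIN = {
    "user_search_base": "ou=users,dc=example,dc=com",
    "user_filter": "(&(objectClass=user)(!(cn=susan)))",
    "group_search_base": "ou=groups,dc=example,dc=com",
    "group_filter": "(objectClass=group)",
    "group_membership_attribute": "member",
    "max_size": 1000,
    "not_case_sensitive": True,
}


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (attr=value), (attr=*), &, |, !."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing text after filter: {rest!r}")
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    body = s[1:]
    if body[0] in "&|":
        op, body, items = body[0], body[1:], []
        while body.startswith("("):
            node, body = _parse(body)
            items.append(node)
        return (op, items), _close(body)
    if body[0] == "!":
        node, body = _parse(body[1:])
        return ("!", node), _close(body)
    end = body.index(")")
    attr, _, value = body[:end].partition("=")
    return ("=", attr.lower(), value), body[end + 1:]


def _close(body):
    if not body.startswith(")"):
        raise ValueError("missing ')'")
    return body[1:]


def matches(node, attrs):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, attrs) for n in node[1])
    if kind == "|":
        return any(matches(n, attrs) for n in node[1])
    if kind == "!":
        return not matches(node[1], attrs)
    _, attr, value = node
    pattern = ".*".join(re.escape(part) for part in value.split("*"))  # "*" -> presence
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in attrs.get(attr, []))


def search(base, filter_text):
    """DNs at or below the search base (subtree scope) that match the filter."""
    node, base = parse_filter(filter_text), base.lower()
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base))
                  and matches(node, attrs))


def synchronize(domain):
    """Import users, then groups, then link members; members that were not
    imported (filtered out, outside the search base, or a case mismatch when
    Not Case Sensitive is off) are silently dropped from the group."""
    users = search(domain["user_search_base"], domain["user_filter"])
    if len(users) > domain["max_size"]:
        raise RuntimeError(f"{len(users)} users match but Maximum Size is "
                           f"{domain['max_size']}; no users imported")
    groups = search(domain["group_search_base"], domain["group_filter"])
    norm = str.lower if domain["not_case_sensitive"] else (lambda dn: dn)
    user_index = {norm(dn): dn for dn in users}
    group_index = {norm(dn): dn for dn in groups}
    attr = domain["group_membership_attribute"].lower()
    imported = {}
    for g in groups:
        entry = {"users": [], "groups": []}
        for member in DIRECTORY[g].get(attr, []):
            key = norm(member)
            if key in user_index:
                entry["users"].append(user_index[key])
            elif key in group_index:
                entry["groups"].append(group_index[key])
        imported[g] = entry
    return {"users": users, "groups": imported}


def effective_users(result, group_dn, seen=frozenset()):
    """Users reachable through nested groups (assumed transitive)."""
    entry = result["groups"][group_dn]
    users = set(entry["users"])
    for nested in entry["groups"]:
        if nested not in seen:
            users |= effective_users(result, nested, seen | {group_dn})
    return users
```

Running `synchronize(DOMAIN)` imports alice and bob (susan is excluded by the filter, svc-backup lies outside the user search base) and links alice to GroupA despite the mixed-case member DN. Running it again with `not_case_sensitive` set to False drops alice from GroupA without any error, which is the silent failure the Not Case Sensitive option is there to prevent; with `max_size` set to 1 the import aborts before any user is written.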
Using a Self-Signed SSL Certificate
You can connect to an LDAP server that uses an SSL certificate signed by a certificate authority (CA). By default, the Service Manager does not connect to an LDAP server that uses a self-signed certificate.
To connect to an LDAP server that uses a self-signed SSL certificate, use the Java keytool key and certificate management utility to import the certificates used by all domain nodes into the Java cacerts truststore file on a single gateway node in the domain. You then copy the cacerts truststore file that contains the imported certificates to the other nodes in the domain.
The cacerts truststore file is in the following directory on each node:
<Informatica installation directory>\java\jre\lib\security
The keytool utility is available in the following directory on each node:
<Informatica installation directory>\java\bin
Restart the node after you import the certificate.
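The following Python script is an added example, not Informatica code, of the import on a single gateway node: it fetches the certificate the LDAP server presents on its SSL port, refuses to proceed unless the SHA-256 fingerprint matches the value the LDAP administrator supplied out of band (so that a certificate substituted on the wire is never trusted), and then runs keytool with the cacerts and keytool paths given above. The installation directory, host name and fingerprint are placeholders, and the truststore password `changeit` is the JRE default, assumed here to be unchanged in the bundled JRE.

```python
"""Constructed example (not Informatica code): fetch the certificate an LDAP
server presents on its SSL port, confirm its SHA-256 fingerprint against the
value the LDAP administrator supplied out of band, and import it into the
Informatica JRE cacerts truststore with keytool. Standard library only."""
import hashlib
import os
import ssl
import subprocess


def cacerts_path(infa_home):
    """cacerts truststore location under the Informatica installation directory."""
    return os.path.join(infa_home, "java", "jre", "lib", "security", "cacerts")


def keytool_path(infa_home):
    """keytool utility shipped with the Informatica JRE."""
    return os.path.join(infa_home, "java", "bin", "keytool")


def fetch_server_certificate(host, port=636):
    """PEM certificate presented by host:port. This call does not verify the
    certificate: it is the certificate we are about to decide whether to trust."""
    return ssl.get_server_certificate((host, port))


def certificate_fingerprint(pem):
    """Hex SHA-256 of the DER certificate, comparable with keytool -list -v output."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def keytool_import_command(infa_home, alias, cert_file, storepass="changeit"):
    """argv that imports cert_file into cacerts under alias. 'changeit' is the
    JRE default truststore password (assumption: the bundled JRE keeps it)."""
    return [keytool_path(infa_home), "-importcert", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", cert_file,
            "-keystore", cacerts_path(infa_home), "-storepass", storepass]


def import_ldap_certificate(infa_home, host, expected_fingerprint,
                            alias="ldap-server", port=636):
    """Fetch, compare with the out-of-band fingerprint, then import.
    Returns the fingerprint that was imported; raises on mismatch."""
    pem = fetch_server_certificate(host, port)
    actual = certificate_fingerprint(pem)
    if actual != expected_fingerprint.replace(":", "").lower():
        raise RuntimeError(f"fingerprint mismatch for {host}: got {actual}; not importing")
    cert_file = os.path.join(infa_home, f"{alias}.pem")
    with open(cert_file, "w") as fh:
        fh.write(pem)
    subprocess.run(keytool_import_command(infa_home, alias, cert_file), check=True)
    return actual


if __name__ == "__main__":
    # Placeholder values; the fingerprint comes from the LDAP administrator.
    print(import_ldap_certificate("/opt/Informatica", "ldap.example.com",
                                  "<sha256-fingerprint-from-ldap-admin>"))
```

After the import completes on the gateway node, the page's remaining steps still apply: copy the updated cacerts file to the same directory on the other nodes and restart each node.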