Enabling User Accounts to Use Kerberos Authentication
After you enable Kerberos authentication in the domain, import Informatica user accounts from Active Directory into the LDAP security domain that contains Kerberos user accounts. You must also migrate the groups, roles, privileges, and permissions from the native security domain to the corresponding Active Directory user accounts in the LDAP security domain that contains Kerberos user accounts.
Import User Accounts from Active Directory into LDAP Security Domains
Import user accounts from Active Directory into LDAP security domains.
When you enable Kerberos authentication in the domain, Informatica creates an empty LDAP security domain with the same name as the Kerberos realm. You can import user accounts from Active Directory into this LDAP security domain, or you can import the user accounts into a different LDAP security domain.
You use the Administrator tool to import the user accounts that use Kerberos authentication from Active Directory into an LDAP security domain.
To configure Kerberos cross realm authentication, connect to the Active Directory global catalog. When you connect to the global catalog, you import users from the Active Directory server used by each Kerberos realm.
1. Start the domain and all Informatica services.
2. Log in to Windows with the administrator account you specified when you enabled Kerberos authentication in the domain.
3. Log in to the Administrator tool. Select _infaInternalNamespace as the security domain.
4. In the Administrator tool, click the Security tab.
5. Click the Actions menu and select LDAP Configuration.
6. In the LDAP Configuration dialog box, click the LDAP Connectivity tab.
7. Configure the connection properties for the Active Directory.
You might need to consult the LDAP administrator to get the information needed to connect to the LDAP server.
The following table describes the LDAP server configuration properties:
Property | Description |
--- | --- |
Server name | Host name or IP address of the Active Directory server. To configure Kerberos cross realm authentication, connect to the Active Directory global catalog host. Specify the fully qualified hostname. For example: host.company.local |
Port | Listening port for the Active Directory server. The default is 389. The default SSL port is 636. To configure Kerberos cross realm authentication, connect to the Active Directory global catalog port. The default is 3268. The default SSL port is 3269. |
LDAP Directory Service | Select Microsoft Active Directory Service. |
Name | Specify the bind user account you created in Active Directory to synchronize accounts in Active Directory with the LDAP security domain. Because the domain is enabled for Kerberos authentication, you do not have the option to provide a password for the account. If the domain uses Kerberos cross realm authentication, include the name of the realm to which the Active Directory principal database belongs. |
Use SSL Certificate | Indicates that the LDAP server uses the Secure Socket Layer (SSL) protocol. |
Trust LDAP Certificate | Determines whether the Service Manager can trust the SSL certificate of the LDAP server. If selected, the Service Manager connects to the LDAP server without verifying the SSL certificate. If not selected, the Service Manager verifies that the SSL certificate is signed by a certificate authority before connecting to the LDAP server. |
Not Case Sensitive | Indicates that the Service Manager must ignore case sensitivity for distinguished name attributes when assigning users to groups. |
Group Membership Attribute | Name of the attribute that contains group membership information for a user. This is the attribute in the LDAP group object that contains the DNs of the users or groups who are members of a group. For example, member or memberof. |
Maximum Size | Maximum number of user accounts to import into a security domain. For example, if the value is set to 100, you can import a maximum of 100 user accounts into the security domain. If the number of users to be imported exceeds the value for this property, the Service Manager generates an error message and does not import any user. Set this property to a higher value if you have many users to import. Default is 1000. |
8. In the LDAP Configuration dialog box, click the Security Domains tab.
9. Click Add.
The following table describes the filter properties that you can set for a security domain:
Property | Description |
--- | --- |
Security Domain | Name of the LDAP security domain into which you want to import user accounts from Active Directory. |
User search base | Distinguished name (DN) of the entry that serves as the starting point to search for user names in Active Directory. The search finds an object in the directory according to the path in the distinguished name of the object. For example, to search the USERS container that contains Informatica user accounts in the example.com Windows domain, specify CN=USERS,DC=EXAMPLE,DC=COM. |
User filter | An LDAP query string that specifies the criteria for searching for users in the directory service. The filter can specify attribute types, assertion values, and matching criteria. For example: (objectclass=*) searches all objects. (&(objectClass=user)(!(cn=susan))) searches all user objects except “susan”. For more information about search filters, see the documentation for the LDAP directory service. |
Group search base | Distinguished name (DN) of the entry that serves as the starting point to search for group names in the LDAP directory service. |
Group filter | An LDAP query string that specifies the criteria for searching for groups in the directory service. |
The following image shows the information required to import LDAP users from Active Directory into the LDAP security domain created when you enabled Kerberos in the domain:
10. Click Synchronize Now.
The Service Manager synchronizes the users in all the LDAP security domains with the users in the LDAP directory service. The time it takes for the synchronization process to complete depends on the number of users and groups to be imported.
11. Click OK to save the LDAP security domain.
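The following Python script is an added example; it is not Informatica's code and not part of this documentation. It reviews a set of LDAP Connectivity properties (keyed by the labels in the table above) for the settings a practitioner would question before synchronizing, in particular SSL disabled or Trust LDAP Certificate selected, and it previews what a User filter from the Security Domains tab would select against a constructed set of directory entries, including the Maximum Size rule under which nothing is imported when the match count exceeds the limit. The `Cross realm` flag, the sample entries, and the `check_connectivity` and `preview_import` functions are assumptions made for the example; the filter evaluator supports only the AND, OR, NOT, equality and presence forms shown in the table.

```python
"""Added example (not Informatica's code): review LDAP Connectivity properties
and preview the effect of a User filter and Maximum Size before synchronizing.

Assumptions: property keys mirror the labels in the LDAP Connectivity table;
"Cross realm" is a flag added for the example; the directory is a constructed
list of dictionaries standing in for Active Directory entries."""

# Constructed sample settings: a weak configuration beside a hardened one.
WEAK_CONNECTIVITY = {
    "Server name": "gc.example.com",
    "Port": 389,
    "Use SSL Certificate": False,
    "Trust LDAP Certificate": True,
    "Cross realm": True,  # assumption: cross-realm import via the global catalog
}
HARDENED_CONNECTIVITY = {
    "Server name": "gc.example.com",
    "Port": 3269,
    "Use SSL Certificate": True,
    "Trust LDAP Certificate": False,
    "Cross realm": True,
}


def check_connectivity(props):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not props.get("Use SSL Certificate"):
        findings.append("SSL disabled: directory synchronization traffic is unencrypted")
    elif props.get("Trust LDAP Certificate"):
        findings.append("Trust LDAP Certificate set: the server certificate is not "
                        "verified, so a spoofed LDAP server would be accepted")
    if props.get("Cross realm") and props.get("Port") not in (3268, 3269):
        findings.append("cross-realm import must use the global catalog port "
                        "(3268, or 3269 with SSL)")
    return findings


def parse_filter(text, pos=0):
    """Parse a subset of RFC 4515: (&..), (|..), (!..), (attr=value), (attr=*)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    if op == "!":
        child, pos = parse_filter(text, pos + 1)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return ("!", child), pos + 1
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError(f"no '=' in filter item at {pos}")
    return ("=", attr.lower(), value), end + 1


def compile_filter(text):
    node, pos = parse_filter(text)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry (lowercase attr -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":          # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


# Constructed directory entries: three user objects and one group object.
DIRECTORY = [
    {"objectclass": ["top", "person", "user"], "cn": ["susan"]},
    {"objectclass": ["top", "person", "user"], "cn": ["alice"]},
    {"objectclass": ["top", "person", "user"], "cn": ["bob"]},
    {"objectclass": ["top", "group"], "cn": ["infa-admins"],
     "member": ["CN=alice,CN=USERS,DC=EXAMPLE,DC=COM"]},
]


def preview_import(entries, user_filter, maximum_size=1000):
    """Return the cn of every entry the filter selects, or raise if the count
    exceeds Maximum Size (the Service Manager then imports no user at all)."""
    node = compile_filter(user_filter)
    selected = [e["cn"][0] for e in entries if matches(node, e)]
    if len(selected) > maximum_size:
        raise ValueError(f"{len(selected)} entries match but Maximum Size is "
                         f"{maximum_size}; nothing would be imported")
    return selected


if __name__ == "__main__":
    print(check_connectivity(WEAK_CONNECTIVITY))
    print(preview_import(DIRECTORY, "(&(objectClass=user)(!(cn=susan)))"))
```

Running the filter `(objectclass=*)` against the constructed entries shows why the table's first example is rarely what you want: it selects the group object as well as the users, and a permissive filter is also the quickest way to exceed Maximum Size and have the whole synchronization rejected.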
Migrate Native User Privileges and Permissions to the Kerberos Security Domain
If the Informatica domain has user accounts in the native security domain, the corresponding Active Directory user accounts in the Kerberos security domain must have the same groups, roles, privileges, and permissions. Migrate the groups, roles, privileges, and permissions of the native users to the corresponding user accounts in the Kerberos LDAP security domain.
1. Review the list of native user accounts and determine the accounts that you want to migrate to the LDAP security domain for Kerberos authentication.
To list the user accounts in the Informatica domain, run the following command:
infacmd isp ListAllUsers
Each native user account that you want to migrate to the Kerberos security domain must have a corresponding account in the Active Directory service that you use for Kerberos authentication.
2. Create the user migration file.
The user migration file is a plain text file that contains the list of native users and the corresponding Kerberos users that require the same groups, roles, privileges, and permissions.
Use the following format to list entries in the user migration file:
Native/<source user name>,<LDAP security domain>/<target user name>
The following example shows a user migration file that lists users to migrate to the COMPANY.COM security domain:
Native/User1,COMPANY.COM/User1
Native/User2,COMPANY.COM/User2
Native/User3,COMPANY.COM/User3
3. Run the infacmd isp migrateUsers command to migrate account privileges and permissions in the native security domain to the accounts in the Kerberos security domain.
To migrate the groups, roles, privileges, and permissions for users, run the following command:
infacmd isp migrateUsers -dn <domain name> -un <administrator user name> -pd <administrator password> -sdn <security domain> -umf <user migration file>
The following table describes the options for the command:
Option | Description |
--- | --- |
-DomainName -dn | Name of the Informatica domain. |
-UserName -un | User name to connect to the domain. Specify the user name of the administrator account you specified in the infasetup switchToKerberosMode command. |
-Password -pd | Password for the administrator account. |
-SecurityDomain -sdn | LDAP security domain of the administrator account used to connect to the domain. Specify _infaInternalNamespace. |
-UserMigrationFile -umf | Path and file name of the user migration file. The command skips entries with a duplicate source user name or target user name. |
The following example migrates the groups, roles, privileges, and permissions for users based on the um_s.txt user migration file:
infacmd isp migrateUsers -dn InfaDomain -un nodeuser01 -pd password -sdn _infaInternalNamespace -umf C:\Infa\um_s.txt
The command overwrites the connection object permissions assigned to the LDAP user with the connection object permissions for the native user. The command merges the groups, roles, privileges, and domain object permissions for native users and corresponding LDAP users.
The migrateUsers command creates a detailed log file named infacmd_umt_<date>_<time>.txt in the directory where you run the command.
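The following Python script is an added example, not Informatica's code and not part of this documentation. It validates a user migration file in the format described in step 2 before `infacmd isp migrateUsers` is run: it reports malformed lines and the duplicate source or target entries that the command would skip, and it checks that every target account was actually imported into the LDAP security domain, so that no native user silently loses its groups, roles, privileges and permissions. The sample file, the set of imported LDAP users, and the `parse_migration_file` and `check_targets` functions are constructed for the example; the assumption that the first of two duplicate entries is the one kept should be confirmed against the command's own log file.

```python
"""Added example (not Informatica's code): validate a user migration file
before running infacmd isp migrateUsers.

Assumptions: lines follow the documented format
Native/<source user name>,<LDAP security domain>/<target user name>;
the imported LDAP users are a constructed set standing in for the accounts
synchronized into the Kerberos security domain."""

import re

LINE_RE = re.compile(r"^Native/([^,/]+),([^,/]+)/([^,/]+)$")

# Constructed sample file: User2 appears twice, User4 has no imported LDAP
# account, and User5 points at a security domain other than the intended one.
SAMPLE_FILE = """Native/User1,COMPANY.COM/User1
Native/User2,COMPANY.COM/User2
Native/User2,COMPANY.COM/User2b
Native/User4,COMPANY.COM/User4
Native/User5,OTHER.COM/User5
"""

# Constructed stand-in for the accounts imported into the LDAP security domain.
IMPORTED_LDAP_USERS = {"COMPANY.COM": {"User1", "User2", "User2b"}}


def parse_migration_file(text):
    """Return (entries, problems): entries are (source, domain, target) tuples
    that would be processed; problems are (line number, message) for lines
    that are malformed or that the command would skip as duplicates."""
    entries, problems = [], []
    seen_sources, seen_targets = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, f"malformed line: {line}"))
            continue
        source, domain, target = m.groups()
        # The command skips entries with a duplicate source or target user name;
        # assumption: the first occurrence is the one that is processed.
        if source in seen_sources or (domain, target) in seen_targets:
            problems.append((lineno, f"duplicate source or target, would be skipped: {line}"))
            continue
        seen_sources.add(source)
        seen_targets.add((domain, target))
        entries.append((source, domain, target))
    return entries, problems


def check_targets(entries, ldap_users, expected_domain=None):
    """Flag entries whose target is not among the imported LDAP users, or whose
    security domain is not the one the migration is meant for."""
    findings = []
    for source, domain, target in entries:
        if expected_domain and domain != expected_domain:
            findings.append((source, f"{domain}/{target}", "unexpected security domain"))
        elif target not in ldap_users.get(domain, set()):
            findings.append((source, f"{domain}/{target}", "target not imported"))
    return findings


if __name__ == "__main__":
    entries, problems = parse_migration_file(SAMPLE_FILE)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    for source, target, reason in check_targets(entries, IMPORTED_LDAP_USERS, "COMPANY.COM"):
        print(f"{source} -> {target}: {reason}")
```

A native user whose entry is skipped or whose target was never imported keeps its privileges only on the native account, which is exactly the state the migration is meant to eliminate, so resolving every reported line before running the command is cheaper than reconciling the `infacmd_umt_<date>_<time>.txt` log afterwards.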