
Setting Up an LDAP Security Domain

You can create an LDAP security domain for user accounts that you import from an LDAP directory service. To organize different groups of users, you can create multiple LDAP security domains.
You create and manage LDAP users and groups in the LDAP directory service. Set up a connection to the LDAP server and use search filters to specify the users and groups that can have access to the Informatica domain. Then import the user accounts into LDAP security domains. If the LDAP server uses the SSL protocol, you must also specify the location of the SSL certificate.
You can import users from the following LDAP directory services:
- Microsoft Active Directory Service
- Sun Java System Directory Service
- Novell e-Directory Service
- IBM Tivoli Directory Service
- Open LDAP Directory Service
After you import users into an LDAP security domain, you can assign roles, privileges, and permissions to the users. You can assign LDAP user accounts to native groups to organize them based on their roles in the Informatica domain. You cannot use the Administrator tool to create, edit, or delete users and groups in an LDAP security domain.
Use the LDAP Configuration dialog box to set up the connection to the LDAP directory service and create the LDAP security domain. You can also use the LDAP Configuration dialog box to set up a synchronization schedule.
To set up the LDAP security domain, perform the following steps:
  1. Set up the connection to the LDAP directory service.
  2. Configure a security domain.
  3. Schedule the synchronization times.

Step 1. Set Up the Connection to the LDAP Server

Configure the connection to the LDAP server that contains the directory service from which you want to import the user accounts for the Informatica domain.
When you configure the connection to the LDAP server, enable the Not Case Sensitive option so that the Service Manager ignores the case of the distinguished name attributes of the LDAP user accounts when it assigns users to groups in the Informatica domain. If the Service Manager compares distinguished names case-sensitively, a member DN that a group stores with different capitalization than the user entry does not match, and the Service Manager might not assign all the users that belong to a group.
If you modify the LDAP connection properties to connect to a different LDAP directory service, ensure that the user and group filters in the LDAP security domains are correct for the new LDAP directory service. Verify that the filters include the users and groups that you want to use in the Informatica domain.
To set up a connection to the LDAP directory service, perform the following tasks:
    1. In the Administrator tool, click the Security tab.
    2. Click the Actions menu and select LDAP Configuration.
    3. In the LDAP Configuration dialog box, click the LDAP Connectivity tab.
    4. Configure the connection properties for the LDAP server.
    You might need to consult the LDAP administrator to get the information about the LDAP server.
    The following table describes the LDAP server configuration properties:
    Server name
    Name of the machine hosting the LDAP directory service.
    Port
    Listening port for the LDAP server. This is the port number to communicate with the LDAP directory service. Typically, the LDAP server port number is 389. If the LDAP server uses SSL, the LDAP server port number is 636. The maximum port number is 65535.
    LDAP Directory Service
    Type of LDAP directory service. Select from the following directory services:
    - Microsoft Active Directory Service
    - Sun Java System Directory Service
    - Novell e-Directory Service
    - IBM Tivoli Directory Service
    - Open LDAP Directory Service
    Note: If you use Kerberos authentication, you must select Microsoft Active Directory Service.
    Name
    Distinguished name (DN) of the principal user, the account that the Service Manager binds with to read the directory. The DN often consists of a common name (CN), an organization (O), and a country (C). Specify a user that has permission to read the user and group entries that you want to import. The Service Manager only reads the directory, so a dedicated read-only service account is sufficient; do not bind with a directory administrator account. Leave blank for anonymous login. For more information, see the documentation for the LDAP directory service.
    Password
    Password for the principal user. Leave blank for anonymous login.
    Not available if you use Kerberos authentication.
    Use SSL Certificate
    Indicates that the LDAP server uses the Secure Socket Layer (SSL) protocol.
    Trust LDAP Certificate
    Determines whether the Service Manager can trust the SSL certificate of the LDAP server without verifying it. If selected, the Service Manager connects to the LDAP server without verifying the SSL certificate. If not selected, the Service Manager verifies that the SSL certificate is signed by a trusted certificate authority before connecting to the LDAP server.
    Leave this option cleared outside of test environments. Without certificate verification, any host that can intercept the connection can impersonate the LDAP server and capture the principal user's bind credentials. To enable the Service Manager to recognize a self-signed certificate as valid, import the certificate into a truststore and specify the truststore file and password to use.
    Not Case Sensitive
    Indicates that the Service Manager must ignore case-sensitivity for distinguished name attributes when assigning users to groups. Enable this option.
    Group Membership Attribute
    Name of the attribute that contains group membership information for a user. This is the attribute in the LDAP group object that contains the DNs of the users or groups who are members of a group. For example, member or memberof.
    Maximum Size
    Maximum number of user accounts to import into a security domain. For example, if the value is set to 100, you can import a maximum of 100 user accounts into the security domain.
    If the number of users to be imported exceeds the value for this property, the Service Manager generates an error message and does not import any users. Set this property to a higher value if you have many users to import.
    Default is 1000.
    5. Click Test Connection to verify that the connection to the LDAP server is valid.

Step 2. Configure Security Domains

Create a security domain for each set of user accounts and groups you want to import from the LDAP directory service. Set up search bases and filters to define the set of user accounts and groups to include in a security domain. The Service Manager uses the user search bases and filters to import user accounts and the group search bases and filters to import groups. The Service Manager imports groups and the list of users that belong to the groups. It imports the groups that are included in the group filter and the user accounts that are included in the user filter.
The names of users and groups to be imported from the LDAP directory service must conform to the same rules as the names of native users and groups. The Service Manager does not import LDAP users or groups if names do not conform to the rules of native user and group names.
Note: Unlike native user names, LDAP user names can be case-sensitive.
When you set up the LDAP directory service, you can use different attributes for the unique ID (UID). The Service Manager requires a particular UID to identify users in each LDAP directory service. Before you configure the security domain, verify that the LDAP directory service uses the required UID.
The following table lists the required UID for each LDAP directory service:
LDAP Directory Service                 UID
IBM Tivoli Directory Service           uid
Microsoft Active Directory Service     sAMAccountName
Novell e-Directory Service             uid
Open LDAP Directory Service            uid
Sun Java System Directory Service      uid
The Service Manager does not import the LDAP attribute that indicates whether a user account is enabled or disabled. You enable or disable an LDAP user account in the Administrator tool, independently of its status in the directory. The status of the user account in the LDAP directory service still affects user authentication in application clients. For example, if a user account is enabled in the Informatica domain but disabled in the LDAP directory service, the user can log in to application clients only if the LDAP directory service allows disabled user accounts to log in; if the directory service rejects disabled accounts, the user cannot log in. To revoke access reliably, disable the account in the Administrator tool as well as in the directory.
Note: If you modify the LDAP connection properties to connect to a different LDAP server, the Service Manager does not delete the existing security domains. You must ensure that the LDAP security domains are correct for the new LDAP server. Modify the user and group filters in the security domains or create additional security domains so that the Service Manager correctly imports the users and groups that you want to use in the Informatica domain.
To configure an LDAP security domain, perform the following steps:
    1. In the Administrator tool, click the Security tab.
    2. Click the Actions menu and select LDAP Configuration.
    3. In the LDAP Configuration dialog box, click the Security Domains tab.
    4. Click Add.
    5. Use LDAP query syntax to create filters to specify the users and groups to be included in the security domain you are creating.
    You might need to consult the LDAP administrator to get the information about the users and groups available in the LDAP directory service.
    The following table describes the filter properties that you can set for a security domain:
    Security Domain
    Name of the LDAP security domain. The name is not case sensitive and must be unique within the domain. It cannot exceed 128 characters or contain the following special characters:
    , + / < > @ ; \ % ?
    The name can contain an ASCII space character except for the first and last character. All other space characters are not allowed.
    User search base
    Distinguished name (DN) of the entry that serves as the starting point to search for user names in the LDAP directory service. The search finds an object in the directory according to the path in the distinguished name of the object.
    For example, in Microsoft Active Directory, the distinguished name of a user object might be cn=UserName,ou=OrganizationalUnit,dc=DomainName, where the series of relative distinguished names denoted by dc=DomainName identifies the DNS domain of the object.
    User filter
    An LDAP query string that specifies the criteria for searching for users in the directory service. The filter can specify attribute types, assertion values, and matching criteria.
    For example: (objectclass=*) searches all objects. (&(objectClass=user)(!(cn=susan))) searches all user objects except "susan". Keep the filter as narrow as the search base allows. In Microsoft Active Directory, for instance, (objectClass=user) also matches computer accounts, so (&(objectCategory=person)(objectClass=user)) is the usual form for people. If you build a filter from names that someone else supplies, escape the characters * ( ) \ in each value as RFC 4515 defines, otherwise a stray wildcard or parenthesis changes the meaning of the filter. For more information about search filters, see the documentation for the LDAP directory service.
    Group search base
    Distinguished name (DN) of the entry that serves as the starting point to search for group names in the LDAP directory service.
    Group filter
    An LDAP query string that specifies the criteria for searching for groups in the directory service, for example (objectClass=group) in Microsoft Active Directory.
    6. Click Preview to view a subset of the list of users and groups that fall within the filter parameters.
    If the preview does not display the correct set of users and groups, modify the user and group filters and search bases to get the correct users and groups.
    7. To add another LDAP security domain, repeat steps 4 through 6.
    8. To immediately synchronize the users and groups in the security domains with the users and groups in the LDAP directory service, click Synchronize Now.
    The Service Manager synchronizes the users in all the LDAP security domains with the users in the LDAP directory service. The time it takes for the synchronization process to complete depends on the number of users and groups to be imported.
    9. Click OK to save the security domains.
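The following Python script is an added example; it is not part of the Informatica product or of this documentation. It models what Preview does when you configure a security domain: scope the search to a user search base, apply the user filter, and list the UID that the Service Manager keys on (sAMAccountName for Microsoft Active Directory). The directory entries, DNs, and helper names (preview, exclude_user_filter, escape_filter_value) are constructed for the example and are not product APIs. Only the filter forms used on this page are supported (equality, presence, * substrings, &, | and !).

```python
"""Offline preview of a security-domain user filter.

Models what Preview does in the LDAP Configuration dialog: scope the search to
a search base, apply an RFC 4515 filter and list the UID attribute the Service
Manager keys on (sAMAccountName for Active Directory). Supports the filter forms
this page uses: equality, presence, '*' substrings, &, | and !. Sample data only.
"""
import re

# Constructed sample entries. In Active Directory, computer accounts also carry
# objectClass=user; objectCategory is what separates people from machines.
DIRECTORY = [
    {"dn": "cn=susan,ou=Engineering,dc=example,dc=com", "cn": "susan", "sAMAccountName": "susan",
     "objectClass": ["top", "person", "user"], "objectCategory": "person"},
    {"dn": "cn=bob,ou=Engineering,dc=example,dc=com", "cn": "bob", "sAMAccountName": "bob",
     "objectClass": ["top", "person", "user"], "objectCategory": "person"},
    {"dn": "cn=alice,ou=Finance,dc=example,dc=com", "cn": "alice", "sAMAccountName": "alice",
     "objectClass": ["top", "person", "user"], "objectCategory": "person"},
    {"dn": "cn=BUILD01,ou=Engineering,dc=example,dc=com", "cn": "BUILD01", "sAMAccountName": "BUILD01$",
     "objectClass": ["top", "person", "user", "computer"], "objectCategory": "computer"},
]

def escape_filter_value(value):
    """RFC 4515 escaping: * ( ) \\ and NUL inside an assertion value become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_filter(text):
    """Parse into ('&'|'|'|'!', [kids]) or ('=', attr, value) tuples."""
    ch = lambda i: text[i] if i < len(text) else ""

    def node(i):
        if ch(i) != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if ch(i) in ("&", "|", "!"):
            op, kids, i = ch(i), [], i + 1
            while ch(i) == "(":
                kid, i = node(i)
                kids.append(kid)
            if ch(i) != ")" or (op == "!" and len(kids) != 1):
                raise ValueError("malformed %s filter at offset %d" % (op, i))
            return (op, kids), i + 1
        eq = text.index("=", i)             # ValueError if there is no '='
        end = text.index(")", eq)           # a literal ')' in a value arrives as \29
        return ("=", text[i:eq], text[eq + 1:end]), end + 1

    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return tree

def _values(entry, attr):
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(entry, tree):
    op = tree[0]
    if op == "&":
        return all(matches(entry, k) for k in tree[1])
    if op == "|":
        return any(matches(entry, k) for k in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, pattern = tree
    values = _values(entry, attr)
    if pattern == "*":                        # presence filter
        return bool(values)
    # Unescaped '*' are wildcards; string attributes match case-insensitively.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

def in_search_base(dn, base):
    """True when dn is the search base itself or lies beneath it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def preview(directory, search_base, filter_text, uid_attr="sAMAccountName"):
    """Sorted UIDs of the entries the security domain would import."""
    tree = parse_filter(filter_text)
    hits = [e for e in directory if in_search_base(e["dn"], search_base) and matches(e, tree)]
    # An entry without the required UID attribute cannot be identified: skip it.
    return sorted(_values(e, uid_attr)[0] for e in hits if _values(e, uid_attr))

def exclude_user_filter(name, safe=True):
    """The page's 'all users except <name>' filter. safe=False pastes the name in
    unescaped, which is how a filter built from supplied input gets hijacked."""
    value = escape_filter_value(name) if safe else name
    return "(&(objectCategory=person)(objectClass=user)(!(cn=%s)))" % value
```

Calling preview(DIRECTORY, "ou=Engineering,dc=example,dc=com", "(objectClass=user)") returns the computer account BUILD01$ alongside bob and susan, while exclude_user_filter("susan") with the same base returns only bob. The unsafe variant shows the failure mode: exclude_user_filter("*", safe=False) produces (!(cn=*)), a presence test that excludes every user, whereas the escaped form (!(cn=\2a)) excludes nobody because no user is literally named "*".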

Step 3. Schedule the Synchronization Times

You can set up a schedule for the Service Manager to periodically synchronize the list of users and groups in the LDAP security domain with the list of users and groups in the LDAP directory service.
Important: Before you start the synchronization process, verify that the node can resolve the host name of the LDAP server, for example through DNS or an entry in the /etc/hosts file. If the Service Manager cannot resolve the host name for the LDAP server, the user synchronization can fail.
During synchronization, the Service Manager imports users and groups from the LDAP directory service. The Service Manager deletes any user or group from the LDAP security domain that is no longer included in the search filters used for the import.
By default, the Service Manager does not have a scheduled time to synchronize with the LDAP directory service. To ensure that the list of users and groups in the LDAP security domains is accurate, you can schedule the times during the day when the Service Manager synchronizes the LDAP security domains. The Service Manager synchronizes the LDAP security domains with the LDAP directory service every day at the times you set.
Note: During synchronization, the Service Manager locks the user account that it synchronizes. When the user account is locked, the Service Manager cannot authenticate the user account. Users might not be able to log in to application clients. If users are logged in to application clients when synchronization starts, the users might not be able to perform tasks. The duration of the synchronization process depends on the number of users and groups to be synchronized. To avoid usage disruption, synchronize the security domains during times when most users are not logged in.
To synchronize more than 100 users or groups, enable paging on the LDAP directory service before you run the synchronization. If you do not enable paging on the LDAP directory service, the synchronization can fail.
To set up a schedule to synchronize the LDAP security domains with the LDAP directory service, perform the following steps:
    1. In the Administrator tool, click the Security tab.
    2. Click the Actions menu and select LDAP Configuration.
    3. In the LDAP Configuration dialog box, click the Schedule tab.
    4. Click the Add button (+) to add a time.
    The synchronization schedule uses a 24-hour time format.
    You can add as many synchronization times in the day as you require. If the list of users and groups in the LDAP directory service changes often, you can schedule the Service Manager to synchronize multiple times a day.
    5. To immediately synchronize the users and groups in the security domains with the users and groups in the LDAP directory service, click Synchronize Now.
    6. Click OK to save the synchronization schedule.
    Note: If you restart the Informatica domain before the Service Manager synchronizes with the LDAP directory service, the synchronization times that you added are lost.

Using Nested Groups in the LDAP Directory Service

An LDAP security domain can contain nested LDAP groups. The Service Manager can import nested groups only when they are created in the following manner. For example, to create a nested grouping where GroupB is a member of GroupA and GroupD is a member of GroupC:
  1. Create GroupA, GroupB, GroupC, and GroupD within the same OU.
  2. Edit GroupA, and add GroupB as a member.
  3. Edit GroupC, and add GroupD as a member.
Nested LDAP groups that are created in any other way cannot be imported into an LDAP security domain.
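The following Python script is an added example, not Informatica code, and it serves both Step 3 and this section. It models one synchronization run offline: it imports the users that the user filter selected, flattens nested group membership through the Group Membership Attribute (member), deletes accounts the filters no longer select, keeps the enabled/disabled flag that is managed in the Administrator tool (the Service Manager does not import that attribute), compares DNs case-insensitively as the Not Case Sensitive option does, and refuses the whole import when it exceeds Maximum Size. The group and user DNs, the DOMAIN_BEFORE state, and the function names (synchronize, flatten_members, norm_dn) are constructed for the example; that a first-time import is created enabled is an assumption the page does not state.

```python
"""One LDAP security-domain synchronization, modelled offline.

Imports the users a filter selected, flattens nested group membership through
the Group Membership Attribute (member), deletes accounts the filters no longer
select, keeps the locally managed enabled/disabled flag (the Service Manager
does not import it), compares DNs case-insensitively as the Not Case Sensitive
option does, and refuses the whole import above Maximum Size. Sample data only.
"""


class SyncError(Exception):
    """The import would exceed Maximum Size; nothing is imported."""


# Constructed group objects: group DN -> member DNs (users or other groups).
GROUPS = {
    "cn=GroupA,ou=Teams,dc=example,dc=com": [
        "cn=GroupB,ou=Teams,dc=example,dc=com",
        "CN=Susan,OU=People,DC=example,DC=com",     # susan's DN in another case
    ],
    "cn=GroupB,ou=Teams,dc=example,dc=com": [
        "cn=bob,ou=People,dc=example,dc=com",
        "cn=GroupA,ou=Teams,dc=example,dc=com",     # cycle back to GroupA
    ],
    "cn=GroupC,ou=Teams,dc=example,dc=com": ["cn=GroupD,ou=Teams,dc=example,dc=com"],
    "cn=GroupD,ou=Teams,dc=example,dc=com": [
        "cn=alice,ou=People,dc=example,dc=com",
        "cn=carol,ou=People,dc=example,dc=com",
    ],
}
# Users the user filter selects this time; carol no longer matches it.
IMPORTED_USERS = [
    "cn=susan,ou=People,dc=example,dc=com",
    "cn=bob,ou=People,dc=example,dc=com",
    "cn=alice,ou=People,dc=example,dc=com",
]
# Security domain before this sync: carol was imported last time and bob was
# disabled in the Administrator tool.
DOMAIN_BEFORE = {
    "cn=bob,ou=people,dc=example,dc=com": {"enabled": False},
    "cn=carol,ou=people,dc=example,dc=com": {"enabled": True},
}


def norm_dn(dn, case_insensitive=True):
    """Canonical DN key: trim spaces around RDNs and, if asked, fold case."""
    joined = ",".join(part.strip() for part in dn.split(","))
    return joined.lower() if case_insensitive else joined


def flatten_members(groups, group_dn, case_insensitive=True):
    """User DNs reachable from group_dn through nested member links, cycle-safe."""
    key = lambda d: norm_dn(d, case_insensitive)
    by_key = {key(g): members for g, members in groups.items()}
    users, seen, stack = set(), set(), [key(group_dn)]
    while stack:
        g = stack.pop()
        if g in seen:                 # a group already visited: stops cycles
            continue
        seen.add(g)
        for member in by_key.get(g, []):
            k = key(member)
            if k in by_key:
                stack.append(k)       # nested group: descend into it
            else:
                users.add(k)
    return users


def synchronize(domain, imported_users, groups, group_dns,
                max_size=1000, case_insensitive=True):
    """Return (new_domain, group_membership, report) for one sync run."""
    if len(imported_users) > max_size:
        raise SyncError("%d users exceed Maximum Size %d; nothing imported"
                        % (len(imported_users), max_size))
    key = lambda d: norm_dn(d, case_insensitive)
    wanted, existing = {key(u) for u in imported_users}, set(domain)
    # Local status survives the sync. A first-time import is created enabled
    # here; that is an assumption, the page does not state the initial status.
    new_domain = {dn: {"enabled": domain.get(dn, {}).get("enabled", True)}
                  for dn in wanted}
    report = {"added": sorted(wanted - existing),
              "deleted": sorted(existing - wanted),
              "kept": sorted(wanted & existing)}
    # Only users that were imported can be assigned to an imported group.
    membership = {key(g): sorted(flatten_members(groups, g, case_insensitive) & wanted)
                  for g in group_dns}
    return new_domain, membership, report
```

Running synchronize(DOMAIN_BEFORE, IMPORTED_USERS, GROUPS, [GroupA, GroupC]) adds susan and alice, deletes carol, keeps bob disabled, and assigns both susan and bob to GroupA through the GroupB nesting despite the cycle. Repeating the call with case_insensitive=False drops susan from GroupA, because the member DN stored in the group differs from her entry only in case; that is the loss the Not Case Sensitive option prevents. Passing max_size=2 raises SyncError before anything is changed.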

Using a Self-Signed SSL Certificate

You can connect to an LDAP server that uses an SSL certificate signed by a certificate authority (CA). By default, the Service Manager does not connect to an LDAP server that uses a self-signed certificate.
To use a self-signed certificate, import the self-signed certificate into a truststore file and use the INFA_JAVA_OPTS environment variable to specify the truststore file and password. Both options belong in one value; in a csh-style shell:
setenv INFA_JAVA_OPTS "-Djavax.net.ssl.trustStore=<TrustStoreFile> -Djavax.net.ssl.trustStorePassword=<TrustStorePassword>"
A truststore holds certificates rather than private keys, but the password is still visible to any process that can read the environment of the node, so do not reuse a password from elsewhere.
On Windows, configure INFA_JAVA_OPTS as a system variable.
Restart the node for the change to take effect. The Service Manager uses the truststore file to verify the SSL certificate.
keytool is a key and certificate management utility that allows you to generate and administer keys and certificates for use with the SSL security protocol. You can use keytool to create a truststore file or to import a certificate to an existing truststore file. You can find the keytool utility in the following directory:
<PowerCenterClientDir>\CMD_Utilities\PC\java\bin
For more information about using keytool, see the documentation on the following web site: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html.
The software available for download at the referenced links belongs to a third party or third parties, not Informatica. The download links are subject to the possibility of errors, omissions or change. Informatica assumes no responsibility for such links and/or such software, disclaims all warranties, either express or implied, including but not limited to, implied warranties of merchantability, fitness for a particular purpose, title and non-infringement, and disclaims all liability relating thereto.

Deleting an LDAP Security Domain

To permanently prohibit users in an LDAP security domain from accessing application clients, you can delete the LDAP security domain. When you delete an LDAP security domain, the Service Manager deletes all user accounts and groups in the LDAP security domain from the domain configuration database.
    1. In the LDAP Configuration dialog box, click the Security Domains tab.
    The LDAP Configuration dialog box displays the list of security domains.
    2. To ensure that you are deleting the correct security domain, click the security domain name to view the filter used to import the users and groups and verify that it is the security domain you want to delete.
    3. Click the Delete button next to a security domain to delete the security domain.
    4. Click OK to confirm that you want to delete the security domain.