Metrics is a new component of Connections 4.0, and deploying Metrics requires LDAP server configuration on the Cognos side. This article introduces the steps to set up the LDAP namespace for Active Directory Server for Metrics.
About this task
Configure the IBM® Cognos® Business Intelligence server to use the same Active Directory LDAP server that IBM Connections uses for authentication.
Procedure
1. Launch the Cognos Configuration tool on the Cognos server by following the guide 'Configuring support for LDAP authentication for Cognos Business Intelligence' in the IBM Connections 4.0 info center.
2. Expand Local Configuration > Security > Authentication.
3. Click New resource > Namespace.
4. In the window that opens, enter a value for 'Name' (the suggested value is the cognos.namespace value specified in the cognos-setup.properties file during installation), select 'LDAP' from the 'Type' list, then click 'OK'.
5. Fill in the properties for your LDAP directory, using the following tables as a guideline. When this is done, follow the rest of the steps in the guide mentioned in step 1 to complete the LDAP configuration.
Table 1 LDAP properties list
FIELD | Example value | Comments |
Namespace ID | IBMConnections | Type the cognos.namespace value specified in the cognos-setup.properties file (this property must match that value). |
Host and port | ldap.example.com:389 | Type the fully qualified host name and port of the LDAP server. |
Base distinguished name | ou=Sales,o=Example | Type the base DN where LDAP searches will originate. |
User lookup | (sAMAccountName=${userID}) | Type the expression to use when constructing the fully qualified DN of the user for authentication. |
Use external identity? | true | Set to true to enable Single Sign-On with WebSphere Application Server. |
External identity mapping | (sAMAccountName=${environment("REMOTE_USER")}) | Type the expression to use for constructing the fully qualified DN of the user for authentication when SSO is enabled (that is, when Use external identity? is set to true). The variable REMOTE_USER passes the information from WebSphere Application Server. |
Bind user DN and password | cn=binduser,ou=Sales,o=Example; password | Type the credentials used for binding to the LDAP server and for performing user lookups. If no values are specified, the LDAP authentication provider binds as anonymous. If External identity mapping is enabled, the Bind user DN and Password are used for all LDAP access. Otherwise, these credentials are used only when a search filter is specified for the User lookup property. In that case, when the user DN is established, subsequent requests to the LDAP server are executed under the authentication context of the end user. |
Unique identifier | objectGUID | Specifies the value used to uniquely identify objects stored in the LDAP directory server. Specify either an attribute name or the value of 'dn' to use as the unique identifier. If an attribute is used, it must exist for all objects, such as users, groups, folders. If the 'dn' is used, more resources are used as you search deeper in the LDAP directory server hierarchy and policies may be affected if the 'dn' is renamed. |
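The following check is an added example, not part of the original article or of any IBM tooling: it lints a set of Table 1 values before they are typed into Cognos Configuration, flagging a Namespace ID that does not match cognos.namespace and the anonymous-bind fallback described above. The function names and dictionary keys are hypothetical labels, and the sample properties text is constructed from the example values in Table 1.

```python
# Added example; dict keys are hypothetical labels, not Cognos property names.
import re

def read_properties(text):
    """Parse key=value lines of a Java-style .properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_namespace(settings, setup_properties_text):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    expected = read_properties(setup_properties_text).get("cognos.namespace")
    if settings.get("namespace_id") != expected:
        findings.append("Namespace ID does not match cognos.namespace")
    if not re.fullmatch(r"[^\s:.]+(\.[^\s:.]+)+:\d{1,5}", settings.get("host_and_port", "")):
        findings.append("Host and port is not a fully qualified host:port")
    if "${userID}" not in settings.get("user_lookup", ""):
        findings.append("User lookup does not reference ${userID}")
    if not (settings.get("bind_user_dn") and settings.get("bind_password")):
        findings.append("No bind credentials: the provider binds as anonymous")
    if settings.get("use_external_identity") and \
            "REMOTE_USER" not in settings.get("external_identity_mapping", ""):
        findings.append("External identity mapping does not reference REMOTE_USER")
    if not settings.get("unique_identifier"):
        findings.append("Unique identifier is empty")
    return findings

# Constructed sample input built from the example values in Table 1.
SETUP_PROPERTIES = "# constructed sample\ncognos.namespace=IBMConnections\n"
GOOD = {
    "namespace_id": "IBMConnections",
    "host_and_port": "ldap.example.com:389",
    "user_lookup": "(sAMAccountName=${userID})",
    "use_external_identity": True,
    "external_identity_mapping": '(sAMAccountName=${environment("REMOTE_USER")})',
    "bind_user_dn": "cn=binduser,ou=Sales,o=Example",
    "bind_password": "password",
    "unique_identifier": "objectGUID",
}
# Same values with the bind credentials removed and a mismatched namespace ID.
BAD = dict(GOOD, namespace_id="Connections", bind_user_dn="", bind_password="")
if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_namespace(cfg, SETUP_PROPERTIES) or "no findings")
```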
Table 2 LDAP advanced mapping values for use with Active Directory Server objects
Mappings | LDAP property | LDAP value |
Folder | Object class | organizationalUnit,organization,container |
Folder | Description | description |
Folder | Name | ou,o,cn |
Group | Object class | group |
Group | Description | description |
Group | Member | member |
Group | Name | cn |
Account | Object class | user |
Account | Business phone | telephonenumber |
Account | Content locale | (leave blank) |
Account | Description | description |
Account | Email | mail |
Account | Fax/Phone | facsimiletelephonenumber |
Account | Given name | givenname |
Account | Home phone | homephone |
Account | Mobile phone | mobile |
Account | Name | displayName |
Account | Pager phone | pager |
Account | Password | unicodePwd |
Account | Postal address | postaladdress |
Account | Product locale | (leave blank) |
Account | Surname | sn |
Account | Username | sAMAccountName |
Note:
These mapping properties represent changes based on a default Active Directory Server installation. If you have modified the schema, you may have to make additional mapping changes.
LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.
Here is an example of Active Directory LDAP configuration: