About this task
Configure the IBM® Cognos® Business Intelligence server to support the use of same Lotus Domino LDAP server that IBM Connections uses for authentication.
Procedure
1. Launch Cognos Configuration tool on Cognos server by following the guide 'Configuring support for LDAP authentication for Cognos Business Intelligence' on the IBM Connections 4.0 info center.
2. Expand Local Configuration > Security > Authentication.
3. Click New resource > Namespace.
4. In the window opened, input the value of 'Name', select 'LDAP' from the 'Type' list, then click 'OK'.
5. Fill in the properties for your LDAP directory, use the following tables as a guideline. After have this done, follow the rest of the steps in the guide mentioned in step1 to complete the LDAP configuration.
Table 1. LDAP property settings
|
Field
|
Example value
|
Comments
|
|
Namespace ID |
IBMConnections |
Type the value of the cognos.namespace value specified in the cognos-setup.properties file (this property must match that value). |
|
Host and Port |
ldap.example.com:389 |
Type the fully qualified host name and port of the LDAP server. |
|
Base distinguished name |
ou=Sales,o=Example |
Type the base DN where LDAP searches will originate.
|
|
User lookup |
(uid=${userID}) |
Type the expression to use when constructing the fully qualified DN of the user for authentication. |
|
Use external identity? |
true |
Set to true to enable Single Sign-On with WebSphere0…3 Application Server. |
|
External identity mapping |
(uid=${environment("REMOTE_USER")}) |
Type the expression to be for constructing the fully qualified DN of the user for authentication when SSO is enabled (that is, when Use external identity? is set to true). The variable REMOTE_USER passes the information from WebSphere Application Server. |
|
Bind user DN and Password |
cn=binduser,ou=Sales,o=Example password |
Type the credentials used for binding to the LDAP and for performing user lookups. If no values are specified, the LDAP authentication provider binds as anonymous. If External identity mapping is enabled, the Bind user DN and Password are used for all LDAP access. Otherwise, these credentials are used only when a search filter is specified for the User lookup. In that case, when the user DN is established, subsequent requests to the LDAP server are executed under the authentication context of the end user. |
|
Size Limit |
0 |
Recommended but optional |
|
Time out in Seconds |
0 |
Recommended but optional |
Table 2. LDAP advanced mapping values for use with Lotus Domino Server objects. Make sure the following are set to the following.
|
Mappings
|
LDAP property
|
LDAP value
|
|
Folder Mappings |
Object Class |
dominoOrganization |
|
Group Mappings |
Object Class |
dominoGroup |
|
Member |
member |
|
name |
mail |
|
Account mappings |
object class |
dominoPerson |
|
Name |
uid |
So when all is set and done the configuration should look like this.
When you configure the IBMConnectionsMetricsAdmin role on Cognos(http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.0+documentation#action=openDocument&res_title=Configuring_the_IBMConnectionsMetricsAdmin_role_on_Cognos_ic40&content=pdcontent) using Lotus Domino LDAP, if a group is under root, not under an organization which was specified in the base DN(like "ou=Sales,o=Example" ), it won't be displayed in the users list, you can't search and add it as a member while adding the group to a role( like IBMConnectionsMetrics) on Cognos Administrator console. To deal with this issue, should add the org ( like "ou=Sales,o=Example" ) to the end of the group name.
About the author:
Chun Ling Li is the lead and scrum master in IBM Connections Metrics team.