Need help setting up LDAP authentication
Hello,
I've installed IIS 8.5 Server edition on RHEL 6 (64-bit) and I can get Internal Registry and OS authentication to work. This is the first time I'm trying to get LDAP authentication to work. We use Microsoft Active Directory (AD).
Please validate/guide me on the following:
1) I assume RHEL must be set up to accept AD username & password. Is this right?
2) Is setting up PAM on RHEL a must or is it optional?
3) I have installed IIS 8.5 using local root. Local user dsadm (belonging to dstage group) exists. But dstage group doesn't exist on AD. I'm just concerned about the file permissions when many users are logged in using their AD credentials and start creating files by running DataStage jobs. How do I go about this?
(i) Do I create a new group on the AD, say AD_GROUP, and add DataStage users (AD users) to it and make AD_GROUP as their primary group?
(ii) If 'yes' to above then what would happen to files, if any, created by dsadm:dstage? FYI: This is a fresh install and no jobs have been imported/run yet.
Any other useful/good practices pointers deeply appreciated.
Thanks
Mav
It appears that you are using two different authentication mechanisms; I would not recommend that approach. When I looked at LDAP and Linux integration some time ago, it was possible to have the Linux user and the LDAP user with different passwords and permissions. When the passwords were different, the user was unable to log in to all of the Information Server tiers.
There are products that will tie LDAP into the Linux environment; if you are using one of those, then setting up PAM is a must. You will need to go into the WebSphere console and set up the integration with Active Directory.
Keith Williams
keith@peacefieldinc.com
Here is what I did:
Installed IIS 8.5 as root (sudo). Supplied dsadm as the local OS user during the installation process. dsadm belongs to the local group dstage in the OS. I see several files/directories in /opt/IBM owned by dsadm or root.
Here is my concern:
Let's assume I'm successful in getting Information Server and the DS Engine to validate against Microsoft Active Directory (AD). My concern is that there is no dstage group in Active Directory, and AD users have different primary AD groups. When different AD users log in to DataStage and start running jobs that create files, the files wouldn't belong to a common group. So a file created by user AD_user1 may not be accessible to user AD_user2. How do I go about solving this?
Secondly, would AD users be in a situation where they (or the jobs they create) need to access files created by dsadm?
Thanks
AD is used to authenticate username/password and to return a list of AD groups to which the user belongs. IIS roles (suite roles and suite component roles) are assigned to AD users/groups.
AD users are mapped onto one or more operating system users for access to the file system on the DataStage engine. This is done using the Engine Credentials dialog under Domain Management in the Web Console.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
I think I am successful in setting up LDAP for user authentication using SSL. The reason I say "I think" is that I don't get any errors in the WAS console; however, I'm not sure whether the passwords are encrypted before being sent to LDAP. Are there logs in the IS directory that I can look at to verify that SSL/encrypted passwords are used?
Just FYI: I'm using the SSL-enabled port for the LDAP server and I've checked "Require SSL communications" in the WAS Web Console.
Thanks
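The last post asks how to confirm that the bind password is actually encrypted on the way to the domain controller. Logs on the WAS side only record what WAS believes it configured; the wire is the source of truth. The following is an added example, not code from the original thread or from IBM: it encodes and decodes an LDAPv3 BindRequest (RFC 4511, BER) so that TCP payloads from a capture taken between the WAS host and the DC can be checked. A BindRequest that parses with a readable password on port 389 means the password left the host in cleartext; an LDAPS session on 636 carries TLS records, which never parse as a BindRequest. The DNs, ports and sample frames are constructed for the demonstration.

```python
# Added example (not from the thread or from IBM): detect cleartext LDAP simple
# binds in captured TCP payloads. Sample frames below are constructed.


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple password}}."""
    bind = (
        _tlv(0x02, bytes([3]))            # version INTEGER 3
        + _tlv(0x04, dn.encode())         # name LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode())   # authentication: simple [0] OCTET STRING
    )
    # 0x60 = [APPLICATION 0] constructed (BindRequest); 0x30 = outer SEQUENCE
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pkt: bytes):
    """Return a dict describing a BindRequest, or None if pkt is not one.

    TLS records begin 0x16/0x17 0x03 0x0N, so an LDAPS session never parses
    here: an encrypted session yields no readable bind, which is the point.
    """
    try:
        outer, msg, _ = _read_tlv(pkt, 0)
        id_tag, mid, p = _read_tlv(msg, 0)
        op_tag, op, _ = _read_tlv(msg, p)
        if outer != 0x30 or id_tag != 0x02 or op_tag != 0x60:
            return None                   # not an LDAPMessage carrying a BindRequest
        _, ver, p = _read_tlv(op, 0)
        _, dn, p = _read_tlv(op, p)
        auth_tag, auth, _ = _read_tlv(op, p)
        info = {"msg_id": int.from_bytes(mid, "big"), "version": ver[0],
                "dn": dn.decode(errors="replace")}
    except (IndexError, ValueError):
        return None
    if auth_tag == 0x80:                  # simple: the value IS the password
        info["auth"] = "simple"
        info["password"] = auth.decode(errors="replace")
    elif auth_tag == 0xA3:                # sasl [3]: GSSAPI, DIGEST-MD5; no password field
        info["auth"] = "sasl"
    else:
        info["auth"] = "unknown(0x%02x)" % auth_tag
    return info


def audit_frames(frames):
    """frames: iterable of (dst_port, tcp_payload). Return findings as strings."""
    findings = []
    for port, payload in frames:
        req = parse_bind_request(payload)
        if not req or req["auth"] != "simple":
            continue
        if req["password"]:
            findings.append("port %d: cleartext simple bind as %s" % (port, req["dn"]))
        else:
            # DN plus empty password is an unauthenticated bind (RFC 4513 5.1.2);
            # AD treats it as anonymous, so it is a misconfiguration worth flagging.
            findings.append("port %d: unauthenticated (empty-password) bind as %s"
                            % (port, req["dn"]))
    return findings


if __name__ == "__main__":
    # Constructed sample capture (not real traffic): a plaintext bind on 389,
    # the first bytes of a TLS record on 636 standing in for an LDAPS session,
    # and an empty-password bind on 389.
    sample = [
        (389, build_simple_bind(1, "CN=svc-iis,OU=Service,DC=example,DC=com", "hunter2")),
        (636, bytes.fromhex("1603010200") + b"\x01\x00\x01\xfc\x03\x03"),
        (389, build_simple_bind(2, "CN=svc-iis,OU=Service,DC=example,DC=com", "")),
    ]
    for line in audit_frames(sample):
        print(line)
```

To use this against a real deployment, capture on the WebSphere host while someone logs in to the Web Console (for example `tcpdump -i any -w ldap.pcap port 389 or port 636`), extract the TCP payloads sent to the DC, and feed them to audit_frames. If anything parses as a simple bind on 389, the "Require SSL communications" setting is not taking effect, whatever the console says. A SASL bind on 389 does not carry the password in the bind itself, but it is still worth confirming that the mechanism is Kerberos/GSSAPI rather than PLAIN.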