Need help setting up LDAP authentication

A forum for discussing DataStage® basics. If you're not sure where your question goes, start here.

Moderators: chulett, rschirm, roy

mavrick21
Premium Member
Posts: 335
Joined: Sun Apr 23, 2006 11:25 pm


Post by mavrick21 »

Hello,

I've installed IIS 8.5 Server edition on RHEL 6 (64-bit) and I can get Internal Registry and OS authentication to work. This is the first time I'm trying to get LDAP authentication to work. We use Microsoft Active Directory (AD).

Please validate/guide me on the following:
1) I assume RHEL must be set up to accept AD username & password. Is this right?
2) Is setting up PAM on RHEL a must or is it optional?
3) I have installed IIS 8.5 using local root. The local user dsadm (belonging to the dstage group) exists, but the dstage group doesn't exist in AD. I'm just concerned about the file permissions when many users are logged in using their AD credentials and start creating files by running DataStage jobs. How do I go about this?
(i) Do I create a new group in AD, say AD_GROUP, add DataStage users (AD users) to it and make AD_GROUP their primary group?
(ii) If 'yes' to the above, then what would happen to files, if any, created by dsadm:dstage? FYI: this is a fresh install and no jobs have been imported/run yet.

Any other useful/good practices pointers deeply appreciated.

Thanks
Mav

Post by mavrick21 »

Just now I verified there are a lot of files owned by dsadm:dstage in the installed IBM IS folder. I don't know if something needs to be done about these files.
kwwilliams
Participant
Posts: 437
Joined: Fri Oct 21, 2005 10:00 pm

Post by kwwilliams »

It appears that you are using two different authentication mechanisms; I would not recommend that approach. When I looked at LDAP and Linux integration some time ago, it was possible to have the Linux user and the LDAP user with different passwords and permissions. When the passwords were different, the user was unable to log in to all of the Information Server tiers.

There are products that will tie LDAP into the Linux environment; if you are using one of those, then setting up PAM is a must. You will need to go into the WebSphere console and set up the integration with Active Directory.

Post by mavrick21 »

Keith,

Thanks for your quick response. I want to use just the LDAP authentication. Sorry if my previous post is confusing.

Should I have the AD group (dstage) and AD user (dsadm) set up first and then do a clean install? Or is there a way to do it without re-installing?

Thanks

Post by mavrick21 »

Here is what I did:
Installed IIS 8.5 as root (sudo). Supplied dsadm as the local OS user during the installation process. dsadm belongs to the local group dstage in the OS. I see several files/directories in /opt/IBM owned by dsadm or root.

Here is my concern:
Let's assume I'm successful in getting Information Server and the DS Engine to validate against Microsoft Active Directory (AD). My concern is that there is no dstage group in Active Directory, and AD users have different primary groups in AD. When different AD users log in to DataStage and start running jobs that create files, the files wouldn't belong to a common group. So a file created by user AD_user1 may not be accessible to user AD_user2. How do I go about solving this?
Secondly, would AD users be in a situation where they (or the jobs they create) need to access files created by dsadm?

Thanks
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

AD is used to authenticate username/password and to return a list of AD groups to which the user belongs. IIS roles (suite roles and suite component roles) are assigned to AD users/groups.

AD users are mapped on to one or more operating system users for access to file system on the DataStage engine. This is done using the Engine Credentials dialog under Domain Management in Web Console.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.

Post by mavrick21 »

Thanks Ray. Your answer resolves all my concerns. :)

Post by mavrick21 »

I think I am successful in setting up LDAP for user authentication using SSL. The reason I say "I think" is that I don't get any errors in the WAS console; however, I'm not sure if the passwords are encrypted before being sent to LDAP. Are there logs in the IS directory that I can look at to verify whether SSL/encrypted passwords are used?

Just FYI: I'm using the SSL-enabled port for the LDAP server and I've checked "Require SSL communications" in the WAS Web Console.

Thanks

Post by mavrick21 »

Gurus - any thoughts?

Post by ray.wurlod »

If you're using SSL everything is encrypted.
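The question above (is the bind password encrypted before it reaches AD?) and the answer (with SSL, everything is) can be confirmed on the wire rather than from logs. This is an added example, not code from the thread, from IBM or from WebSphere: it decodes the first message a client sends on a directory connection and reports whether a bind password would be readable. On the LDAPS port (636 by default) the stream opens with a TLS record header, so no LDAP operation is visible; on plain LDAP (389) a simple bind carries the DN and password as cleartext BER octet strings unless a StartTLS extended request went first. The sample bytes, the DN and the password are constructed here for illustration; in practice the input would be the first client-to-server bytes of a capture taken on the WAS host (for example with tcpdump filtered to the directory port).

```python
"""Classify the first client message of an LDAP connection: TLS record,
cleartext simple bind (password exposed), SASL bind, or StartTLS request.
Added example with constructed sample bytes; not from the forum thread."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended request


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value


def _read_tlv(buf: bytes, pos: int):
    """Decode the BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    op = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + op)


def build_starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    op = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + op)


def classify_ldap_client_message(data: bytes) -> dict:
    """Report what the first client bytes reveal about the bind credential."""
    # TLS record header: content type 0x16 (handshake) or 0x17 (application data), version 0x03xx.
    if len(data) >= 3 and data[0] in (0x16, 0x17) and data[1] == 0x03:
        kind = "TLS handshake" if data[0] == 0x16 else "TLS application data"
        return {"transport": "tls", "detail": kind, "password_exposed": False}
    if not data or data[0] != 0x30:
        return {"transport": "unknown", "detail": "not an LDAPMessage", "password_exposed": False}
    _, msg, _ = _read_tlv(data, 0)               # LDAPMessage SEQUENCE
    _, _msg_id, pos = _read_tlv(msg, 0)          # messageID INTEGER
    op_tag, op, _ = _read_tlv(msg, pos)          # protocolOp
    if op_tag == 0x60:                           # BindRequest [APPLICATION 0]
        _, _version, p = _read_tlv(op, 0)
        _, name, p = _read_tlv(op, p)
        auth_tag, auth, _ = _read_tlv(op, p)
        if auth_tag == 0x80:                     # simple [0]: the password is a plain octet string
            return {"transport": "cleartext", "detail": "simple bind",
                    "bind_dn": name.decode(), "password": auth.decode(), "password_exposed": True}
        if auth_tag == 0xA3:                     # sasl [3] SaslCredentials { mechanism, credentials }
            _, mech, _ = _read_tlv(auth, 0)
            return {"transport": "cleartext", "detail": f"SASL bind ({mech.decode()})",
                    "bind_dn": name.decode(), "password_exposed": mech == b"PLAIN"}
    if op_tag == 0x77:                           # ExtendedRequest [APPLICATION 23]
        name_tag, oid, _ = _read_tlv(op, 0)
        if name_tag == 0x80 and oid == STARTTLS_OID:
            return {"transport": "cleartext", "detail": "StartTLS request (later messages encrypted)",
                    "password_exposed": False}
    return {"transport": "cleartext", "detail": f"LDAP protocolOp tag 0x{op_tag:02x}",
            "password_exposed": False}


# Constructed samples: hypothetical DN and password, not captured traffic.
SAMPLE_CLEARTEXT_BIND = build_simple_bind(1, "cn=dsadm,ou=service,dc=example,dc=com", "Secret123!")
SAMPLE_STARTTLS = build_starttls_request(1)
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("16030100050100000100")  # record header + start of ClientHello

if __name__ == "__main__":
    for label, sample in [("port 389 simple bind", SAMPLE_CLEARTEXT_BIND),
                          ("port 389 StartTLS", SAMPLE_STARTTLS),
                          ("port 636 first bytes", SAMPLE_TLS_CLIENT_HELLO)]:
        print(f"{label:22s} -> {classify_ldap_client_message(sample)}")
```

Reading a capture this way separates the two cases cleanly: on the SSL port the first client bytes are 0x16 0x03 and nothing LDAP-level is decodable, whereas a 0x30 message whose protocolOp is 0x60 with a 0x80 authentication choice, seen before any StartTLS request, is the cleartext path. One caveat that the "encrypted" answer does not cover: TLS only protects the password from a passive observer; whether the connection is to the real domain controller depends on WebSphere validating the AD server certificate against its truststore, which is worth checking separately.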

Post by mavrick21 »

Thanks Ray!