Description:
This document describes how to integrate Microsoft Active Directory as a User Data Store for the CA SSO Server. It walks through the procedure step by step using the built-in automation available in CR5 and later.
Note that even with Microsoft Active Directory (ADS) as the user data store, the CA SSO Server still keeps SSO-specific user information, such as application and logon information, in its embedded CA Directory.
CA SSO only reads user information from the ADS; it never modifies the directory.
Solution:
Note:
The following procedure assumes that the ADS computer (Domain Controller, DC) host name is "ADServer1", that your domain is "acmecorp", and that you have an employee named Prani Patil who works in the Help Desk department. Replace these values with the ones specific to your organization.
The Prani Patil account is used by the SSO Server to bind to AD and authorise SSO Client login requests.
(Prani Patil does not need to be an administrative user, but the account must have read access to the entire AD tree; a dedicated read-only service account is sufficient and is the least-privilege choice.)
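Before creating the data store it is worth proving, from the SSO Server, that the bind account really can authenticate and read every part of the tree, and that it holds no more privilege than it needs. The following PowerShell check is an added example and is not part of the CA SSO article or product; it assumes the host, base DN and bind DN from the note above and performs the same kind of simple LDAP bind on port 389 that the generated CA Directory router uses.

```powershell
# Added example (not CA SSO code): test the SSO bind account against the domain controller.
# Assumed values: DC host ADServer1, base dc=acmecorp,dc=com, bind DN for Prani Patil.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DcHost = 'ADServer1'
$BaseDn = 'dc=acmecorp,dc=com'
$BindDn = 'cn=Prani Patil,ou=Help_Desk,dc=acmecorp,dc=com'
$Secret = Read-Host -Prompt "Password for $BindDn" -AsSecureString
$Plain  = (New-Object System.Net.NetworkCredential('', $Secret)).Password   # plain text only in memory

# A simple (clear-text) bind on port 389 mirrors what the generated router DSA does by default
# (auth-levels = clear-password, port 389). Run this only on a trusted network, or after SSL
# has been set up between the SSO Server and AD.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection("$DcHost`:389")
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Plain)
try {
    $conn.Bind()
    Write-Host "Bind OK as $BindDn"
} catch {
    throw "Bind failed for $BindDn : $($_.Exception.Message)"
}

# 1. Read access to the whole tree: enumerate user objects with paging and report them per
#    parent container, so a subtree the account cannot read shows up as missing.
$scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$search = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
    $BaseDn, '(&(objectCategory=person)(objectClass=user))', $scope, ([string[]]@('distinguishedName'))
$page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
[void]$search.Controls.Add($page)
$users = @()
do {
    $resp   = $conn.SendRequest($search)
    $users += $resp.Entries | ForEach-Object { $_.DistinguishedName }
    $cookie = ($resp.Controls | Where-Object {
        $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
    $page.Cookie = $cookie
} while ($cookie -and $cookie.Length -gt 0)
Write-Host ("Readable user objects under {0}: {1}" -f $BaseDn, $users.Count)
$users | ForEach-Object { $_.Substring($_.IndexOf(',') + 1) } |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 2. Least privilege: the bind account should not sit in a built-in privileged group.
$base = [System.DirectoryServices.Protocols.SearchScope]::Base
$self = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
    $BindDn, '(objectClass=*)', $base, ([string[]]@('memberOf'))
$entry  = $conn.SendRequest($self).Entries[0]
$groups = @()
if ($entry.Attributes.Contains('memberOf')) {
    $groups = $entry.Attributes['memberOf'].GetValues([string])
}
$priv = $groups | Where-Object {
    $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators|Schema Admins),' }
if ($priv) { Write-Warning "Bind account is in privileged group(s): $($priv -join '; ')" }
else       { Write-Host    'Bind account holds no built-in privileged group membership' }
$conn.Dispose()
```

If the bind succeeds but the per-container counts omit an OU that you know contains SSO users, fix the read permissions on that OU before continuing; the data store will otherwise silently fail to authorise those users.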
Follow these steps:
- Log in to the Policy Manager on any SSO farm member server
The tabs for your user privileges appear.
- Click Resources, Single Sign-On Resources, User Resources, Datastores
The Datastores pane appears.
- Right-click in the Datastores pane and select New
The Create New USER_DIR Resource dialog appears.
- Complete the fields in the General dialog
The following fields are not self-explanatory:
Name
Specifies the name of the new user data store on the CA SSO Server.
Example: ad-acmecorp
Data Store Type
Specifies the data store type. Select AD.
Owner
Specifies the owner of the data store. To create an Active Directory user data store, leave the option blank.
Base Path
Specifies the user data store base path.
Example: dc=acmecorp,dc=com
Comment
Specifies an additional description about the data store.
Example: Active Directory data store.
Host
Specifies the host of the embedded CA Directory on the CA SSO Server (not the domain controller). Enter localhost.
Port
Specifies the port of the embedded CA Directory. Enter 13389.
- Click the Directory Configuration icon
The Directory Configuration pane appears.
- Complete the fields in the directory configuration dialog:
Hostname
Specifies the host name value of the Active Directory domain controller.
Example: ADServer1
Admin
Specifies the name of a permanent user. The user need not be an administrator.
Example: Admin: cn=Prani Patil, ou=Help_Desk, DC=acmecorp, DC=com
Password
Specifies the password of the user.
Confirm Password
Specifies the password of the user.
- Click Advanced
The Advanced Data Store Properties dialog appears.
- Modify the following fields in the Advanced Data Store Properties dialog:
Container Classes : container,organization,organizationalUnit,builtinDomain,country
Note: The Container Classes field determines which object classes the Policy Manager treats as containers. A typographical error in this list causes display problems in the Policy Manager.
Login Info Container DN : ou=ad-acmecorp,ou=LoginInfos,o=PS
Note: Remove the angle brackets "<" and ">" that appear in the LoginInfoContainerDN field. They indicate that you must enter text.
- Click OK twice
The Active Directory user data store is created.
- Stop and start the following services:
- CA SSO Server Service
- CA Directory - PS ACMECORP and CA Directory - PSTD ACMECORP Services
Note: For more information about restarting CA SSO and CA Directory services, see Chapter 14: Maintenance in the CA SSO Administration Guide.
- Using Windows Explorer, go to the following directory:
%dxhome%\config\knowledge
- Verify that the router file, named after the data store (e.g. "ad-acmecorp_Router.dxc"), has been created
This file defines a router DSA named AD_ad-acmecorp_Router on the SSO Server; it points to the Active Directory domain acmecorp on ADServer1.
Its contents should look like:
    set dsa AD_ad-acmecorp_Router = {
        prefix        = <dc "com"><dc "acmecorp">
        native-prefix = <dc "com"><dc "acmecorp">
        dsa-name      = <o AD_ad-acmecorp ><cn AD_ad-acmecorp_Router>
        dsa-password  = "secret"
        address       = tcp "ADServer1" port 389
        auth-levels   = clear-password, ssl-auth
        dsa-flags     = read-only
        trust-flags   = allow-check-password, no-server-credentials
        link-flags    = dsp-ldap, ms-ad
    };
    set transparent-routing = true ;
Note that, as generated, the DSA binds to the domain controller with a simple (clear-password) bind on port 389, so the bind account's password crosses the network unencrypted; see the SSL article referenced at the end of this document to protect that connection. The file also stores the DSA password in clear text, so restrict its file permissions to the CA Directory service account and administrators.
- Verify that the PS_Servers.dxg file sources the newly created router config file
    source "../knowledge/PS_ACMESSO121.dxc";
    source "../knowledge/PSTD_ACMESSO121.dxc";
    source "../knowledge/ad-acmecorp_Router.dxc";
- Verify that the PS_Access.dxc file has been amended to grant the relevant access rights
Using Windows Explorer, go to the following directory:
%dxhome%\config\access
and review the sections that were added to the file.
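The three verification steps above can be scripted so the same checks run identically on every rebuild. The following PowerShell script is an added example, not part of the CA SSO article or product; it assumes the data store was named ad-acmecorp, that %DXHOME% points at the CA Directory installation, and that the generated router file follows the layout shown above. It also flags the two security-relevant findings a reviewer would look for: a clear-password bind to the DC on port 389 and a world-readable router file containing the DSA password.

```powershell
# Added example (not CA SSO code): check the CA Directory files generated for a new AD data store.
# Assumptions: data store name ad-acmecorp, $env:DXHOME set, router file named <store>_Router.dxc.
param([string]$DataStore = 'ad-acmecorp')

$DxHome = $env:DXHOME
if (-not $DxHome) { throw 'DXHOME is not set; run this on the SSO Server where CA Directory is installed' }

$routerFile = Join-Path $DxHome "config\knowledge\$($DataStore)_Router.dxc"
$serversDxg = Join-Path $DxHome 'config\knowledge\PS_Servers.dxg'
$accessDxc  = Join-Path $DxHome 'config\access\PS_Access.dxc'
$problems   = @()
$dcHost     = $null
$dcPort     = 0

# 1. Router knowledge file exists and describes a read-only DSA that points at the DC
if (-not (Test-Path $routerFile)) {
    $problems += "missing router file $routerFile"
} else {
    $router = Get-Content $routerFile -Raw
    if ($router -notmatch 'set\s+dsa\s+AD_') { $problems += "no 'set dsa AD_...' entry in $routerFile" }
    if ($router -match 'address\s*=\s*tcp\s+"?([^"\s]+)"?\s+port\s+(\d+)') {
        $dcHost = $matches[1]; $dcPort = [int]$matches[2]
        Write-Host "Router DSA points to $dcHost port $dcPort"
        # A simple bind over plain LDAP sends the bind password in clear text.
        if ($dcPort -eq 389 -and $router -match 'auth-levels\s*=\s*clear-password') {
            Write-Warning 'DSA uses clear-password bind on port 389; bind credentials cross the network unencrypted'
        }
    } else {
        $problems += "no 'address = tcp ... port ...' line in $routerFile"
    }
    if ($router -notmatch 'dsa-flags\s*=\s*read-only') { $problems += "router DSA in $routerFile is not read-only" }
    # The DSA password is stored in clear in this file; it must not be readable by ordinary users.
    $acl  = Get-Acl $routerFile
    $wide = $acl.Access | Where-Object {
        $_.IdentityReference -match 'Everyone|\\Users$' -and $_.FileSystemRights -match 'Read' }
    if ($wide) { Write-Warning "$routerFile is readable by $($wide.IdentityReference -join ', ')" }
}

# 2. PS_Servers.dxg sources the router file
$routerName = "$($DataStore)_Router.dxc"
if (-not (Select-String -Path $serversDxg -Pattern $routerName -SimpleMatch -Quiet)) {
    $problems += "$serversDxg does not source $routerName"
}

# 3. PS_Access.dxc has been amended for the new store; print the matching rules for review
$accessHits = Select-String -Path $accessDxc -Pattern $DataStore -SimpleMatch
if (-not $accessHits) {
    $problems += "$accessDxc contains no access rule mentioning $DataStore"
} else {
    $accessHits | ForEach-Object { "  PS_Access.dxc:$($_.LineNumber): $($_.Line.Trim())" }
}

# 4. The DC port the DSA will use is reachable from this server (Test-NetConnection: Win 2012+)
if ($dcHost) {
    $tcp = Test-NetConnection -ComputerName $dcHost -Port $dcPort -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { $problems += "cannot reach $dcHost port $dcPort from this host" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1
}
Write-Host "Data store $DataStore : router file, PS_Servers.dxg and PS_Access.dxc are consistent"
```

Run it once after the services have been restarted; a non-zero exit means one of the generated files is missing or inconsistent and the data store should not be trusted until the cause is found.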
Note:
These steps only need to be performed once for the entire SSO Server farm (there is no need to repeat them on the other farm members); the configuration changes are propagated to all farm member servers.
For SSL configuration of the ADS integration, see:
How to set up SSL Between the SSO Server (with embedded CA DIR r12 SP2 and newer) and Microsoft Active Directory Datastore?