Description:

This document describes how to integrate Microsoft Active Directory as a User Data Store for the CA SSO Server. It demonstrates the procedure step-by-step utilising the built in automatism available in CR5 and later.

Note that even now with Microsoft Active Directory Store (ADS) as the user data store the CA SSO Server still maintains SSO-specific user information, such as application or logon information in the embedded CA Directory.

CA SSO just retrieves user information from the ADS without modifying it in any way.

Solution:

Note:

The following procedure assumes that the ADS computer (Domain Controler, DC) host name is "ADServer1", your domain name is "acmecorp", and that you have an employee named Prani Patil who works in the Help Desk department. Replace this information with information specific for your organization.

Prani Patil is used by SSO Server to connect to AD to authorise SSO Client login requests.

(There is no need for Prani Patil to be an administrative user but it must not be limited in read access to the entire AD tree.)

Follow these steps:

1. Log in to the Policy Manager to any SSO farm member server
   
   The tabs for your user privileges appear.
   
   
2. Click Resources, Single Sign-On Resources, User Resources, Datastores
   
   The Datastores pane appears.
   
   
3. Right-click in the Datastores pane and select New
   
   The Create New USER_DIR Resource dialog appears.
   
   
4. Complete the fields in the General dialog
   
   The following fields are not self-explanatory:
   
   Name
   
   Specifies the name of the new user data store on the CA SSO Server.
   
   Example: ad-acmecorp
   
   Data Store Type
   
   Specifies the data store type. Select AD.
   
   Owner
   
   Specifies the owner of the data store. To create an Active Directory user data store, leave the option blank.
   
   Base Path
   
   Specifies the user data store base path.
   
   Example: dc=acmecorp,dc=com
   
   Comment
   
   Specifies an additional description about the data store.
   
   Example: Active Directory data store.
   
   Host
   
   Specifies the hostname of the CA SSO Policy Server. Enter localhost.
   
   Port
   
   Specifies the port of the CA Directory. Enter the port as 13389.
   
   

   <Please see attached file for image>

   
   
   
5. Click the Directory Configuration icon
   
   The Directory Configuration pane appears.
   
   
6. Complete the fields in the directory configuration dialog:
   
   Hostname
   
   Specifies the host name value of the Active Directory domain controller.
   
   Example: ADServer1
   
   Admin
   
   Specifies the name of a permanent user. The user need not be an administrator.
   
   Example: Admin: cn=Prani Patil, ou=Help_Desk, DC=acmecorp, DC=com
   
   Password
   
   Specifies the password of the user.
   
   Confirm Password
   
   Specifies the password of the user.
   
   

   <Please see attached file for image>

   
   
   
7. Click Advanced
   
   The Advanced Data Store Properties dialog appears.
   
   
8. Modify the following fields in the Advanced Data Store Properties dialog:
   
   Container Classes : container,organization,organizationalUnit,builtinDomain,country
   
   Note: The Containers Classes field determines the classes the Policy Manager interprets as containers. Any typographical error causes problems when viewed in the Policy Manager.
   
   Login Info Container DN : ou=ad-acmecorp,ou=LoginInfos,o=PS
   
   Note: Remove the angle brackets "<" and ">" that appear in the LoginInfoContainerDN field. They indicate that you must enter text.
   
   

   <Please see attached file for image>

   
   
   
9. Click OK twice
   
   The Active Directory user data store is created.
   
   
10. Stop and Start the following services:
    
    
    • CA SSO Server Service
      
      
    • CA Directory - PS ACMECORP and CA Directory PSTD ACMECORP Services
      
      Note: For more information about restarting CA SSO and CA Directory services, see Chapter 14: Maintenance in the CA SSO Administration Guide.
      
      
11. Using Windows Explorer, go to the following directory:
    
    %dxhome%\config\knowledge
    
    
12. Verify that the router file e.g. "AD-ACMECORP_Router.dxc" has been created
    
    This file creates a router DSA named AD_ACMECORP_Router on SSOServer1; it points to the Active Directory AcmeCorp on ADServer1.
    
    Its contents should look like:

    set dsa AD_ad-acmecorp_Router = 	{ 	prefix = <dc "com"><dc "acmecorp"> 	native-prefix = <dc "com"><dc "acmecorp"> 	dsa-name = <o AD_ad-acmecorp ><cn AD_ad-acmecorp_Router> 	dsa-password = "secret" 	address = tcp "ADServer1" port 389 	auth-levels = clear-password, ssl-auth 	dsa-flags = read-only 	trust-flags = allow-check-password, no-server-credentials 	link-flags = dsp-ldap, ms-ad 	}; 	set transparent-routing = true ; 

    
    
13. Verify that the PS_Servers.dxg file is sourcing the newly created Router config file

     	source "../knowledge/PS_ACMESSO121.dxc"; 	 	source "../knowledge/PSTD_ACMESSO121.dxc"; 	 	source "../knowledge/ad-acmecorp_Router.dxc"; 

    
    
14. Verify that the PS_Access.dxc file has been amended to grant the relevant access rights
    
    Using Windows Explorer, go to the following directory:
    
    %dxhome%\config\access
    
    and review the added sections to the file
    
    Note:
    
    This steps only need to be done once for the full SSO Server farm (no need to repeat the steps at other farm members), the configuration changes are propagated to all farm member servers
    
    For SSL configuration of the ADS integration please see
    
    How to set up SSL Between the SSO Server (with embedded CA DIR r12 SP2 and newer) and Microsoft Active Directory Datastore?