Description:
Most companies have an LDAP implementation (such as Active Directory) where they store their user information. You can integrate EEM with LDAP but there are some steps that must be followed to allow the user to login to ITPAM.
Solution:
NOTE: Before pointing EEM to your LDAP server you must register the ITPAM application with EEM. Registering the application with EEM must be done while EEM is still pointing to the internal data store and not to your LDAP server. This doc assumes that the ITPAM application has already been registered with EEM.
Begin by logging into EEM to the "Global" application as the EiamAdmin user.
<Please see attached file for image>
On the Manage Identities tab, you will see the PAMAdmin and PAMUser accounts that were created when you registered ITPAM with EEM.
<Please see attached file for image>
Click on the Configure tab and then on the EEM Server link and Global Users/Global Groups:
<Please see attached file for image>
Notice that EEM is currently storing users in the EEM internal datastore. We are going to select "Reference from an external directory".
<Please see attached file for image>
Selecting "Reference from an external directory" enables fields that can be set to point to your external directory server. Fill these fields in accordingly. If you do not know what values to fill in, talk to your company LDAP administrator for details.
<Please see attached file for image>
Once you have completed the fields, scroll to the right and at the top of the screen click Save.
<Please see attached file for image>
You should then see a success message:
<Please see attached file for image>
At the bottom of this screen you will see the following:
<Please see attached file for image>
Click the "Refresh status" link periodically until you see this:
<Please see attached file for image>
EEM is now successfully connected to your external directory. Next, find the users that you want to be able to log in to ITPAM and add them to the correct groups. To do this, log out of EEM and log back in to the ITPAM (Process Automation) application group as the EiamAdmin user:
<Please see attached file for image>
Click on Manage Identities and search for the username that you would like to have permissions to log into ITPAM and then click on that user to display the user details on the right.
<Please see attached file for image>
Scroll over to the far right at the top and click on the "Add Application user Details" button.
<Please see attached file for image>
That will show the following Application Group Membership details. Select the group or groups that you want this user to be a member of and click Save on the far right at the bottom of the screen.
<Please see attached file for image>
That user will now be able to log in to ITPAM with the permissions granted by the group or groups you added the user to.
NOTE: The PAMAdmin and PAMUser accounts that are set up when you register the ITPAM application with EEM are stored in the EEM internal datastore. When you point EEM at your LDAP directory server as we did above, PAMAdmin and PAMUser are no longer accessible and cannot log in to ITPAM. If you want to use these accounts with EEM pointed at your LDAP directory server, you will need to create them in your LDAP directory server.
LDAP groups will also be imported if you choose to import groups. With Active Directory, only "domain.local" groups, not "global" groups, will be imported.
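The two points above that trip people up are the directory values entered on the Configure tab and the loss of PAMAdmin/PAMUser once EEM references LDAP. The following pre-flight check is an added example, not CA or EEM code: it takes an `ldapsearch -LLL` export of the directory and reports, for each login you intend to grant ITPAM access, whether it resolves in LDAP or is an internal-datastore account that will be locked out. The login attribute (sAMAccountName), the sample entries and the user list are assumptions for illustration.

```python
"""Pre-flight check before switching EEM from its internal datastore to LDAP.
Added example, not CA/EEM code. Assumes LDIF as printed by `ldapsearch -LLL`
and an Active Directory login attribute; set LOGIN_ATTR to e.g. "uid" for
other directories."""
LOGIN_ATTR = "sAMAccountName"  # assumption: Active Directory login attribute
# Accounts created when ITPAM is registered with EEM; they exist only in the
# EEM internal datastore and stop working once EEM references LDAP.
EEM_INTERNAL_ACCOUNTS = {"PAMAdmin", "PAMUser"}

# Constructed sample of `ldapsearch -LLL` output (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=local
sAMAccountName: jdoe
memberOf: CN=ITPAM Operators,OU=Groups,
 DC=example,DC=local

dn: CN=Service Account,OU=Users,DC=example,DC=local
sAMAccountName: svc-itpam
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from plain LDIF (no base64 values)."""
    entries, attrs, dn, last = {}, {}, None, None
    for raw in text.splitlines():
        if raw.startswith(" "):            # ldapsearch wraps long lines
            if last is None: dn = (dn or "") + raw[1:]
            else: attrs[last][-1] += raw[1:]
            continue
        if not raw.strip():                # blank line ends an entry
            if dn: entries[dn] = attrs
            attrs, dn, last = {}, None, None
            continue
        key, _, val = raw.partition(": ")
        if key == "dn": dn = val; continue
        attrs.setdefault(key, []).append(val)
        last = key
    if dn: entries[dn] = attrs
    return entries

def check_logins(ldif_text, wanted):
    """'ok' = resolves in LDAP, 'internal-only' = EEM datastore account that
    will be locked out after the switch, 'missing' = no directory entry."""
    found = {v.lower() for e in parse_ldif(ldif_text).values()
             for v in e.get(LOGIN_ATTR, [])}
    return {u: "ok" if u.lower() in found
            else "internal-only" if u in EEM_INTERNAL_ACCOUNTS
            else "missing" for u in wanted}

if __name__ == "__main__":
    print(check_logins(SAMPLE_LDIF, ["jdoe", "PAMAdmin", "bob"]))
```

Run it against a real export (`ldapsearch -LLL -H ldap://server -D "<bind DN>" -W -b "<base DN>" "(objectClass=user)" sAMAccountName memberOf > export.ldif`) using the same bind DN and base DN you plan to enter in EEM, so a wrong value shows up here rather than after you click Save.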
Above steps