Description:

This document explains the steps involved in configuring CA Business Intelligence (CABI) R3 for LDAP authentication. It also describes the changes required within CA Service Desk Manager (CA SDM) to integrate with CABI using LDAP authentication.

Solution:

Steps to configure LDAP authentication within CABI

1. Login to the CABI Central Management Console (CABI) with an Administrator account.
2. On the home screen, select AUTHENTICATION.
   
   

   <Please see attached file for image>

   
   
   
3. In the Authentication window, double-click on LDAP.
   
   

   <Please see attached file for image>

   
   
   
4. Click on the 'Start LDAP Configuration Wizard' button.
   
   

   <Please see attached file for image>

   
   
   
5. In the 'Add LDAP host' field, add the LDAP hostname with the port number of the LDAP server as LDAP_hostname:port_number and click on the ADD button and click NEXT.
   
   

   <Please see attached file for image>

   
   
   
6. Select the LDAP Server Type from the drop down. In this example, Microsoft Active Directory Application server is used.
   
   

   <Please see attached file for image>

   
   
   All LDAP environments and configurations are different in one way or another so you may have to change the attribute mappings. If unsure about the attribute mappings, please consult with your LDAP Administrator for the exact attribute settings to be used.
   
   If you click 'Show Attribute Mappings' you will have the ability to change the LDAP attribute mappings.
   
   

   <Please see attached file for image>

   
   
   Typical Microsoft Active Directory Mappings would look like this.
   
   Note: Notice that if you change any of the Attribute Mappings, the LDAP Server Type will change to CUSTOM - this is expected.
   
   

   <Please see attached file for image>

   
   
   
7. Click NEXT.
8. In the Base LDAP Distinguished Name field, enter the Search Base (i.e O=Myorg,DC=MyDomain) and click on NEXT.
   
   

   <Please see attached file for image>

   
   
   
9. In the Distinguished Name field enter, the LDAP DN of the user who has access to the LDAP server. In the Password field, enter the password for the user entered. LDAP Referral Credentials should be provided only if all the following apply (usually not required:
   
   • The primary LDAP host has been configured to refer to another directory server that handles queries for entries under a specified base
   • The LDAP host being referred to has been configured to not allow anonymous binding
   • A group from the LDAP host being referred to will be mapped to CABI
   
   Click NEXT to continue.
   
   

   <Please see attached file for image>

   
   
   
10. Select Basic (no SSL) in the Type of SSL authentication drop-down field and click NEXT.
    
    

    <Please see attached file for image>

    
    
    
11. Slect Basic (No SSO) in the Authentication drop-down field and click NEXT.
    
    

    <Please see attached file for image>

    
    
    
12. In the LDAP Aliases Configuration screen, it is recommended to use the following settings:
    
    

    <Please see attached file for image>

    
    
    Click NEXT to continue.
    
    
13. Click FINISH to save the LDAP settings entered.
    
    

    <Please see attached file for image>

    
    
    
    
14. In the Mapped LDAP Members Groups section, specify the LDAP group(s) which contains the LDAP users who will need access to CABI Reports. You can enter either the CN or the DN of the LDAP group and then click on the ADD button.
    
    

    <Please see attached file for image>

    
    
    
    
15. Click the UPDATE button at the bottom of the page. At the top, you should see the message LDAP Authentication Updated.
    
    

    <Please see attached file for image>

    
    
    
16. Click on the HOME

    <Please see attached file for image>

    button to return to the home page of the Central Management Console.
17. Click USERS AND GROUPS and then select USERS LIST. From the list of users, you should now see CABI accounts for the LDAP users that are in the LDAP group(s) you specified in step #14.
18. Click on GROUP LIST. You should see the LDAP group(s) entered in step #14 listed. Depending on the CABI report rights you wish to assign to the LDAP users, add the LDAP group to one of the out of box CABI CA Report groups - CA Report Admin, CA Report Author or CA Report Viewer.

Note: At a minimum, CABI users must be at least a member of the CA Report Viewer CABI group in order to view/run CABI reports.

Steps to configure CABI options in CA SDM for LDAP authentication

1. Login to CA SDM with an account that has Administrator privileges
2. Navigate to ADMINISTRATION-> OPTIONS MANAGER-> WEB REPORT
3. Change the BO_SERVER_AUTH option to secLDAP
   
   Note: This document presumes that the other necessary steps to integrate CABI with CA SDM have already been performed. If not, please refer to the 'Integrate CA Business Intelligence with CA SDM' section of the CA SDM Implementation Guide for further details.
   
   Note: As long as the BO_SERVER_AUTH option is "Installed", it does not matter what value it is set to (ex: secExternal or secLDAP etc.,) Just Installing the option is good enough for CA SDM.
   
   
4. Recycle the CA SDM service for the change to take effect.
5. Login to CA SDM with a user that has a LDAP CABI account and click on the REPORTS tab. The CABI reports are displayed after the user is authenticated by both the LDAP server and CABI.