Description

This document explains how to add a DXlink (connection to a third party LDAP server) connection using r12.0SP1 DXmanager.

The items required for a successful DXlink connection are:

1. A new namespace to be configured.
2. Hostname or IP address details and TCP port of the third party LDAP server - This host will need to be created within DXmanager.
3. A set of credentials that exist within the third party LDAP server.

Once you have the above information, please find the configuration procedure below.

Solution

Step 1: Start DXmanager

Start an Internet Explorer browser and type in your DXmanager URL. For windows, the URL is:

https://hostname:8443/dxmanager

Once the DXmanager login screen is displayed, login using the "DXmanager" set of credentials.

When the DXmanager UI has loaded, click the "Maps" tab and select the "namespace" map. This will present you with the currently configured DXmanager configuration.

<Please see attached file for image>

In the existing DXmanager configuration, there is a null prefix router and a data DSA known as "o=Democorp,c=au" configured. We will be adding to this existing configuration.

Step 2: Edit the configuration

Left click the arrow of the "Configuration" button which is in the top right corner of the screen and select the "Edit" option.

<Please see attached file for image>

Once DXmanager has entered edit mode, you will see a confirmation message displayed at the top of the DXmanager UI that reads:

<Please see attached file for image>

Step 3: Create a new namespace

In order for the DIT structure from the third party LDAP server to be displayed within the CA Directory DIT structure, a new namespace has to be created for it. This namespace serves as an anchor point within the CA Directory DIT for the third party LDAP server.

To create a new namespace follow the steps below:

1. Switch the map to namespace mode (if it's not already).
2. Move the mouse over the "c=AU" namespace and then click the right mouse button. Select the "Add a new partition" option.
3. The "New Namespace Partition" configuration screen is displayed.

Please fill out the configuration options as per the table below:

General Tab:

<Please see attached file for image>

Connections Tab:

<Please see attached file for image>

Console Tab:

<Please see attached file for image>

Monitoring Tab:

<Please see attached file for image>

Once you have configured the details of your third party LDAP server, please click the OK button to update the configuration. When the configuration has been successfully updated, the following confirmation message will be displayed.

<Please see attached file for image>

Once the configuration is updated, you will see the following namespace design:

<Please see attached file for image>

Please note: The reason why the "o=AD1,c=au" namespace is greyed out is due to the namespace not being instantiated on any host machine.

Step 4: Create the host LDAP server

The next step is to create the host server within the DXmanager "Topology" map. This provides the physical host details where the LDAP server is running.

To create the host LDAP server, follow the steps below:

1. Switch to the "Topology" map.

Please note: For this techdoc, the assumption is that the LDAP server is housed within the "DataCentre" site. If the LDAP server is housed in a location that is not yet part of the DXmanager map, then it may be required to create a new site.

2. Right click on the "DataCentre" site and select the "Add a new host to the site" option. This will present you with the "New Host" configurtaion screen.

<Please see attached file for image>

Configure the options as per the table below:

General Tab:

<Please see attached file for image>

Connections Tab:

Type in the IP address of the third party LDAP server into the Network Address field, and click the "Add" button. Once you have configured this screen, click the "OK" button to update the configuration. Once the configuration has been updated, you will see that the DSA Topology screen will be updated with the new configuration:

<Please see attached file for image>

Step 5: Instantiate the DXlink DSA upon the LDAP server host

The last step in the configuration process is to instantiate a DXlink DSA. This DXlink DSA is a CA Directory reference to the third party LDAP server instance running on the host created in step 4.

To instantiate the DXlink DSA follow the steps below:

1. Right click the host "ThirdPartyLDAPHost" and select the "Instantiate a new partition on this host", then "LDAP", and then "MS Active Directory Server" options. If your LDAP server is not an Active Directory server, then choose the most suitable third party LDAP server definition available.

<Please see attached file for image>

• The configuration screen titled "New DSA" will be displayed. This screen contains a pulldown list of the available namespaces for you to choose from. Click the pull down list and select "ActiveDirectory1".

<Please see attached file for image>

• Click the "Next" button.

Please fill out the details as per the following table:

General Tab:

Setting	Value
Display Name	AD1 (This is a placeholder value which can be anything, but make it descriptive)
Native Prefix	O=CA, c=AU (This is level in the third party LDAP server's DIT structure which CA Directory is going to map to)

<Please see attached file for image>

Connections Tab:

<Please see attached file for image>

• Click the "Finish" button.

The LDAP proxy credentials are only used under the following circumstances:

1. It is used when either a user's credentials are outside the LDAP server OR
2. If the requests have multiple hops before getting to the LDAP server.

Even though you've provided a set of credentials in the above screen, we will be using "pass-through" authentication in order to perform our bind in the following test. Click "Finish" to conclude the configuration process. Once the configuration is updated, there will be a confirmation message displayed that reads:

<Please see attached file for image>



Also, the Topology map will be updated to reflect that the third party LDAP server DSA has been instantiated.

<Please see attached file for image>



Step 6: Deploying the new DXmanager configuration

Now that the new DXmanager configuration has been created, it's now time to deploy the configuration. The process of deploying the configuration updates all CA Directory hosts with the new configuration.

Follow the steps below to deploy the new configuration:

1. With your mouse, left click the arrow of the "Configuration" button which is in the top right corner of the screen and select the "Deploy" option.

<Please see attached file for image>

• The deployment of a DXmanager configuration is performed in two parts. Firstly DXmanager saves the whole configuration. The "Save Configuration" dialogue requires you to type in a specific comment that is used to describe this version of the configuration being saved.

<Please see attached file for image>

Once you've typed in a suitable comment, click the "OK" button to save the configuration.

• The deployment of the DXmanager configuration is then automatic. Once the configuration has been deployed you will see a confirmation message displayed at the top of the GUI that reads:

<Please see attached file for image>

Also, the Topology will be updated with the runtime monitoring icons which indicate that you have exited "edit" mode and entered "monitoring" mode.

<Please see attached file for image>

The icons for the third party LDAP server will indicate that it's unknown (question marks), as the status of the third party LDAP server cannot be determined by DXmanager as there is no process running on it capable of reporting it's status to DXmanager.

Step 7: Testing connectivity to the LDAP server

Now that the configuration has been deployed, connectivity to the LDAP server should be performed in order to confirm that the DXmanager configuration has been defined and deployed correctly.

To test connectivity, please follow the steps below:

1. Launch the JXweb web browser or other LDAP browser and use the connection details below to bind to the directory.

The reason why you need to change the beginning of the bind DN, is that CA Directory is only able to reference the anchor point in the DIT that references the AD DIT structure. In this example the native prefix is "o=CA,c=AU" and the CA Directory namespace is "o=AD1,c=AU".

When binding to the CA Directory as a bind DN that exists in the LDAP server, use the following process:

In this example the set of bind credentials that exist within the Active Directory server is: cn=Chris Hanlen,ou=Staff,ou=R&D,o=CA,c=AU. In order to bind as this use to the CA Directory, you need to replace the "native-prefix (o=CA,c=AU) with the CA Directory prefix (o=AD1, c=AU). This means that the bind DN that should be used to bind to the CA Directory is: cn=Chris Hanlen,ou=Staff,ou=R&D,o=AD1,c=AU.

Below is an example connection dialogue using the above settings:

<Please see attached file for image>

When the connection dialogue has been completed, click the "Connect" button to establish connection with the CA Directory.
To confirm that the CA Directory DXlink DSA is accessing the third party LDAP server, open up a browser to the third party LDAP server directly, and one to CA Directory.

Please note: That the native prefix of the LDAP server (o=CA,c=AU) has been "prefix mapped" to the CA Directory namespace of "o=AD1, c=AU".

Native LDAP Server DIT Example

<Please see attached file for image>

CA Directory DIT Example

<Please see attached file for image>