How to determine the correct settings for LDAP authentication in BE/RMS

Article ID: KB0072532

Products/Versions: TIBCO BusinessEvents Enterprise Edition 6.1 and later

Description

We need to configure BE/RMS to use LDAP authentication. How can we determine the appropriate configuration settings for our LDAP server?
 

Issue/Introduction

Outlines the general steps for determining the appropriate LDAP authentication settings for BE/RMS.

Resolution

A successful LDAP authentication configuration requires the following:
  1. The LDAP host name and port.
  2. The full distinguished name (DN) and password of an existing LDAP user (a.k.a. principal) who will serve as the administrative user for BE/RMS LDAP authentication.
  3. A known set of LDAP groups which can be mapped to roles in BE/RMS. These roles grant access to specific project resources, as defined in your Access Control files (*.ac).

First, determine the LDAP host name and port. You can obtain this information from your IT team, but you can also try to determine the correct values using Windows PowerShell:

> nslookup -type=srv _ldap._tcp.yourdomain.com | findstr "Server: "
Server: ldap1.yourdomain.com

In the above example, the server name is ldap1.yourdomain.com. NOTE: If the returned value does not appear to be correct after your first configuration/deployment attempt, try instead the DNS form of your base DN (e.g. region.yourdomain.com for DC=region,DC=yourdomain,DC=com).

To find the port, run:

> nslookup -type=srv _ldap._tcp.yourdomain.com | Select-String -Pattern "ldap1.yourdomain.com" -Context 1,0

> Server:  ldap1.yourdomain.com
          port           = 389
>         svr hostname   = ldap1.yourdomain.com

Here, the LDAP port is 389 (the line above the matched "svr hostname" entry, printed as context by Select-String).

Next, determine which LDAP user will be specified as the administrative user in your BE/RMS LDAP authentication configuration. These user credentials should be obtained from your IT team.


Next, determine the LDAP groups which will be mapped to roles in BE/RMS. Again, these group names may be obtained from your IT team. Choose one or more of these groups and use their full DNs to configure roles in your access control files. If you're running the RMS out-of-the-box sample project, those *.ac files are located (by default) under $BE_HOME/rms/config/security/. In your *.ac files, replace the default Administrator role with one of the LDAP group DNs. For example:

<entries>
  <entry>
    <role name="CN=Product Support,OU=Groups,DC=region,DC=yourdomain,DC=com"/>
    <permissions>
      ...

Finally, edit the LDAP section in your RMS.cdd under $BE_HOME/rms/bin/ as follows:
 
<property-group comment="" name="LDAP">
  <property name="be.auth.type" type="string" value="ldap"/>
  <property name="be.auth.ldap.host" value="ldap1.yourdomain.com"/>
  <property name="be.auth.ldap.port" value="389"/>
  <property name="be.auth.ldap.adminDN" value="CN=James Joyce,OU=Dublin,OU=Users,DC=region,DC=yourdomain,DC=com"/>
  <property name="be.auth.ldap.adminPassword" value="*****"/>
  <property name="be.auth.ldap.baseDN" value="DC=region,DC=yourdomain,DC=com"/>
  <property name="be.auth.ldap.roleAttr" value="member"/>
  <property name="be.auth.ldap.uidattr" value="cn"/>
  <property name="be.auth.ldap.objectClass" value="*"/>
  <property name="be.auth.ldap.useRoleDN" value="true"/>
</property-group>

This will allow you to log in to your local RMS server (http://localhost:8090/WebStudio/resources/#/dashboard) using your LDAP Common Name (the CN= portion of your full distinguished name). In the above example, the Common Name of the admin user is: James Joyce.
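The following PowerShell pre-flight script is an added example, not part of this KB article or of the BE/RMS product, that checks each of the values above before they go into RMS.cdd: it reads the _ldap._tcp SRV record for the host and port, confirms the port is reachable, binds as the admin DN, and verifies that the group DN used in the *.ac file exists and carries the "member" attribute that be.auth.ldap.roleAttr reads. It assumes the example domain, admin DN and group DN from this article and a Windows PowerShell 5.1 host with the DnsClient and NetTCPIP modules available.

```powershell
# Added pre-flight check (not part of the KB article). Domain, admin DN and
# group DN below are the article's example values; replace them with yours.
param(
    [string]$Domain  = 'yourdomain.com',
    [string]$AdminDN = 'CN=James Joyce,OU=Dublin,OU=Users,DC=region,DC=yourdomain,DC=com',
    [string]$GroupDN = 'CN=Product Support,OU=Groups,DC=region,DC=yourdomain,DC=com'
)

# 1. Host and port: read the _ldap._tcp SRV records directly and take the
#    preferred target (lowest priority, then highest weight).
$srv = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'SRV' } |
       Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
       Select-Object -First 1
$ldapHost = $srv.NameTarget
$ldapPort = $srv.Port
Write-Host "be.auth.ldap.host = $ldapHost"
Write-Host "be.auth.ldap.port = $ldapPort"

# 2. Reachability: confirm the port actually accepts TCP connections.
if (-not (Test-NetConnection -ComputerName $ldapHost -Port $ldapPort -InformationLevel Quiet)) {
    throw "TCP connection to ${ldapHost}:${ldapPort} failed"
}

# 3. Admin bind: prove the adminDN/adminPassword pair is accepted. The password
#    is read as a SecureString so it never lands in the script or the history.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$securePwd  = Read-Host -Prompt "Password for $AdminDN" -AsSecureString
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldapHost, $ldapPort)
$credential = New-Object System.Net.NetworkCredential($AdminDN, $securePwd)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier, $credential, 'Basic')
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # throws LdapException if the DN or password is wrong
Write-Host "Bind as $AdminDN succeeded"

# 4. Role group: confirm the group DN from the *.ac file exists (base-scope
#    search) and read its 'member' attribute, i.e. be.auth.ldap.roleAttr.
$request  = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $GroupDN, '(objectClass=*)', 'Base', @('member'))
$response = $conn.SendRequest($request)
if ($response.Entries.Count -ne 1) { throw "Group DN not found: $GroupDN" }
$attr    = $response.Entries[0].Attributes['member']
$members = if ($attr) { $attr.GetValues([string]) } else { @() }
Write-Host "Group $GroupDN has $($members.Count) member(s)"
if ($members -notcontains $AdminDN) {
    Write-Warning "$AdminDN is not listed in the member attribute of $GroupDN"
}
$conn.Dispose()
```

If step 1 returns a target that differs from the nslookup "Server:" line above, prefer the SRV target, since that record names the directory server itself rather than the DNS resolver that answered.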
 

Additional Information

For more details on LDAP auth, please refer to the Administration guide under the sub-heading "LDAP Authentication Properties for the CDD File".