Re-configure tibco-admin user from internal to external LDAP in BPM Enterprise 4.x


Article ID: KB0071230


Products: TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM)
Versions: 4.2.0, 4.3.0, 4.3.1, 4.3.2

Description

During installation, a BPM Server can be configured with an internal or an external LDAP. When an internal LDAP is chosen, the internal LDAP with a few users is deployed on the first BPM Node. The installation process also creates the tibco-admin user, which is a user on the internal LDAP.

Note:
- This internal LDAP cannot be distributed to additional nodes.
- The internal LDAP is not supported in a distributed BPM environment.

The Resolution section of this article provides steps to re-configure tibco-admin to use an external LDAP and remove the internal LDAP.

Issue/Introduction

Re-configure tibco-admin user from internal to external LDAP in BPM Enterprise 4.x

Environment

All

Resolution

Follow the steps below to reconfigure the tibco-admin user to use an external LDAP account:
  1. Identify an account on the external LDAP to be used for tibco-admin.
  2. Create LDAP Authentication and Connection resource templates (RTs).

i.) Create RT for LDAP Authentication:

a.) Go to Admin UI → Shared Object → Resource Template.

b.) Click on the new button and select the LDAP Authentication in the drop-down for type.

c.) The name of the RT must be in the format amx.bpm.auth.<LDAPAlias>, and the scope of the RT must be on the ‘amx.bpm.app’ level.

d.) Provide the details and save.

e.) Create and install the resource instance (RI) on the BPMNode(s).

You may refer to the screenshot below for the details:

[Screenshot: LDAP Authentication resource template details]

ii.) Create RT for LDAP Connection:

a.) Go to Admin UI → Shared Object → Resource Template.

b.) Click on the new button and select the LDAP Authentication in the drop-down for type.

c.) Name of the RT must be in the format of ldap/de/<LDAPAlias>. And the scope of the RT must be on the ‘amx.bpm.app’ level.

d.) Provide the details and save.

e.) Create and install the RI on the BPMNode(s).

You may refer to the screenshot below for details:

[Screenshot: LDAP Connection resource template details]

3. Change the de.properties.

i.) In the de.properties file, change the following properties:

a.) AdminLdapAlias:

Provide the alias name of your external LDAP server. It has to be the same alias that you provided when naming the RT (example: amx.bpm.auth.<LDAPAlias>).

AdminLdapAlias=Ompatil

b.) AdminLdapDn:

Provide the DN of the user whom you want to make the admin user in BPM.

You will use the username ‘tibco-admin’ and the password of this user to log in as the admin user in the workspace/openspace.

You also need to provide the delimiter (a backslash) for each ‘=’ sign inside the DN value, as the example shows.

Example:

AdminLdapDn=uid\=ompatil,ou\=People,dc\=example,dc\=com

If you want to change the username of tibco-admin, update the property AdminLdapName.
 

4. Restart the BPM Node(s)
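
A check that can be run against the edited de.properties text before the restart in step 4, as an added example that is not part of the original article or of TIBCO's tooling. It assumes de.properties follows Java .properties syntax (the reader here is a minimal one, without line continuations or \uXXXX escapes) and treats easyAs and system, the default internal LDAP aliases named in the removal steps, as internal; the function names are hypothetical and the sample text is constructed from the article's example values.

```python
import re

# Default internal-LDAP aliases, taken from the resource instances the article lists.
INTERNAL_ALIASES = {"easyAs", "system"}

def load_properties(text):
    """Minimal .properties reader: key=value lines, #/! comments, backslash escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # Key ends at the first unescaped '=' or ':'.
        m = re.match(r"((?:\\.|[^=:\\\s])+)\s*[=:]\s*(.*)$", line)
        if m:
            # Drop one level of backslash escaping, so 'uid\=x' becomes 'uid=x'.
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props

def check_admin_ldap(text):
    """Return (problems, expected resource template names) for de.properties text."""
    props = load_properties(text)
    alias = props.get("AdminLdapAlias", "")
    dn = props.get("AdminLdapDn", "")
    problems = []
    if not alias:
        problems.append("AdminLdapAlias is not set")
    elif alias in INTERNAL_ALIASES:
        problems.append(f"AdminLdapAlias still names internal LDAP alias {alias!r}")
    # Split the DN on unescaped commas; every RDN must look like attr=value.
    rdns = re.split(r"(?<!\\),", dn) if dn else []
    if not rdns:
        problems.append("AdminLdapDn is not set")
    elif not all(re.fullmatch(r"\s*[A-Za-z0-9][\w.-]*=.+", r) for r in rdns):
        problems.append(f"AdminLdapDn is not a well-formed DN: {dn!r}")
    # Names the RTs from step 2 must have for this alias to resolve.
    expected = [f"amx.bpm.auth.{alias}", f"ldap/de/{alias}"] if alias else []
    return problems, expected

# Constructed sample built from the article's example values.
SAMPLE = r"""
AdminLdapAlias=Ompatil
AdminLdapDn=uid\=ompatil,ou\=People,dc\=example,dc\=com
"""

if __name__ == "__main__":
    problems, expected = check_admin_ldap(SAMPLE)
    print("Resource templates that must exist:", expected)
    print("Problems:", problems or "none")
```

Compare the expected names it reports with the resource templates actually installed on the BPMNode(s) in the Admin UI; the script does not query the server.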

Once the login with the external LDAP is working, the steps below can be used to remove the internal LDAP:

1. Navigate to Admin UI --> Shared Object --> Resource Template, then uninstall and delete the resource instances used for the internal LDAP. By default, the following resource instances are configured for the internal LDAP. Please verify before performing any action.

a.) amx.bpm.auth.easyAs
b.) amx.bpm.auth.system
c.) ldap/de/easyAs
d.) ldap/de/system

2. Once the resource instance is deleted, you can delete the corresponding resource template.

3. Go to Applications --> expand the folder amx.bpm.shared.sysapps --> undeploy the "amx.bpm.apacheds" application.

4. Click on the application "amx.bpm.apacheds" --> Substitution Variable --> copy the value of the variable workingDirectory.

5. Go to the working directory path on the BPMNode server and delete the folder apacheds. This is needed because undeploying the apacheds application does not remove this directory.

6. Delete the amx.bpm.apacheds application from Administrator.
 

Additional Information

https://docs.tibco.com/pub/amx-bpm/4.3.0/doc/html/bpmhelp/GUID-03BA1E02-51CE-4724-BCEB-27C5DE898C73.html

https://docs.tibco.com/pub/amx-bpm/4.3.0/doc/html/bpmhelp/GUID-B677C97F-F976-4116-929D-FD4BFFAB166D.html

https://docs.tibco.com/pub/amx-bpm/4.3.0/doc/html/bpmhelp/GUID-70A4DD73-D6FD-4105-AD0F-B432CDD45959.html