Cool Solutions for LDAP and AR System - · PDF file– Novell eDirectories ... the Login Name, ... • Provides a method of searching multiple Base DNs without creating multiple

9/2/2006

Cool Solutions for LDAP and AR System

9/2/2006 ©2006 BMC Software2

Introduction

› IT organizations often maintain systems containing data that can be useful in conjunction with BMC Remedy packaged applications

– Active Directories– Novell eDirectories– SunONE Directory Server– Open LDAP

› This data can be used for authentication, populating menus, filling in related data for users and assets, and many other purposes

› When that data is accessible through the LDAP protocol, it can be integrated into your BMC Remedy applications

› At the same time, corporate policies require tighter control over login processes and user account maintenance

› The goal of this session is to provide some innovative, or ‘cool’, solutions for leveraging this IT information

9/2/2006 ©2006 BMC Software3

Session Overview

› Overview of LDAP Integration functionality› Authenticating with LDAP

– Obtaining User Login Information– AREA LDAP Login Methodology

› Configuring AREA LDAP– Group Mapping– Authentication Chaining– AREA HUB

› Using AREA LDAP– Scenarios

› Configuring ARDBC LDAP Vendor Forms– ARDBC LDAP Configuration Form – ARDBC LDAP Vendor Form Properties

› Using ARDBC LDAP Vendor Forms– Populating Internal Forms from LDAP data

9/2/2006 ©2006 BMC Software4

Functionality Overview

› AREA LDAP– Validating passwords against an LDAP Server

• Cross-Reference-Blank-Password• User Exists in User form with Blank Password• All user information is stored within the AR System• LDAP is only used to validate the password

– Authenticating a user that exists only in an LDAP Server• Authenticate Unregistered Users• User does not exist in User form• All user information is obtained from LDAP

9/2/2006 ©2006 BMC Software5

Functionality Overview

› ARDBC LDAP– Directly querying external LDAP data via vendor forms

• Provides access to the LDAP Search URL to provide greater control• BaseDN can be provided on-the-fly to allow greater flexibility• Multiple types of objects and multiple hosts can be queried by creating separate

vendor forms– Joins are not allowed with Vendor forms

– Populating internal forms from LDAP data• Use ‘Push Fields’ action to update and create data in a regular form• Escalations can be used to automate the ‘push’• Server-side table looping can help make this more efficient

– Driving menus and picklists from external LDAP data

9/2/2006 ©2006 BMC Software6

Authenticating With LDAP

› Obtaining User Login information – ControlStruct

• Every API call includes:– Login name– Password– Authentication string (optional)

• User Tool– Login prompt– Do Not Prompt for Login (registry)– ARSSOInfo.dll (see Single Sign-On White Paper 7.0 )

• Web Browser client– Login.jsp– Direct Access URL– Authenticator customizations (see Single Sign-On White Paper 7.0 )– Next release will add support for SSO over WAM (BMC Web Access Manager)

› Variables passed to AREA– $\USER$ login name of user or the value from fieldid 117 in user form– $\DN$ distinguished name of login user– $\AUTHSTRING$ the value that user typed into the Authentication String prompt or

the value from fieldid 118 in user form

9/2/2006 ©2006 BMC Software7

Authenticating With LDAP

› AREA LDAP Login Methodology– The AREA LDAP plug-in performs the following steps to authenticate a user:

1. Bind to the AREA Host as the user defined in the Distinguished Name field2. Perform a query using the Host Name, Port Number, User Base, and User Filter

fields– If a user is not found, return an invalid user error, otherwise continue.

3. Return the Distinguished Name of the user as well as all available attributes These attributes may be used to assign email address, license information, etc.

4. Bind as the Distinguished Name found in step 3 with password passed from the AR Client

– If Bind fails, return error (ARERR [623] Authentication failed), otherwise continue5. Perform a query using the Host Name, Port Number, Group Base, and Group

Filter fields to return a list of groups the user belongs to

9/2/2006 ©2006 BMC Software8

Configuring AREA LDAP

›AREA LDAP Configuration Form

9/2/2006 ©2006 BMC Software9


› AREA LDAP Configuration Form– Host

• Domain or Server name• Multiple server names

– Space separated list» Size increased from 64 to 255

– Provides Failover capability– User Base

• Use $\AUTHSTRING$ to make this dynamic– Example: set User Base to “$\AUTHSTRING$o=bmc”

add fieldid 118 to User form and set it to a value of “ou=Support,”during the LDAP login, a BaseDN of “ou=Support,o=bmc” will be used

– Group Base• 7.0 Now searches sub-folders. This adds a lot more flexibility to finding groups

9/2/2006 ©2006 BMC Software10


› BMC Remedy Administrator Tool› Group Mapping

– Allows 2 separate lists of Groups to be used together

– IT no longer has to spend extra time accommodating the AR System Group names

– Many LDAP groups can map to a single AR System group

• Not vice versa› Ignore Excess Groups

– Exact match of list no longer required

– Leading Search is used• LDAP group ‘Administrators’

will equate to AR System group ‘Adminstrator’

Note: Active Directories: Primary Group is stored separately and not returned

9/2/2006 ©2006 BMC Software11


› Authentication Chaining– Allows Administrator to specify order of authentication when using Internal

(ARS) and External (AREA) accounts– Also provides a method of using OS authentication in conjunction with AREA– Users that reside internally but authenticate externally will be allowed to use

internal user information such as Licenses, Groups, eMail address, etc.

9/2/2006 ©2006 BMC Software12


› AREA HUB– Automatically configured by the AREA LDAP Configuration workflow– Allows multiple LDAP Servers to be authenticated against– First successful login wins– Eliminates some of the need to chase referrals

9/2/2006 ©2006 BMC Software13

Using AREA LDAPUser

AR System Database

AR System Server

› Login Scenario #1– Simplest case– User logs into the AR System server with an Account that resides

in the User form

9/2/2006 ©2006 BMC Software14

Using AREA LDAP

User

› Login Scenario #2– AREA is used with Cross-Reference–Blank-Passwords to validate

the user– User account exists in the User form with a blank password

AR System Server

LDAP Database

AR System Database

9/2/2006 ©2006 BMC Software15

Using AREA LDAP

› Login Scenario #3– AREA is used Authenticate-Unregistered-Users to authenticate

and identify the user from an LDAP database– User does not exist in the User form

AR System Server

User AR System Database

LDAP Database

9/2/2006 ©2006 BMC Software16

Using AREA LDAP

AR System Server

› Login Scenario #4– Using AREA HUB, user accounts can exist in multiple LDAP

databases– User may or may not exist in the User form

User AR System Database

LDAP Database 3LDAP Database 2LDAP Database 1

9/2/2006 ©2006 BMC Software17

Using AREA LDAPUser 1

AR System Database

LDAP Database 1Windows Domain Controller

User 2

User 2

LDAP Database 2

› Login Scenario #5– Some users exist as an OS account, others are LDAP users

9/2/2006 ©2006 BMC Software18

Using AREA LDAP

User

› Login Scenario #6– User exists in LDAP but with different login name than what he

uses in AR System

AR System Server

LDAP Database

AR System Database

Login alias: Bob(fieldid 117)

9/2/2006 ©2006 BMC Software19

Using AREA LDAP

User

› Login Scenario #7– User Login information is obtained automatically through the new

ARSSOInfo.dll– AREA logs user into the LDAP Server

AR System Server

LDAP Database

AR System DatabaseARSSOInfo.dll

Login name: User1Password: abc

9/2/2006 ©2006 BMC Software20

Using AREA LDAP

› Note on RSA SecureID Support:– Each unique combination of Login name, password, authentication string

constitutes a distinct user in the AR System server’s internal user list– When using SecureID systems, the password may change every 60 seconds– If user does not cleanly ‘logout’, such as when exiting the Web Tool, user is

still on the active list in AR Server– If user logs in again with a different password, due to SecureID, this will be

considered a new distinct user and will create an additional entry in AR Server

– This may cause an addition license token to be consumed– Solution: AR System 7.0 will consider the new user to be the original user if

the Login Name, Authentication String, and Group List is the same and only the Password is different

9/2/2006 ©2006 BMC Software21

Configuring ARDBC LDAP Vendor Forms

› ARDBC LDAP Configuration Form– Host (same features as AREA)– Directory Page Size (no. of records)

• Performance Tuning• Large Datasets, such as Discovery, benefit from setting this accurately

– LDAP Date/Time formats are configurable• Generalized Time, AD Generalized Time, UTC Time

9/2/2006 ©2006 BMC Software22


– Base DN for Discovery• Discovery is much more thorough and time consuming• Reduce the scope to specific portions of the LDAP tree

– ARDBC Plugin Cache• Vendor form query results will be cached on AR Server• Speeds up commonly used queries, such as menus and picklists

9/2/2006 ©2006 BMC Software23


– Example:• Base DN for Discovery

– ou=Support,ou=Americas,o=largecompany

o=largecompany

ou=APAC ou=Americas ou=EMEA

ou=R&D ou=Sales ou=Support ou=QA Ou=sales ou=Support ou=sales

Cn=users Cn=groups Cn=computers

9/2/2006 ©2006 BMC Software24


› Vendor Form Wizard– New ‘Load’ button allows user defined table and refreshes tables and columns– New button to define the RequestID field

9/2/2006 ©2006 BMC Software25


› Form Properties– Provides a mechanism to hardcode:

• Hostname• BaseDN• Search Range• Filter

9/2/2006 ©2006 BMC Software26


– Base DN field• Provides a method of searching multiple Base DNs without creating multiple

Vendor forms• Value can be provided through workflow

9/2/2006 ©2006 BMC Software27


– Example:• Base DN field

– Selectively search specific portions of the database

o=largecompany

ou=APAC ou=Americas ou=EMEA

ou=R&D ou=Sales ou=Support ou=QA Ou=sales ou=Support ou=sales

Cn=users Cn=groups Cn=computers

9/2/2006 ©2006 BMC Software28


– Example:• Base DN field

9/2/2006 ©2006 BMC Software29

Using ARDBC LDAP Vendor Forms

› Populating Internal Forms from LDAP data– BMC Remedy packaged applications require that user information be stored

internally– Use an Escalation to import LDAP data

• Provides a simple method of bringing LDAP data into the AR System application• Escalation Runs on Vendor form• Data is ‘Pushed’ to a regular form• Documented in Tips and Tricks article, “Using a Vendor Form to Update the

SHR:People Form “– http://www.bmc.com/arsystem/dht/archive/07-06-2004_B.htm

9/2/2006 ©2006 BMC Software30


› Populating Internal Forms from LDAP data– Using Server-Side Table Loop Filter

• Uses Escalation to schedule the import• Accesses only the LDAP data that has not already been imported

– Using an Escalation provides no dynamic method of querying only data created or modified since a specific date/time

• Components:– Underlying Vendor form to access LDAP data– Regular form with table field to cursor through LDAP data on Vendor form– Destination form that will be repository for imported LDAP data– Filter to push data from Vendor form to destination form– Filter Guide used to cursor through the table field– Filter to call the Guide– Escalation to trigger the Filter on schedule

9/2/2006 ©2006 BMC Software31


– Using Server-Side Table Loop Filter (continued)• Steps:

1. Identify the destination form and the fields that will be requireda. SHR:People is a common form used for this purposeb. Fields to be populated include: Full Name, First Name, Last Name, Login Name, Email

2. Create a vendor form that will be used to access the LDAP dataa. Map all the attributes thatwill be necessary to providedata into the desired fieldsb. Map an attribute thatContains the create ofModify timestamp ofthe LDAP record

9/2/2006 ©2006 BMC Software32


– Using Server-Side Table Loop Filter (continued)3. Create a regular form with a table field that will be looped

– Add a field, ‘Last Run’, that will store the timestamp of the last import– This will be used in the table field qualification – ‘Run?’ will be used by the escalation to trigger the filter to fire on Modify– Create one, and only one, record is this form so that the Escalation triggers the table loop just once

9/2/2006 ©2006 BMC Software33


– Using Server-Side Table Loop Filter (continued)4. Create a filter that will perform the Push Fields to the destination form (SHR:People)

a. It will be triggered by a Filter Guide and will run against the Regular form with the Table fieldb. Set Run If qualification to ‘Run?’ = “Yes”

5. Create a Filter Guide that will loop through the table and calls the filter from step 46. Create a Filter that will call the Filter Guide,

a. Set the ‘Last Run’ field with the current timestampb. Set ‘Run?’ to ”No”

7. Create an Escalation that will run on the one record in the regular forma. Set the ‘Run?’ field to “Yes” so that the Filter qualification is met and the process is started

• To manually update users, just modify the ‘Last Run’ field in the regular form

• To schedule the process, just set the appropriate time in the Escalation

9/2/2006 ©2006 BMC Software34


› Example regular form

9/2/2006 ©2006 BMC Software35

Conclusion

BMC provides robust and highly functional LDAP integrations into the AR System

By understanding these features, BMC Remedy administrators can leverage information already maintained in the IT department

The more you use LDAP Vendor forms, the more opportunities will arise to use them even further

The more you integrate LDAP into your authentication processes, the less work you will have to maintain user accounts

9/2/2006 ©2006 BMC Software36

Related Documentation

› Integrating BMC Remedy Action Request System with Single Sign-On (SSO) – http://supportweb.remedy.com/arsys/apps/default/sentinel/arforms/Documents_web.jsp

• Search for Version 7.0 White Papers› BMC Remedy Action Request System 7.0 - Integrating with Plug-ins and Third-Party Products

– http://supportweb.remedy.com/arsys/apps/default/sentinel/arforms/Documents_web.jsp• Search for Version 7.0 Manuals

› Using a Vendor Form to Update the SHR:People Form – http://www.bmc.com/arsystem/dht/archive/07-06-2004_B.htm

› Configuring LDAP Plug-ins for SSL – http://www.bmc.com/arsystem/dht/archive/11-01-2005_A.htm

› Handling Failover with AR System® LDAP Plug-in – http://www.bmc.com/arsystem/dht/archive/11-01-2004_B.htm

› Using AR System®'s AREA LDAP Functionality to Assign Groups – http://www.bmc.com/arsystem/dht/archive/03-07-2005_B.htm

› Developing AR System® Plug-Ins – Filter API, AREA, ARDBC – http://www.bmc.com/arsystem/dht/archive/11-01-2005_D.htm

› Using Active Directories with ARDBC LDAP – http://www.bmc.com/arsystem/dht/archive/02-02-2004.htm

› Using AR System's LDAP Functionality to Communicate with Active Directories – http://www.bmc.com/arsystem/dht/archive/01-26-2004.htm

http://supportweb.remedy.com/arsys/apps/default/sentinel/arforms/Documents_web.jsp

http://supportweb.remedy.com/arsys/apps/default/sentinel/arforms/Documents_web.jsp

http://www.bmc.com/arsystem/dht/archive/11-01-2005_A.htm

http://www.bmc.com/arsystem/dht/archive/11-01-2005_D.htm

http://www.bmc.com/arsystem/dht/archive/02-02-2004.htm

9/2/2006 ©2006 BMC Software37

Q&A

› Time for Question and Answers