9/2/2006
Cool Solutions for LDAP and AR System
©2006 BMC Software
Introduction
› IT organizations often maintain systems containing data that can be useful in conjunction with BMC Remedy packaged applications
  – Active Directory
  – Novell eDirectory
  – SunONE Directory Server
  – OpenLDAP
› This data can be used for authentication, populating menus, filling in related data for users and assets, and many other purposes
› When that data is accessible through the LDAP protocol, it can be integrated into your BMC Remedy applications
› At the same time, corporate policies require tighter control over login processes and user account maintenance
› The goal of this session is to provide some innovative, or ‘cool’, solutions for leveraging this IT information
Session Overview
› Overview of LDAP Integration functionality
› Authenticating with LDAP
  – Obtaining User Login Information
  – AREA LDAP Login Methodology
› Configuring AREA LDAP
  – Group Mapping
  – Authentication Chaining
  – AREA HUB
› Using AREA LDAP
  – Scenarios
› Configuring ARDBC LDAP Vendor Forms
  – ARDBC LDAP Configuration Form
  – ARDBC LDAP Vendor Form Properties
› Using ARDBC LDAP Vendor Forms
  – Populating Internal Forms from LDAP data
Functionality Overview
› AREA LDAP
  – Validating passwords against an LDAP server
    • Cross-Reference-Blank-Password
    • User exists in the User form with a blank password
    • All user information is stored within the AR System
    • LDAP is only used to validate the password
  – Authenticating a user that exists only in an LDAP server
    • Authenticate Unregistered Users
    • User does not exist in the User form
    • All user information is obtained from LDAP
Functionality Overview
› ARDBC LDAP
  – Directly querying external LDAP data via vendor forms
    • Provides access to the LDAP Search URL to provide greater control
    • BaseDN can be provided on-the-fly to allow greater flexibility
    • Multiple types of objects and multiple hosts can be queried by creating separate vendor forms
  – Joins are not allowed with Vendor forms
  – Populating internal forms from LDAP data
    • Use the ‘Push Fields’ action to update and create data in a regular form
    • Escalations can be used to automate the ‘push’
    • Server-side table looping can help make this more efficient
  – Driving menus and picklists from external LDAP data
Authenticating With LDAP
› Obtaining User Login Information – ControlStruct
    • Every API call includes:
      – Login name
      – Password
      – Authentication string (optional)
    • User Tool
      – Login prompt
      – Do Not Prompt for Login (registry)
      – ARSSOInfo.dll (see Single Sign-On White Paper 7.0)
    • Web Browser client
      – Login.jsp
      – Direct Access URL
      – Authenticator customizations (see Single Sign-On White Paper 7.0)
      – Next release will add support for SSO over WAM (BMC Web Access Manager)
› Variables passed to AREA
  – $\USER$: login name of the user, or the value from fieldid 117 in the User form
  – $\DN$: distinguished name of the login user
  – $\AUTHSTRING$: the value that the user typed into the Authentication String prompt, or the value from fieldid 118 in the User form
Authenticating With LDAP
› AREA LDAP Login Methodology
  – The AREA LDAP plug-in performs the following steps to authenticate a user:
    1. Bind to the AREA host as the user defined in the Distinguished Name field
    2. Perform a query using the Host Name, Port Number, User Base, and User Filter fields
       – If the user is not found, return an invalid-user error; otherwise continue
    3. Return the Distinguished Name of the user as well as all available attributes
       – These attributes may be used to assign email address, license information, etc.
    4. Bind as the Distinguished Name found in step 3 with the password passed from the AR client
       – If the bind fails, return an error (ARERR [623] Authentication failed); otherwise continue
    5. Perform a query using the Host Name, Port Number, Group Base, and Group Filter fields to return a list of groups the user belongs to
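The user search in step 2 is built from administrator-configured fields and the $\USER$ / $\AUTHSTRING$ variables, both of which can originate at the login prompt. This added example (not BMC's plug-in code) shows how those substitutions should be performed: RFC 4515 escaping for values placed in the User Filter, and a shape check on the authentication string before it becomes part of the User Base. The filter template “(uid=$\USER$)” and the shape check are assumptions; the “$\AUTHSTRING$o=bmc” base comes from the configuration slide.

```python
# Added example, not BMC's plug-in code: parameterising the step 2 user search.
# $\USER$, $\DN$ and $\AUTHSTRING$ are the AREA variables named on the slides; the
# filter template "(uid=$\USER$)" and the o=bmc suffix are assumed for illustration.
import re

# RFC 4515: characters that must be escaped when a value is placed in a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_VAR = re.compile(r"\$\\(USER|DN|AUTHSTRING)\$")        # matches $\NAME$
_DN_PREFIX = re.compile(r"(?:[A-Za-z]+=[^,=]+,)*")      # e.g. "ou=Support," or ""


def escape_filter_value(value):
    """Escape a value so an LDAP filter matches it literally (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand(template, values, escape):
    # Substitute the AREA variables into one configuration field. Filter fields
    # get RFC 4515 escaping; a base-DN field is a DN fragment and is copied as-is.
    def sub(match):
        value = values.get(match.group(1), "")
        return escape_filter_value(value) if escape else value
    return _VAR.sub(sub, template)


def user_search(cfg, user, authstring):
    """Return (base DN, filter) the plug-in would use in step 2 of the login.

    The authentication string may have been typed at the login prompt, so it is
    checked against a simple 'attr=value,' prefix shape before it becomes part
    of the search base (assumed check, not part of the product)."""
    if not _DN_PREFIX.fullmatch(authstring):
        raise ValueError("authentication string is not a DN prefix")
    values = {"USER": user, "AUTHSTRING": authstring}
    base = expand(cfg["User Base"], values, escape=False)
    flt = expand(cfg["User Filter"], values, escape=True)
    return base, flt


AREA_CONFIG = {                                 # mirrors the slide example
    "User Base": r"$\AUTHSTRING$o=bmc",         # fieldid 118 supplies "ou=Support,"
    "User Filter": r"(uid=$\USER$)",            # assumed filter template
}

if __name__ == "__main__":
    print(user_search(AREA_CONFIG, "bob", "ou=Support,"))
    # A login name containing filter metacharacters stays a single literal value.
    print(user_search(AREA_CONFIG, "bob*)(cn=", "ou=Support,"))
```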
Configuring AREA LDAP
› AREA LDAP Configuration Form
Configuring AREA LDAP
› AREA LDAP Configuration Form
  – Host
    • Domain or server name
    • Multiple server names
      – Space-separated list
        » Size increased from 64 to 255
      – Provides failover capability
  – User Base
    • Use $\AUTHSTRING$ to make this dynamic
      – Example: set User Base to “$\AUTHSTRING$o=bmc”, add fieldid 118 to the User form and set it to a value of “ou=Support,”; during the LDAP login, a BaseDN of “ou=Support,o=bmc” will be used
  – Group Base
    • 7.0 now searches sub-folders. This adds a lot more flexibility to finding groups
Configuring AREA LDAP
› BMC Remedy Administrator Tool
› Group Mapping
  – Allows 2 separate lists of groups to be used together
  – IT no longer has to spend extra time accommodating the AR System group names
  – Many LDAP groups can map to a single AR System group
    • Not vice versa
› Ignore Excess Groups
  – Exact match of list no longer required
  – Leading search is used
    • LDAP group ‘Administrators’ will equate to AR System group ‘Administrator’
Note: Active Directory: the Primary Group is stored separately and is not returned
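Because the mapped group list decides what the user may do in AR System, it is worth seeing the three rules above (many-to-one mapping, leading search, ignore excess groups) applied to a concrete group list. This added example is not BMC code; the mapping table and LDAP group names are constructed, and “leading search” is taken to mean that an AR System group name matching the leading part of an LDAP group name is a match, so every LDAP group beginning with an AR System group name will qualify and the resulting list should be reviewed.

```python
# Added example, not BMC code: applying the slide's group-mapping rules to the
# LDAP group list returned in login step 5. The mapping table and the LDAP group
# names below are constructed; "leading search" is taken to mean that an AR System
# group name matching the leading part of an LDAP group name is a match.

def map_groups(ldap_groups, mapping, ar_groups, ignore_excess=True):
    """Translate LDAP group names into the AR System groups to assign.

    mapping: explicit LDAP group -> AR System group (many to one; a dict cannot
             send one LDAP group to two AR groups, matching "not vice versa").
    ar_groups: the AR System group names, used for the leading-search fallback.
    ignore_excess: drop LDAP groups that map to nothing instead of failing
             (the "Ignore Excess Groups" option: exact list match not required).
    """
    assigned, excess = [], []
    for group in ldap_groups:
        target = mapping.get(group)
        if target is None:
            # Leading search: 'Administrators' equates to 'Administrator'. Prefer
            # the longest AR group name so a more specific name wins.
            leading = [a for a in ar_groups if group.startswith(a)]
            target = max(leading, key=len) if leading else None
        if target is None:
            excess.append(group)
        elif target not in assigned:      # one AR group may be hit many times
            assigned.append(target)
    if excess and not ignore_excess:
        raise LookupError("LDAP groups with no AR System group: " + ", ".join(excess))
    return assigned


# Constructed data: three LDAP groups feed one AR System group, one has no mapping.
AR_GROUPS = {"Administrator", "Support", "Public"}
GROUP_MAPPING = {"Helpdesk-L1": "Support", "Helpdesk-L2": "Support", "Helpdesk-L3": "Support"}

if __name__ == "__main__":
    # Note from the slides: an Active Directory user's Primary Group is stored
    # separately and is not returned, so it never reaches this step.
    print(map_groups(["Administrators", "Helpdesk-L1", "Helpdesk-L3", "VPN-Users"],
                     GROUP_MAPPING, AR_GROUPS))
```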
Configuring AREA LDAP
› Authentication Chaining
  – Allows the Administrator to specify the order of authentication when using Internal (ARS) and External (AREA) accounts
  – Also provides a method of using OS authentication in conjunction with AREA
  – Users that reside internally but authenticate externally will be allowed to use internal user information such as Licenses, Groups, eMail address, etc.
Configuring AREA LDAP
› AREA HUB
  – Automatically configured by the AREA LDAP Configuration workflow
  – Allows multiple LDAP servers to be authenticated against
  – First successful login wins
  – Eliminates some of the need to chase referrals
Using AREA LDAP
› Login Scenario #1
  – Simplest case
  – User logs into the AR System server with an account that resides in the User form
[Diagram: User, AR System Server, AR System Database]
Using AREA LDAP
› Login Scenario #2
  – AREA is used with Cross-Reference-Blank-Password to validate the user
  – User account exists in the User form with a blank password
[Diagram: User, AR System Server, LDAP Database, AR System Database]
Using AREA LDAP
› Login Scenario #3
  – AREA is used with Authenticate-Unregistered-Users to authenticate and identify the user from an LDAP database
  – User does not exist in the User form
[Diagram: User, AR System Server, LDAP Database, AR System Database]
Using AREA LDAP
› Login Scenario #4
  – Using AREA HUB, user accounts can exist in multiple LDAP databases
  – User may or may not exist in the User form
[Diagram: User, AR System Server, AR System Database, LDAP Database 1, LDAP Database 2, LDAP Database 3]
Using AREA LDAP
› Login Scenario #5
  – Some users exist as an OS account, others are LDAP users
[Diagram: User 1, User 2, Windows Domain Controller, LDAP Database 1, LDAP Database 2, AR System Database]
Using AREA LDAP
› Login Scenario #6
  – User exists in LDAP but with a different login name than the one he uses in AR System
[Diagram: User, AR System Server, LDAP Database, AR System Database; login alias “Bob” (fieldid 117)]
Using AREA LDAP
› Login Scenario #7
  – User login information is obtained automatically through the new ARSSOInfo.dll
  – AREA logs the user into the LDAP server
[Diagram: User, ARSSOInfo.dll, AR System Server, LDAP Database, AR System Database; login name “User1”, password “abc”]
Using AREA LDAP
› Note on RSA SecurID support:
  – Each unique combination of login name, password and authentication string constitutes a distinct user in the AR System server’s internal user list
  – When using SecurID systems, the password may change every 60 seconds
  – If the user does not cleanly ‘logout’, such as when exiting the Web Tool, the user is still on the active list in the AR Server
  – If the user logs in again with a different password, due to SecurID, this will be considered a new distinct user and will create an additional entry in the AR Server
  – This may cause an additional license token to be consumed
  – Solution: AR System 7.0 will consider the new user to be the original user if the login name, authentication string and group list are the same and only the password is different
Configuring ARDBC LDAP Vendor Forms
› ARDBC LDAP Configuration Form
  – Host (same features as AREA)
  – Directory Page Size (no. of records)
    • Performance tuning
    • Large datasets, such as Discovery, benefit from setting this accurately
  – LDAP date/time formats are configurable
    • Generalized Time, AD Generalized Time, UTC Time
Configuring ARDBC LDAP Vendor Forms
  – Base DN for Discovery
    • Discovery is much more thorough and time consuming
    • Reduce the scope to specific portions of the LDAP tree
  – ARDBC Plugin Cache
    • Vendor form query results will be cached on the AR Server
    • Speeds up commonly used queries, such as menus and picklists
Configuring ARDBC LDAP Vendor Forms
  – Example: Base DN for Discovery
    – ou=Support,ou=Americas,o=largecompany
[Diagram: LDAP tree rooted at o=largecompany with ou=APAC, ou=Americas and ou=EMEA; beneath them ou=R&D, ou=Sales, ou=Support, ou=QA, ou=sales, ou=Support, ou=sales; containers cn=users, cn=groups, cn=computers]
Configuring ARDBC LDAP Vendor Forms
› Vendor Form Wizard
  – New ‘Load’ button allows a user-defined table and refreshes tables and columns
  – New button to define the RequestID field
Configuring ARDBC LDAP Vendor Forms
› Form Properties
  – Provides a mechanism to hardcode:
    • Hostname
    • BaseDN
    • Search Range
    • Filter
Configuring ARDBC LDAP Vendor Forms
  – Base DN field
    • Provides a method of searching multiple Base DNs without creating multiple Vendor forms
    • Value can be provided through workflow
Configuring ARDBC LDAP Vendor Forms
  – Example: Base DN field
    – Selectively search specific portions of the database
[Diagram: LDAP tree rooted at o=largecompany with ou=APAC, ou=Americas and ou=EMEA; beneath them ou=R&D, ou=Sales, ou=Support, ou=QA, ou=sales, ou=Support, ou=sales; containers cn=users, cn=groups, cn=computers]
Configuring ARDBC LDAP Vendor Forms
  – Example: Base DN field
Using ARDBC LDAP Vendor Forms
› Populating Internal Forms from LDAP data
  – BMC Remedy packaged applications require that user information be stored internally
  – Use an Escalation to import LDAP data
    • Provides a simple method of bringing LDAP data into the AR System application
    • Escalation runs on the Vendor form
    • Data is ‘pushed’ to a regular form
    • Documented in the Tips and Tricks article “Using a Vendor Form to Update the SHR:People Form”
      – http://www.bmc.com/arsystem/dht/archive/07-06-2004_B.htm
Using ARDBC LDAP Vendor Forms
› Populating Internal Forms from LDAP data
  – Using Server-Side Table Loop Filter
    • Uses an Escalation to schedule the import
    • Accesses only the LDAP data that has not already been imported
      – Using an Escalation alone provides no dynamic method of querying only data created or modified since a specific date/time
    • Components:
      – Underlying Vendor form to access LDAP data
      – Regular form with a table field to cursor through LDAP data on the Vendor form
      – Destination form that will be the repository for imported LDAP data
      – Filter to push data from the Vendor form to the destination form
      – Filter Guide used to cursor through the table field
      – Filter to call the Guide
      – Escalation to trigger the Filter on schedule
Using ARDBC LDAP Vendor Forms
  – Using Server-Side Table Loop Filter (continued)
    • Steps:
      1. Identify the destination form and the fields that will be required
         a. SHR:People is a common form used for this purpose
         b. Fields to be populated include: Full Name, First Name, Last Name, Login Name, Email
      2. Create a vendor form that will be used to access the LDAP data
         a. Map all the attributes that will be necessary to provide data into the desired fields
         b. Map an attribute that contains the create or modify timestamp of the LDAP record
Using ARDBC LDAP Vendor Forms
  – Using Server-Side Table Loop Filter (continued)
      3. Create a regular form with a table field that will be looped
         – Add a field, ‘Last Run’, that will store the timestamp of the last import
         – This will be used in the table field qualification
         – ‘Run?’ will be used by the escalation to trigger the filter to fire on Modify
         – Create one, and only one, record in this form so that the Escalation triggers the table loop just once
Using ARDBC LDAP Vendor Forms
  – Using Server-Side Table Loop Filter (continued)
      4. Create a filter that will perform the Push Fields to the destination form (SHR:People)
         a. It will be triggered by a Filter Guide and will run against the regular form with the table field
         b. Set the Run If qualification to ‘Run?’ = “Yes”
      5. Create a Filter Guide that will loop through the table and call the filter from step 4
      6. Create a Filter that will call the Filter Guide
         a. Set the ‘Last Run’ field to the current timestamp
         b. Set ‘Run?’ to “No”
      7. Create an Escalation that will run on the one record in the regular form
         a. Set the ‘Run?’ field to “Yes” so that the Filter qualification is met and the process is started
    • To manually update users, just modify the ‘Last Run’ field in the regular form
    • To schedule the process, just set the appropriate time in the Escalation
Using ARDBC LDAP Vendor Forms
› Example regular form
Conclusion
BMC provides robust and highly functional LDAP integrations into the AR System
By understanding these features, BMC Remedy administrators can leverage information already maintained in the IT department
The more you use LDAP Vendor forms, the more opportunities will arise to use them even further
The more you integrate LDAP into your authentication processes, the less work you will have maintaining user accounts
Related Documentation
› Integrating BMC Remedy Action Request System with Single Sign-On (SSO)
  – http://supportweb.remedy.com/arsys/apps/default/sentinel/arforms/Documents_web.jsp
    • Search for Version 7.0 White Papers
› BMC Remedy Action Request System 7.0 - Integrating with Plug-ins and Third-Party Products
  – http://supportweb.remedy.com/arsys/apps/default/sentinel/arforms/Documents_web.jsp
    • Search for Version 7.0 Manuals
› Using a Vendor Form to Update the SHR:People Form – http://www.bmc.com/arsystem/dht/archive/07-06-2004_B.htm
› Configuring LDAP Plug-ins for SSL – http://www.bmc.com/arsystem/dht/archive/11-01-2005_A.htm
› Handling Failover with AR System® LDAP Plug-in – http://www.bmc.com/arsystem/dht/archive/11-01-2004_B.htm
› Using AR System®'s AREA LDAP Functionality to Assign Groups – http://www.bmc.com/arsystem/dht/archive/03-07-2005_B.htm
› Developing AR System® Plug-Ins – Filter API, AREA, ARDBC – http://www.bmc.com/arsystem/dht/archive/11-01-2005_D.htm
› Using Active Directories with ARDBC LDAP – http://www.bmc.com/arsystem/dht/archive/02-02-2004.htm
› Using AR System's LDAP Functionality to Communicate with Active Directories – http://www.bmc.com/arsystem/dht/archive/01-26-2004.htm
Q&A
› Time for Questions and Answers