Title: Configuring External User Support Product: IBM Cognos Series 7

Proven Practice
Title: Configuring External User Support
Product: IBM Cognos Series 7
Area of Interest: Security
Copyright
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC
is an IBM Company. While every attempt has been made to ensure that the
information in this document is accurate and complete, some typographical
errors or technical inaccuracies may exist. Cognos does not accept
responsibility for any kind of loss resulting from the use of information
contained in this document. This document shows the publication date. The
information contained in this document is subject to change without notice.
Any improvements or changes to the information contained in this document
will be documented in subsequent editions. This document contains
proprietary information of Cognos. All rights are reserved. No part of this
document may be copied, photocopied, reproduced, stored in a retrieval
system, transmitted in any form or by any means, or translated into another
language without the prior written consent of Cognos. Cognos and the
Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated)
in the United States and/or other countries. IBM and the IBM logo are
trademarks of International Business Machines Corporation in the United
States, or other countries, or both. All other names are trademarks or
registered trademarks of their respective companies. Information about
Cognos products can be found at www.cognos.com
This document is maintained by the Best Practices, Product and Technology
team. You can send comments, suggestions, and additions to
[email protected].
Cognos Proprietary Information
CONTENTS
1 Introduction
1.1 Purpose
1.2 Applicability
2 Configuring External User Support
2.1 Extending the Schema
2.2 Enabling External User Support
2.3 Access Manager
2.4 Single Sign On (SSO)
1 Introduction
1.1 Purpose
The purpose of this document is to outline the steps required to configure
external user support against a secondary directory server. External user
support allows user attributes, such as email address and phone number, to be
read from a different directory server and re-used within the Cognos namespace.
It also makes single sign on possible by leveraging the network account
specified in the external directory server.
This document focuses on features that are new in this version, mainly linking
to a secondary directory server and changing the external identity mapping
string. Based on real-world use, all examples link to a secondary Active
Directory source.
1.2 Applicability
The guidelines outlined in this document apply to all operating systems.
2 Configuring External User Support
2.1 Extending the Schema
Before users can be linked to a secondary source, the Cognos schema must exist
in a directory server. At this time, iPlanet/Sun ONE, Active Directory, ADAM and
IBM Tivoli LDAP are the only supported directory servers. In Configuration
Manager, modify the values required to extend the directory server schema by
accessing the General page under Services -> Access Manager – Directory
Server.
The values that need to be modified to extend the schema can be found in the
right hand frame.
Are you sure that you want to configure this directory server? – This
value should be set to yes, otherwise the operation will not be executed when
the settings are applied.
Schema Version - In order to enable external user support at a later time, this
value MUST be set to Current.
Server Type – This value can be left at the default ‘Auto Detect’ or the
appropriate directory server type can be selected from the drop down list. Note
that this is the directory server type where the schema is to be extended, NOT
where the external users reside.
Computer – Host name of the directory server housing the Cognos schema. This
can be machine name, IP address or fully qualified DNS name.
Port – Port number that the directory server instance is running on.
Base distinguished name (DN) – Organizational Unit (OU) or Container (CN)
where the Cognos namespace will be created. This can be done at the root DN,
DC=Cognos,DC=com for example, or can be in part of the subtree, such as,
OU=Namespace,DC=Cognos,DC=com.
Unrestricted User distinguished name (DN) – User account that has
sufficient privileges to extend the schema of the directory server as well as create
the namespace. The value should be the full DN to the user account and NOT
just the user name. Because schema extension requires a highly privileged
account, use it for this one-time step only and do not reuse it as the runtime
credential for reading the secondary directory server.
Unrestricted User password – Matching password value for the user specified
as the unrestricted user.
Primary ticket service - Host and port where the Access Manager Server
(cer4) service is running.
All other values can be configured after the schema has been extended.
Apply these settings by clicking on the General object in the tree and pressing
the Apply button. The settings can also be applied by right-clicking on the
General object and selecting ‘Apply Selection’. If all values are correct, and the
credentials have sufficient privileges, a message confirming successful schema
extension will be returned.
2.2 Enabling External User Support
Once the directory server schema has been extended with the Cognos objects
and attributes, the external user support option can be enabled. In Cognos
Configuration Manager, modify the values required to enable external user
support by accessing the External user support page under Services ->
Access Manager – Directory Server -> General.
The values required to configure external users in a Cognos namespace are
located in the right hand frame.
Enabled – This value should be set to yes, otherwise the operation will not be
executed when the settings are applied.
External User Root distinguished name (DN) – This value, which is the full
distinguished name to one of the external directory server’s objects, specifies
what the starting point will be to locate users. All user accounts located in the
subtree of this DN should be accessible through the Access Manager interface.
External User Objectclass – The object class of the external user objects.
External User Naming Attribute – Attribute used in the naming of the user
objects. For example, with Active Directory this is commonly sAMAccountName
and with Sun ONE, the attribute used is uid.
External Folder Objectclasses – Comma separated list of the object classes
used in the directory server hierarchy. Usually ‘organizationalunit’ would be
sufficient, but an example of multiple values would be
‘organizationalunit,container,organization’.
Access External Users from a Secondary Directory Server – Enable this
option if the user accounts to be linked to are located in a directory server that is
external to the directory server housing the Cognos schema and namespace.
Secondary Directory server Host – Host name of the directory server where
the external user accounts are located. This can be machine name, IP address or
fully qualified DNS name.
Secondary Directory server Port – Port number that the secondary directory
server instance is running on.
Secondary Directory server Credential DN – User account that has sufficient
privileges to read the objects located in the External User Root distinguished
name. The value should be the full DN to the user account and NOT just the user
name. Read access to that subtree is all this account needs, so a dedicated
read-only account is preferable to an administrative one.
Secondary Directory server Credential Password – Matching password
value for the user account specified for the secondary directory server credential.
The other attribute tabs contain the mappings required to leverage the values
from various attributes in the secondary directory server. Typically, most of these
can be left with the default values with the exception of the OS Signon
Attribute mapping. To configure the environment for Single Sign On, the
attribute must be properly mapped. For Active Directory, the common attribute is
sAMAccountName.
Apply these settings by clicking on the External user Support object in the tree
and pressing the Apply button. The settings can also be applied by right-clicking
on the External user Support object and selecting ‘Apply Selection’. If all
values are correct, the same dialog box as in the previous step, indicating
success, should be returned.
2.3 Access Manager
Now that all of the configuration settings have been made in Configuration
Manager, the final steps can be taken in Access Manager. Open Access Manager
and establish the connection to the directory server housing the Cognos
namespace, if it has not already been made. To check whether External User
Support has already been enabled on the namespace, expand the directory
server connection name, right-click on the namespace name (typically default)
and select Properties.
This action opens the namespace properties dialog box. To confirm that
External User Support is ready to be configured, examine the version of the
namespace on the General page. If the namespace version is 17.0, the
namespace is already enabled for external user support and the numbered steps
can be skipped. If the namespace version is 16.0, the following steps must be
taken.
1- Close the namespace properties dialog box.
2- Right click on the directory server connection and select Enable External
User Support.
3- Read the warning message and press OK to continue with the operation. As
the warning message indicates, this procedure is not reversible; it should only
be performed when creating a new namespace, or once it has been confirmed
that it will not impact any existing installations.
The next step is to add a user in Access Manager by linking to the external
directory server. Right click on the Users folder located under the namespace
and select the Link User … option.
This will open the Link User dialog box. There are two tabs available in this
dialog box, Browse and Search. The Browse tab displays a tree structure starting at
the External User Root distinguished name (DN) as specified in
Configuration Manager. Users can be selected and added via this tab by selecting
the checkbox(es) next to the user account(s) and pressing the Link Users
button.
Typically, this list will be quite extensive if linking to an existing corporate LDAP
source. In the case that a known user is trying to be located, it would be faster
to search for the object rather than browsing the hierarchy. Click on the Search
tab to conduct a search through the directory server.
For the User Name or LDAP Search Filter value, enter the user name together with
the External User Naming Attribute specified in Configuration Manager, for
example (sAMAccountName=<user name>). Because this value is used as the
LDAP search criteria, it must be enclosed in parentheses. Change the ‘Search By’
value to ‘LDAP Search Filter’ and the ‘Search Scope’ to Subtree. The Start DN
can be left with the default value. If the search was successful, an entry will be
returned in the right hand frame. Select the user account and click on the Link
Users button to add the user reference to Access Manager. Press the OK button
if the user properties box is displayed to complete the action.
Note: It is possible that more than one entry is returned based on which
attributes were specified in the search filter and if wildcards were used.
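The search filter entered on the Search tab is an LDAP filter, so a user name containing filter metacharacters (most often "*") changes what the directory returns, which is exactly the multiple-entries case the note above warns about. The following added example, which is not part of the original document and is not Cognos code, builds the "(naming attribute=user name)" filter with RFC 4515 escaping and runs it over a constructed in-memory directory standing in for the secondary Active Directory subtree; the entries, DNs and user names are sample data invented for the example.

```python
"""Build and evaluate the LDAP search filter used on the Link User / Search tab.

Added example; it is not part of the original Cognos document. It assumes the
filter shape the document describes, (<External User Naming Attribute>=<user>),
escapes the value per RFC 4515, and runs the filter over a constructed
in-memory directory that stands in for the secondary Active Directory subtree.
"""
import re

# RFC 4515: these characters change the meaning of a filter unless escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed sample entries (not real accounts) under the External User Root DN.
SECONDARY_DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Users,DC=corp,DC=example", "sAMAccountName": "jdoe",
     "mail": "jane.doe@corp.example"},
    {"dn": "CN=John Doe,OU=Users,DC=corp,DC=example", "sAMAccountName": "jdoe2",
     "mail": "john.doe@corp.example"},
    {"dn": "CN=Jim Dole,OU=Contractors,DC=corp,DC=example", "sAMAccountName": "jdole",
     "mail": "jim.dole@corp.example"},
]

# One equality assertion in parentheses, the only shape the Search tab needs.
_FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^()]*)\)$")


def ldap_escape(value: str) -> str:
    """Escape an assertion value so every character is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(naming_attr: str, user_name: str) -> str:
    """Compose '(naming_attr=user_name)' with the user name escaped.

    Escaping matters when the name comes from an untrusted source: 'jdo*' must
    search for the literal string, not act as a wildcard.
    """
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", naming_attr):
        raise ValueError(f"not an LDAP attribute name: {naming_attr!r}")
    return f"({naming_attr}={ldap_escape(user_name)})"


def is_well_formed(ldap_filter: str) -> bool:
    """True when the filter is a single parenthesised equality assertion."""
    return _FILTER_RE.match(ldap_filter) is not None


def _assertion_to_regex(assertion: str) -> str:
    """Translate an assertion value into a regex: '*' is a wildcard, '\\xx' is literal."""
    out, i = [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 2 < len(assertion):
            out.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def search(directory, ldap_filter: str):
    """Return the DNs matching the filter, subtree scope, as the Search tab would.

    Matching ignores case because Active Directory compares sAMAccountName
    case-insensitively (assumed here for the other attributes as well).
    """
    m = _FILTER_RE.match(ldap_filter)
    if m is None:
        raise ValueError("filter must be a parenthesised assertion: " + ldap_filter)
    attr = m.group("attr")
    rx = re.compile(_assertion_to_regex(m.group("value")), re.IGNORECASE)
    return [e["dn"] for e in directory if attr in e and rx.fullmatch(str(e[attr]))]


if __name__ == "__main__":
    # The exact lookup the document describes.
    print(search(SECONDARY_DIRECTORY, build_user_filter("sAMAccountName", "jdoe")))
    # A raw wildcard returns several entries (the document's note); the escaped
    # form of the same input returns none, because it now means a literal '*'.
    print(search(SECONDARY_DIRECTORY, "(sAMAccountName=jdo*)"))
    print(search(SECONDARY_DIRECTORY, build_user_filter("sAMAccountName", "jdo*")))
    # A filter without the enclosing parentheses is rejected outright.
    print(is_well_formed("sAMAccountName=jdoe"))
```

Run as a script it prints one DN for the exact lookup, three DNs for the raw wildcard, an empty list for the escaped wildcard and False for the unparenthesised filter. Against a real directory the same distinction holds: when the Search tab returns more entries than expected, check the filter for unescaped "*" before linking anything.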
Once the user has been added, the linked attributes can be verified by double
clicking on the user object in Access Manager. Some of the attributes will appear
as read only (grayed out) while others will be configurable. The read only
attributes are the ones that are being read from the external directory server. If
the values are incorrect or missing, first verify that they exist in the directory
server as properties for that user account. If they do exist in the external
directory server, ensure that the attribute mappings are correct in Configuration
Manager.
For Single Sign On, it is important to make sure that the proper value is set on
the User Signons tab, in the ‘OS Signons’ section. Make sure that the value
listed for the user matches the sAMAccountName value in Active Directory. The
value will appear with ‘external’ next to it to designate that it is derived from
an external directory server.
2.4 Single Sign On (SSO)
Single Sign On using external user support and Active Directory is possible, as
long as the following steps have been taken. Before the Cognos products can
leverage the SSO mechanism, the namespace must first be configured to use
SSO. To accomplish this, right click on the namespace and select Properties. On
the Signons tab set the ‘Active Signons’ to be either ‘OS Signons only’ or ‘Both’.
The OS signon mechanism leverages the session variable REMOTE_USER, which
is set by the web server. Depending on the web server, the usual format of this
variable is DOMAIN\username. With that syntax there is no matching attribute
in Active Directory by default. With older versions of the Cognos products it was
therefore necessary to populate an attribute with these values. With the release
of IBM Cognos Series 7 Version 3, this is no longer necessary.
There is a setting on the Signons tab called ‘OS signon option’ that allows a
different session variable to be used, or functions to be applied to manipulate
the search string. In the case of REMOTE_USER containing the domain name, a
replace function can be used to strip out the domain name.
To make the string easier to read, here it is typed out.
${replace(${environment("REMOTE_USER")},"DOMAIN\\", "")}
The string reads the environment variable REMOTE_USER and strips out the
DOMAIN\ portion, leaving the user name that is compared with the OS signon.
Keep in mind that the replace is case sensitive: the domain name in the
expression must match the REMOTE_USER value exactly, including case, or
nothing is stripped and the signon lookup fails.
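To see what the case sensitivity means in practice, the following added example, which is not part of the original document and is not Cognos code, models the replace() expression above as a literal, case-sensitive substring replacement and resolves the result against a table of linked users' OS signons. The domain name CORP, the user names and the linked-user table are constructed sample data; the final comparison with the OS signon is assumed to be an exact string match, and the refusal of values that still contain a backslash is an added safeguard rather than documented Cognos behaviour.

```python
"""Emulate the OS signon option expression
${replace(${environment("REMOTE_USER")},"DOMAIN\\", "")} and resolve the result
against the linked users' OS signons.

Added example; it is not part of the original document and is not Cognos code.
replace() is modelled as a literal, case-sensitive substring replacement, which
is the behaviour the document describes. The domain name, the user names and
the linked-user table are constructed sample data, and the final comparison
with the OS signon is assumed to be an exact string match.
"""

DOMAIN = "CORP"  # constructed; stands in for the DOMAIN literal in the expression

# Constructed stand-in for the namespace's linked users: OS signon -> user DN.
LINKED_OS_SIGNONS = {
    "jdoe": "CN=Jane Doe,OU=Users,DC=corp,DC=example",
    "asmith": "CN=Al Smith,OU=Users,DC=corp,DC=example",
}


def cognos_replace(value: str, search: str, replacement: str) -> str:
    """Literal, case-sensitive replace, as the document says replace() behaves."""
    return value.replace(search, replacement)


def os_signon_from_remote_user(remote_user: str, domain: str = DOMAIN) -> str:
    """The document's expression: strip 'DOMAIN\\' from REMOTE_USER."""
    return cognos_replace(remote_user, domain + "\\", "")


def resolve(remote_user: str, domain: str = DOMAIN):
    """Map REMOTE_USER to the linked user's DN, or None when no OS signon matches.

    If a backslash survives the replace, the prefix did not match exactly
    (another domain, or the same domain in a different case). Refusing the
    lookup there is an added safeguard, so that a value such as 'corp\\jdoe' is
    never compared against the signons as if it were a bare user name.
    """
    signon = os_signon_from_remote_user(remote_user, domain)
    if not signon or "\\" in signon:
        return None
    return LINKED_OS_SIGNONS.get(signon)


if __name__ == "__main__":
    for remote_user in ("CORP\\jdoe", "corp\\jdoe", "OTHER\\jdoe", "jdoe", "CORP\\nobody"):
        print(f"{remote_user:<14} -> {os_signon_from_remote_user(remote_user)!r:<16} "
              f"-> {resolve(remote_user)}")
```

The second line of the output is the case the document warns about: "corp\jdoe" passes through the replace unchanged because "corp\" is not "CORP\", so the signon lookup cannot succeed until the expression's domain literal is corrected to match what the web server actually puts in REMOTE_USER.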