
Configuring Microsoft Active Directory 2003 Guideline
Product(s): IBM Cognos Series 7
Area of Interest: Security
Copyright
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC is
an IBM Company. While every attempt has been made to ensure that the
information in this document is accurate and complete, some typographical
errors or technical inaccuracies may exist. Cognos does not accept responsibility
for any kind of loss resulting from the use of information contained in this
document. This document shows the publication date. The information contained
in this document is subject to change without notice. Any improvements or
changes to the information contained in this document will be documented in
subsequent editions. This document contains proprietary information of Cognos.
All rights are reserved. No part of this document may be copied, photocopied,
reproduced, stored in a retrieval system, transmitted in any form or by any
means, or translated into another language without the prior written consent of
Cognos. Cognos and the Cognos logo are trademarks of Cognos ULC (formerly
Cognos Incorporated) in the United States and/or other countries. IBM and the
IBM logo are trademarks of International Business Machines Corporation in the
United States, or other countries, or both. All other names are trademarks or
registered trademarks of their respective companies. Information about Cognos
products can be found at www.cognos.com
This document is maintained by the Best Practices, Product and Technology
team. You can send comments, suggestions, and additions to
[email protected] .
Cognos Proprietary Information
Contents
1 Introduction
1.1 Purpose
1.2 Applicability
2 Extending the Schema
2.1 dSHeuristics
2.2 Required Details
2.2.1 Base Distinguished Name
2.2.2 Schema Admin
2.2.3 Configuration Manager
2.3 Schema Objects and Attributes
1 Introduction

1.1 Purpose
This document provides a walkthrough of configuring Microsoft Active Directory
2003 for use with the IBM Cognos Series 7 products. Once the Active Directory
schema has been extended, the Cognos namespace can be created.
1.2 Applicability
Product version is important when using this document. If the product version is
not at least IBM Cognos Series 7 Version 2 MR1, the operation will fail. If
extending the schema in an Active Directory 2000 environment, the dSHeuristics
setting does not have to be modified.
2 Extending the Schema
Extending the schema so that Active Directory can be used as an authentication
source is split into two operations: extending the schema, where IBM Cognos
specific objects and attributes are added to the existing AD schema, and
creating the Cognos namespace that will contain all of the users and user
classes used by the Cognos security infrastructure.
When using Configuration Manager, the two operations appear to be part of the
same process, but two distinct operations in fact occur. Once the schema has
been extended, the objects and attributes are permanently part of the Active
Directory schema, so ensure that the correct domain is being configured. The
schema only needs to be extended once, but multiple namespaces can be created
at different locations within Active Directory. This can be done either through
the Access Manager admin interface, which allows you to create multiple
namespaces within the same instance, or through Configuration Manager, which
permits the creation of different namespace instances within the same directory
server instance by setting different values for the Base distinguished name
(DN) parameter. For instance, specifying o=Cognos_prod,dc=support,dc=local and
o=Cognos_dev,dc=support,dc=local would create two unique instances of the
Cognos namespace that would have to be administered separately.
2.1 dSHeuristics
Before the schema can be successfully extended, Active Directory must first be
configured to accept anonymous requests. By default, Active Directory 2000
accepted anonymous requests, but with AD 2003, the default has been
configured to reject anonymous requests. For more information regarding
anonymous requests, document Q326690 from the Microsoft knowledge base
should be consulted.
Using the Microsoft ADSI Edit utility, the necessary changes can be made to
allow anonymous requests to the directory server. The ADSI Edit utility is not
part of the operating system utilities by default and must be installed from the
Windows Support Tools. Once installed, to launch the ADSI Edit console,
navigate through Windows Explorer to the X:\Program Files\Support Tools
directory and locate the adsiedit.msc file. Alternatively, ADSI Edit can be added
to the MMC console as a snap-in.
Within ADSI Edit, right-click on the top-level ‘ADSI Edit’ node and select
‘Connect to…’. This presents the Connection Settings dialog box, in which a
distinguished name must be entered as the connection point in order to locate
the dSHeuristics setting. The distinguished name to use is
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Support,DC=local
Note that the DC values Support and local will have to be modified to reflect
the desired environment, and that there may be more than two DC values.
Once the values have been entered and the ‘OK’ button selected, a new entry
appears in the ADSI Edit tool corresponding to the name given in the previous
step, which was Domain in this example. Note that a Domain entry already exists
in the ADSI Edit tool, so if Domain is kept as the default name for the new
connection, two Domain entries will be visible. Select the Domain entry whose
distinguished name is the one that was specified as the connection point.
Right-click on the connection point entry (highlighted in the previous screen
capture) and select ‘Properties’. All of the properties pertaining to that
distinguished name will be visible in the resulting dialog box. Locate the
dSHeuristics attribute and press the ‘Edit’ button.
Pressing the ‘Edit’ button displays the String Attribute Editor dialog box for
the dSHeuristics attribute. Change the value from the default to 0000002 and
click ‘OK’. Anonymous requests can now be made against the Active Directory
server.
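The dSHeuristics attribute is a positional string, so typing 0000002 over an existing value would discard any other heuristics already set on the forest. The following helper, an added example that is not part of the Cognos guideline, computes the value that sets only the anonymous-operations position (character 7) to 2, preserving the rest, and checks whether a given value has that setting. It assumes the dSHeuristics layout documented by Microsoft: character 7 is fLDAPBlockAnonOps, and every tenth character is a check digit equal to its position divided by 10.

```python
# Added example (not from the Cognos guideline): work with the dSHeuristics
# string without clobbering heuristics that are already set.
# Assumed layout (Microsoft dSHeuristics): 1-based positional characters,
# character 7 = fLDAPBlockAnonOps ('2' allows anonymous LDAP operations),
# and every 10th character is a check digit: '1' at 10, '2' at 20, ...

ANON_OPS_POSITION = 7   # 1-based index of fLDAPBlockAnonOps
ANON_OPS_ALLOW = "2"    # value the guideline sets to allow anonymous requests


def set_heuristic(current: str, position: int, value: str) -> str:
    """Return a copy of `current` with the 1-based `position` set to `value`.

    The string is zero-padded up to `position`, and any check-digit
    positions (10, 20, ...) below it are filled with the digit AD requires.
    Check-digit positions themselves cannot be set.
    """
    if position < 1 or position % 10 == 0 or len(value) != 1:
        raise ValueError("position must be a 1-based, non-check-digit index")
    chars = list(current or "")
    chars.extend("0" * (position - len(chars)))       # pad with zeros
    for p in range(10, position, 10):                 # check digits below us
        chars[p - 1] = str(p // 10)
    chars[position - 1] = value
    return "".join(chars)


def allow_anonymous_ldap(current: str) -> str:
    """Value to write so fLDAPBlockAnonOps = 2; '' (the default) -> '0000002'."""
    return set_heuristic(current, ANON_OPS_POSITION, ANON_OPS_ALLOW)


def anonymous_ldap_allowed(value: str) -> bool:
    """True when the value carries the setting this guideline applies."""
    return (len(value) >= ANON_OPS_POSITION
            and value[ANON_OPS_POSITION - 1] == ANON_OPS_ALLOW)


if __name__ == "__main__":
    # Constructed sample: a forest that already has character 9 set.
    existing = "000000001"
    print(allow_anonymous_ldap(""), allow_anonymous_ldap(existing))
```

Reading the attribute back after applying the change and passing it to anonymous_ldap_allowed confirms the edit took effect without touching other positions.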
2.2 Required Details

2.2.1 Base Distinguished Name
Extending the Active Directory schema to include the necessary IBM Cognos
objects and attributes requires some additional details that may not be readily
available from the IBM Cognos application server. The first piece of required
information is the base distinguished name (baseDN) that will be used. The
baseDN, for the purposes of this document, is broken into two parts: the name
of the container that will hold the Cognos namespace, and the actual root
baseDN of the Active Directory domain whose schema is being extended.
When selecting a name for the container to contain the Cognos namespace, it is
recommended that Cognos be chosen as the name. By naming the container
Cognos, it clearly identifies to the Active Directory administrators which
application this branch of the AD tree belongs to. Keep in mind that many Active
Directory administrators prefer to use a preset naming convention, so they may
have to be consulted prior to extending the schema and creating the Cognos
namespace.
There are two ways of determining the baseDN of the Active Directory domain,
other than asking the administrator for this information. The first way is through
the Active Directory Users and Computers interface. Examining the default
display should indicate what the base distinguished name is for the server. Once
inside the graphical interface, the domain suffix can be obtained by looking at
the root of the domain, as indicated by the computer group icon. In the screen
capture below, the base distinguished name would be dc=support,dc=local.
The second method of identifying the baseDN is via the System Properties
dialog box on the Active Directory server itself. To open this dialog box,
right-click on the My Computer icon, select ‘Properties’ and click on the
‘Computer Name’ tab. On this tab, you will find most of the details required to
ensure a successful schema extension.
1- Machine name – ADS as per the screen capture
2- Domain name – Support
3- Internet domain suffix - LOCAL
NOTE: The schema extension must occur on the schema master domain and not on
a child domain. If the domain is not the schema master, it must be promoted,
or the operation will fail.
2.2.2 Schema Admin
Another critical piece of information is the account that will be used to extend
the schema. This account must be a member of the Schema Admin group. Even
though a user account may be part of the Domain Admin group, the account
may still lack the privileges to extend the Active Directory schema. To verify the
account membership, open the Active Directory Users and Computers
interface, and locate the user account that will be used. Right-click on the
account and select the ‘Properties’ option. Click on the ‘Member Of’ tab and
verify that Schema Admin is a listed member.
If the user account is not a member of the Schema Admin group, then the
schema extension may fail. It is possible that the Schema Admin group does not
own the schema. In this case, the user account being used for the schema
extension must be a member of the group that does own the schema.
2.2.3 Configuration Manager
To complete the schema extension and the creation of the namespace, the
Configuration Manager utility must be used. In Cognos Configuration Manager,
modify the values required to extend the directory server schema by accessing
the General page under Services -> Access Manager – Directory Server.
The values that need to be modified to extend the schema can be found in the
right hand frame.
Are you sure that you want to configure this directory server? – This
value should be set to yes, otherwise the operation will not be executed when
the settings are applied.
Schema Version – This value should be set to CURRENT unless older IBM
Cognos Series 7 applications will be accessing this directory server as well.
Server Type – This value can be left to the default ‘Auto Detect’ or the Active
Directory option can be selected.
Computer – Host name of the directory server housing the Cognos schema.
This can be machine name, IP address or fully qualified DNS name.
Port – Port number that the directory server instance is running on.
Base distinguished name (DN) – Organizational Unit (OU) or Container (CN)
where the Cognos namespace will be created. This can be the root DN,
DC=Support,DC=local for example, or a point within the subtree, such as
O=Cognos,DC=Support,DC=local. Again, it is good practice not to specify just
the root baseDN but to use an Organization or Organizational Unit such as
Cognos to house the namespace.
The namespace does not need to be created in the root of the domain. It can be
created at any point of the domain hierarchy. For example, if the desired location
was in an Organizational Unit (OU) called applications, which was under the root
of the domain, the baseDN would then be:
o=Cognos,OU=applications,dc=support,dc=local.
Unrestricted User distinguished name (DN) – User account that has
sufficient privileges to extend the schema of the directory server as well as
create the namespace. The value should be the full DN to the user account and
NOT just the user name.
Unrestricted User password – Matching password value for the user specified
as the unrestricted user.
Primary ticket service - Host and port where the Cognos Access Manager
Server or Ticket Server service is running. This value can be supplied after the
schema has been extended either through Configuration Manager or the Access
Manager admin tool, but it is recommended that this be set at the same time as
the schema extension.
Apply these settings by clicking on the General object in the tree and pressing
the apply button. The settings can also be applied by right-clicking on the
General object and selecting ‘Apply Selection’. If all values are correct, and
the credentials have enough privileges, the following message will be returned
upon successful schema extension.
2.3 Schema Objects and Attributes
Prior to extending the schema in Active Directory, administrators may inquire as
to which objects and attributes will be added into the schema. As mentioned
before, this is an irreversible action, so great discretion is sometimes used. All of
the files that deal with the schema modification are located in the
<install_path>\cerx\accman directory.
The files in this directory are organized by both schema version (15.2 or 16.0)
and directory server type. The files required for the CURRENT schema type (see
section 2.2.3) contain 16.0 in the file name.
For example, slapd.oc.conf.16.0.extension.
All files that are required for Active Directory have the .active_directory
suffix in the file name.
For example, slapd.oc.conf.16.0.extension.active_directory.
Files that create the Object Classes contain .oc. in the file name, and files that
create attributes contain .at. in the file name.
Here is a sample from the slapd.oc.conf.16.0.extension.active_directory file:
# objectclasses below added for Cognos Authenticator Directory Service
#Schema Version 16.0
objectclass authSubdirectory
    oid 1.2.840.114050.1.1.1.2.1
    requires
        objectclass,
        cn
    allows
        authCreationDate,
        authConfigurationItem,
        authDefaultNamespace,
        authMiscellaneous,
        camUtf8Namespaces
    parents
        authSecurityData,
        authSubdirectory,
        domainDNS,
        organization,
        organizationalUnit
objectclass camObjectDirectory
    oid 1.2.840.114050.1.1.1.2.13
    requires
        objectclass,
        cn
    parents
        authSecurityData,
        camObjectDirectory
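Administrators who want to know exactly what a schema extension will add can read it off the file rather than the directory. The parser below is an added example and not part of the Cognos product; it reads the objectclass layout shown above (objectclass name, oid, and the requires/allows/parents lists) and returns the classes, OIDs and attribute names so they can be reviewed before the irreversible extension is run. The embedded sample is constructed in that format and abridged; the keyword set is assumed from the sample only.

```python
# Added example (not from the Cognos guideline): parse slapd.oc.conf-style
# objectclass definitions so the classes, OIDs and attributes a schema
# extension file would add can be reviewed before running it.

# Constructed sample in the layout of slapd.oc.conf.16.0.extension.active_directory
SAMPLE = """\
# objectclasses below added for Cognos Authenticator Directory Service
#Schema Version 16.0
objectclass authSubdirectory
    oid 1.2.840.114050.1.1.1.2.1
    requires
        objectclass,
        cn
    allows
        authCreationDate,
        camUtf8Namespaces
    parents
        authSecurityData,
        organizationalUnit
objectclass camObjectDirectory
    oid 1.2.840.114050.1.1.1.2.13
    requires
        objectclass,
        cn
    parents
        authSecurityData
"""

LIST_KEYS = ("requires", "allows", "parents")  # assumed from the sample


def parse_objectclasses(text: str) -> dict:
    """Return {class_name: {"oid": str, "requires": [..], "allows": [..], "parents": [..]}}."""
    classes, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment
            continue
        if line.startswith("objectclass "):           # new class definition
            name = line.split(None, 1)[1]
            current = classes.setdefault(name, {"oid": None, "requires": [], "allows": [], "parents": []})
            section = None
        elif current is None:
            raise ValueError(f"entry outside an objectclass: {line}")
        elif line.startswith("oid "):
            current["oid"] = line.split(None, 1)[1]
        elif line in LIST_KEYS:                       # start of a list section
            section = line
        elif section:                                 # comma-separated names
            current[section].extend(n for n in (t.strip() for t in line.split(",")) if n)
        else:
            raise ValueError(f"unexpected line: {line}")
    return classes


def oids(text: str) -> dict:
    """Map of class name -> OID, the values an AD admin checks for collisions."""
    return {name: cls["oid"] for name, cls in parse_objectclasses(text).items()}
```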
And a sample from the slapd.at.conf.16.0.extension.active_directory file:
#attributes below added for Cognos Authenticator Directory Service
#Schema Version 16.0
attribute camUserFolderRef camUserFolderRef 1.2.840.114050.1.1.1.1.300 dn 13801
attribute camDBSignonRef camDBSignonRef 1.2.840.114050.1.1.1.1.301 dn 13806
attribute camUserClassRef camUserClassRef 1.2.840.114050.1.1.1.1.302 dn 13804