RSSO for TrueSight 11 - integration into Active Directory using LDAP protocol - best practices

Version 1
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Capacity Optimization


    COMPONENT:

    Capacity Optimization


    APPLIES TO:

    TrueSight Capacity Optimization 11 TrueSight Presentation Server 11 RSSO For TrueSight 11



    DETAILS:

     

     

      
    The scope of this Solution is not the installation of Remedy Single Sign-On, the scope of the Solution is to integrate a installed Remedy Sing--On environment into Active Directory Using LDAP protocol. 

    This Solution does cover the following chapters: 

    - Prerequisites 
    - What configuration settings can be re-used from a ASSO - LDAP integration 
    - Overview for settings and parameter used for the integration 
    - Troubleshooting and find the correct Distinguished Name Search path for User and Groups  

    - Prerequisites

      

    1. Installed version of RSSO supported by TrueSight 11 family

       

    2. If possible a TrueSight Presentation Server integrated into RSSO ( useful to validate the LDAP integration)

      
    The best in-house source to get the information below is the Windows Domain Administrator team.
       

    3. Domain Controller Hostname with low network latency used for the LDAP connection.

    If possible a Domain Controller in the same sub-net or at least same region. 
    Consider to connect to a Global Catalog, for large forest Active Directory and site and Universal Groups. 
    If you don't know the hostname of a domain controller you can run nslookup command against the domain name on a Windows PC. 
    For example "nslookup domain.com" 
       

    4. Does Active Directory support LDAPS (LDAP over SSL)?

    This connection is using port 636, it is recommended because all communication is encrypted, typically a Windows Enterprise Certificate Authority is used. 
    If not possible LDAP using port 389 has to be used, communication is not encrypted, unless encryption is established with VPN or Layer 2 or 3 security. 
    If LDAPS against Port 636 or 3269 for the Global Catalog is used, it is required to get a certificate from all the domain controllers to connect.
    Or preferable a single certificate from the enterprise certificate authority which signs the domain controller certificates, this certificate is typically valid for a longer time also. 
    See troubleshooting chapter at the end of the document how to import the certificate by using keytool  

    5. Bind DN - User Account in Distinguished Name Format with Password which is used for the initial LDAP Bind as a service account.

    Consider if a Domain Policy requires password changes for the account, the password has to be in sync at the RSSO configuration. 
    The same account and password can be used as for Atrium Single Sign-On.  

    6. User Base DN:

    The Distinguished Name from the Orgainzation Unit Structure under which all User can be found, in fact the Root DN of the Domain can be used. 
    For performance and security reasons it is recommended to use a DN which is more down in the Organization Unit hierarchy  

    7. Group Base DN:

    The same as for Users, the Groups can be stored in a different Organization Unit structure 
    For performance  and security reason is is recommended to find a DN under which all groups required for authorization can be found.  

    8. Group Filter for Search:

    Get the name of the groups supposed to login into TrueSight products for authentication. 
    In a large Active Directory requirement it is recommended to setup Filter to only search for the required groups. 
    Without proper group filter the authentication process can be slow, or the queries results from RSSO against Active Directory exceeding the number of results limited by Active Directory which may prevent that logins are not working at all. A few examples for Group Filter are at the end of the Overview chapter.  

    - What configuration settings can be re-used from a ASSO - LDAP integration.

                                                                                                                                                   
    ASSORSSO
    Realm Authentication, Primary LDAP Server, NameRealm Authentication,LDAP Authentication, Server Host
    Realm Authentication, Primary LDAP Server, PortRealm Authentication,LDAP Authentication, Server Port
    Realm Authentication,User Account for Search, User Account for SearchRealm Authentication,LDAP Authentication, Bind DN
    Realm Authentication,User Account for Search, PasswordRealm Authentication,LDAP Authentication, Bind Password
    Realm Authentication, DN to Start Search, Base DNRealm Authentication,LDAP Authentication, Users Base DN
    LDAP Users Store, Search Tab, Search Base DNRealm Authentication,LDAP Authentication, Group Support, Group Base DN
      

    - Overview for settings and parameter used for the integration

      
    1. Login to RSSO navigate to Realm open the default Realm * in Edit mode, select Authentication and Enable Chaining Mode, this allows to use Local and a second external authentication, save changes.
      
    RSSO configuration changes require the local Admin user, this configuration changes are not possible with remote users, the default password is RSSO#Admin#. 
    To change the default password, you can use the Admin drop down list in the right upper corner.
      
    RSSO Realm Authentication 1

       
    2. Add new Authentication method
      
    RSSO Realm Authentication 2  
    3. Select Authentication Type as LDAP and use the Preset Button and select Active Directory, this loads a couple of settings you use like the Search Filter and Identity Attributes.
       RSSO Realm Authentication 3
       
    4. After selecting the Preset Active Directory, the following User Authentication settings are filled in.
       Realm Authentication - User Authentication
       
    5. After selecting the Preset Active Directory, the following Group Authentication Settings are filled in.
       Realm Authentication - Group Support  
    6. Consider to get all the settings you see here from your ASSO server from the Windows AD - LDAP Realm authentication
    - Verify that Enable Group Retrieval is enabled and the Search Scope is Subtree, without the later RSSO only looks to this Organization Unit defined as User Search DN. 
    - With the Subtree option enabled RSSO search recursively ( ldap referral) does in the Organization Unit structure. 
    - Use the Test button, if the Test completed with OK, RSSO can connect with the Domain Controller. 
    - Consider to use Port 636 is LDAPS is available and don't forget to enable the "The Use TLS connection" checkbox. 
      But TLS secured communication requires that you import the certificate from the domain controllers, or better from the certificate authority which signs the certificate. 
      See the keytool example in this document how you can import a certificate. 
    - If unsure about the Users Base DN, see troubleshooting section. 

    Realm Authentication - Connection Settings.
       
    7.  Scrolling down shows the User Authentication, no changes required here, because we loaded the Active Directory Preset, see Point 4.
    On the Group Support you still have to set the Group Base DN, this setting can be found in the ASSO User Store for the Active Directory.
      
    In this screenshot you may realize that the root of the Domain is used as Users Base DN and Groups Base DN, this is typically not recommended. 
    But might be required if the Users and Groups are already in different top level OUs. 

    For example users and groups exist in each of the Organization Units OU=BMM,DC=BMMSUP,DC=XY and OU=TSCO,DC=BMMSUP,DC=XY and every user of this groups needs to login. 
    into the TrueSight products The root of the domain is needed as well if you have users in child domain using the same domain tree. 

    If you use a top level or high level  structure in the Active Directory domain , you must setup proper group filter. If not logins take long time, or are even not possible and may show in the<RSSO_Install>/rsso/tomcat/logs/rsso.0.log:   ERROR: [LDAP: error code 4 - Sizelimit Exceeded] 

    Which means that the result received by LDAP from RSSO is larger as the allowed limit, which is typically 1000 results. 
    See being of the troubleshooting sections how to use Group Filter and How to evaluate the best DNs for Users and Groups.  

     

      
    Realm Authentication - Group Support.  
    8 . Scroll up again and Test the settings, and save the LDAP Authentication settings.
       LDAP Config Save
       
    9.After saving the LDAP Authentication, don't forget to scroll down to save Realm settings.
       Realm Authentication - Save changes  

    - Troubleshooting - LDAP Group Filter -  LDAPS(SSL) - find the right DN- testing by using TSPS

    You cannot use the RSSO Gui to determine if the LDAP integration is working fine, you can verify the settings used outside RSSO for example by using TSPS and you can check the log. 
    There is no way to display or manage users from a remote Realm authentication, RSSO does only support the management of local users and groups.  

    Log:

    Errors related with the LDAP connections are written to the $RSSO_HOME/rsso/tomcat/logs/rsso.0.log:  

    LDAP Filter

    The filter are very important, because you can filter out for groups, you can filter out to only use security groups and you can filter out for persons instead of users. 
    A detailed documentation for LDAP can be found on the Microsoft Technet Pages under this URL.   

    https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx 

    a:) Filter out for groups  Group search Filter to filter out for 2 groups with the cn BMM and TSCO  you can simple change the filter from   (objectCategory=group) to:
       
    (&(objectCategory=group)(|(cn=BMM)(cn=TSCO)))
      
    This would only process this group names, the filter example for more groups works in this way: 
       
    (&(objectCategory=group)(|(cn=GroupA)(cn:=GroupB)(cn=GroupC)(cn=GroupD)(cn=GroupN)))
      

    b:) Filter out for groups with regular expression, for example all groups with a prefix Group are supposed to login into TrueSight, makes the filter shorter. 
       
    (&(objectCategory=group)(cn=Group*))
       


    LDAPS SSL integration issue

    When trying to connect to an LDAP port 636 instead of 389 or 3269 instead of 3268 for the Global Catalog, the GUI is showing this error: 
       
    SSL certificate is missing or port is incorrect
      

    Please double check with the Windows Active Directory Administrator if LDAPS is supported and configured to the port used in the attempt generated this error.
    If so, request a certificate from the certificate authority which has signed the certificate for the Domain Controller, it is very likely an Enterprise Certificate Authority, or a Root Certificate Authority.
    Get this certificate if possible in Base 64 format and transfer the file in binary format to the RRSO server, to import this certificate.

    - navigate with command line to the  $RSSO_HOME/rsso/jre/bin directory

    Important:  RSSO has 2 JRE directories:  RSSO_HOME/rsso/jre and
    RSSO_HOME/jre/

    It is required to import the certificates to the $RSSO_HOME/rsso/jre/lib/security/cacerts truststore file importing the certifcates into $RSSO_HOME/jre/lib/security/cacerts does not help.


    - run keytool in this way.

      
    ./keytool -alias root -import -keystore ../lib/security/cacerts -trustcacerts -file /full/path/to/certificate.cer
       

    The default password of the cacerts file is changeit, please be aware that the cacerts file is overwritten when doing a product update.
    To change this password and use a custom truststore is not the scope of this Solution, if this is required please open a case with support.

    The alias parameter can be used as a free form, it must be unique, but you can use the name of the CA signed the certificate.

     

      

    Find the best Search DN

    The best DN depends on the Active Directory Organization Unit Structure and is quite unique for every environment. 
    If users from child domains are supposed to login in the same domain tree, for example domain.com and child.domain.com, it is required to use the Root DN of the root domain 
    for the User and and Group Search DN, please consider to use Group Filter when using this approach. 

    For domains in the same forest, but different domain tree like domain.com and domain.co.uk, or with domains using a trust relationship you need separate LDAP Authorization for each. 
    Because this domains have different root DN and the DN must match, accross the domain for this kind of recommendations. 

    On method to find the right DN is using a common LDAP Explorer, however this may take a long time to understand the structure, and it may cause confusion if the domain has user and computer objects with the same name. 

    An easier method is to use dsquery and dsget commands, this commands are available on a Domain Controller, or on boxes where the Active Directory client tools are installed. 
    So it might be required to ask a Administrator to run the command, this may take some time , but during that time you can work on other integration issues. 

    The advantage is that this command examples provide the output you need to find the best DN in a good and readable format. 


    1. Get the DN of all member of a Group, replace groupname with the name of the group 
       
    dsquery group -name groupname | dsget group -members -expand
       

    a. example output 

      
    CN=user1,OU=IT,OU=US,DC=DOMAIN,DC=COMCN=user2,OU=IT,OU=US,DC=DOMAIN,DC=COMCN=user3,OU=IT,OU=US,DC=DOMAIN,DC=COMCN=user4,OU=IT,OU=US,DC=DOMAIN,DC=COM
      

    You can use OU=IT,OU=US,DC=DOMAIN,DC=COM as Search DN for the Users.

      
     
      

    b. example output

      
    CN=user1,OU=IT,OU=US,DC=DOMAIN,DC=COMCN=user2,OU=IT,OU=EN,DC=DOMAIN,DC=COMCN=user3,OU=IT,OU=AP,DC=DOMAIN,DC=COMCN=user4,OU=IT,OU=EM,DC=DOMAIN,DC=COM
      


    You must use DC=DOMAIN,DC=COM as Search DN for the Users, because all users are in different structure under the root of the domain.

      
     
      

    c. example output

      
    CN=user1,OU=US,OU=IT,DC=DOMAIN,DC=COMCN=user2,OU=EN,OU=IT,DC=DOMAIN,DC=COMCN=user3,OU=AP,OU=IT,DC=DOMAIN,DC=COMCN=user4,OU=EN,OU=IT,DC=DOMAIN,DC=COM
      

    You can use OU=IT,DC=DOMAIN,DC=COM because this is most top OU under which all structure below are located.

    The concept is to read from right which is the top structure, to the left and found a matching OU= under which all users are located.
    Is is recommended to run this command for every group you want to use in RSSO for Authentication and Authorization
    You should take a look to all groups you want to in the TrueSight Products.

    The easiest way might be to use the root of the domain DC=DOMAIN:DC=COM for the search DN, but for security and performance reasons this is not recommended.

    2. Find the best Group Search DN, replace groupname with the name of the group.
     

      
    dsquery group -name groupname
       

    example output

      
    CN=groupname,OU=US,OU=IT,DC=DOMAIN,DC=COM
      

    This output shows the DN from the group, run the command against all groups, and read from right to left to find a Organization Unit level under which the groups are located, it is the same concept as to find the best DN for the users.

    3. get details for a single user, could be useful to verify the service account, replace username with the name of the user
     

      
    dsquery user -samid username | dsget user -fn -n -samid -disabled
       

    example output

      
    dn                                    samid    fn       disabled  CN=username,CN=Users,DC=domain,DC=com username username no
      

     

      

     To test the LDAP integration with TSPS

    Login with wit  h Admin user to TSPS( admin with admin12345 password is default)
    Use the Burger icon in the top upper left corner and go to Administration Authorization Profiles, use the Burger Icon before the Profile Name to select Edit


    User-added image

    Use the Burger Icon at one of the Profiles at the right side and select Edit. 

    User-added image



    Click on Add Group, this should show the Active Directory Groups, if no Active Directory tools are listed you can check the RSSO logs for errors.  
    But try to do a search with the prefix of the group, for example if all groups start with TSCO search for TS*, if the groups are listed after this search. 

    It is iliekly that the result of the ldap search exceed the limit configured in Active Directory and you need proper group filter. 

    User-added image  


    Error example messages from rsso.0.log

       
    SEVERE Thread_41 com.bmc.rsso.admin.helpers.LDAPHelper.isLDAPServerAccessible(): LDAP connection error ERROR: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]
      
    The data 52e error does typically mean that account used as Bind DN and the password is not working. 
    Check if the correct password is used,Please also check if the DistinguishName used is correct 
    A 3rd Party LDAP Explorer could be used to verify the account by trying to connect to Active Directory. 
    Check with Active Directory Administrator for the correct DistinguishedName and password 

       
    SEVERE Thread_46 com.bmc.rsso.admin.helpers.LDAPHelper.isLDAPServerAccessible(): LDAP connection error ERROR: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 533, v2580]
      
    The data 533 error does typically mean that the account is Disabled or Locked out, due to too many password attempts in Active Directory. 
    Check with the Active Directory Administrator if the account is disabled or locked out. 
    A 3rd Party LDAP Explorer could be used to verify the account by trying to connect to Active Directory. 

       
    INFO Thread_42 com.bmc.rsso.admin.helpers.LDAPHelper.isLDAPServerAccessible(): Checking server:port - hostname.domain.com:636 SEVERE Thread_42 com.bmc.rsso.admin.helpers.LDAPHelper.isLDAPServerAccessible(): LDAP connection error ERROR: hostname.domain.com:636; socket closed
      
    Check if the ""The Use TLS connection" is enabled", the connection is against a LDAPS Port, this connection requires a certificate from the domain controller 
    or the certificate authority signed the certificates. See keytool example for more details. 

       
    INFO Thread_65 com.bmc.rsso.admin.helpers.LDAPHelper.isLDAPServerAccessible(): Checking server:port - hostname.domain.com:636 SEVERE Thread_65 com.bmc.rsso.admin.helpers.LDAPHelper.isLDAPServerAccessible(): LDAP connection error ERROR: simple bind failed: hostname.domain.com:636 com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)  com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
      
    A connect against LDAPS Port and the TLS Option is selected, but you need to import the certificate from the certificate authority which signs the certificates from 
    the domain controller. See keytool example for more details 

     


    Article Number:

    000143901


    Article Type:

    Product/Service Description



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles