8 Replies Latest reply on May 23, 2014 10:13 AM by Amit Gupta

    BladeLogic AD authentication best practices

    Vernon Whicker

      Hello,

      We are currently in a POC stage of implementing the BladeLogic AD sync. We have many roles and are currently looking to do a one-to-one mapping of BladeLogic roles to AD groups. While looking through the BLCLI documentation for the CLI to sync the roles, I see that many of the commands require the query information to sync. This leaves me with a couple of questions.

      • Is there a command to sync roles to groups that does not require the individual query information?

      • If not, could I use wildcards in the query?

      • What is the recommended mapping and sync script method to maximize efficiency of the use of the AD sync?

      Our base requirements are as follows:

      The job must run each night to sync the roles and groups
           - Additions to the membership should be added
           - Persons removed from the group should be removed from the role

        • 1. Re: BladeLogic AD authentication best practices
          Amit Gupta

          BSA has the ability to map one BSA role to multiple AD groups, but there is no reason why you couldn't use 1:1 mapping if that is what your AD setup allows you to do.

          The following doc explains how you will go about that: https://docs.bmc.com/docs/display/public/bsa82/RBAC+User+Synchronization+with+AD

          In short, we need 4 basic things that must be provided:

          1. LDAP server name and a cert to validate the LDAP server certificate. This goes into the LDAP connection.
          2. A user credential that can be used to browse the AD. This goes into an automation principal.
          3. The group information about the group to be mapped to the role. This goes into the Group Query.
          4. The attribute that should be used to get the username registered in RBAC. This goes into the User Query.

          LDAP queries do support wildcards. They have the same syntax for the filters that ldapsearch has.

          The role options for RBAC synchronization can be used to remove users from the role if they are removed from the AD group.

          AD mappings generally depend on what AD structure customers have. Ideally, you won't need to create a new structure just to map to BSA; you would use RBAC sync to map BSA roles to existing AD groups. But the feature is flexible to do either, and we do have a mix of customers between the ones who were able to use the existing AD structure versus the ones who tweaked the AD structure to get BSA users synced.

          Thanks,

          Amit

          • 2. Re: BladeLogic AD authentication best practices
            Amit Gupta

            And once you have the group mappings and role options configured for the role, you can create a nsh script job that runs the following command to schedule this synchronization at whatever schedule you want:

            blcli_execute RBACRole syncRole <Name of the Role>

            • 3. Re: BladeLogic AD authentication best practices
              Christopher Blanks

              Amit,

              There is a right-click/Synchronize option in the 8.3 GUI that allows ad-hoc synchronizations that appear to be similar in nature to the blcli RBACRole syncRole command. Do you know if there is a "Synchronize Role" job type that can be created and scheduled in the GUI? This would certainly be a great feature for those new to NSH scripting, etc.

              • 4. Re: BladeLogic AD authentication best practices
                Vernon Whicker

                Hey Amit, thanks for the reply. I have been at a conference and am just catching up. So we have started many of these tasks and have a few issues. I'll review this content and try that CLI and reply.

                In short, we need 4 basic things that must be provided:

                1. LDAP server name and a cert to validate the LDAP server certificate. This goes into the LDAP connection.
                  1. We have done this but are having a cert issue because the AD servers are fronted by an F5. There is another thread on this that Jason Lammar is running with.
                2. A user credential that can be used to browse the AD. This goes into an automation principal.
                  1. We are using an SA account for this, but see this.
                3. The group information about the group to be mapped to the role. This goes into the Group Query.
                  1. We have a simple query that we are using right now for the POC and are just starting to evaluate the queries needed for all the roles as the next step.
                4. The attribute that should be used to get the username registered in RBAC. This goes into the User Query.
                  1. Same as above.
                • 5. Re: BladeLogic AD authentication best practices
                  Vernon Whicker

                  Hey Amit,

                  I am getting the following error with the cmd syncRole:

                  blcli_execute RBACRole syncRole 123-blanco

                  Command execution failed. com.bladelogic.om.infra.cli.factory.CommandNotFoundException: Name space : RBACRole has no commands by name : syncRole

                  • 6. Re: BladeLogic AD authentication best practices
                    Vernon Whicker

                    Got the cmd working. It's in the documentation you provided. It was syncUsers, not syncRole.

                    LIBP03P-UCMNM7D% blcli_execute RBACRole syncUsers 123-BLANCCO

                    DBKey:SBLRoleModelKeyImpl:2108174-145111410

                    • 7. Re: BladeLogic AD authentication best practices
                      Vernon Whicker

                      Hey Amit,

                      We are going to have a one-to-one relationship with AD groups for each role. I am trying to see if I can streamline the number of queries (USERS:GROUPS) since we have roughly 400 roles.

                      For each role, when you set the group mappings you need to define "Group Query" and "User Query".

                      The format is going to be the same in the group query with the exception of the GROUP NAME. So I believe that this means 400 different LDAP queries.

                      The format is going to be identical for the User Query. So I should be able to use the same LDAP Query for each group mapping, correct?

                      Let me know if I am missing something here.

                      • 8. Re: BladeLogic AD authentication best practices
                        Amit Gupta

                        Chris, there is no synchronization job type in the product. The way to schedule it is to create an NSH script job with the blcli commands.

                        Lee, you got it exactly right: the user query can be re-used if you are using the same user attribute for all incoming users (typically, this is true). As the group you are synchronizing is different for each role, group queries will be distinct for each group mapping.

                        Thanks,

                        Amit
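Added example (not from this thread and not BMC's code): a POSIX sh version of the nightly sync that replies 2, 6 and 8 describe, looping `blcli_execute RBACRole syncUsers` over a role list so one NSH Script Job covers all ~400 roles and records which roles failed instead of stopping at the first error. It assumes `blcli_execute` is available where the script runs (as it is inside an NSH Script Job) and that role names are listed one per line; the file paths and the three sample roles are constructed placeholders.

```shell
#!/bin/sh
# Added example (not BMC's code): nightly RBAC sync of every role in a list
# file, one "blcli_execute RBACRole syncUsers" call per role, logging failures.
# Assumes blcli_execute is on PATH (true inside an NSH Script Job) and that
# role names are listed one per line; the paths and roles are placeholders.
ROLE_LIST="${ROLE_LIST:-/tmp/bsa_roles.txt}"
LOG="${LOG:-/tmp/rbac_sync.log}"

# Constructed sample list; replace with the real roles, one per line.
write_sample_roles() {
    cat > "$ROLE_LIST" <<'EOF'
# BSA roles to synchronise; blank lines and # comments are ignored
123-BLANCCO
WindowsAdmins
LinuxAdmins
EOF
}

# Sync one role; blcli prints the DBKey line on success (as in the thread).
# The result is appended to $LOG and blcli's exit status is returned.
sync_one_role() {
    role=$1
    rc=0
    out=$(blcli_execute RBACRole syncUsers "$role" 2>&1) || rc=$?
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    if [ "$rc" -eq 0 ]; then
        echo "$ts OK   $role $out" >> "$LOG"
    else
        echo "$ts FAIL $role rc=$rc $out" >> "$LOG"
    fi
    return "$rc"
}

# Sync every role: one failure must not stop the rest, but the job still
# ends non-zero so the NSH Script Job run shows as failed.
sync_all_roles() {
    SYNC_OK=0; SYNC_FAILED=0
    while IFS= read -r role || [ -n "$role" ]; do
        case $role in ''|\#*) continue ;; esac
        if sync_one_role "$role"; then
            SYNC_OK=$((SYNC_OK + 1))
        else
            SYNC_FAILED=$((SYNC_FAILED + 1))
        fi
    done < "$ROLE_LIST"
    echo "roles synced=$SYNC_OK failed=$SYNC_FAILED (details: $LOG)"
    [ "$SYNC_FAILED" -eq 0 ]
}
# Inside the job, run with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then sync_all_roles; fi
```

Because roles are removed from the list file rather than from the script, the list can be generated from the same source that defines the 1:1 role-to-group mapping.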