1 Reply Latest reply: Oct 1, 2009 10:19 AM by Danny Kellett

Remedy integration with Active Directory.

shashidhar.ms

Dear friends,

 

There is a request for us to integrate Remedy (ITSM suite) with Active Directory (AD). We are aware of the basic interfacing steps, but the request goes beyond that and has a few really special points to be considered. I have tried to explain them as well as possible; please reply if you have any (possible) solutions to them.

 

1. The user profiles should not be stored in Remedy, Remedy should access the AD for authentication.

          - I believe it is not possible to comply with this fully, since Remedy needs info on the type of license provided to that user and the details of the permissions he has, and this can be stored only in Remedy.

          Please correct me if my understanding is wrong and if any option is available to do it.

 

2. Even the system login (Demo) should be stored in AD.

          - I don't think even this is possible, since at least this user needs to be in the system for it to be alive.

          Please correct me if my understanding is wrong and if any option is available to do it.

 

Explained that during integration with AD, the user passwords need to be blank so that they are always authenticated with AD, and the system accounts (Demo, appadmin) will have passwords so that they are not authenticated with AD. In response to that explanation, I got another point mentioning that the passwords cannot be kept blank. And when the option of having a dummy password (by not disclosing it to the user so that he always uses the password in AD) was provided, was told that the user profile duplication shouldn't be there. Also, got the below query on the storage of passwords.

 

3. Storage of passwords - need to encrypt them.

          - Got to know from the BMC documentation that the passwords are one-way hashed. Need a confirmation if it is just one-way hashed or encrypted and then hashed. Any further info on the way it is stored (the number of bits used to encrypt, the algorithm used for hashing) will be helpful (if it is shareable).

 

Please let me know if you have any solution for my situation. Also, let me know if you have any queries/need more info on the above.

 

Thanks in advance,

SMS

  • 1. Re: Remedy integration with Active Directory.
    Danny Kellett
    1. Correct. The application permissions etc. are not something that is stored in AD and it's not set via anything other than CTM:People, so this is going to be extremely hard to do.
    2. You could do this by getting them to create an account in their AD with the account name as Demo. If you have AREA (AR External Authentication) on, which you will have to enable using AD as an authentication method, you have to have something called "Cross Reference Blank Password" enabled on your AR Servers. This means that ANYONE with a blank password in the AR System (not AD) will be authenticated via AD. So it's not as if someone can have an AR System account without a password and gain access. Remember this just means that there is a blank password in the AR System as a flag to use the AD and nothing else.
    3. I stopped working for BMC when 7.1 came out, but at that point it was encrypted with RC4 then hashed with SHA. Not sure if it's the same with other versions. But if you use AREA with AD then this doesn't matter.

     

    Kind regards

    Danny