Create a Microsoft Active Directory User Data Store on the CA SSO Server r12.1 CR5 and newer

Document ID : KB000021122
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

This document describes how to integrate Microsoft Active Directory as a User Data Store for the CA SSO Server. It demonstrates the procedure step-by-step utilising the built in automatism available in CR5 and later.

Note that even now with Microsoft Active Directory Store (ADS) as the user data store the CA SSO Server still maintains SSO-specific user information, such as application or logon information in the embedded CA Directory.

CA SSO just retrieves user information from the ADS without modifying it in any way.

Solution:

Note:

The following procedure assumes that the ADS computer (Domain Controler, DC) host name is "ADServer1", your domain name is "acmecorp", and that you have an employee named Prani Patil who works in the Help Desk department. Replace this information with information specific for your organization.

Prani Patil is used by SSO Server to connect to AD to authorise SSO Client login requests.

(There is no need for Prani Patil to be an administrative user but it must not be limited in read access to the entire AD tree.)

Follow these steps:

  1. Log in to the Policy Manager to any SSO farm member server

    The tabs for your user privileges appear.

  2. Click Resources, Single Sign-On Resources, User Resources, Datastores

    The Datastores pane appears.

  3. Right-click in the Datastores pane and select New

    The Create New USER_DIR Resource dialog appears.

  4. Complete the fields in the General dialog

    The following fields are not self-explanatory:

    Name

    Specifies the name of the new user data store on the CA SSO Server.

    Example: ad-acmecorp

    Data Store Type

    Specifies the data store type. Select AD.

    Owner

    Specifies the owner of the data store. To create an Active Directory user data store, leave the option blank.

    Base Path

    Specifies the user data store base path.

    Example: dc=acmecorp,dc=com

    Comment

    Specifies an additional description about the data store.

    Example: Active Directory data store.

    Host

    Specifies the hostname of the CA SSO Policy Server. Enter localhost.

    Port

    Specifies the port of the CA Directory. Enter the port as 13389.

    Figure 1

  5. Click the Directory Configuration icon

    The Directory Configuration pane appears.

  6. Complete the fields in the directory configuration dialog:

    Hostname

    Specifies the host name value of the Active Directory domain controller.

    Example: ADServer1

    Admin

    Specifies the name of a permanent user. The user need not be an administrator.

    Example: Admin: cn=Prani Patil, ou=Help_Desk, DC=acmecorp, DC=com

    Password

    Specifies the password of the user.

    Confirm Password

    Specifies the password of the user.

    Figure 2

  7. Click Advanced

    The Advanced Data Store Properties dialog appears.

  8. Modify the following fields in the Advanced Data Store Properties dialog:

    Container Classes : container,organization,organizationalUnit,builtinDomain,country

    Note: The Containers Classes field determines the classes the Policy Manager interprets as containers. Any typographical error causes problems when viewed in the Policy Manager.

    Login Info Container DN : ou=ad-acmecorp,ou=LoginInfos,o=PS

    Note: Remove the angle brackets "<" and ">" that appear in the LoginInfoContainerDN field. They indicate that you must enter text.

    Figure 3

  9. Click OK twice

    The Active Directory user data store is created.

  10. Stop and Start the following services:

    • CA SSO Server Service

    • CA Directory - PS ACMECORP and CA Directory PSTD ACMECORP Services

      Note: For more information about restarting CA SSO and CA Directory services, see Chapter 14: Maintenance in the CA SSO Administration Guide.

  11. Using Windows Explorer, go to the following directory:

    %dxhome%\config\knowledge

  12. Verify that the router file e.g. "AD-ACMECORP_Router.dxc" has been created

    This file creates a router DSA named AD_ACMECORP_Router on SSOServer1; it points to the Active Directory AcmeCorp on ADServer1.

    Its contents should look like:
    set dsa AD_ad-acmecorp_Router = 	{ 	prefix = <dc "com"><dc "acmecorp"> 	native-prefix = <dc "com"><dc "acmecorp"> 	dsa-name = <o AD_ad-acmecorp ><cn AD_ad-acmecorp_Router> 	dsa-password = "secret" 	address = tcp "ADServer1" port 389 	auth-levels = clear-password, ssl-auth 	dsa-flags = read-only 	trust-flags = allow-check-password, no-server-credentials 	link-flags = dsp-ldap, ms-ad 	}; 	set transparent-routing = true ; 

  13. Verify that the PS_Servers.dxg file is sourcing the newly created Router config file
     	source "../knowledge/PS_ACMESSO121.dxc"; 	 	source "../knowledge/PSTD_ACMESSO121.dxc"; 	 	source "../knowledge/ad-acmecorp_Router.dxc"; 

  14. Verify that the PS_Access.dxc file has been amended to grant the relevant access rights

    Using Windows Explorer, go to the following directory:

    %dxhome%\config\access

    and review the added sections to the file

    Note:

    This steps only need to be done once for the full SSO Server farm (no need to repeat the steps at other farm members), the configuration changes are propagated to all farm member servers

    For SSL configuration of the ADS integration please see

    How to set up SSL Between the SSO Server (with embedded CA DIR r12 SP2 and newer) and Microsoft Active Directory Datastore?