How to authenticate users of CA Service Desk Manager (CA SDM) on Linux against a LDAP Domain?

Document ID : KB000017405
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Normally on a Windows Platform, CA SDM's authentication module bopauth_nxd/boplgin is able to do native External Authentication against users that belong to the Windows Domain that the Windows host/server belongs to.

This is not the case for Linux/Unix based systems.

This document provides a few options that can be considered to authenticate such Domain users when CA SDM is on Linux platform. Similar approach could be considered for other Unix flavors as well.

Notes:

  1. This document also assumes that CA SDM's LDAP Options were configured to get CA SDM contacts imported/synced with CA SDM contacts table AND that the Access Type for users who need to be authenticated is set to External Authentication.
  2. Approaches discussed below are not formally certified by CA, but are being used as recommendations/approaches that can be investigated and utilized. CA Siteminder integration however is formally certified for integrated authentication purposes.

Solution:

Enabling Tomcat's Authentication:

CA SDM offers Tomcat web server, which serves as an "out of the box" web and application server for CA SDM needs. Out of the box, Tomcat 7s Integrated Windows authentication can be enabled as one option. There are several ways in which this can be done:

  1. Built-in Tomcat Support
  2. Use a third-party library such as WAFFLE
  3. Use a Reverse proxy that supports Windows authentication to perform the authentication step such as IIS or Apache Web Server - Refer to http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html for additional details.

Use CA Embedded Entitlements Manager (EEM) for Authentication:

CA SDM offers a way to authenticate CA SDM contacts against EEM. EEM can be setup against an external Directory like LDAP/Windows Active Directory for its users.

As long as a user is a valid user and can authenticate in EEM, that user now can login to CA SDM (assuming the contact record exists in CA SDM)

Enable some sort of Single Sign-On option for the Apache Web Server:

CA SDM offers native support to integrate with Apache Web Server and out of the box Tomcat that is offered with the CA SDM install.

Apache Web Server could be configured to do HTTP Basic Authentication.

  1. Ensure the Apache Module mod_authnz_ldap is installed on the Linux host first. This can be done by obtaining the necessary RPM and/or using native package installation applications like yum.
  2. CA SDM's CAisd website specific entries for Apache web server are normally listed in /opt/CAisd/bopcfg/www/CAisd_apache.conf
  3. Identify this entry in the same file: <Directory /opt/CAisd/bopcfg/www/wwwroot>
  4. Insert a new line and add the configuration options for mod_authnz_ldap. Here's a sample where Authentication Type is Basic, and the module is connecting to an LDAP (in this case Active Directory) Server called LDAPServer.Company.Com. It is set to use a BaseDN="CN=Users,DC=casupport,DC=local", search by SAMAccountName under all subtrees with in the baseDN.
    AuthType Basic
    AuthName "SDM Web Site: Login with LDAP user id"
    AuthBasicProvider ldap AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://LDAPServer.Company.com:389/CN=Users,DC=casupport,DC=local?samaccountname?sub
    AuthLDAPBindDN "cn=administrator,cn=users,dc=casupport,dc=local"
    AuthLDAPBindPassword AdminPassword
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN off
    Require valid-user

  5. Restart Apache Web Server and next time you try to access CA SDM over Apache Web Server, you will get prompted for LDAP credentials.

Notes:

  1. Additional information on this topic with several additional features etc., are available at: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html. Should there be need for LDAP Connection Pooling, LDAP Cache, SSL/TLS etc., those details are available at http://httpd.apache.org/docs/2.2/mod/mod_ldap.html
  2. In a similar way, Apache Web Server can also be protected by CA Siteminder as well, should CA Siteminder be available for use.
  3. It is recommended to engage system admin for this as there may be pre-requisite modules that need to be installed as well and depending on how each Linux setup is done, the list could vary.

Move CA SDM Authentication Program to a Windows Server:

The CA SDM bopauth_nxd program can moved from Linux/Unix platform to a Windows Server, which belongs to the same domain against which the CA SDM users need to be authenticated. Documentation on how to move this program to a Windows server is available via CA SDM Implementation/Administration guides.

Notice: CA does not own the 3rd party technology plug-ins mentioned in this document and as a result may not be able to resolve issues with those technologies. If CA Support determines the issue lies with the 3rd party plug-in, they may ask you to try an alternate architecture for authentication.