How to configure CEM with LDAP authentication using your own LDAP groups

Document ID : KB000006453
Last Modified Date : 14/02/2018
Issue:

How to configure CEM with LDAP authentication using your own LDAP groups?

Cause:

From documentation > security section:

"for CA CEM, you must create users and all four default security groups on the LDAP server. For example, on the LDAP server you create the cemadmin user and the CEM System Administrator security group. Then you assign cemadmin as a member of the CEM System Administrator security group, thus providing cemadmin with CEM System Administrator security group permissions."

Resolution:

If you would like to use your own LDAP groups, you must use CA EEM, as described in the example below:


a) custom LDAP groups:

ABC_CEM_ANALYSTS
ABC_CEM_CONADMINS
ABC_CEM_INCIDENTS
ABC_CEM_SYSADMINS
ABC_CEM_TENANT
ABC_INT_ADMIN
Guest

b) We use the default apm users: admin, cemadmin, guest, etc.

c) Each user has been assigned to its corresponding APM group, using the same user structure as the one provided in users.xml, as shown below:

[Screenshots: 1.png to 6.png]

NOTE: The name or number of LDAP groups is not important as long as you properly allocate the LDAP user or groups to the correct APM policies as documented below:


Step 1: Install and configure EEM with Introscope EM as per KB TEC593939 - How to implement CA EEM and LDAP for Authentication and Authorization of CA APM: http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec593939.aspx

Step 2: Once you finish uploading the safex script, configuring EEM with your LDAP server and reconfiguring your realms.xml in the Introscope EM, you need to update the predefined APM EEM policies with your custom LDAP groups as below:

2a) Log in to the EEM APM application.

[Screenshot: 7.png]

2b) Go to Manage Access Policies. You will see all the APM policies that were created when you executed the APM safex scripts.

2c) Update all the APM Policies with your own Global Groups (LDAP groups):

Here is an example of updating an access policy:

[Screenshot: 8.png]

Below is a quick summary view of all the policies:

[Screenshots: 9.png to 20.png]

Step 3: Restart the Introscope EM

Step 4: Log in to the CEM console.

[Screenshot: 21.png]

You can also verify the results in the log.

[Screenshot: 22.png]
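
Because access is granted purely through the LDAP groups attached to each APM policy, it helps to confirm who is actually in those groups before or after binding them in EEM. The following is an added example, not part of the original article or of CA's tooling: it audits an LDIF export of the groups, and the DNs, the `member` attribute, the `parse_groups` and `audit` helpers and the expected user-to-group mapping are all assumptions.

```python
# Added example: audit an LDIF export of the custom LDAP groups.
# The DNs, the `member` attribute and EXPECTED are assumptions, not CA defaults.
import re

# Constructed sample export (not real directory data); one line is folded.
SAMPLE_LDIF = """\
dn: cn=ABC_CEM_SYSADMINS,ou=groups,dc=example,dc=com
cn: ABC_CEM_SYSADMINS
member: uid=cemadmin,ou=people,dc=example,dc=com
member: uid=guest,ou=people,dc=exam
 ple,dc=com

dn: cn=ABC_INT_ADMIN,ou=groups,dc=example,dc=com
cn: ABC_INT_ADMIN
member: uid=admin,ou=people,dc=example,dc=com
"""

# Assumed intended membership: group name -> users allowed in that group.
EXPECTED = {"ABC_CEM_SYSADMINS": {"cemadmin"}, "ABC_INT_ADMIN": {"admin"}}


def parse_groups(ldif):
    """Return {group cn: set of member uids}; base64 values are skipped."""
    text = re.sub(r"\n ", "", ldif)  # unfold continuation lines (RFC 2849)
    groups = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        cn, members = None, set()
        for line in entry.splitlines():
            attr, _, value = line.partition(": ")
            if attr.lower() == "cn":
                cn = value.strip()
            elif attr.lower() == "member":
                members.update(u.lower() for u in re.findall(r"^uid=([^,]+)", value.strip(), re.I))
        if cn:
            groups[cn] = members
    return groups


def audit(groups, expected):
    """List (group, user, problem) for every deviation from `expected`."""
    findings = []
    for group, allowed in sorted(expected.items()):
        if group not in groups:
            findings.append((group, None, "group missing from export"))
        else:
            findings += [(group, u, "unexpected member") for u in sorted(groups[group] - allowed)]
            findings += [(group, u, "expected member absent") for u in sorted(allowed - groups[group])]
    return findings
```

Calling `audit(parse_groups(SAMPLE_LDIF), EXPECTED)` on the constructed sample reports `guest` as an unexpected member of `ABC_CEM_SYSADMINS`.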