Logging into ITPAM as an LDAP user.

Document ID : KB000021600
Last Modified Date : 14/02/2018

Description:

Most companies have an LDAP implementation (such as Active Directory) where they store their user information. You can integrate EEM with LDAP, but some steps must be followed before an LDAP user can log in to ITPAM.

Solution:

NOTE: Before pointing EEM to your LDAP server you must register the ITPAM application with EEM. Registering the application with EEM must be done while EEM is still pointing to the internal data store and not to your LDAP server. This doc assumes that the ITPAM application has already been registered with EEM.

Begin by logging into EEM to the "Global" application as the EiamAdmin user.

Figure 1

On the Manage Identities tab, you will see the PAMAdmin and PAMUser users that were installed when you registered ITPAM with EEM.

Figure 2

Click on the Configure tab and then on the EEM Server link and Global Users/Global Groups:

Figure 3

Notice that EEM is currently storing users in the EEM internal datastore. We are going to select "Reference from an external directory".

Figure 4

Selecting "Reference from an external directory" enables fields that can be set to point to your external directory server. Fill these fields in accordingly. If you do not know what values to fill in, ask your company's LDAP administrator for details.

Figure 5

Once you have completed the fields, scroll to the right and at the top of the screen click Save.

Figure 6

You should then see a success message:

Figure 7

At the bottom of this screen you will see the following:

Figure 8

Click the "Refresh status" link periodically until you see this:

Figure 9

EEM is now successfully connected to your External Directory. Now we need to find any users that you want to log into ITPAM and add them to the correct groups. To do this, log out of EEM and log back into the ITPAM (Process Automation) application group as the EiamAdmin user:

Figure 10

Click on Manage Identities and search for the username that should have permission to log into ITPAM. Then click on that user to display the user details on the right.

Figure 11

Scroll over to the far right at the top and click on the "Add Application user Details" button.

Figure 12

That will show the following Application Group Membership details. Select the group or groups that you want this user to be a member of and click Save on the far right at the bottom of the screen.

Figure 13

That user will now be able to log in to ITPAM and will have permissions according to the group or groups you added the user to.

NOTE: The PAMAdmin and PAMUser that are set up when you register the ITPAM application with EEM are stored in the EEM internal datastore. When you point EEM at your LDAP directory server as we did above, the PAMAdmin and PAMUser are no longer accessible and will not be able to log in to ITPAM. If you want to use these users with EEM pointed at your LDAP directory server, you will need to add these users to your LDAP directory server.

LDAP groups will also be imported if you choose to import groups. With Active Directory, only "domain.local" groups and not "global" groups will be imported.