This tutorial guides you through setting up IBM® ADDI
Extension to authenticate users over LDAP against Microsoft Active
Directory Domain Services (AD DS) and to manage user permissions
through Active Directory groups.
Prerequisite
You need a machine that runs Windows Server 2012 or later and that
you can promote to a domain controller. Every component in this tutorial
runs on that one machine: the domain controller, the Authentication
Server (DEX), and IBM ADDI Extension. That is why the tutorial can use
localhost:389 for the LDAP connection and a hosts-file entry for
sample.com.
Installing and configuring AD DS
Complete
the following steps to set up LDAP through AD DS.
- Log in as the administrator on the Windows Server machine.
- Click Start > Server Manager.
- Select Dashboard on the left menu and click Add roles and features.
- Perform the feature installation with the Add Roles and Features
Wizard.
- Click Next on the Before You
Begin tab.
- Select Role-based or feature-based installation on
the Installation Type tab and click Next.
- Click Next on the Server Selection tab
to keep the default server information.
- Select Active Directory Domain Services from
the Roles checklist on the Server Roles tab.
- Select the Include management tools (if applicable) checkbox
and click Add Features on the pop-up dialog
box.
- Click Next on the Server Roles tab.
Make sure that Active Directory Domain Services checkbox
is selected.
- Click Next on the Features tab.
- Click Next on the AD DS tab.
- Select the Restart the destination server automatically
if required checkbox and click Install on
the Confirmation tab.
- Wait until the installation is done.
- Click the Promote this server to a domain controller link
on the Results tab.
- Complete the following steps to configure AD DS.
- Click Add a new forest and enter sample.com in
the Root domain name field. Then, click Next on
the Deployment Configuration tab.
- Enter the Directory Services Restore Mode (DSRM) password in the Password and Confirm
password fields. Then, click Next.
Note: Keep this password in a safe place. It is the credential you need
to boot the domain controller into Directory Services Restore Mode and
recover the directory.
- Click Next on the DNS Options tab.
- Click Next on the Additional
Options tab. The NetBIOS domain name field is automatically
completed for you at this step.
- Click Next on the Paths tab to keep the default locations of
the AD DS database, log files, and SYSVOL.
- Review the configured options and click Next to
confirm.
- Click Install on the Prerequisites
Check page when all prerequisites checks are passed.
- Wait until the installation is done and the results page is displayed.
The server then restarts automatically to complete the promotion.
After the restart, log back in to the server as an administrator.
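The role installation and forest promotion above can also be scripted. The following PowerShell is an added example and is not part of the IBM tutorial; it assumes the domain name sample.com, the NetBIOS name SAMPLE, the default database, log and SYSVOL paths, and an elevated PowerShell session on the server that becomes the domain controller.

```powershell
# Added example: scripted equivalent of the Add Roles and Features wizard and the
# "Promote this server to a domain controller" steps above. Not from the IBM tutorial.
# Assumptions: domain sample.com, NetBIOS name SAMPLE, default paths, elevated session.

# 1. Install the AD DS role together with its management tools (this is what the
#    "Include management tools" checkbox adds: ADUC, ADSI Edit, the ActiveDirectory module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Prompt for the Directory Services Restore Mode password instead of hard-coding it.
#    It is the recovery credential for the directory; keep it out of scripts and history.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 3. Run the prerequisite checks first (the wizard's Prerequisites Check page).
Import-Module ADDSDeployment
Test-ADDSForestInstallation -DomainName 'sample.com' -SafeModeAdministratorPassword $dsrmPassword

# 4. Create the new forest. -InstallDns matches the wizard default (DNS Options tab);
#    the server restarts automatically when promotion completes, as it does in the wizard.
Install-ADDSForest `
    -DomainName 'sample.com' `
    -DomainNetbiosName 'SAMPLE' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -InstallDns `
    -Force
```

After the reboot, Get-ADDomain shows the new sample.com domain, and the remaining steps of this tutorial can be run on the same server.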
You have now installed and configured AD DS. Next, you will create
the Active Directory users and groups that IBM ADDI Extension
authenticates and authorizes against. The users log in to IBM ADDI
Extension; the groups determine who administers it and which workbooks
each user is allowed to see.
Setting up active directory user groups and users
Complete
the following steps to setup active directory user groups and users.
- In the Server Manager, select Tools > Active
Directory Users and Computers from the upper right menu.
- Select the user that has the Administrators role and that DEX will
use to bind to Active Directory when it looks up and authenticates users.
In this tutorial, this user is ldapadmin, and it also serves as the
administrator of IBM ADDI Extension for the rest of the tutorial.
In a production environment, use a dedicated, least-privilege service
account for the bind and keep it separate from your ADDI administrators;
its password is stored in clear text in dex.yaml.
- Double-click the user item to open the ldapadmin Properties window.
- Enter the email address that you want to use for initialization
in the E-mail field. It is ldapadmin@sample.com in
this example.
- Select the Account tab and make sure that the User logon name matches
the local part of that e-mail address. The e-mail account name
(ldapadmin in this example) is the username that you use when you
log in to IBM ADDI Extension.
- Clear all the checkboxes in the Account options list and click OK.
In particular, User must change password at next logon must be cleared;
otherwise the LDAP simple bind from DEX fails until the password is changed.
- Create the active directory users to access IBM ADDI
Extension.
- In the Active Directory Users and Computers window, right-click
the Users folder.
- Select New > User.
- Enter the following information in the New Object – User
dialog box.
- First name: Marco
- User logon name: marco
- Click Next.
- Enter the password for this user in the Password and Confirm
Password fields. For a disposable lab you can choose a password that is
easy to remember, but the default domain password policy enforces
complexity and a minimum length of 7 characters, so a password equal to
the user name (for example, marco) is rejected unless the policy has
been relaxed. Never reuse such passwords outside an isolated test environment.
- Clear the User must change password at next logon checkbox.
- Click Next.
- Click Finish to confirm the user creation.
- Repeat the preceding steps to create Jane (user logon name jane) and
Tammy (user logon name tammy).
- Create user groups to manage workbook permissions in IBM ADDI
Extension.
- In the Active Directory Users and Computers window, right-click
the Users folder.
- Select New > Group.
- Specify the following information in the New Object – Group
dialog box.
- Group name: zMobile
- Group scope: Global
- Group type: Security (the default)
- Click OK to create the group.
- Repeat the preceding steps to create the Addi Administrators and HRM
App groups. Note the exact spelling of these names: you enter them
again in the IBM ADDI Extension configuration, and they must match
the group names in Active Directory.
- Assign users to the zMobile group.
- Double-click the zMobile group to open
the zMobile Properties window.
- Select the Members tab.
- Click the Add button.
- Type Marco in the Enter the
object name to select field.
- Click Check Names. The object name with
the logon name is displayed.
- Click OK to finish.
- Repeat the Add, Check Names, and OK steps to add Jane to the zMobile group.
- Click OK to close the zMobile Properties
window.
- Assign Tammy to the HRM App group.
- Double-click HRM App group to open the
HRM App Properties window.
- Select the Members tab.
- Click the Add button.
- Type tammy in the Enter the
object name to select field.
- Click Check Names. The object name with
the logon name is displayed.
- Click OK to finish.
- Click OK to close the HRM App Properties
window.
- Assign administrator user to the Addi Administrators group.
- Double-click the Addi Administrators group
to open the Addi Administrators Properties window.
- Select the Members tab.
- Click the Add button.
- Type the name of the user who is to be the ADDI administrator
in the Enter the object name to select field.
In this example, it is ldapadmin (the local
administrator who is also the Active Directory administrator).
- Click Check Names. The object name with
the logon name is displayed.
- Click OK to finish.
- Click OK to close the Addi Administrators
Properties window.
- Close the Active Directory Users and Computers window.
- Get the Distinguished Name of active directory administrator user
to use for IBM ADDI
Extension authentication
setup.
- In the Server Manager, select Tools > ADSI
Edit from the upper right menu.
- Right-click the ADSI Edit item and select Connect
to.
- Keep the default settings and click OK in
the Connection Settings window.
- The default object tree for your sample.com domain is populated.
- Select the CN=Users object. The objects
within the CN=Users are displayed in the middle pane.
- Select the active directory administrator user that you set up
in the previous steps. In this case, it is ldapadmin.
- Right-click and select Properties.
- Find the distinguishedName attribute and
double-click.
- Copy the distinguishedName value and save it for later. For the
ldapadmin user in the sample.com domain, it is
CN=ldapadmin,CN=Users,DC=sample,DC=com. This value becomes the
bindDN property in dex.yaml.
- Click OK to close the String Attribute
Editor dialog box.
- Close the ADSI Edit window.
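The user and group setup above can be scripted with the ActiveDirectory module, and a script also lets you verify two things before you touch dex.yaml: that the bindDN and password DEX will use actually bind, and which groups each user resolves to. The following PowerShell is an added example, not part of the IBM tutorial or the ADDI product. It assumes an elevated session on the sample.com domain controller as a domain administrator, that ldapadmin already exists in CN=Users, and that the bundled DEX performs the group lookup the way the DEX LDAP connector does on Active Directory (group filter plus a match of the user's DN against the member attribute). Get-DexGroups is a hypothetical helper name.

```powershell
# Added example: scripted version of the user and group setup above, plus two checks
# that the tutorial's clicking does not give you. Not from the IBM tutorial.
# Assumptions: runs on the sample.com domain controller in an elevated session as a
# domain administrator; ldapadmin already exists in CN=Users; the ActiveDirectory
# module is installed (it comes with the AD DS management tools).
Import-Module ActiveDirectory

$domain  = 'sample.com'
$usersDN = 'CN=Users,DC=sample,DC=com'   # LDAP DNs are case-insensitive; DC=COM in the tutorial is equivalent

# ldapadmin: the e-mail address that the tutorial sets on the General tab.
Set-ADUser -Identity 'ldapadmin' -EmailAddress "ldapadmin@$domain"

# Marco, Jane and Tammy. Passwords are prompted; they must satisfy the domain password
# policy (complexity on, minimum length 7 by default), so "use the user name" will not work.
foreach ($name in 'Marco', 'Jane', 'Tammy') {
    $logon = $name.ToLower()
    $pw = Read-Host -AsSecureString -Prompt "Password for $logon"
    New-ADUser -Name $name -GivenName $name -SamAccountName $logon `
        -UserPrincipalName "$logon@$domain" -EmailAddress "$logon@$domain" `
        -Path $usersDN -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $false
}

# Global security groups (the New Object - Group defaults) and their members.
foreach ($group in 'zMobile', 'Addi Administrators', 'HRM App') {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $usersDN
}
Add-ADGroupMember -Identity 'zMobile'             -Members 'marco', 'jane'
Add-ADGroupMember -Identity 'HRM App'             -Members 'tammy'
Add-ADGroupMember -Identity 'Addi Administrators' -Members 'ldapadmin'

# The distinguishedName that ADSI Edit shows; it becomes bindDN in dex.yaml.
$bindDN = (Get-ADUser -Identity 'ldapadmin').DistinguishedName
"bindDN for dex.yaml: $bindDN"

# Check 1: simple bind to localhost:389 with the exact bindDN/bindPW that DEX will use.
# AuthenticationTypes::None is a clear-text simple bind, which is what insecureNoSSL: true
# makes DEX do. A wrong DN, a wrong password or a "must change password" flag throws here,
# which is easier to read than the same failure buried in the DEX service log later.
# The password is read as plain text because DirectoryEntry needs a string.
$bindPW = Read-Host -Prompt 'ldapadmin password (will be the bindPW value)'
$entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
    "LDAP://localhost:389/$usersDN", $bindDN, $bindPW,
    [System.DirectoryServices.AuthenticationTypes]::None)
$null = $entry.NativeObject   # forces the bind; throws on failure

# Check 2: the group lookup DEX performs for a user on Active Directory
# (filter (objectClass=group), match the user's DN against the group's member attribute).
# Get-DexGroups is a hypothetical helper name, not a DEX or ADDI command.
function Get-DexGroups([string]$sam) {
    $userDN = (Get-ADUser -Identity $sam).DistinguishedName
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $entry
    $searcher.Filter = "(&(objectClass=group)(member=$userDN))"
    $null = $searcher.PropertiesToLoad.Add('cn')
    foreach ($result in $searcher.FindAll()) { $result.Properties['cn'][0] }
}
foreach ($u in 'ldapadmin', 'marco', 'jane', 'tammy') {
    '{0,-10} -> {1}' -f $u, ((Get-DexGroups $u) -join ', ')
}
# Expected: marco and jane -> zMobile; tammy -> HRM App; ldapadmin -> Addi Administrators
# (plus any other groups under CN=Users that list the account as a member).
# These cn values are what ADDI Extension compares with its Admin and User Group Lists.
```

If check 1 throws, fix the account (password, account options) before editing dex.yaml; if check 2 returns the wrong groups for a user, the User Groups tab of the ADDI configuration will not behave as the permissions section of this tutorial expects.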
You have finished setting up the Active Directory users and groups
that will access IBM ADDI
Extension through
LDAP. The next step is to install and set up IBM ADDI
Extension.
Installing and setting up IBM ADDI
Extension
Before
the installation, add an entry to the
hosts file
so that sample.com, the host name used in the public URIs throughout
this setup, resolves to this machine. Complete the following steps to
update the hosts file.
- Type Notepad in the search box next to
the Start menu icon.
- In the search results, right-click Notepad,
and select Run as administrator.
- From the Notepad, open the hosts file in the C:\Windows\System32\drivers\etc directory.
- Add the following entry under the localhost section.
127.0.0.1 sample.com
- Save the hosts file.
Complete the following steps to install and set up
IBM ADDI
Extension.
- Download the ADDI installer and run the ADDI installer wizard
as an administrator.
- Follow the instructions in the wizard to install ADDI.
- On the Welcome page, click Next.
- Review the Licensing Agreements page. Then,
select I accept the terms of this license agreement and
click Next.
- On the Installation Path page, click Next to
use the default path or click Browse to select
a path to install IBM ADDI and click Next.
- Click OK in the Message dialog box to create
the target directory.
- Select the following components to install and click Next.
- IBM Application Discovery Servers and Services
- Authentication Server (DEX)
- IBM Application Discovery and Delivery Intelligence Extension
The following example shows the Select Installation Components page
as it is displayed on a Windows system.
- Click Next on the Information page.
- On the IBM Application Discovery and Delivery Intelligence
Extension Installation Path page, click Next to
use the default path or click Browse to select
a path to install IBM ADDI Extension and click Next.
- Click OK in the Message dialog box to create
the target directory.
- Clear the Opening IBM Application Discovery Configuration
Wizard checkbox.
- Click Next on the Installation page
when the installation progress is finished.
- Click Next on the Setup Shortcuts page.
- Click Done on the Installation
Finished page.
- Open a Command Prompt as an administrator and change to the server
directory of the extension, for example C:\Program Files\IBM Application Discovery and Delivery Intelligence\IBM Application Discovery and Delivery Intelligence Extensions\adi5109\server.
The adi5109 segment reflects the installed version and may differ on your system.
- Run the following command to generate the bcrypt hash
of the password for the static DEX administrator user:
adi-setup bcryptPassword -dex.password <password>
For example, the tutorial uses adiadmin as that password:
adi-setup bcryptPassword -dex.password adiadmin
Note: The plain-text password appears in the command history of this
prompt and in process listings while the command runs.
- Save the generated bcrypt hash. You will paste it into the hash
property of the staticPasswords section of the dex.yaml file.
- Configure the Authentication Server (DEX) as described in the
following steps:
- Navigate to the C:\Program Files\IBM Application Discovery
and Delivery Intelligence\Authentication Server (DEX)\sample-conf\addi directory.
- Copy all three files in the directory: dex.yaml, root.crt,
and root.key.
Note: These files are provided for evaluation purposes only. The
root.key private key ships with every copy of the product, so a
certificate based on it offers no real protection. For a production
server, generate your own TLS private key and certificate for the DEX
host name, and configure your own dex.yaml file as described in the
Configuring the parameters in the dex.yaml file topic.
- Navigate to the c:\Program Files\IBM Application Discovery
and Delivery Intelligence\Authentication Server (DEX)\conf\ directory
and paste the copied files there.
- Run the text editor as the administrator and update the dex.yaml file
with the following changes:
- Update the issuer to https://sample.com:7600/dex.
- Update the web section with the following
changes:
- Replace the http property with https:
sample.com:7600, so that DEX listens only over TLS.
- Uncomment the TLSCert and TLSKey properties
and update their paths as shown in the following sample.
- Make sure that the connectors section is
uncommented and update the section with the following changes:
- Change the host to localhost:389.
- Change the insecureNoSSL value to true. With this setting, DEX sends
the bind password and every user's login password to the directory in
clear text. This is tolerable here only because DEX and the domain
controller run on the same machine and the traffic never leaves the
loopback interface. In production, point host at your domain controller
on port 636 (LDAPS), keep insecureNoSSL at false, and supply the CA
certificate that issued the domain controller's certificate.
- Change the bindDN to the distinguished name
of the Active Directory administrator that you saved in the previous steps.
- Change the bindPW to the password of that account. The password is
stored in clear text in dex.yaml, so restrict the file's permissions to
the account that runs the Authentication Server (DEX) service and to
administrators.
- Update the baseDN in the userSearch section
to CN=Users,DC=sample,DC=COM.
- Update the baseDN in the groupSearch section
to CN=Users,DC=sample,DC=COM.
- Update the staticClients section with the following
changes, removing the <<>> brackets.
- Update the id property to addi-liberty and
remove the extra leading space characters on this line.
- Replace localhost within the redirectURIs property
with sample.com.
- Update the name property to 'ADDI Liberty Server'.
- Update the secret to f1a75f8abc2ffcbd46e2c1b5f7b12c7b. This is the
OAuth2 client secret that the ADDI Liberty server presents to DEX;
treat it as a credential and do not reuse this sample value in production.
- Comment out lines 77 through 81 of the sample file by putting a #
at the start of each line. The line numbers refer to the dex.yaml
shipped in the sample-conf\addi directory.
- Update the staticPasswords section with the
following changes, removing the <<>> brackets.
- Uncomment the email property and set it to "adiadmin@sample.com".
Remove the extra leading space characters on this line.
- Uncomment the hash property and set it to the bcrypt hash that you
saved in step 5, enclosed in double quotes.
- Uncomment the username property and set it to "adiadmin".
This static user exists only in DEX, not in Active Directory.
- Save the dex.yaml file.
- Press Ctrl + Alt + Del and choose Task Manager.
- Select the Services tab and click Open Services at the bottom
of the Task Manager window (or run services.msc).
- Right-click Authentication Service (DEX) and
select Start to start the service.
- Open http://localhost:9080/ad-audit in Firefox.
- Complete the IBM ADDI Extension Install Configuration as described
in the following steps:
- Select .
- Specify the Base URL on the Web and Application Server tab
as shown in the following example.
https://sample.com:9753
- Leave the default value on the Databases tab.
- Specify the following information on the Authentication
Service tab.
- Host: sample.com
- Port: 7600
- HTTP protocol: Select HTTP Secure (https).
- Specify the following information on the User Groups tab. The names
must match the group names that you created in Active Directory.
- Admin Group List: Addi Administrators
- User Group List: zMobile, HRM App
- Click SAVE to create the ADI configuration.
A message is displayed to indicate the configuration was successfully
created.
- On your Command Prompt window, navigate to the C:\Program Files\IBM Application Discovery and Delivery Intelligence\IBM Application Discovery and Delivery Intelligence Extensions\adi5109\server directory.
Note: If
you have closed the Command Prompt previously, you need to run the
Command Prompt again as an administrator.
- Run the command adi-setup addiConfigurationServer.
- Run the server.startup.bat command and wait
until the server is started successfully.
- Browse to https://sample.com:9753/addi/web/workbook to
test your access to IBM ADDI
Extension.
- Select Log in with OpenLDAP to log in with an Active Directory user.
OpenLDAP is the name property of the LDAP connector in the sample
dex.yaml; DEX shows that name on the button regardless of which
directory product is behind the connector.
- Log in to IBM ADDI
Extension by
using a user that is a member of the Addi Administrators group.
- The IBM ADDI
Extension home
page appears.
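The dex.yaml edits in the installation steps above are easier to review side by side. The following fragment is an added example and not the sample file shipped with ADDI: it shows the issuer, web and connectors sections with the tutorial's lab values and, commented out beside them, the values to use against a real domain. Key names follow the DEX LDAP connector documentation; the sample-conf\addi\dex.yaml of your ADDI version is authoritative for the bundled DEX release, so check the attribute choices (username and emailAttr in particular) against it. The host name dc01.sample.com and the rootCA path are hypothetical placeholders.

```yaml
# Added example, not the sample dex.yaml shipped with ADDI. Lab values are the ones
# the tutorial sets; the commented lines are the production replacements.
issuer: https://sample.com:7600/dex

web:
  https: sample.com:7600
  tlsCert: 'C:\Program Files\IBM Application Discovery and Delivery Intelligence\Authentication Server (DEX)\conf\root.crt'   # evaluation certificate
  tlsKey:  'C:\Program Files\IBM Application Discovery and Delivery Intelligence\Authentication Server (DEX)\conf\root.key'   # evaluation key, shipped with every copy

connectors:
- type: ldap
  id: ldap
  name: OpenLDAP          # shown as "Log in with OpenLDAP"; the backend is Active Directory regardless
  config:
    # Lab (this tutorial): clear-text simple bind, tolerable only on the loopback interface.
    host: localhost:389
    insecureNoSSL: true
    # Production: LDAPS to the domain controller, certificate validated against your CA.
    # host: dc01.sample.com:636                      # hypothetical domain controller host name
    # insecureNoSSL: false
    # insecureSkipVerify: false
    # rootCA: 'C:\certs\sample-root-ca.pem'          # hypothetical path to the issuing CA certificate
    bindDN: CN=ldapadmin,CN=Users,DC=sample,DC=com   # production: a read-only service account, not an administrator
    bindPW: '<ldapadmin password>'                   # clear text on disk: lock down NTFS permissions on this file
    usernamePrompt: Email Address
    userSearch:
      baseDN: CN=Users,DC=sample,DC=com
      filter: "(objectClass=person)"
      username: userPrincipalName   # marco@sample.com as typed on the login form (assumption; check the sample file)
      idAttr: objectGUID
      emailAttr: userPrincipalName  # the tutorial's users have no mail attribute set (assumption; check the sample file)
      nameAttr: cn
    groupSearch:
      baseDN: CN=Users,DC=sample,DC=com
      filter: "(objectClass=group)"
      userAttr: DN                  # Active Directory groups list members by distinguished name
      groupAttr: member
      nameAttr: cn                  # the names ADDI compares with its Admin and User Group Lists
```

When you move from the lab values to the production ones, change host, insecureNoSSL and rootCA together: LDAPS on port 636 with insecureNoSSL still true, or port 389 with insecureNoSSL false and no StartTLS support on the server, both fail to connect.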
You have now finished installing and configuring ADDI to enable login
through Active Directory. Next, follow the steps in
Generating sample data to
generate the demonstration data and create a workbook
for data analysis.
Note: Log in by using the Log in with OpenLDAP method
instead of the static user. Use the Active Directory user that you
added to the Addi Administrators group (ldapadmin in this tutorial) to
perform that tutorial instead of the adiadmin user.
Setting up user permissions
After you complete
the tutorial for
Generating sample data,
you need to complete the following steps to set up user permissions
to allow only zMobile users to have access to this workbook.
- On the IBM ADDI
Extension home
page, click the overflow menu (vertical ellipsis) icon on the zMobile
Health Care workbook card.
- Select Edit to edit the workbook information.
- Click the Add Permissions link in the Permissions section.
- Select the zMobile checkbox in the Add
User Groups window and click Save to save the
updates of user groups.
- Scroll down and click Save to update the
workbook.
- Click the profile icon on the upper right corner of the window
and select Logout.
- Select Log in with OpenLDAP to log back
in.
- Log in as Marco with the email address marco@sample.com and
the password that you set for Marco.
You can now see that Marco has access to this workbook. Because
Marco is not a member of the Addi Administrators group, no Create
Workbook button is displayed in the upper right corner of the window.
- Click the profile icon on the upper right corner of the window
and select Logout.
- Select Log in with OpenLDAP to log back
in.
- Log in as Jane with the email address jane@sample.com and
the password that you set for Jane. Jane is also a member of the
zMobile group, so she sees the workbook too, again without the Create
Workbook button.
- Click the profile icon on the upper right corner of the window
and select Logout.
- Select Log in with OpenLDAP to log back
in.
- Log in as Tammy with the email address tammy@sample.com and
the password that you set for Tammy.
This time, you cannot see the zMobile Health Care workbook since
Tammy is not a member of zMobile group.
You have now explored how IBM ADDI
Extension manages
user authentication and permissions through LDAP. You can now set up
your production environment by using your organization's Active
Directory, replacing the lab shortcuts used here: the clear-text LDAP
connection on port 389, the evaluation certificate and key, the
administrator account as the bind user, and the sample client secret.