
  1. Before downloading and installing the SiteMinder Web agent, perform the steps described in the procedure "To make changes on the System tab" in "Configuring the SiteMinder Policy server".
  2. Download and install the latest SiteMinder Web agent for Apache Web servers.
    Verify that the version you download supports the Apache Web server version that we support (in this case, version 2.2.3) and that you download the file for the platform on which your Apache Web server is installed.
    1. Download the agent from https://support.netegrity.com.
    2. Enter your user name and password.
    3. Select Tools in the left pane.
    4. Choose Download Manager.
    5. Select SiteMinder Web Agent in the Download a product drop-down menu.
    6. Choose SiteMinder 6.x QMRs.
    7. Choose the agent to be downloaded.
  3. After installing the SiteMinder Web agent, configure it according to the SiteMinder Web Agent Installation and Configuration guide.
  4. Open the WebAgent.conf file in the \Program Files\Apache Software Foundation\Apache2.2\conf folder, and then set EnableWebAgent="YES".
  5. Add the Apache Web server as a protected resource in SiteMinder's protected resources.
  6. Restart the machine after you have installed the Web Agent.

The Precise configuration needs to be changed to connect it to SiteMinder and activate the Single Sign On feature.

To connect SiteMinder and activate the Single Sign On feature for Precise

  1. Edit the siteMinder.htm file located in:
    <Precise_root>\products\gui\website\webapps\i3\Login
  2. Set the bSiteMinderActive variable to true (bSiteMinderActive = true;).
  3. Save the file.
  4. Edit the products\i3fp\login\jaas.config file so that its content looks like:
    StartPoint{com.precise.infra.login.SiteMinderLoginModule required;};
  5. Stop and then restart the Precise FocalPoint.


To disable the integration between SiteMinder and Precise, two procedures need to be performed: one to roll back the Precise configuration changes and one to roll back the Apache Web agent configuration changes.

To roll back the Precise configuration changes

  1. Edit the siteMinder.htm file located in:
    <Precise_root>\products\gui\website\webapps\i3\Login
  2. Set the bSiteMinderActive variable to false (bSiteMinderActive = false;).
  3. Edit the products\i3fp\login\jaas.config file so that its content looks like:
    StartPoint{com.precise.infra.login.InfraDbLoginModule required;};
  4. Stop and then restart the Precise FocalPoint.

To roll back the SiteMinder configuration changes

  1. Shut down the Web Agent installed on the Precise Web server machine. For more information on how to shut down the Web agent, see the SiteMinder documentation.
  2. In the Apache installation folder, open the WebAgent.conf file, which is located in:
    • Windows: \Program Files\Apache Software Foundation\Apache2.2\conf
    • Linux: web_server_home/conf, where web_server_home is the location of the installed Web server.
  3. Change EnableWebAgent to No (EnableWebAgent="NO").
  4. Restart the Apache service.
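Enabling and disabling the integration each change three settings that must agree: EnableWebAgent in WebAgent.conf, bSiteMinderActive in siteMinder.htm, and the login module named in jaas.config. A half-applied rollback leaves them inconsistent, for example the Web Agent switched off while Precise still delegates login to SiteMinderLoginModule. The script below is an added example, not a Precise or SiteMinder tool; it reads constructed copies of the three file fragments (the file contents, the regular expressions and the function names are assumptions, not documented interfaces) and reports whether they describe one consistent state.

```python
"""Consistency check for the three Precise/SiteMinder SSO switches.

Added example, not part of the Precise product or its documentation.
It inspects the three settings the procedures above change:
  - EnableWebAgent in the Apache WebAgent.conf
  - bSiteMinderActive in siteMinder.htm
  - the login module named in the StartPoint entry of jaas.config
and reports "enabled", "disabled", or "mismatch:<details>" when they
disagree. File contents below are constructed samples, not real files.
"""
import re

# Constructed sample contents (assumption: they mirror the edits described above).
# This sample is deliberately inconsistent: the agent is off, Precise still expects SSO.
WEBAGENT_CONF = 'LogFile="YES"\nEnableWebAgent="NO"\n'
SITEMINDER_HTM = '<script>\nvar bSiteMinderActive = true;\n</script>\n'
JAAS_CONFIG = 'StartPoint{com.precise.infra.login.SiteMinderLoginModule required;};\n'

SSO_MODULE = "com.precise.infra.login.SiteMinderLoginModule"
DB_MODULE = "com.precise.infra.login.InfraDbLoginModule"


def webagent_enabled(conf_text):
    """True for EnableWebAgent="YES", False for "NO", None if the key is missing."""
    m = re.search(r'^\s*EnableWebAgent\s*=\s*"?(YES|NO)"?\s*$', conf_text, re.I | re.M)
    return None if m is None else m.group(1).upper() == "YES"


def siteminder_active(htm_text):
    """Value of bSiteMinderActive in siteMinder.htm, None if the assignment is absent."""
    m = re.search(r'bSiteMinderActive\s*=\s*(true|false)\s*;', htm_text, re.I)
    return None if m is None else m.group(1).lower() == "true"


def jaas_module(jaas_text):
    """Fully qualified login module named in the StartPoint entry, None if absent."""
    m = re.search(r'StartPoint\s*\{\s*([\w.]+)\s+required\s*;\s*\}\s*;', jaas_text)
    return None if m is None else m.group(1)


def sso_state(conf_text, htm_text, jaas_text):
    """Combine the three switches into "enabled", "disabled" or "mismatch:<details>"."""
    agent = webagent_enabled(conf_text)
    active = siteminder_active(htm_text)
    module = jaas_module(jaas_text)
    # The SiteMinder module means "SSO on"; the InfraDb module means "SSO off".
    wants_sso = {SSO_MODULE: True, DB_MODULE: False}.get(module)
    votes = {"EnableWebAgent": agent, "bSiteMinderActive": active, "jaas.config": wants_sso}
    if None in votes.values():
        missing = [k for k, v in votes.items() if v is None]
        return "mismatch:missing " + ",".join(missing)
    if all(votes.values()):
        return "enabled"
    if not any(votes.values()):
        return "disabled"
    detail = ",".join(f"{k}={'on' if v else 'off'}" for k, v in votes.items())
    return "mismatch:" + detail


if __name__ == "__main__":
    print(sso_state(WEBAGENT_CONF, SITEMINDER_HTM, JAAS_CONFIG))
```

Run against real files by reading WebAgent.conf, siteMinder.htm and jaas.config into the three arguments; anything other than "enabled" or "disabled" means one of the procedures above was not completed on both sides.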

Configuring LDAP to authenticate Precise users

Precise Version 9.6 can integrate with Lightweight Directory Access Protocol (LDAP). LDAP is a better option than JAAS. The following section describes how to configure LDAP.

Best practices for LDAP configuration

Once integrated with LDAP, Precise Version 9.6 gets all users and groups from the LDAP and synchronizes them into its own database. Login passwords are verified by LDAP, so there is no need to keep (and verify) the users' passwords within Precise.

LDAP provides access for management and browser applications that need read/write interactive access to the X.500 directory. Setting up an LDAP configuration reduces the user/role management work in Precise, because Precise reuses the LDAP repository that is already managed.

Pay close attention to your organizational structure in the LDAP repository before setting up the LDAP configuration for Precise. You must understand the current LDAP structure to determine the data needed from existing LDAP repository entities for Precise.

Map a set of users and roles to a Precise domain. While synchronizing the LDAP data to Precise, the relevant users/roles are identified by the given domain. For login, the domain name is user-defined.

Info

It is preferable to set the domain name as the enterprise domain, and the Users/Roles root as the relevant LDAP branch which contains the domain users.

Setting up the Precise system to work with LDAP blocks all user/role management operations in the Precise system, except for permissions management. The LDAP synchronization process deletes all Precise users and roles from the Precise system which are not also found in the LDAP repository, except for user "admin" and role "Precise manager".

To enable synchronization of Users and Roles from the LDAP repository into the Precise database, configure the LDAP as described below.

To configure LDAP

  1. Update the ldap.xml file (as specified below) on the main Precise FocalPoint machine under:
    <precise_root>\products\i3fp\registry\products\infrastructure\login\ldap.xml
  2. Delete the ldap.xml.status file (in the same folder as ldap.xml).
  3. Update the roles settings file on the main Precise FocalPoint server under:
    <precise_root>\products\i3fp\registry\products\infrastructure\roles\settings.xml
    by setting ignore-last-role-on-delete to true:
    <ignore-last-role-on-delete>true</ignore-last-role-on-delete>
  4. Delete the settings.xml.status file (in the same folder as settings.xml).
  5. Restart the Precise FocalPoint.

Connection details

Enter the following connection information:

  • <host> specifies the host name or IP address of the LDAP repository server.
  • <port> specifies the port on which the LDAP repository server is listening.
  • <bind-user> specifies the LDAP user name used for binding in the synchronization process.
  • <bind-password> specifies the password of the bind user.

Info

The <bind-password> must be supplied encrypted. Use the "encrypt" CLI action to encrypt it. If <use-ldap-authentication> is "false", the password setting must be an encrypted empty string. For more details on how to encrypt a password, see the Precise CLI Utility Reference Guide.

Mapping information

The domain element holds information for the domains that are required to synchronize. You can specify one or more domain elements. Enter the following mapping information:

  • <domain-name> A unique name for the domain, which is prefixed to the imported user or role names. The user name of such a user is domain-name\user-name.
  • <root-group> Specifies an LDAP group DN. The import process takes all members (users and groups) of this group. (Use this when <domain-root-method> is 'single'.)
  • <users-root> Specifies an LDAP object DN. The import process takes all users under this object. (Use this when <domain-root-method> is 'multiple'.)
  • <groups-root> Specifies an LDAP object DN. The import process takes all groups under this object. (Use this when <domain-root-method> is 'multiple'.)

Info

The elements <root-group>, <users-root>, and <groups-root> may each appear multiple times under a domain entry.

General information

Enter the following general information:

  • <user-object-class> Indicates the object class name in the LDAP for the user entity.
  • <group-object-class> Indicates the object class name in the LDAP for the group entity.
  • <user-name-attribute> Indicates the attribute name in the LDAP for the user name.
  • <group-name-attribute> Indicates the attribute name in the LDAP for the group name.
  • <user-dn-attribute> Indicates the attribute name in the LDAP for the user entity DN.
  • <user-login-attribute> Indicates the attribute name in the LDAP for the user login ID.
  • <group-members-attribute> Indicates the attribute name in the LDAP for the group members list.
  • <max-users> Indicates the maximum number of users allowed to be imported into Precise.
  • <max-groups> Indicates the maximum number of groups allowed to be imported into Precise.
  • <domain-root-method> Indicates whether to use the <root-group> or the <users-root>/<groups-root> configuration for the entities mapping. Specify single or multiple.
  • <paging-size> Indicates the number of entities per page in the result set from the LDAP. If zero (0) is specified, the paging mechanism is not used.
  • <use-ldap-authentication> Indicates whether the LDAP authentication mechanism is used. Specify true or false.
  • <use-ldap-management> If <use-ldap-authentication> is set to true, this parameter specifies whether users/roles are managed by LDAP or by the Precise user interface. Specify true or false.
  • <use-case-sensitive> If set to true, the LDAP sync user is treated as case sensitive.

Example of a registry entry

Below is a registry entry example for the ldap.xml file.

<ldap>
  <!-- Indicator for using Ldap authentication true/false -->
  <use-ldap-authentication>true</use-ldap-authentication>
  <!-- Indicator for using Ldap for managing users/roles, true will block I3 GUI operations -->
  <use-ldap-managment>true</use-ldap-managment>
  <!-- Ldap server host name -->
  <host>pss-dc01</host>
  <!-- Ldap server port -->
  <port>389</port>
  <!-- Ldap paging size -->
  <paging-size>500</paging-size>
  <!-- Ldap bind user name -->
  <bind-user>CN=i4dcf,OU=APM Service Users &amp; Groups,DC=precise,DC=com</bind-user>
  <!-- Ldap bind user password, encrypted!! -->
  <bind-password>_EncryptI3_A_1_F10EEB2FC3B6F88E</bind-password>
  <!-- in case there is only one domain the user can configure not to type the domain in the login -->
  <use-domain-in-login>false</use-domain-in-login>
  <domains>
    <domain>
      <domain-name>development</domain-name>
      <!-- Ldap group to import its members -->
      <root-group>CN=BU_RnD,OU=R&amp;D,OU=APM,DC=precise,DC=com</root-group>
      <!-- Ldap group to import its members -->
      <root-group>CN=GRP_Integration,OU=Unknown users &amp; groups,OU=APM Service Users &amp; Groups,DC=precise,DC=com</root-group>
    </domain>
    <domain>
      <domain-name>QA</domain-name>
      <!-- Ldap group to import its members -->
      <root-group>CN=BU_RnD,OU=R&amp;D,OU=APM,DC=precise,DC=com</root-group>
    </domain>
  </domains>
  <!-- Ldap objectClass of the Users to sync -->
  <user-object-class>person</user-object-class>
  <!-- Ldap objectClass of the Roles to sync -->
  <group-object-class>group</group-object-class>
  <!-- Ldap attribute name of the User name -->
  <user-name-attribute>name</user-name-attribute>
  <!-- Ldap attribute name of the User distinguished name -->
  <user-dn-attribute>distinguishedName</user-dn-attribute>
  <!-- Ldap attribute name of the User login name -->
  <user-login-attribute>sAMAccountName</user-login-attribute>
  <!-- Ldap attribute name of the Role member list -->
  <group-members-attribute>member</group-members-attribute>
  <!-- Ldap attribute name of the Role name -->
  <group-name-attribute>name</group-name-attribute>
  <!-- I3 max users -->
  <max-users>500</max-users>
  <!-- I3 max roles -->
  <max-roles>500</max-roles>
  <!-- Parameters handling method: single/multiple -->
  <domain-root-method>single</domain-root-method>
  <!-- Ldap sync user set as case sensitive -->
  <use-case-sensitive>false</use-case-sensitive>
</ldap>

For more information on running the LDAP-sync command, see the Precise CLI Utility Reference Guide.
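The connection, mapping and general settings above carry several constraints that the sync will only report at run time: the bind password must be an encrypted value, <domain-root-method> single needs <root-group> entries while multiple needs <users-root> and <groups-root>, and each <domain-name> must be unique because it is prefixed to every imported user name. The following Python script is an added example and not part of the Precise product or its CLI; it checks an ldap.xml document against those documented rules before the sync is run. The "_EncryptI3_" prefix test is an assumption drawn from the documented example value, the sample document and all DNs in it are constructed, and the element <use-ldap-managment> is accepted with both the spelling used in the example above and the spelling used in the element list.

```python
"""Pre-flight checks for a Precise ldap.xml registry entry.

Added example, not part of the Precise product. It parses an ldap.xml
document using the element names documented above and reports problems
before the LDAP sync runs:
  - <bind-password> must be an encrypted value (assumption: the "_EncryptI3_"
    prefix seen in the documented example marks encrypted values)
  - <domain-root-method> single requires <root-group>; multiple requires
    <users-root> and <groups-root> under every <domain>
  - <port>, <paging-size> and <max-users> must be non-negative integers
  - every <domain-name> must be unique (it prefixes imported user names)
  - management by LDAP while LDAP authentication is off is flagged, since the
    element list says <use-ldap-management> only applies when authentication is true
"""
import xml.etree.ElementTree as ET

ENCRYPTED_PREFIX = "_EncryptI3_"   # assumption based on the documented example value

# Constructed sample with two deliberate problems: a plain-text bind password,
# and a second domain that uses users-root while the method is "single".
SAMPLE_LDAP_XML = """<ldap>
  <use-ldap-authentication>true</use-ldap-authentication>
  <use-ldap-managment>true</use-ldap-managment>
  <host>ldap.example.test</host>
  <port>389</port>
  <paging-size>500</paging-size>
  <bind-user>CN=svc-sync,OU=Service,DC=example,DC=test</bind-user>
  <bind-password>Summer2024</bind-password>
  <domains>
    <domain>
      <domain-name>corp</domain-name>
      <root-group>CN=precise-users,OU=Groups,DC=example,DC=test</root-group>
    </domain>
    <domain>
      <domain-name>lab</domain-name>
      <users-root>OU=LabUsers,DC=example,DC=test</users-root>
    </domain>
  </domains>
  <user-object-class>person</user-object-class>
  <group-object-class>group</group-object-class>
  <max-users>500</max-users>
  <domain-root-method>single</domain-root-method>
</ldap>"""


def _text(elem, tag, default=""):
    """Stripped text of the first child named tag, or default when absent/empty."""
    child = elem.find(tag)
    return default if child is None or child.text is None else child.text.strip()


def _bool(value):
    return value.strip().lower() == "true"


def validate_ldap_xml(xml_text):
    """Return a list of problem strings; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    problems = []

    password = _text(root, "bind-password")
    if not password.startswith(ENCRYPTED_PREFIX):
        problems.append("bind-password is not an encrypted value")

    for tag in ("port", "paging-size", "max-users"):
        value = _text(root, tag)
        if not value.isdigit():
            problems.append(f"{tag} must be a non-negative integer, got {value!r}")

    auth = _bool(_text(root, "use-ldap-authentication", "false"))
    # The documented example spells the element <use-ldap-managment>; accept both spellings.
    mgmt_text = _text(root, "use-ldap-management") or _text(root, "use-ldap-managment", "false")
    if not auth and _bool(mgmt_text):
        problems.append("use-ldap-management is true but use-ldap-authentication is false")

    method = _text(root, "domain-root-method").lower()
    if method not in ("single", "multiple"):
        problems.append(f"domain-root-method must be single or multiple, got {method!r}")

    seen = set()
    for domain in root.iterfind("domains/domain"):
        name = _text(domain, "domain-name")
        if not name or name in seen:
            problems.append(f"domain-name missing or duplicated: {name!r}")
        seen.add(name)
        if method == "single" and domain.find("root-group") is None:
            problems.append(f"domain {name!r}: single method requires at least one root-group")
        if method == "multiple" and (domain.find("users-root") is None or domain.find("groups-root") is None):
            problems.append(f"domain {name!r}: multiple method requires users-root and groups-root")
    if not seen:
        problems.append("no domain entries configured")
    return problems


if __name__ == "__main__":
    for problem in validate_ldap_xml(SAMPLE_LDAP_XML):
        print("PROBLEM:", problem)
```

Pass the contents of the real ldap.xml to validate_ldap_xml before deleting ldap.xml.status and restarting the FocalPoint; an empty list means the structural rules from the element descriptions above are satisfied, although only the sync itself confirms that the bind user and DNs resolve.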
