Integrate PPM with an LDAP Server

  1. Collect the following LDAP server information:

    • LDAP server URL (the default port is 389), in the following format.

    • LDAP base distinguished name (DN) for PPM users, in the following format:

    • LDAP user account and password. (The PPM Server uses this information to look up users.)

    • If you are integrating with SSL-enabled LDAP, collect the following additional information.

      • Entire certificate chain. That is, root_certificate_authority/intermediate_certificate/host_certificate, in the BASE-64 encoded X509 (.cer) file format.

      • LDAP SSL port number (the default is typically 636).

      • The TLS protocol of LDAP connections (the default is TLS).
  2. From <PPM_Home>/bin on the PPM Server, run the script.

  3. Provide the information that you collected in step 1 for the following server configuration parameters in the server.conf file:


    • LDAP_URL. Specify the comma-delimited list of LDAP URLs that the PPM Server queries (in the order queried). If you do not specify a port number, the server uses port number 389.


    • KINTANA_LDAP_PASSWORD. The KINTANA_LDAP_PASSWORD parameter in the server.conf file is an encrypted string enclosed with #!# character delimiters.



      You may set the KINTANA_LDAP_PASSWORD parameter in two ways:

      • Run the script and provide the plaintext LDAP password when prompted. The script will write out the server.conf file with the KINTANA_LDAP_PASSWORD entry encrypted as above. Or,
      • If the LDAP password change is the only change you want to make to the server.conf file, then do the following:

        1. Run, and provide the plaintext LDAP password when prompted.
        2. Paste the encrypted string output into the server.conf file KINTANA_LDAP_PASSWORD entry enclosed with the #!!# character delimiters as in the example above.

    • KINTANA_LDAP_ID. Specify the PPM account on the LDAP server. The PPM Server uses this to bind to the LDAP server.


      • KINTANA_LDAP_ID=kintana

      • \KINTANA_LDAP_ID=CN=kintana,CN=Users,DC=PPMAD,DC=com

    • LDAP_BASE_DN. Specify the base in the LDAP server from which the search is to start. If you do not specify a value, the server queries the LDAP server to determine the base.



    For an SSL-enabled LDAP server, provide the following additional information:

    • LDAP_SSL_PORT: SSL port number on the LDAP server. If not specified, all transactions are carried over the port specified for LDAP_URL

      Example: LDAP_SSL_PORT=636

    • LDAP_KEYSTORE: LDAP keystore

      Example: LDAP_KEYSTORE=<JAVA_Home>/jre/lib/security/cacerts

    • LDAP_KEYSTORE_PASSWORD: Encrypted LDAP keystore pasword

      Example: LDAP_KEYSTORE_PASSWORD=#!#<Encrypted_Password>#!#

    • SSL_CLIENT_SOCKET_ENABLED_PROTOCOL: TLS protocol of LDAP connections


  4. On the PPM Server, back up the existing LdapAttribute.conf file, which is located in the <PPM_Home>/integration/ldap directory.

    The LdapAttribute.conf file is required for user importation and authentication. The <PPM_Home>/integration/ldap directory contains LDAP attribute configuration files for different types of LDAP servers.

  5. Copy the appropriate LdapAttribute_<Vendor_Name>.conf file and overwrite the LdapAttribute.conf file in the same directory.

    If you are using Microsoft Active Directory, replace the LdapAttribute.conf file with the <PPM_Home>/integration/ldap/LdapAttribute_AD.conf file.

    If you are using a Sun Java System Active Server Pages LDAP server, replace the LdapAttribute.conf file with the <PPM_Home>/integration/ldap/LdapAttribute_Netscape.conf file.

  6. If you are integrating with an SSL-enabled LDAP server, do the following:

    1. Get the entire trusted certificate chain of the LDAP server (Root CA/Intermediate Certificate/host Certificate, exported as Base-64 encoded X509.cer format) from your LDAP server administrator.

      Note: If the certificate chain is not in the correct X509.cer format, you can import it to Internet Explorer, and then export it in the correct format.

    2. Use the JDK Keytool utility (from jdk 1.4.2 or later) to import the certificate into the <JAVA_Home>/jre/lib/security/cacerts keystore file.

      Note: Your system administrator can help you use the JRE Keytool utility to import the LDAP server certificate chain into the JDK cacerts file.

    3. Change to the <JAVA_Home>/jre/lib/security directory, and run the command:

      keytool -import -trustcacerts -alias <SSL_LDAP_Host> -file <SSL_LDAP_CERT.cer> -keystore cacerts

      Note: The default cacerts keystore password is "changeit". For tighter security, you may want to change this password.

  7. To enable entity ownership and security, do the following:

    1. Make sure that the PPM Server is running.

    2. Use the Import Users report to import the LDAP users into the KNTA_USERS table on the PPM Server.

      For instructions on how to run the Import Users report, see the Open Interface Guide and Reference.

      If you are running the Import Users report for the first time, edit the LdapAttribute.conf file and comment out the MANAGER_USERNAME, LOCATION_MEANING, and DEPARTMENT_MEANING parameters. If you do not make these changes, the import fails and an error message such as "Unknown Manager", "Unknown Location", or "Unknown Department" is displayed. The error occurs because the import tries to validate the data before the data is imported.

      Note that you can import users from Org Units that do not have unique names but are of different hierarchical levels. A Hierarchy column is added to pages or pop-up windows that are related to Org Units to help differentiate the hierarchical levels of the Org Units you import.

      After running the report, check for duplicated user information and accuracy of each of the users' information in the PPM Workbench.

    3. For the LDAP Import? option, click Yes.

Support for Multi-Domain LDAP Import

PPM provides support for multi-domain LDAP import through the following two attributes of the KNTA_USERS_INT parameter:


    Maps to a unique and fixed field of the LDAP server. For example, DISTINGUISHED_NAME = distinguishedName.

    Note: By default, the DISTINGUISHED_NAME attribute maps to distinguishedName of the LDAP server. If distinguishedName of the LDAP server is changeable, make sure you map DISTINGUISHED_NAME to another field that is unique and fixed on the LDAP server.

    Required if using SSO, LDAP, or NTLM as the user authentication mode.


    Maps to a user's Logon ID, which is used by the user to log on to the NTLM or SSO server. For example, LDAP_USERNAME = sAMAccountName.

    Required if using SSO, LDAP, or NTLM as the user authentication mode.

The KNTA_USERS_INT parameter exists in the following four configuration files under the <PPM Server>/integration/ldap directory:

  - LdapAttribute.conf
- LdapAttribute_AD.conf
- LdapAttribute_NDS.conf
- LdapAttribute_Netscape.conf

If you do not find the DISTINGUISHED_NAME and LDAP_USERNAME columns, make sure to add them and their mapping values into each of the four configuration files manually.

After you run the Import Users report, the Distinguished Name and Logon ID in LDAP fields are added to the User Information tab of the User window in the User Workbench.

Running the Import Users report populates these two fields with appropriate values.

These two fields are not editable. If the fields are empty or display incorrect values, contact Micro Focus Software Support.