Integrate PPM with an LDAP server

  1. Collect the following LDAP server information:

    LDAP server URL

    The default port is 389. It should be in the following format:

    ldap://<LDAP_Server>:PORT

    LDAP base distinguished name (DN)

    LDAP base distinguished name (DN) for PPM users, in the following format:

    CN=Users,DC=PPMAD,DC=com

    LDAP user account and password

    The PPM Server uses this information to search for users.

    If you are integrating with SSL-enabled LDAP, collect the following additional information:

    Entire certificate chain

    The root_certificate_authority/intermediate_certificate/host_certificate, in the BASE-64 encoded X509 (.cer) file format.

    LDAP SSL port number

    The default value is typically 636.

    The TLS protocol of LDAP connections

    The default value is TLS.
  2. Open the <PPM_Home>/server.conf file and provide the information that you collected in step 1 for the following server configuration parameters:

    AUTHENTICATION_MODE

    Set to ITG,LDAP

    LDAP_URL

    Specify the comma-delimited list of LDAP URLs that the PPM Server queries (in the order queried). If you do not specify a port number, the server uses port number 389.

    Example:

    ldap://ldap.theurl.com:389

    KINTANA_LDAP_PASSWORD

    The KINTANA_LDAP_PASSWORD parameter in the server.conf file is an encrypted string enclosed with #!# character delimiters.

    Example:

    com.kintana.core.server.KINTANA_LDAP_PASSWORD=#!#encryptedstring#!#

    KINTANA_LDAP_ID

    Specify the PPM account on the LDAP server. The PPM Server uses this to bind to the LDAP server.

    Examples:

    • KINTANA_LDAP_ID=kintana

    • KINTANA_LDAP_ID=CN=kintana,CN=Users,DC=PPMAD,DC=com

    LDAP_BASE_DN

    Specify the base in the LDAP server from which the search is to start. If you do not specify a value, the server queries the LDAP server to determine the base.

    Example:

    LDAP_BASE_DN=CN=Users,DC=PPMAD,DC=com

    For an SSL-enabled LDAP server, provide the following additional information:

    LDAP_SSL_PORT

    SSL port number on the LDAP server. If not specified, all transactions are carried over the port specified for LDAP_URL.

    Example: LDAP_SSL_PORT=636

    LDAP_KEYSTORE

    LDAP keystore.

    Example: LDAP_KEYSTORE=<JAVA_Home>/jre/lib/security/cacerts

    LDAP_KEYSTORE_PASSWORD

    Encrypted LDAP keystore password.

    Example: LDAP_KEYSTORE_PASSWORD=#!#<Encrypted_Password>#!#

    SSL_CLIENT_SOCKET_ENABLED_PROTOCOL

    TLS protocol of LDAP connections.

    Example: SSL_CLIENT_SOCKET_ENABLED_PROTOCOL=TLSv1.2
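As an added check (not part of this page or of PPM), the Python below parses a server.conf fragment in the key=value form shown above and reviews the LDAP parameters: AUTHENTICATION_MODE includes LDAP, every LDAP_URL entry is an LDAP URL, both password parameters are in the encrypted #!#...#!# form rather than plaintext, LDAP_KEYSTORE is present when LDAP_SSL_PORT is set, and SSL_CLIENT_SOCKET_ENABLED_PROTOCOL is not a retired protocol version. The sample configuration is constructed and the keystore path is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed sample in the key=value style of server.conf; not a real file.
SAMPLE_CONF = """\
com.kintana.core.server.AUTHENTICATION_MODE=ITG,LDAP
com.kintana.core.server.LDAP_URL=ldap://ldap.theurl.com:389
com.kintana.core.server.KINTANA_LDAP_ID=CN=kintana,CN=Users,DC=PPMAD,DC=com
com.kintana.core.server.KINTANA_LDAP_PASSWORD=#!#encryptedstring#!#
com.kintana.core.server.LDAP_SSL_PORT=636
com.kintana.core.server.LDAP_KEYSTORE=/opt/java/jre/lib/security/cacerts
com.kintana.core.server.LDAP_KEYSTORE_PASSWORD=#!#encryptedkeystorepw#!#
com.kintana.core.server.SSL_CLIENT_SOCKET_ENABLED_PROTOCOL=TLSv1.2
"""
PREFIX = "com.kintana.core.server."
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # retired by RFC 8996

def parse_server_conf(text):
    """Parse key=value lines; splitting at the first '=' keeps DN values intact."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            key = key.strip()
            conf[key[len(PREFIX):] if key.startswith(PREFIX) else key] = value.strip()
    return conf

def check_ldap_settings(conf):
    """Return findings for the LDAP parameters; an empty list means all checks passed."""
    findings = []
    if "LDAP" not in [m.strip() for m in conf.get("AUTHENTICATION_MODE", "").split(",")]:
        findings.append("AUTHENTICATION_MODE does not include LDAP")
    urls = [u.strip() for u in conf.get("LDAP_URL", "").split(",") if u.strip()]
    for url in urls:
        parts = urlsplit(url)  # lowercases the scheme, so "Ldap://" is accepted
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            findings.append(f"LDAP_URL entry is not an LDAP URL: {url}")
    for key in ("KINTANA_LDAP_PASSWORD", "LDAP_KEYSTORE_PASSWORD"):
        value = conf.get(key, "")
        if value and not (value.startswith("#!#") and value.endswith("#!#") and len(value) > 6):
            findings.append(f"{key} is not an encrypted #!#...#!# string")
    if "LDAP_SSL_PORT" in conf and not conf.get("LDAP_KEYSTORE"):
        findings.append("LDAP_SSL_PORT is set but LDAP_KEYSTORE is not")
    proto = conf.get("SSL_CLIENT_SOCKET_ENABLED_PROTOCOL", "")
    if proto in DEPRECATED_PROTOCOLS:
        findings.append(f"SSL_CLIENT_SOCKET_ENABLED_PROTOCOL={proto} is deprecated")
    return findings
```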

  3. On the PPM Server, back up the existing LdapAttribute.conf file, which is located in the <PPM_Home>/integration/ldap directory.

    The LdapAttribute.conf file is required for user importation and authentication. The <PPM_Home>/integration/ldap directory contains LDAP attribute configuration files for different types of LDAP servers.

  4. Copy the appropriate LdapAttribute_<Vendor_Name>.conf file and overwrite the LdapAttribute.conf file in the same directory.

    If you are using Microsoft Active Directory, replace the LdapAttribute.conf file with the <PPM_Home>/integration/ldap/LdapAttribute_AD.conf file.

    If you are using a Sun Java System Active Server Pages LDAP server, replace the LdapAttribute.conf file with the <PPM_Home>/integration/ldap/LdapAttribute_Netscape.conf file.

  5. If you are integrating with an SSL-enabled LDAP server, do the following:

    1. Get the entire trusted certificate chain of the LDAP server (Root CA/Intermediate Certificate/host Certificate, exported as Base-64 encoded X509.cer format) from your LDAP server administrator.

      Note: If the certificate chain is not in the correct X509.cer format, you can import it to Internet Explorer, and then export it in the correct format.

    2. Use the JDK Keytool utility (from JDK 1.4.2 or later) to import the certificate into the <JAVA_Home>/jre/lib/security/cacerts keystore file.

      Note: Your system administrator can help you use the JRE Keytool utility to import the LDAP server certificate chain into the JDK cacerts file.

    3. Change to the <JAVA_Home>/jre/lib/security directory, and run the command:

      keytool -import -trustcacerts -alias <SSL_LDAP_Host> -file <SSL_LDAP_CERT.cer> -keystore cacerts

      Note: The default cacerts keystore password is "changeit". For tighter security, you may want to change this password.
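As an added example (not from this page or from PPM), the Python below checks that a received certificate file is in the Base-64 X509 form step 1 requires, converts a single binary DER export to that form without the Internet Explorer round-trip, and builds one keytool command per certificate in the chain, since a trusted-certificate keystore entry holds exactly one certificate. The <host>-N alias and file names and the sample bundle (placeholder Base-64, not real certificates) are assumptions of this example.

```python
import re
import shlex
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def to_pem_chain(data):
    """Return each certificate in `data` as a PEM string.
    Accepts a Base-64 X509 (.cer) bundle, or one binary DER export, which is
    converted to PEM here instead of via the Internet Explorer export."""
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if blocks:
        return [b + "\n" for b in blocks]
    if data[:1] == b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        return [ssl.DER_cert_to_PEM_cert(data)]
    return []  # neither form: not a usable certificate file

def import_plan(data, host, keystore="cacerts"):
    """Map each certificate to its own file and keytool command. A trusted-cert
    keystore entry holds one certificate, so a chain needs one alias per
    certificate; the <host>-N alias scheme is a convention assumed here."""
    plan = []
    for i, pem in enumerate(to_pem_chain(data)):
        alias, fname = f"{host}-{i}", f"{host}-{i}.cer"
        cmd = ("keytool -import -trustcacerts -alias %s -file %s -keystore %s"
               % (shlex.quote(alias), shlex.quote(fname), shlex.quote(keystore)))
        plan.append((fname, pem, cmd))
    return plan

# Constructed sample bundle: the Base-64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = b"""-----BEGIN CERTIFICATE-----
MIIBaG9zdA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBaW50ZXI=
-----END CERTIFICATE-----
"""
```

Writing each (fname, pem) pair to disk and running the returned commands in the <JAVA_Home>/jre/lib/security directory imports the whole chain, each certificate under its own alias.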

  6. To enable entity ownership and security, do the following:

    1. Make sure that the PPM Server is running.

    2. Use the Import Users report to import the LDAP users into the KNTA_USERS table on the PPM Server.

      For instructions on how to run the Import Users report, see the Open Interface Guide and Reference.

      If you are running the Import Users report for the first time, edit the LdapAttribute.conf file and comment out the MANAGER_USERNAME, LOCATION_MEANING, and DEPARTMENT_MEANING parameters. If you do not make these changes, the import fails and an error message such as "Unknown Manager", "Unknown Location", or "Unknown Department" is displayed. The error occurs because the import tries to validate the data before the data is imported.

      Note that you can import users from Org Units that do not have unique names but are of different hierarchical levels. A Hierarchy column is added to pages or pop-up windows that are related to Org Units to help differentiate the hierarchical levels of the Org Units you import.

      After running the report, check for duplicated user information and accuracy of each of the users' information in the PPM Workbench.

    3. For the LDAP Import? option, click Yes.


Support for Multi-Domain LDAP import

PPM provides support for multi-domain LDAP import through the following attributes of the KNTA_USERS_INT parameter:

DISTINGUISHED_NAME

Maps to a unique and fixed field of the LDAP server.

For example, DISTINGUISHED_NAME = distinguishedName.

Required if you use SSO, LDAP, or NTLM as the user authentication mode.

Note: By default, the DISTINGUISHED_NAME attribute maps to distinguishedName of the LDAP server. If distinguishedName of the LDAP server is changeable, make sure you map DISTINGUISHED_NAME to another field that is unique and fixed on the LDAP server.

LDAP_USERNAME

Maps to a user's Logon ID, which is used by the user to log on to the NTLM or SSO server. For example, LDAP_USERNAME = sAMAccountName.

Required if you use SSO, LDAP, or NTLM as the user authentication mode.

The KNTA_USERS_INT parameter exists in the following four configuration files under the <PPM Server>/integration/ldap directory:

- LdapAttribute.conf
- LdapAttribute_AD.conf
- LdapAttribute_NDS.conf
- LdapAttribute_Netscape.conf

If you do not find the DISTINGUISHED_NAME and LDAP_USERNAME columns, make sure to add them and their mapping values into each of the four configuration files manually.

After you run the Import Users report, the Distinguished Name and Logon ID in LDAP fields are added to the User Information tab of the User window in the User Workbench.

Running the Import Users report populates these two fields with appropriate values.

These two fields are not editable. If the fields are empty or display incorrect values, contact Software Support.
