Configuring a user registry

By default, IBM® Rational® Asset Manager uses file-based authentication to store user information in a flat file. Instead, you can use other user registries, such as Lightweight Directory Access Protocol (LDAP) or a database for storing user information. A generic class is provided for accessing LDAP registries, but you can also specify a custom class to access other types of registries.

Before you begin

If you use an LDAP registry for authentication and user information, before you enable LDAP integration in the server configuration, you must configure Rational Asset Manager for LDAP integration.

In the server configuration, you can designate a repository administrator from within the LDAP registry. After you enable LDAP integration within the server configuration, you cannot log on by using admin as the user ID and password.

Tip: File-based authentication is not intended for use in a production environment. An LDAP or custom user registry supports common security practices such as rules for password patterns, password expiration, and account lockouts to prevent enumeration attacks. File-based authentication does not support these features.

After you edit the Custom User Registry settings, you must restart the server.

About this task

The integration of Rational Asset Manager and LDAP has three parts:
  • User authentication
  • User information
  • Group bindings

Setting up the application server to use LDAP for user authentication

Rational Asset Manager relies on an application server, such as a configuration of IBM WebSphere® Application Server or Apache Tomcat, to connect with the LDAP registry and to authenticate user logins for web or web services.

Before you begin

You must designate an administrator ID. If you do not set up a valid administrator ID, when you switch the container to use the external registry, you cannot log on to Rational Asset Manager by using the admin user ID and password and cannot configure the product.

To set up an administrator ID, click Administration > Configuration. Then, locate the Custom User Registry section and designate an administrator ID for a valid user in the external registry.

Procedure

To set up your container to work with an LDAP registry:

  1. Temporarily switch the container to use the custom file-based registry (using the Rational Asset Manager files).
  2. Set a Rational Asset Manager administrator.
  3. Switch back to the LDAP registry.

User information

Although LDAP is a common user registry, user information can also be provided by other types of registries, such as file systems, services, and content managers. Even with LDAP, the schema or the manner in which the information is stored might be beyond the capabilities of the default user class in Rational Asset Manager. Therefore, you can use any class that extends the CustomUserInformationFactory class. To use a different class, you must specify its class name in the server configuration.

About this task

Rational Asset Manager is configured to work with a generic LDAPUserInformationFactory class that connects to an LDAP v3 registry and that provides the user information API.

The default LDAPUserInformationFactory class is a generic LDAP user information factory that requires a specific configuration to search and retrieve users and groups. The following information explains each configuration.

Group bindings

You can set Rational Asset Manager to search for groups. If you bind Rational Asset Manager to a group, you cannot add or remove users. Rational Asset Manager uses the group members of a registry and synchronizes the group. To add or remove users, remove the binding. The members remain in the group, but the group cannot be synchronized.
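The following added example models the group-binding behavior described above (a bound group is synchronized from the registry and refuses manual edits; removing the binding keeps the members but ends synchronization). It is illustrative code written for this page, not Rational Asset Manager code, and the registry group names and user IDs are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of what a registry (for example LDAP) reports as group membership.
REGISTRY_GROUPS: Dict[str, List[str]] = {
    "cn=asset-reviewers,ou=groups,dc=example,dc=com": ["alice", "bob"],
}


class GroupBindingError(Exception):
    """Raised when an operation conflicts with the group's binding state."""


@dataclass
class RepositoryGroup:
    name: str
    members: Set[str] = field(default_factory=set)
    bound_to: Optional[str] = None  # registry group name while bound, else None


def add_member(group: RepositoryGroup, user_id: str) -> None:
    """Manual edit: only allowed while the group is not bound to a registry group."""
    if group.bound_to is not None:
        raise GroupBindingError(f"{group.name} is bound to {group.bound_to}; remove the binding first")
    group.members.add(user_id)


def remove_member(group: RepositoryGroup, user_id: str) -> None:
    """Manual edit: same rule as add_member."""
    if group.bound_to is not None:
        raise GroupBindingError(f"{group.name} is bound to {group.bound_to}; remove the binding first")
    group.members.discard(user_id)


def synchronize(group: RepositoryGroup, registry: Dict[str, List[str]]) -> Tuple[Set[str], Set[str]]:
    """Replace a bound group's members with the registry group's members.
    Returns (added, removed) so an administrator can review who gained or lost access."""
    if group.bound_to is None:
        raise GroupBindingError(f"{group.name} is not bound; nothing to synchronize")
    registry_members = set(registry[group.bound_to])
    added = registry_members - group.members
    removed = group.members - registry_members
    group.members = registry_members
    return added, removed


def unbind(group: RepositoryGroup) -> None:
    """Removing the binding keeps the current members but stops synchronization."""
    group.bound_to = None
```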
