AD registry support configuration

Follow these steps to set up ISAM to support federated AD registries.

  1. Set up an ISAM policy server using either the appliance internal LDAP server or an external TDS LDAP server. We cannot set up the policy server directly in AD.
  2. Federate the AD registry suffixes into the ISAM registry. The AD registry must be accessed using its LDAP SSL interface. You can use either of the following methods:

    • Use the Federated Directories management page in the appliance LMI

      1. Select Web > Manage > Runtime Component.

      2. Select Manage > Federated Directories.

      3. Click New.

      4. Enter the information for the AD registry suffix to add.

      5. Click Save.

    • Modify the ldap.conf configuration file manually. For example:

        [server:myadserver]
        bind-dn = CN=Administrator,CN=Users,DC=home,DC=com
        bind-pwd = P@ssw0rd
        host = myad.ibm.com
        port = 636
        ssl-enabled = yes
        suffix = DC=home,DC=com
        #dynamic-groups-enabled = no
        bind-auth-and-pwdchg = yes

      We can federate multiple servers, so for an AD forest you need multiple [server:<inst>] stanzas, one for each AD server that contains users or groups we want to access. Some of the options, such as dynamic-groups-enabled and bind-auth-and-pwdchg, can only be set by manually modifying the ldap.conf configuration file; they cannot be set through the LMI.

  3. If we are not already using SSL to the Security Verify Access registry (internal or TDS), then we also need to set up a key file for the SSL access to AD. We can use either of the following methods:

  4. After we have federated AD suffixes into the Security Verify Access registry, we can manipulate the AD users and groups in those suffixes in the same way as native Security Verify Access users and groups. For example, we can import an AD user into ISAM:
    pdadmin sec_master> user import testuser CN=testuser,CN=Users,DC=home,DC=com

    There are some restrictions on foreign (cross-federated-registry) group memberships. For example, AD groups do not allow Security Verify Access registry (non-AD) users as members, but appliance internal or TDS registry groups do allow AD users as members. We can add the AD user Administrator to su-admins (cn=su-admins,cn=SecurityGroups,secAuthority=Default), but we cannot add the ISAM user sec_master to the AD group Administrators (CN=Administrators,CN=Builtin,DC=home,DC=com).
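As an added example (not part of this IBM documentation page or the product), the following Python check parses a constructed ldap.conf fragment for a two-domain AD forest and flags any [server:<inst>] stanza from step 2 that is missing options or is not configured for the LDAP SSL interface that AD federation requires. The stanza names, hosts, DNs and the password placeholder are assumed sample values.

```python
import configparser

# Constructed sample ldap.conf fragment (not taken from any real deployment):
# two domain controllers of one AD forest federated into the ISAM registry,
# with the second stanza deliberately left on plaintext LDAP.
SAMPLE_LDAP_CONF = """\
[server:ad-corp]
bind-dn = CN=svc-isam,CN=Users,DC=corp,DC=example,DC=com
bind-pwd = <placeholder-password>
host = dc1.corp.example.com
port = 636
ssl-enabled = yes
suffix = DC=corp,DC=example,DC=com
bind-auth-and-pwdchg = yes

[server:ad-child]
bind-dn = CN=svc-isam,CN=Users,DC=child,DC=corp,DC=example,DC=com
bind-pwd = <placeholder-password>
host = dc1.child.corp.example.com
port = 389
ssl-enabled = no
suffix = DC=child,DC=corp,DC=example,DC=com
"""

REQUIRED = ("bind-dn", "bind-pwd", "host", "port", "suffix")


def parse_ldap_conf(text):
    """Parse ldap.conf stanzas into {stanza: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_federated_servers(conf):
    """Return (stanza, severity, message) for every [server:<inst>] stanza
    that is missing options or is not configured for LDAP over SSL."""
    findings = []
    for stanza, opts in conf.items():
        if not stanza.startswith("server:"):
            continue  # [ldap] and other stanzas are out of scope here
        for opt in REQUIRED:
            if not opts.get(opt):
                findings.append((stanza, "error", "missing option " + opt))
        if opts.get("ssl-enabled", "no").lower() != "yes":
            findings.append((stanza, "error", "ssl-enabled must be yes: AD is only supported over LDAPS"))
        if opts.get("port") == "389":
            findings.append((stanza, "error", "port 389 is plaintext LDAP; the LDAPS port is 636"))
        if opts.get("bind-auth-and-pwdchg", "no").lower() != "yes":
            findings.append((stanza, "info", "bind-auth-and-pwdchg not enabled (settable only by editing ldap.conf)"))
    return findings
```

Running check_federated_servers(parse_ldap_conf(SAMPLE_LDAP_CONF)) reports nothing for ad-corp and three findings for ad-child: two errors for the plaintext LDAP settings and one informational note about bind-auth-and-pwdchg.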

Parent topic: Federated registry support