Guideline: Configuring Microsoft Active Directory 2003
Product(s): IBM Cognos Series 7
Area of Interest: Security


Configuring Microsoft Active Directory 2003
Cognos Proprietary Information

Copyright

Copyright 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC is an IBM Company. While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Cognos does not accept responsibility for any kind of loss resulting from the use of information contained in this document. This document shows the publication date. The information contained in this document is subject to change without notice. Any improvements or changes to the information contained in this document will be documented in subsequent editions. This document contains proprietary information of Cognos. All rights are reserved. No part of this document may be copied, photocopied, reproduced, stored in a retrieval system, transmitted in any form or by any means, or translated into another language without the prior written consent of Cognos. Cognos and the Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated) in the United States and/or other countries. IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, or other countries, or both. All other names are trademarks or registered trademarks of their respective companies. Information about Cognos products can be found at www.cognos.com. This document is maintained by the Best Practices, Product and Technology team. You can send comments, suggestions, and additions to [email protected].

Contents

1 Introduction
1.1 Purpose
1.2 Applicability
2 Extending the Schema
2.1 dSHeuristics
2.2 Required Details
2.2.1 Base Distinguished name
2.2.2 Schema Admin
2.2.3 Configuration Manager
2.3 Schema Objects and Attributes

1 Introduction

1.1 Purpose

This document provides a walkthrough of configuring Microsoft Active Directory 2003 for use with the IBM Cognos Series 7 products. Once the Active Directory schema has been extended, the Cognos namespace can be created.

1.2 Applicability

Product version is important when using this document. If the product version is not at least IBM Cognos Series 7 Version 2 MR1, the operation will fail. If extending the schema in an Active Directory 2000 environment, the dSHeuristics setting does not have to be modified.

2 Extending the Schema

Extending the schema so that Active Directory can be used as an authentication source is split into two operations: extending the schema, where IBM Cognos specific objects and attributes are added to the existing AD schema, and creating the Cognos namespace that will contain all of the users and user classes to be used in the Cognos security infrastructure.

When using Configuration Manager, the two operations appear to be part of the same process, but they are in fact two distinct operations. Once the schema has been extended, the objects and attributes are permanently part of the Active Directory schema, so ensure that the correct domain is being configured. That being said, the schema only needs to be extended once, but multiple namespaces can be created at different locations within Active Directory. This can be done either through the Access Manager admin interface, which allows you to create multiple namespaces within the same instance, or through Configuration Manager, which permits the creation of different instances within the same directory server instance. This is achieved by setting different baseDN values for the Base distinguished name (DN) parameter. For instance, specifying o=Cognos_prod,dc=support,dc=local and o=Cognos_dev,dc=support,dc=local would create two unique instances of the Cognos namespace that would have to be administered separately.

2.1 dSHeuristics

Before the schema can be successfully extended, Active Directory must first be configured to accept anonymous requests. By default, Active Directory 2000 accepted anonymous requests, but in AD 2003 the default has been changed to reject anonymous requests. For more information regarding anonymous requests, consult document Q326690 from the Microsoft knowledge base.

Using the Microsoft ADSI Edit utility, the necessary changes can be made to allow anonymous requests to the directory server. The ADSI Edit utility is not part of the operating system utilities by default and must be installed from the Windows Support Tools. Once installed, to launch the ADSI Edit console, navigate through Windows Explorer to the X:\Program Files\Support Tools directory and locate the adsiedit.msc file. Alternatively, ADSI Edit can be added to the MMC console as a snap-in.

Within ADSI Edit, right-click on the top level ADSI Edit node and select Connect to...

This presents the Connection Settings dialog box, in which the distinguished name will have to be entered as a connection point to locate the dSHeuristics setting. The distinguished name that will be used is

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Support,DC=local

It is important to note that the DC values of Support and local will have to be modified to reflect the desired environment, and that there may be more than just two DC values.

Once the values have been entered and the OK button has been selected, there will be a new entry in the ADSI Edit tool corresponding to the name used in the previous step, which was Domain in this example. It is important to note that there already exists a Domain entry in the ADSI Edit tool, so if Domain is used as the default name for the new connection details, there will be two Domain entries visible. Select the Domain entry that has the distinguished name that was specified as the connection point.

Right-click on the connection point entry (highlighted in the previous screen capture) and select Properties. All of the properties pertaining to that distinguished name will be visible in the resulting dialog box. Locate the dSHeuristics attribute and press the Edit button.

Pressing the Edit button will display the String Attribute Editor dialog box for the dSHeuristics attribute. Change the value from the default to 0000002. Click OK. This will now allow anonymous requests to be made against the Active Directory server.
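Added example, written in Python for this page and not taken from the Cognos guideline: dSHeuristics is a positional string, and the 0000002 above sets its 7th character (the anonymous LDAP operations flag) to 2. Because the attribute sits in the Configuration partition and therefore applies to the whole forest, a practitioner will want to read the current value first, audit whether anonymous operations are already allowed, and compute the new value without clobbering any other flag that is already set; the functions below do exactly that on constructed sample values.

```python
# Added example, not part of the Cognos guideline. dSHeuristics is a
# positional string; character 7 set to '2' allows anonymous LDAP
# operations, which is what the value 0000002 from the guideline does.

ANON_LDAP_POS = 7  # 1-based position of the anonymous-LDAP flag


def anonymous_ldap_allowed(ds_heuristics):
    """True when character 7 of dSHeuristics is '2' (anonymous ops on)."""
    value = ds_heuristics or ""          # an unset attribute reads as empty
    return len(value) >= ANON_LDAP_POS and value[ANON_LDAP_POS - 1] == "2"


def with_anonymous_ldap(ds_heuristics, enable=True):
    """Return dSHeuristics with position 7 set to '2' (or '0' to revert),
    keeping every other position as it was and padding short values with
    '0', as the guideline's 0000002 does."""
    chars = list(ds_heuristics or "")
    while len(chars) < ANON_LDAP_POS:
        chars.append("0")
    chars[ANON_LDAP_POS - 1] = "2" if enable else "0"
    # The directory requires every tenth character to equal its ordinal
    # (10th = '1', 20th = '2', ...); enforce it on values long enough.
    for i in range(9, len(chars), 10):
        chars[i] = str((i + 1) // 10)
    return "".join(chars)


def audit_line(ds_heuristics):
    """One-line finding for a defender reviewing a forest's current value."""
    state = "ALLOWED" if anonymous_ldap_allowed(ds_heuristics) else "rejected"
    return f"dSHeuristics={ds_heuristics!r}: anonymous LDAP operations {state}"


if __name__ == "__main__":
    for current in (None, "0000002", "0010000"):   # constructed sample values
        print(audit_line(current), "->", with_anonymous_ldap(current))
```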

2.2 Required Details

2.2.1 Base Distinguished name

Extending the Active Directory schema to include the necessary IBM Cognos objects and attributes requires some additional details that may not be readily available from the IBM Cognos application server. The first piece of required information is the base distinguished name (baseDN) that will be used. The baseDN, for the purposes of this document, is broken into two parts: the name of the container that will contain the Cognos namespace, and the actual root baseDN of the Active Directory schema being extended.

When selecting a name for the container that will hold the Cognos namespace, it is recommended that Cognos be chosen as the name. Naming the container Cognos clearly identifies to the Active Directory administrators which application this branch of the AD tree belongs to. Keep in mind that many Active Directory administrators prefer to use a preset naming convention, so they may have to be consulted prior to extending the schema and creating the Cognos namespace.

There are two ways of determining the baseDN of the Active Directory domain, other than asking the administrator for this information. The first way is through the Active Directory Users and Computers interface. Examining the default display should indicate what the base distinguished name is for the server. Once inside the graphical interface, the domain suffix can be obtained by looking at the root of the domain, as indicated by the computer group icon. In the screen capture below, the base distinguished name would be dc=support,dc=local.

The second method of identifying the baseDN is via the System Properties dialog box on the Active Directory server itself. To open this dialog box, right-click on the My Computer icon, select Properties and click on the Computer Name tab. On this tab, you will find most of the details required to ensure a successful schema extension.

1- Machine name: ADS, as per the screen capture

2- Domain name: Support

3- Internet domain suffix: LOCAL

NOTE: It is important to note that the schema extension must occur on the schema master domain and not on a child domain. If the domain is not the schema master, it must be promoted, or the operation will fail.

2.2.2 Schema Admin

Another critical piece of information is the account that will be used to extend the schema. This account must be a member of the Schema Admin group. Even though a user account may be part of the Domain Admin group, the account may still lack the privileges to extend the Active Directory schema. To verify the account membership, open the Active Directory Users and Computers interface, and locate the user account that will be used. Right-click on the account and select the Properties option. Click on the Member Of tab and verify that Schema Admin is listed.

If the user account is not a member of the Schema Admin group, then the schema extension may fail. It is possible that the Schema Admin group does not own the schema. In this case, the user account being used for the schema extension must be a member of the group that does own the schema.

2.2.3 Configuration Manager

To complete the schema extension and the creation of the namespace, the Configuration Manager utility must be used. In Cognos Configuration Manager, modify the values required to extend the directory server schema by accessing the General page under Services -> Access Manager Directory Server.

The values that need to be modified to extend the schema can be found in the right hand frame.

Are you sure that you want to configure this directory server? - This value should be set to yes, otherwise the operation will not be executed when the settings are applied.

Schema Version - This value should be set to CURRENT unless older IBM Cognos Series 7 applications will be accessing this directory server as well.

Server Type - This value can be left at the default Auto Detect, or the Active Directory option can be selected.

Computer - Host name of the directory server housing the Cognos schema. This can be the machine name, IP address or fully qualified DNS name.

Port - Port number that the directory server instance is running on.

Base distinguished name (DN) - Organizational Unit (OU) or Container (CN) where the Cognos namespace will be created. This can be the root DN, DC=Support,DC=local for example, or part of the subtree, such as O=Cognos,DC=Support,DC=local. Again, it is good practice not to specify just the baseDN but to use an Organization or Organizational Unit such as Cognos to house the namespace.

The namespace does not need to be created in the root of the domain. It can be created at any point of the domain hierarchy. For example, if the desired location was in an Organizational Unit (OU) called applications, which was under the root of the domain, the baseDN would then be:

o=Cognos,OU=applications,dc=support,dc=local

Unrestricted User distinguished name (DN) - User account that has sufficient privileges to extend the schema of the directory server as well as create the namespace. The value should be the full DN to the user account and NOT just the user name.

Unrestricted User password - Matching password value for the user specified as the unrestricted user.

Primary ticket service - Host and port where the Cognos Access Manager Server or Ticket Server service is running. This value can be supplied after the schema has been extended, either through Configuration Manager or the Access Manager admin tool, but it is recommended that this be set at the same time as the schema extension.

Apply these settings by clicking on the General object in the tree and pressing the Apply button. The settings can also be applied by right-clicking on the General object and selecting Apply Selection. If all values are correct, and the credentials have enough privileges, the following message will be returned upon successful schema extension.
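Added example in Python, not part of Configuration Manager or the guideline: a pre-flight check of the Directory Server values before Apply triggers the irreversible schema extension. It builds the root baseDN from the domain name and suffix read off the Computer Name tab (Support and LOCAL give dc=support,dc=local), parses the DN parameters into RDNs, and flags the mistakes the text warns about: a bare user name instead of the full DN, a base DN that is only the domain root, a port that is not a number, and a mistyped attribute type such as sc= instead of dc=. The dictionary keys (configure, port, base_dn, user_dn) are this example's own names, not the product's.

```python
# Added example: sanity-check Access Manager Directory Server values
# before they are applied. Key names below are this example's own.
import re

RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(\S.*?)\s*$")
KNOWN_TYPES = {"dc", "o", "ou", "cn"}   # attribute types the guideline uses


def parse_dn(dn):
    """Split 'o=Cognos,dc=support,dc=local' into [('o','Cognos'), ...]."""
    rdns = []
    for part in dn.split(","):
        m = RDN_RE.match(part)
        if not m:
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns


def domain_to_base_dn(domain_name, dns_suffix):
    """Root baseDN from the Computer Name tab details: domain 'Support'
    and suffix 'LOCAL' give 'dc=support,dc=local'."""
    labels = [domain_name] + dns_suffix.split(".")
    return ",".join(f"dc={label.lower()}" for label in labels if label)


def check_settings(s):
    """Return a list of problems with the values; an empty list is clean."""
    problems = []
    if str(s.get("configure", "")).lower() != "yes":
        problems.append("'Are you sure...' is not yes: nothing will be applied")
    if not (str(s.get("port", "")).isdigit() and 0 < int(s["port"]) < 65536):
        problems.append("port must be a TCP port number")
    try:
        base = parse_dn(s.get("base_dn", ""))
        bad = [t for t, _ in base if t not in KNOWN_TYPES]
        if bad:                       # catches typos such as sc= for dc=
            problems.append(f"base DN has unknown attribute type(s) {bad}")
        elif all(t == "dc" for t, _ in base):
            problems.append("base DN is the bare domain root; prefer a container such as o=Cognos")
    except ValueError as e:
        problems.append(f"base DN: {e}")
    try:
        if len(parse_dn(s.get("user_dn", ""))) < 2:
            problems.append("unrestricted user must be a full DN")
    except ValueError:
        problems.append("unrestricted user must be a full DN, not just the user name")
    return problems
```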

2.3 Schema Objects and Attributes

Prior to extending the schema in Active Directory, administrators may inquire as to which objects and attributes will be added into the schema. As mentioned before, this is an irreversible action, so great discretion is sometimes used. All of the files that deal with the schema modification are located in the \cerx\accman directory.

The files in this directory are organized by both schema version (15.2 or 16.0) and directory server type. The files required for the CURRENT schema type (see section 2.2.3) contain 16.0 in the file name. For example, slapd.oc.conf.16.0.extension.

All files that are required for Active Directory have the .active_directory suffix in the file names. For example, slapd.oc.conf.16.0.extension.active_directory.

Files that create the Object Classes contain .oc. in the file name, and files that create attributes contain .at. in the file name.

Here is a sample from the slapd.oc.conf.16.0.extension.active_directory file:

    # objectclasses below added for Cognos Authenticator Directory Service
    #Schema Version 16.0
    objectclass authSubdirectory
        oid 1.2.840.114050.1.1.1.2.1
        requires objectclass, cn
        allows authCreationDate, authConfigurationItem, authDefaultNamespace, authMiscellaneous, camUtf8Namespaces
        parents authSecurityData, authSubdirectory, domainDNS, organization, organizationalUnit
    objectclass camObjectDirectory
        oid 1.2.840.114050.1.1.1.2.13
        requires objectclass, cn
        parents authSecurityData, camObjectDirectory

And a sample from the slapd.at.conf.16.0.extension.active_directory file:

    #attributes below added for Cognos Authenticator Directory Service
    #Schema Version 16.0
    attribute camUserFolderRef camUserFolderRef 1.2.840.114050.1.1.1.1.300 dn 13801
    attribute camDBSignonRef camDBSignonRef 1.2.840.114050.1.1.1.1.301 dn 13806
    attribute camUserClassRef camUserClassRef 1.2.840.114050.1.1.1.1.302 dn 13804
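Added example in Python, not part of the Cognos distribution: a small reader for the two file formats sampled above, so the Active Directory team can list exactly which object classes and attributes the extension will add, and confirm every OID sits under the 1.2.840.114050 arc that the Cognos samples use, before the one-way change is applied. The embedded text is the two samples from this section; the keyword layout (objectclass / oid / requires / allows / parents, and the five-field attribute lines) is inferred from them and is this example's assumption.

```python
# Added example: review what the schema extension files would add. The
# embedded samples are the ones quoted above; layout rules are inferred.
OC_SAMPLE = """\
# objectclasses below added for Cognos Authenticator Directory Service
#Schema Version 16.0
objectclass authSubdirectory
    oid 1.2.840.114050.1.1.1.2.1
    requires objectclass, cn
    allows authCreationDate, authConfigurationItem, authDefaultNamespace, authMiscellaneous, camUtf8Namespaces
    parents authSecurityData, authSubdirectory, domainDNS, organization, organizationalUnit
objectclass camObjectDirectory
    oid 1.2.840.114050.1.1.1.2.13
    requires objectclass, cn
    parents authSecurityData, camObjectDirectory
"""
AT_SAMPLE = """\
#attributes below added for Cognos Authenticator Directory Service
#Schema Version 16.0
attribute camUserFolderRef camUserFolderRef 1.2.840.114050.1.1.1.1.300 dn 13801
attribute camDBSignonRef camDBSignonRef 1.2.840.114050.1.1.1.1.301 dn 13806
attribute camUserClassRef camUserClassRef 1.2.840.114050.1.1.1.1.302 dn 13804
"""
COGNOS_ARC = "1.2.840.114050."  # OID prefix every sampled entry uses


def parse_objectclasses(text):
    """Map class name -> {'oid', 'requires', 'allows', 'parents'}."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # skip comments and blanks
            continue
        key, _, rest = line.partition(" ")
        if key == "objectclass":
            current = {"oid": None, "requires": [], "allows": [], "parents": []}
            classes[rest.strip()] = current
        elif current is not None and key == "oid":
            current["oid"] = rest.strip()
        elif current is not None and key in ("requires", "allows", "parents"):
            current[key] = [x.strip() for x in rest.split(",") if x.strip()]
    return classes


def parse_attributes(text):
    """Map attribute name -> (oid, syntax) from 'attribute <name> <name> <oid> <syntax> <id>'."""
    rows = map(str.split, text.splitlines())
    return {f[1]: (f[3], f[4]) for f in rows if len(f) >= 5 and f[0] == "attribute"}


def foreign_oids(classes, attrs, arc=COGNOS_ARC):
    """Names whose OID is outside the expected arc; non-empty means stop and ask."""
    oids = {name: cls["oid"] for name, cls in classes.items()}
    oids.update({name: oid for name, (oid, _) in attrs.items()})
    return sorted(name for name, oid in oids.items() if not (oid or "").startswith(arc))
```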