
SAP How-to Guide

Mobile Technology

Sybase Unwired Platform

Applicable Releases:

Sybase Unwired Platform 2.x

Version 2.0

March 2012

Integration of LDAP with Sybase Control Center (Sybase Unwired Platform)

© Copyright 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

SAP "How-to" Guides are intended to simplify the product implementation. While specific product features and procedures typically are explained in a practical business context, it is not implied that those features and procedures are the only approach in solving a specific business problem using SAP NetWeaver. Should you wish to receive additional information, clarification or support, please refer to SAP Consulting.

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Document History

Document Version    Description
1.10                Update for SUP 2.1
1.00                First official release of this guide

Integration of LDAP with Sybase Control Center (Sybase Unwired Platform)

March 2012 1

Table of Contents

1. Business Scenario
2. Background Information
3. Prerequisites
4. Step-by-Step Procedure
4.1 Creating the LDAP Login Module in SCC
4.2 Configure the Sybase Common Security Infrastructure
4.3 Configure the Role Mapping
4.4 Map Role(s) to User(s)
4.5 Test Configuration
5. Appendix


1. Business Scenario

Sybase Control Center is a server application that uses a Web-browser-based client to deliver an integrated solution for monitoring and managing Sybase products. Sybase Control Center provides a single comprehensive Web administration console for real-time performance, status, and availability monitoring of large-scale Sybase enterprise servers. Sybase Control Center combines a modular architecture, a rich client administrative console, agents, common services, and tools for managing and controlling Sybase products. It includes historical monitoring, threshold-based alerts and notifications, alert-based script execution, and intelligent tools for identifying performance and usage trends. A Sybase Control Center server can support:

- Up to 50 monitored resources (servers)
- Up to 10 users logged in simultaneously

Lightweight Directory Access Protocol (LDAP) is an industry standard for accessing directory services over a network. The primary benefits of using LDAP to manage users are:

- Centralized password security policies in one authority
- Centralized identity and passwords across both UNIX and Windows
- Simplified creation and deletion of users
- A single user password for both the operating system and the application
- Reduced overall cost of ownership

The Sybase Control Center security model delegates user authentication to the operating system or to your LDAP server. You can configure Sybase Control Center to authenticate user logins through an LDAP server, the operating system, or both.

Sybase Control Center can be configured to authenticate through any LDAP server that supports the inetOrgPerson (RFC 2798) schema.

When Sybase Control Center authenticates through the operating system, it uses the operating system of the Sybase Control Center server machine (not the client).

Sybase strongly recommends that you use a common authentication provider for all Sybase products, including Sybase Control Center. A common authentication provider ensures that single sign-on works for users of Sybase Control Center and its managed servers.


2. Background Information

The SUP/LDAP integration consists of four essential steps at runtime:

1. Bind to the LDAP server as a service account that has permission to search the directory (the BindDN and BindPassword properties).

2. Search for the login name of the user SUP is trying to authenticate. The purpose of this search is to look up the user's fully qualified Distinguished Name (DN). Authentication proceeds only when the search returns exactly one match; no match or an ambiguous result is a failure.

3. Bind to the LDAP server with that DN and the password the user supplied. This is the step that actually verifies the password; the search in step 2 only proves that the account exists.

4. Perform a role search to discover the LDAP groups the user is a member of. SUP treats membership in an LDAP group as membership in a security role; the group name becomes the physical role name that section 4.3 maps to SCC roles.
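The four steps above as an added example, not code from the SAP guide or from SUP: a small Python simulation against a constructed in-memory directory (the DNs, account names and passwords are made up) that performs the service bind, the user search with the guide's own authentication filter, the user bind, and the group search. It also shows two checks a login module must make that the steps do not spell out: the login name is escaped (RFC 4515) before it is substituted for {uid}, so a crafted user name cannot add clauses to the filter, and an empty password is refused before the user bind, because an LDAP server treats a bind with an empty password as an anonymous bind that reports success. The role filter (&(objectclass=group)(member=<dn>)) is an assumption; the guide does not show SUP's role filter.

```python
# Added example (not from the SAP guide): the four SUP/LDAP runtime steps simulated
# against a constructed in-memory directory. All DNs, names and passwords are made up.
import re

DIRECTORY = {  # DN -> attributes; every value is a list, as in LDAP
    "CN=svc-sup,OU=Service,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["svc-sup"], "userPassword": ["bind-secret"]},
    "CN=Alice,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"], "userPassword": ["alice-pw"]},
    "CN=SUP Administrator,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["SUP Administrator"],
        "member": ["CN=Alice,OU=Users,DC=example,DC=com"]},
}

CONFIG = {  # mirrors the LDAPLoginModule properties of the guide; values are made up
    "BindDN": "CN=svc-sup,OU=Service,DC=example,DC=com",
    "BindPassword": "bind-secret",
    "AuthenticationSearchBase": "DC=example,DC=com",
    "AuthenticationScope": "subtree",
    "AuthenticationFilter": "(&(sAMAccountName={uid})(objectclass=user))",
    "RoleSearchBase": "OU=Groups,DC=example,DC=com",
    "RoleScope": "subtree",
}

def escape_filter_value(value):
    """RFC 4515 escaping: keeps user input from adding clauses to the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(flt, i=0):
    """Tiny parser for the filter subset used here: (&...), (|...) and (attr=value)."""
    if flt[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, flt))
    if flt[i + 1] in "&|":
        op, i, children = flt[i + 1], i + 2, []
        while flt[i] == "(":
            child, i = _parse(flt, i)
            children.append(child)
        return (op, children), i + 1            # skip the closing ')'
    end = flt.index(")", i)                     # an escaped ')' is \29, so this is safe
    attr, value = flt[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def _matches(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_matches(child, entry) for child in node[1])
    _, attr, pattern = node
    # '*' is a wildcard; everything else is matched literally after unescaping
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(re.match(regex, v, re.IGNORECASE) for v in values)

def search(base, scope, flt):
    """Return the DNs under `base` (scope 'onelevel' or 'subtree') that match `flt`."""
    node, _ = _parse(flt)
    base_l, hits = base.lower(), []
    for dn, entry in DIRECTORY.items():
        dn_l = dn.lower()
        if not (dn_l == base_l or dn_l.endswith("," + base_l)):
            continue
        if scope == "onelevel" and dn_l.count(",") != base_l.count(",") + 1:
            continue
        if _matches(node, entry):
            hits.append(dn)
    return hits

def bind(dn, password):
    """Simple bind. An empty password is refused: per RFC 4513 a real server would
    treat it as an anonymous bind and report success without checking anything."""
    if not password:
        return False
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])

def find_user_dns(uid, cfg, escape=True):
    """Step 2: substitute the login name into the filter and search for the user."""
    value = escape_filter_value(uid) if escape else uid
    flt = cfg["AuthenticationFilter"].replace("{uid}", value)
    return search(cfg["AuthenticationSearchBase"], cfg["AuthenticationScope"], flt)

def authenticate(uid, password, cfg):
    """Return {'dn': ..., 'roles': [...]} on success, None on any failure."""
    if not bind(cfg["BindDN"], cfg["BindPassword"]):        # step 1: service bind
        raise RuntimeError("bind as BindDN failed; check BindDN/BindPassword")
    hits = find_user_dns(uid, cfg)                          # step 2: find the DN
    if len(hits) != 1:                                      # none or ambiguous: refuse
        return None
    user_dn = hits[0]
    if not bind(user_dn, password):                         # step 3: the real check
        return None
    # step 4: groups that list the user as a member become its roles.
    # This role filter is an assumption; the guide does not show SUP's own.
    role_flt = "(&(objectclass=group)(member=%s))" % escape_filter_value(user_dn)
    groups = search(cfg["RoleSearchBase"], cfg["RoleScope"], role_flt)
    return {"dn": user_dn, "roles": [DIRECTORY[g]["cn"][0] for g in groups]}
```

Running authenticate("alice", "alice-pw", CONFIG) returns Alice's DN with the role "SUP Administrator"; a wrong or empty password, or an unknown user, returns None. Calling find_user_dns("*)(objectclass=*", CONFIG) returns nothing because the login name is escaped, whereas the same call with escape=False turns the filter into (&(sAMAccountName=*)(objectclass=*)(objectclass=user)) and matches every user account, which the exactly-one-match rule then rejects.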


3. Prerequisites

Prerequisites for the steps described in this How-To Guide are:

- Sybase Unwired Platform 2.x
- An existing LDAP server (this example uses Microsoft Active Directory)
- A user account with search access to the directory, to be used as the Bind DN

More information can be found at http://infocenter.sybase.com


4. Step-by-Step Procedure

4.1 Creating the LDAP Login Module in SCC

1. Go to the Sybase Control Center URL: https://<hostname>:8283/scc

2. Log in with the SUP administrator user and the password that was entered during the installation of the SUP server.

Note

The user name is case sensitive. On Sybase Unwired Platform 2.0 or earlier the default installation password is "s3pAdmin". If that default is still in place, change it before exposing SCC to the network; it is published in this guide and therefore known to anyone.

3. Select the "Security" navigation node as shown in the figure below.


4. Create another security profile to be used for the LDAP connection: click "New…" and enter a meaningful name for the profile. For this example we name it "LDAPconnection".

5. Click the "LDAPconnection" icon and then the Authentication tab, as shown below. The default provider is not the one we want; we will change it.


6. Now add the "LDAPLoginModule": click the "New…" button as shown below.

7. Select the "LDAPLoginModule" provider from the list as shown below.


8. The following default screen appears.

Note

To complete the "LDAPLoginModule" you need the connection properties of your LDAP server, which your directory administrator should be able to provide. The properties needed to complete this task are listed below.

These are the LDAPLoginModule attributes and what to enter for each:

Provider URL: The LDAP server to connect to. In our example it is ldap://<LDAP HOST>:<LDAP Port>. With the "simple" authentication method the bind password and every user's password travel over this connection in the clear, so prefer an ldaps:// URL if your directory offers LDAP over SSL.

Control Flag: Usually set to sufficient. This is the JAAS control flag: with sufficient, a successful LDAP login ends the authentication immediately, while a failed one lets the remaining providers in the stack be tried.

ServerType: This is the important one: it tells SUP what kind of LDAP server it is talking to. In this document we use a Windows (Active Directory) LDAP server, so the value is msad2k.

Authentication Method: We use simple.

Bind DN: A valid distinguished name that uniquely identifies, within the organization, the service account SUP binds with to perform its searches. This account needs search permission on the search bases and nothing more.

Bind Password: The password of the account named in Bind DN.

Authentication Search Base: The DN at which the user search starts; LDAP begins the search here and works downward.

Authentication Scope: How far below the Authentication Search Base the search goes. "onelevel" searches only the entries directly beneath the base, much like listing a single directory; "subtree" searches the base and every level beneath it, like searching a directory and all of its sub-directories. (For this example: subtree)

Authentication Filter: The search filter, comparable to the WHERE clause of a SQL query, that selects the user's entry. {uid} is replaced with the user name entered at login. Because we use Microsoft Active Directory and SUP authenticates with your account name, the filter is (&(sAMAccountName={uid})(objectclass=user)). The search must return exactly one entry.

Role Search Base: The DN at which the group search starts. The groups found here determine your roles in the organization and how they map to SUP roles.


Role Scope: Works together with the Role Search Base and says whether the groups we are looking for sit one level below the Role Search Base ("onelevel") or anywhere beneath it ("subtree"). (For this example: subtree)

Referral: A directory can be spread over many LDAP servers. For example, engineers in Waterloo can have a local LDAP server that is part of an enterprise directory whose master is in Dublin. Instead of querying Dublin for every lookup, we contact the local server, and when the requested entry lives elsewhere the local server returns a referral to the server that holds it. So that a user from another region can log in to this SCC, the login module must follow such referrals when the user does not exist on the local server; the value is therefore follow. Note that following referrals makes the login module connect to whatever server a referral names, so use it only where every server in the directory is trusted.

Most of the attributes described above have to be added to the provider, so the form should look like the example below.

Note that when you first set this up, the button labeled "Save" in the image above is labeled "OK".

9. Add the properties as follows:

a. Click on <ADD NEW PROPERTY>; you should see the image below.

b. You should see something like the figure below. Select the Bind DN attribute.


c. Repeat the same steps to add the rest of the attributes.

10. Once all attribute/value pairs have been entered, either remove the default provider ("NoSecLoginModule") or move the new provider to the top of the stack. Removing it is the safer choice: NoSecLoginModule accepts a login without checking credentials, so as long as it remains in the stack with a control flag that lets it succeed on its own, a login that the LDAP server rejects can still fall through to it and succeed.

Example of removing the default provider:

Example of moving the new provider to the top of the stack:


11. Once you have finished updating the new security profile with the new provider, click the "General" tab.

12. Click the "Validate" button. If everything is correct you should see a message similar to the screen shot below.

13. Click the "Apply" button.


4.2 Configure the Sybase Common Security Infrastructure

At this point you can update the Sybase CSI so that the LDAP provider becomes your main source of authentication instead of the default native SCC user account. The configuration file is located at <installation drive>:\Sybase\SCC-<control #>\conf\CSI.properties

1. Make a backup of the file before making the update.

2. Open the file in your preferred text editor.

3. Locate the section ## SUP Ldap Login module

4. Uncomment the existing options or add your own below "SUP LDAP Login module". These value pairs must match what you entered in the security profile:

## SUP Ldap Login module
CSI.loginModule.5.provider=com.sybase.ua.services.security.ldap.LDAPWithRoleLoginModule
CSI.loginModule.5.controlFlag=sufficient
CSI.loginModule.5.options.moduleName=SUP LDAP Login Module
CSI.loginModule.5.options.ProviderURL=ldap://<LDAP host>:<LDAP port>
CSI.loginModule.5.options.ServerType=msad2k
CSI.loginModule.5.options.BindDN=<LDAP service user>
## BindPassword must contain your domain password.
CSI.loginModule.5.options.BindPassword=yourpasswordgoeshere
CSI.loginModule.5.options.AuthenticationSearchBase=<CN=……>
CSI.loginModule.5.options.AuthenticationScope=subtree
CSI.loginModule.5.options.DefaultSearchBase=<CN=…..>
CSI.loginModule.5.options.RoleSearchBase=<CN=…..>
CSI.loginModule.5.options.RoleScope=subtree
CSI.loginModule.5.options.Referral=follow

5. Save the file.

Note that the bind password is written into this file in clear text. Restrict read access to CSI.properties (and to the backup from step 1) to the account that runs SCC and to administrators.


4.3 Configure the Role Mapping

This part of the guide continues the previous step if you plan to use LDAP as your main source of authentication. It maps the security provider's physical roles (the LDAP group names) to the logical roles of Sybase Control Center. The file is located at C:\Sybase\SCC-3_2\conf\roles-map.xml

1. Make a backup of the file before making the update.

2. Open the file in your preferred text editor.

3. Add the following under the <security-modules> tag and replace the "modRole" values with the names of your LDAP groups. The module name is the same string as the moduleName option in CSI.properties; keep the two identical.

<module name="SUP LDAP Login Module">
  <role-mapping modRole="<RDN value allow for this role>"
    uafRole="uaAnonymous,uaAgentAdmin,uaPluginAdmin,sccAdminRole,sccUserRole,sccOperRole,sccGuestRole,jmxDirectAccess" />
  <role-mapping modRole="<RDN value allow for this role>"
    uafRole="uaAnonymous,uaAgentAdmin,uaPluginAdmin,sccAdminRole,sccUserRole,sccOperRole,sccGuestRole,jmxDirectAccess" />
  <role-mapping modRole="SUP Domain Administrator"
    uafRole="uaAnonymous,uaAgentAdmin,uaPluginAdmin,sccUserRole" />
</module>

The first two mappings grant full SCC administration (sccAdminRole) together with direct JMX access; assign them only to groups whose membership is tightly controlled.

4. Save the file and restart the Sybase Control Center service.
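A consistency check for the two files edited in sections 4.2 and 4.3, added here as an example; it is not part of the SAP guide or of SCC. It parses a CSI.properties excerpt and a roles-map.xml excerpt, both constructed inline from the guide's own templates with a made-up host, DNs and group names, and reports the mistakes that are otherwise only discovered after restarting SCC: a missing option, a bind password still set to the placeholder, a plaintext ldap:// URL, a roles-map module name that does not match the moduleName option, and a mapping that hands out sccAdminRole.

```python
# Added example (not from the SAP guide): cross-check CSI.properties against roles-map.xml.
# Both inputs are constructed from the guide's templates; host, DNs and groups are made up.
import xml.etree.ElementTree as ET

CSI_PROPERTIES = """\
## SUP Ldap Login module
CSI.loginModule.5.provider=com.sybase.ua.services.security.ldap.LDAPWithRoleLoginModule
CSI.loginModule.5.controlFlag=sufficient
CSI.loginModule.5.options.moduleName=SUP LDAP Login Module
CSI.loginModule.5.options.ProviderURL=ldap://dc01.example.com:389
CSI.loginModule.5.options.ServerType=msad2k
CSI.loginModule.5.options.BindDN=CN=svc-sup,OU=Service,DC=example,DC=com
CSI.loginModule.5.options.BindPassword=yourpasswordgoeshere
CSI.loginModule.5.options.AuthenticationSearchBase=DC=example,DC=com
CSI.loginModule.5.options.AuthenticationScope=subtree
CSI.loginModule.5.options.DefaultSearchBase=DC=example,DC=com
CSI.loginModule.5.options.RoleSearchBase=OU=Groups,DC=example,DC=com
CSI.loginModule.5.options.RoleScope=subtree
CSI.loginModule.5.options.Referral=follow
"""

ROLES_MAP = """<security-modules>
  <module name="SUP LDAP Login Module">
    <role-mapping modRole="SUP Administrator"
      uafRole="uaAnonymous,uaAgentAdmin,uaPluginAdmin,sccAdminRole,sccUserRole,sccOperRole,sccGuestRole,jmxDirectAccess" />
    <role-mapping modRole="SUP Domain Administrator"
      uafRole="uaAnonymous,uaAgentAdmin,uaPluginAdmin,sccUserRole" />
  </module>
</security-modules>"""

REQUIRED_OPTIONS = ("moduleName", "ProviderURL", "ServerType", "BindDN", "BindPassword",
                    "AuthenticationSearchBase", "RoleSearchBase")
PLACEHOLDER_PASSWORDS = {"", "yourpasswordgoeshere"}
JAAS_FLAGS = ("required", "requisite", "sufficient", "optional")

def parse_login_modules(text):
    """Group the CSI.loginModule.<n>.* lines (key=value form, as in this file) by index."""
    modules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)          # values such as a DN may contain '='
        parts = key.split(".")
        if len(parts) < 4 or parts[:2] != ["CSI", "loginModule"]:
            continue
        module = modules.setdefault(int(parts[2]), {"options": {}})
        if parts[3] == "options" and len(parts) == 5:
            module["options"][parts[4]] = value
        else:
            module[parts[3]] = value
    return modules

def parse_roles_map(xml_text):
    """{module name: {modRole: [uafRole, ...]}} from a roles-map.xml fragment."""
    mapping = {}
    for module in ET.fromstring(xml_text).iter("module"):
        roles = mapping.setdefault(module.get("name"), {})
        for rm in module.findall("role-mapping"):
            roles[rm.get("modRole")] = [r.strip() for r in rm.get("uafRole", "").split(",") if r.strip()]
    return mapping

def check_ldap_module(module):
    """Findings for one LDAP login module; an empty list means nothing was flagged."""
    findings, opts = [], module["options"]
    findings += ["missing option %s" % name for name in REQUIRED_OPTIONS if name not in opts]
    if module.get("controlFlag") not in JAAS_FLAGS:
        findings.append("invalid controlFlag %r" % module.get("controlFlag"))
    if opts.get("BindPassword", "") in PLACEHOLDER_PASSWORDS:
        findings.append("BindPassword is empty or still the placeholder")
    if opts.get("ProviderURL", "").startswith("ldap://"):
        findings.append("ProviderURL uses ldap:// (plaintext); simple bind sends passwords in clear")
    return findings

def cross_check(csi_text, roles_xml):
    findings = []
    modules, roles = parse_login_modules(csi_text), parse_roles_map(roles_xml)
    ldap_modules = [m for m in modules.values()
                    if m.get("provider", "").endswith("LDAPWithRoleLoginModule")]
    if not ldap_modules:
        findings.append("no LDAPWithRoleLoginModule entry in CSI.properties")
    for module in ldap_modules:
        findings += check_ldap_module(module)
        name = module["options"].get("moduleName")
        if name not in roles:
            findings.append("roles-map.xml has no <module name=%r>; physical roles will not map" % name)
            continue
        for mod_role, uaf_roles in roles[name].items():
            if "sccAdminRole" in uaf_roles:
                findings.append("%r grants sccAdminRole (full SCC administration)" % mod_role)
    return findings

if __name__ == "__main__":
    for finding in cross_check(CSI_PROPERTIES, ROLES_MAP):
        print("-", finding)
```

On the constructed input the check reports the placeholder bind password, the plaintext ldap:// URL and the mapping that grants sccAdminRole; changing the moduleName option so that it no longer matches the module name in roles-map.xml adds a fourth finding. In practice, read the two real files instead of the inline strings.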

4.4 Map Role(s) to User(s)

Now log back in to Sybase Control Center with the default user ID and password (see the previous section) in order to set the mapping.

1. Expand the Domains icon, expand the Security icon and highlight admin as shown below.

2. All we want to do now is map the SUP Administrator role to the LDAP group that we added in roles-map.xml. If everything is configured correctly, the group is listed as shown in the next step.

3. For the SUP Administrator role, click the MAPPED drop-down list; you should see this:


4. Now click on "Map Roles…".

5. You should see the figure below.

6. Locate your roles under Available Roles and, once found, click the "Add>" button.

7. Repeat the same steps to add all the roles you put in roles-map.xml.

8. You should see something like this figure:


9. Once you are done, click the "OK" button.

10. Log out of Sybase Control Center.

4.5 Test Configuration

Finally, let's test our configuration.

1. Go back to Sybase Control Center at the following URL in your browser: https://<host-name>:8283/scc/#

2. Enter your domain user name and password.

3. You should see the following:


5. Appendix

Debugging

To find out whether authentication against the LDAP server is working, turn up the logging level within SUP:

1. Set the logging level of the SECURITY components to DEBUG.

2. Change the authentication cache timeout to a small value (5 seconds), so that each login attempt is evaluated against the LDAP server again instead of being answered from the cache.

3. Read the log file (..\UnwiredServer\logs\<clustername>_server.log); it now contains traces of the SUP authentication against the LDAP server.

Once you are done with the debugging:

1. Turn the logging level of the security components back down to WARN. DEBUG-level security logging records the details of every login attempt and should not stay enabled in production.

2. Raise the authentication cache timeout back to 3600 (1 hour).

3. You may need to delete the PreconfiguredLoginModule to disable the supAdmin account.

LDAP Error Code:

When debugging the SUP - LDAP connection with Microsoft AD you may find the following error message in the logs: "The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data xxx, vece ]."

Error code 49 is the generic LDAP "invalid credentials" result; "data xxx" is the Active Directory sub-code that says why the bind was refused:

525 – user not found

52e – invalid credentials

530 – not permitted to logon at this time

531 – not permitted to logon at this workstation

532 – password expired

533 – account disabled

701 – account expired

773 – user must reset password

775 – user account locked
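An added example, not from the SAP guide: a scanner that reads lines in the style of <clustername>_server.log, pulls the AcceptSecurityContext sub-code out of the exception text quoted above, and separates repeated bad-password attempts per user from account-state problems and from failures of the bind (service) account, whose failure breaks every login. The log lines are constructed; the timestamp and the user=<name> field are an assumed layout, and only the bracketed LDAP exception text follows the format the guide quotes.

```python
# Added example (not from the SAP guide): triage AD bind failures in constructed log lines.
# The line layout (timestamp, level, "user=<name>") is assumed; the bracketed exception text
# follows the format quoted in the guide.
import re
from collections import Counter

AD_SUBCODES = {  # the guide's table of "data xxx" sub-codes
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to logon at this time", "531": "not permitted to logon at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "user account locked",
}
CREDENTIAL = {"525", "52e"}
ACCOUNT_STATE = {"530", "531", "532", "533", "701", "773", "775"}

SAMPLE_LOG = """\
2012-03-01 10:00:01.123 DEBUG Security user=alice LDAP bind succeeded
2012-03-01 10:00:07.456 WARN  Security user=bob The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, vece ].
2012-03-01 10:00:09.789 WARN  Security user=carol The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, vece ].
2012-03-01 10:00:12.000 WARN  Security user=svc-sup The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, vece ].
2012-03-01 10:00:15.000 WARN  Security user=bob The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, vece ].
"""

FAILURE_RE = re.compile(
    r"user=(?P<user>\S+).*?error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]+): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+).*?data (?P<data>[0-9a-fA-F]+)")

def parse_failure(line):
    """Return a dict describing the bind failure on this line, or None if there is none."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    kind = "credential" if data in CREDENTIAL else "account-state" if data in ACCOUNT_STATE else "unknown"
    return {"user": m.group("user"), "result": int(m.group("code")), "dsid": m.group("dsid"),
            "data": data, "reason": AD_SUBCODES.get(data, "unknown sub-code"), "kind": kind}

def triage(log_text, bind_account, threshold=2):
    """Summarize the failures: who failed how often, which accounts have a state problem,
    whether the BindDN account itself failed (that breaks every login), and which users
    hit `threshold` or more credential failures (lockout or guessing in progress)."""
    failures = [f for f in map(parse_failure, log_text.splitlines()) if f]
    per_user = Counter(f["user"] for f in failures)
    credential_counts = Counter(f["user"] for f in failures if f["kind"] == "credential")
    return {
        "failures": failures,
        "per_user": per_user,
        "account_state": [f for f in failures if f["kind"] == "account-state"],
        "service_account_failures": [f for f in failures if f["user"] == bind_account],
        "repeated": sorted(u for u, n in credential_counts.items() if n >= threshold),
    }

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "svc-sup")
    for f in report["failures"]:
        print("%-8s data %s  %s (%s)" % (f["user"], f["data"], f["reason"], f["kind"]))
    print("repeated credential failures:", report["repeated"])
    print("bind account failures:", [f["reason"] for f in report["service_account_failures"]])
```

On the constructed lines the report shows bob with two "invalid credentials" failures (a candidate for a lockout or a guessing attempt), carol locked out, and the svc-sup bind account refused with "password expired", which is the one finding to act on first because no user can authenticate until the BindDN password is fixed.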

Debugging: Step 1

These are the steps to turn on DEBUG logging for the SECURITY components:

1. Expand the Servers icon.

2. Expand the cluster or server name.

3. Click on the Log icon.

4. On the right side choose Settings and click on the Security component. Change it from INFO or WARN to DEBUG.

5. Once you are done, click the Save button.


Debugging: Step 2

Change the authentication cache timeout to a small value (5 seconds):

1. Expand the Security icon.

2. Highlight your security module, which in this example is called 'admin'.

3. On the right-hand side, click on Settings.

4. Change "Authentication cache timeout (seconds)" from 3600 to 5.

5. Once you are done, click the Save button.


Note

Just as a reminder, once you are done with the debugging:

1. Turn the logging level of the security components back down to WARN.

2. Raise the authentication cache timeout back to 3600 (1 hour).

3. You may need to disable the supAdmin account.