28/5/2014 How to populate a group from LDAP

http://pic.dhe.ibm.com/infocenter/igsec/v1/advanced/print.jsp?topic=/com.ibm.guardium.using.doc/topics/how_to_populate_a_group_from_ldap.html 1/5
How to populate a group from LDAP
Import large user lists into Guardium groups without having to recreate this directory-related
information manually.
About this task
To populate a group from an LDAP server, follow these steps:
Define a group.
Configure an import operation to obtain the appropriate set of members from an LDAP server.
Run the import operation on demand, or schedule it to run at a specific time or on a periodic basis.
When you run the import on demand, you are presented with the set of LDAP entries that satisfy your
search criteria, and you must select which ones should be added to the group. When run on a scheduled
basis, all entries returned by your search will be added to the group.
Note: An LDAP import operation adds members to a group. It does not delete members.
InfoSphere Guardium administrators use a separate LDAP Import function to define InfoSphere Guardium
users and roles from an LDAP server. See Import Users from LDAP, LDAP User Import.
When importing LDAP users:
The InfoSphere Guardium admin user definition will not be changed in any way.
Existing users will not be deleted (in other words, the entire set of users is not replaced by the set
imported from LDAP), unless the Clear existing group members before importing checkbox is checked.
InfoSphere Guardium passwords will not be changed.
New users being added to InfoSphere Guardium will be marked disabled by default. They will have
blank InfoSphere Guardium passwords. They will be assigned the user role.
Note: Special characters in a user name are not supported.
Important: Scheduled imports should be reviewed as this functionality change may affect the behavior of
already scheduled imports.
On both imports of group members, Run Once Now will not be allowed without first saving the configuration.
For further information on LDAP, see: Groups, Populate_Group_from_LDAP; the CLI command
store_ldap-mapping; and the GuardAPI command grdapi import_ldap_users, Import LDAP users, GuardAPI
Process Control Functions.
Procedure
1. To configure a group-member import from an LDAP server, click Access Management > LDAP
User Import to open the LDAP User Import panel.
2. In the LDAP Host Name box, enter the IP address or host name for the LDAP server to be
accessed.
3. In the Port box, enter the port number for connecting to the LDAP server.
4. Select the LDAP server type from the Server Type list. Choices are: Active Directory, Novell
Directory, Open LDAP, Sun ONE Directory, or Tivoli Directory.
5. Mark the Use SSL Connection checkbox if InfoSphere Guardium is to connect to your LDAP server
using an SSL (secure socket layer) connection. Consult with your LDAP administrator regarding the
setup within your LDAP infrastructure to determine the connection method used in your environment.
6. In the Base DN box, specify the node in the tree at which to begin the search; for example, a
company tree might begin like this: DC=encore,DC=corp,DC=root
Note: Be careful of cut & paste errors when specifying the Base DN information. For example, a
dc=zone1 in the Base DN box must match the similar value dc=zone1 in the Log In As box.
7. For Import Mode, select Keep existing attributes to add, but not replace member information, or
select Override existing attributes to replace existing member information. Regardless of the
selection, no members will be deleted.
Note: Each time you change the CLI command ldap-mapping attributes you also need to select the
"Override Existing Changes" button on the LDAP Import configuration screen in InfoSphere Guardium
GUI before updating. This action must occur each time you change the CLI command ldap-mapping
email, firstname or lastname attributes and import LDAP users. See the CLI command store ldap-mapping
on customizing mappings to the LDAP server schema.
8. Optionally mark the Disable user if not on the import list checkbox to disable users by default, or
mark the Enable New Imported Users checkbox if you want new users created by the import process to
be enabled immediately. The default is for users to be added disabled, which means that you will have
to enable them manually. This is the approach generally taken when you have to supply a password for
the InfoSphere Guardium user account. If LDAP password authentication is being used, there is no need
to enter a password manually for the InfoSphere Guardium user definition, so in that case you may
prefer to mark the Enable New Imported Users checkbox.
9. Under User Import Configuration - Advanced, use the Fill with default button to the right of a field
if you do not have your own value for it.
10. In the Log In As box, enter the user account to use for the connection from the InfoSphere Guardium
server.
11. In the Password box, enter the password for the above user.
12. For Search Filter Scope, select One-Level to apply the search to the base level only, or Sub-Tree to
apply the search to levels beneath the base level.
13. In the Limit box, enter the maximum number of items to be returned. We recommend that you use
this field to test new queries or modifications to existing queries, so that you do not inadvertently
load an excessive number of members.
Note: The attribute that will be used to import users is defined by the InfoSphere Guardium
administrator, in the User RDN Type box of the LDAP Authentication Configuration panel. The
default is uid, but you should consult with your InfoSphere Guardium administrator to determine what
value is being used.
14. In the Attribute to Import as User Login box, enter your attribute, for example cn. Each attribute has
a name and belongs to an objectClass. Or use the Fill with default button.
15. In the Search Filter box, optionally enter LDAP search criteria. An LDAP search is carried out by
defining a base DN, a scope and a search filter. Typically, imports are based on membership in an
LDAP group, so the filter might use the memberOf attribute and look something like this:
memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root. See your LDAP server documentation
if you need help in this area.
16. In the Object Class for Users box, enter the object class, for example
(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person). An
objectClass is a collection of attributes, defining for each attribute, if it is mandatory (MUST) or
optional (MAY). An objectClass also defines the hierarchy of object classes and thus inheritance. Or
use the Fill with default button.
17. Mark the Import Roles box to bring in roles created elsewhere during the LDAP import. These roles
may be meaningless initially to InfoSphere Guardium, but they become editable through the Role
Permissions selection within Access Manager.
18. In the Attribute to Import as Role box, enter your attribute, for example, cn. Or use the Fill with
default button.
19. In the Role Search Base DN box, enter the base DN for the role search, for example,
ou=people,dc=guardium,dc=com. Or use the Fill with default button.
20. In the Role Filter box, optionally enter Role search criteria (for example, certain columns or rows for
roles created elsewhere may be of value).
21. In the Role filter/Object Class for Role box, enter your object class, for example,
(objectClass=groupOfNames)(objectClass=group). Or use the Fill with default button.
22. In the Attribute in User to Associate Role box, enter your attribute, for example, memberOf. Or use
the Fill with default button.
23. In the Attribute in Role to Associate User box, enter your attribute, for example, member. Or use the
Fill with default button.
24. Click Apply or Update to save the configuration. (After you have saved the configuration once, the
Apply button becomes an Update button.) Run Once Now is not permitted until the configuration has
been saved.
Note: After saving an LDAP import configuration, you can perform the following tasks, each of which
is described in a separate section. Because it is easy to miscode LDAP queries, we suggest that
you test each new or modified query by using the Limit field (described above) and by running the
query once on demand (see below), to verify that the correct set of members is being returned.
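The following script is an added example, not Guardium's own code or a product feature. It takes the values the panel above asks for (Base DN, Search Filter Scope, a memberOf group filter, Object Class for Users, the login attribute and Limit), builds the equivalent filter string, and evaluates the same criteria against a small constructed directory, so that the effect of One-Level versus Sub-Tree scope and of the Limit can be checked offline before a query is scheduled. It assumes that an entry must satisfy the Search Filter and any one of the listed object classes (the page does not state how Guardium combines those two fields), the sample entries and the GROUP, BASE and CLASSES values are constructed from the page's examples, and the RFC 4515 value escaping is a defensive addition not described on the page.

```python
# Constructed sample directory; the group and suffix DNs reuse the page's examples.
GROUP = "CN=syyTestGroup,DC=encore,DC=corp,DC=root"
BASE = "OU=Users,DC=encore,DC=corp,DC=root"
CLASSES = ["organizationalPerson", "inetOrgPerson", "person"]
DIRECTORY = [
    {"dn": "CN=alice,OU=Users,DC=encore,DC=corp,DC=root", "cn": "alice",
     "objectClass": {"person", "organizationalPerson"}, "memberOf": {GROUP}},
    {"dn": "CN=bob,OU=Contractors,OU=Users,DC=encore,DC=corp,DC=root", "cn": "bob",
     "objectClass": {"inetOrgPerson"}, "memberOf": {GROUP}},           # one level deeper
    {"dn": "CN=svc-backup,OU=Users,DC=encore,DC=corp,DC=root", "cn": "svc-backup",
     "objectClass": {"computer"}, "memberOf": {GROUP}},                # member, wrong class
    {"dn": "CN=carol,OU=Users,DC=encore,DC=corp,DC=root", "cn": "carol",
     "objectClass": {"person"}, "memberOf": set()},                    # right class, not a member
]

def escape_filter_value(value):
    """RFC 4515 escaping, so a pasted DN or name cannot add extra filter terms."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def build_filter(group_dn, object_classes):
    """Filter string equivalent to dry_run(), usable directly with ldapsearch."""
    classes = "".join(f"(objectClass={escape_filter_value(c)})" for c in object_classes)
    return f"(&(memberOf={escape_filter_value(group_dn)})(|{classes}))"

def in_scope(entry_dn, base_dn, scope):
    """One-Level: direct children of the base only; Sub-Tree: any depth below it.
    Simplification: RDNs are split on bare commas (escaped commas are not handled)."""
    e, b = entry_dn.lower(), base_dn.lower()
    if not e.endswith("," + b):
        return False
    relative = e[: -len(b) - 1]          # RDNs between the entry and the base
    return scope == "Sub-Tree" or "," not in relative

def dry_run(entries, base_dn, scope, group_dn, object_classes, login_attr, limit):
    """Login values the import would offer, in directory order, capped by Limit."""
    wanted = {c.lower() for c in object_classes}
    hits = []
    for e in entries:
        classes = {c.lower() for c in e["objectClass"]}
        members = {m.lower() for m in e["memberOf"]}
        if in_scope(e["dn"], base_dn, scope) and group_dn.lower() in members and classes & wanted:
            hits.append(e[login_attr])
            if len(hits) >= limit:
                break
    return hits

print(build_filter(GROUP, CLASSES))
print("One-Level:", dry_run(DIRECTORY, BASE, "One-Level", GROUP, CLASSES, "cn", 100))
print("Sub-Tree: ", dry_run(DIRECTORY, BASE, "Sub-Tree", GROUP, CLASSES, "cn", 100))
```

With the constructed entries, One-Level returns only alice, Sub-Tree also returns bob from the nested OU, and the service account and the non-member are excluded either way; lowering the limit to 1 shows how a small Limit truncates the result rather than filtering it.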
What to do next
Perform one of the following procedures:
Schedule LDAP User Import
Run LDAP User Import
Schedule an LDAP import
When you schedule an LDAP import to run at a specific time or on a periodic basis, all of the LDAP
entries that satisfy your search criteria will be imported to the group. In contrast, when the query is run on
demand, you have the opportunity to accept or reject each entry returned from the LDAP server.
1. As an admin user, open the Group Builder.
2. In the Modify Existing Groups panel, select the group for which you want to schedule an LDAP
import task.
3. Click LDAP to open the Set Up LDAP Import panel.
4. Click Modify Schedule. (If you have made any changes to the LDAP import configuration for this
group, the button will be disabled until you have applied the changes.)
For instructions on how to use the general-purpose task scheduler, see Scheduling.
Once a schedule has been defined, a Pause button appears on the Set Up LDAP Import panel. If you
click that button, the schedule is paused, and the Pause button is replaced by a Resume button.
Once a scheduled task has run, you can verify the group members by returning to the Modify Existing
Groups panel, selecting the appropriate group from the list, and clicking Modify, or you can use a
predefined report to list the group members. The latter approach provides more information, as it shows
the timestamp when each member was added to the group. See the Reports Showing Group Membership
section at the end of this topic.
Run an LDAP Import on Demand
When you run an LDAP import on demand, you have the opportunity to accept or reject each of the
members returned by the query. This is especially useful for testing purposes.
1. As an admin user, open the Group Builder.
2. In the Modify Existing Groups panel, select the group to which you want to add members.
3. Click LDAP to open the Set Up LDAP Import panel.
4. Click Run Once Now. (If you have made any changes, the button will be disabled until you have
applied the changes.)
5. After the task completes, the set of members satisfying your selection criteria will be displayed in
the LDAP Query Results panel.
6. Mark the items you want to add to the group, and click Import, or click Cancel to return without
importing any members.
You can verify the group members by returning to the Modify Existing Groups panel, selecting the
appropriate group from the list, and clicking Modify, or you can use a predefined report to list the group
members. The latter approach provides more information, as it shows the timestamp when each member
was added to the group. See the next section, Reports Showing Group Membership.
Reports Showing Group Membership
You can check a group's membership by opening it in the Modify Existing Groups pane of the Group
Builder (as described above), but it can be difficult to view large groups that way, and you are limited to
displaying one group at a time. Alternatively, you can use the predefined Guardium Group Details Report,
which lists groups and members.
Guardium Group Details Report
The predefined Guardium Group Details report is on the default administrator layout, on the Guardium
Monitor tab, and it can be added to a user layout from the Custom Reporting tab (Monitor/Audit, then
Build Reports).
You can use the Group Description or Group Type runtime parameters to control what groups will be
listed.
Parent topic: Using InfoSphere Guardium