Configuring an LDAP Authentication Module

Configure an LDAP authentication module for Sybase Control Center by editing the security properties file to point to the correct LDAP server.

  1. Open the <SCC-install-dir>\conf\csi.properties file.
  2. Uncomment the LDAP module in the properties file by removing the # symbol at the beginning of each line (or, if necessary, add an LDAP module to the file). The sample module below specifies the LDAP server that will provide user authentication.

    The sample module shows the properties used for an OpenDS LDAP server. See the example at the end for values that work for ActiveDirectory. Configuration properties you can use in the LDAP module are described in a subtopic.

    Each line of the LDAP server module of the properties file must begin with "CSI.loginModule." followed by a module number. (The module number in this sample is 7.) The module number you assign must be unique in the properties file, and you must use the same module number in every line of the module.

    CSI.loginModule.7.options.AuthenticationSearchBase=ou=users,dc=example,dc=com
    CSI.loginModule.7.options.BindDN=cn=Directory Manager
    CSI.loginModule.7.options.BindPassword=secret
    CSI.loginModule.7.options.DefaultSearchBase=dc=example,dc=com
    CSI.loginModule.7.options.ProviderURL=ldap://localhost:10389
    CSI.loginModule.7.options.RoleSearchBase=ou=groups,dc=example,dc=com
    CSI.loginModule.7.options.ServerType=openldap
    CSI.loginModule.7.options.moduleName=LDAP Login Module
    CSI.loginModule.7.controlFlag=sufficient
    CSI.loginModule.7.provider=com.sybase.ua.services.security.ldap.LDAPLoginModule
    
    Note: Change only the values of the options lines that describe your directory (AuthenticationSearchBase, BindDN, BindPassword, DefaultSearchBase, ProviderURL, RoleSearchBase and ServerType); the moduleName, controlFlag and provider lines must stay as shown. BindPassword is stored in clear text in csi.properties, so restrict read access on the file to the account that runs Sybase Control Center, and prefer an ldaps:// ProviderURL so that neither the bind credentials nor users' passwords are sent over the network unencrypted.
  3. Save the file.
  4. If your LDAP server's SSL certificate is signed by a nonstandard certificate authority (for example, if it is a self-signed certificate), use the keytool utility to add the certificate to the trust store of the JRE that runs Sybase Control Center. This step is needed only when ProviderURL uses ldaps://. Execute a command similar to this:
    keytool -import -keystore <sybase-dir>/shared/JRE-6_0_6/lib/security/cacerts -file 
    <your cert file and path> -alias ldapcert -storepass changeit
    
    The cacerts keystore lives under lib/security of the JRE, and changeit is its default password. Restart Sybase Control Center afterwards so that it reads both the edited csi.properties and the updated trust store.
    

LDAP configuration values for ActiveDirectory

For an ActiveDirectory server, use these values for the configuration properties in your LDAP login module (they are the same CSI.loginModule.<n>.options.* keys used in the sample above, with the property name given before the colon):
 
ServerType: msad2K
DefaultSearchBase: dc=<domainname>,dc=<tld> or o=<company name>,c=<country code>
                E.g. dc=sybase,dc=com or o=Sybase,c=us
ProviderURL: ldaps://<hostname>:<port>
                E.g. ldaps://myserver:636
AuthenticationFilter: (&(userPrincipalName={uid})(objectclass=user))
                The login name the user enters replaces {uid}, so with this filter users sign in with their userPrincipalName (user@domain).
BindDN: <user with read access to all user and group entries>
BindPassword: <password for the BindDN user>
RoleFilter: (|(objectclass=groupofnames)(objectclass=group))
controlFlag: sufficient

Because ProviderURL uses ldaps://, complete step 4 above if the domain controller's certificate is not issued by a CA that the JRE already trusts.
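The script below is an added example and is not part of Sybase Control Center or its documentation. It is a POSIX shell checker for a csi.properties file laid out as in the sample module above and the ActiveDirectory values just listed: it finds each LDAP login module by its provider line, then reports the mistakes this page warns about (a module number that is not used on every line of the module, a missing property, a ServerType other than the two documented here) together with two checks a security reviewer would add (a plaintext ldap:// ProviderURL, and a world-readable file holding BindPassword). The two properties files it writes are constructed for the example; the hostnames, ports and password in them are placeholders, not values from any real deployment.

```shell
#!/bin/sh
# check_csi_ldap.sh - sanity-check the LDAP login module(s) in a csi.properties
# file before restarting SCC. Added example, not part of Sybase Control Center.
# Assumes the line layout shown on this page:
#   CSI.loginModule.<N>.options.<Key>=<value>
#   CSI.loginModule.<N>.controlFlag=<flag>
#   CSI.loginModule.<N>.provider=<class>

# Print the module number(s) whose provider is the LDAP login module.
ldap_module_numbers() {
  sed -n 's/^CSI\.loginModule\.\([0-9][0-9]*\)\.provider=com\.sybase\.ua\.services\.security\.ldap\.LDAPLoginModule$/\1/p' "$1"
}

# Print the value of one key of module N, e.g.: get_prop csi.properties 7 options.ProviderURL
get_prop() {
  sed -n "s/^CSI\.loginModule\.$2\.$3=//p" "$1" | head -n 1
}

# Check module N of FILE. Prints one line per finding; returns 0 only if every check passes.
check_module() {
  file=$1; n=$2; rc=0

  # The module number must be unique: exactly one provider line may carry it.
  providers=$(grep -c "^CSI\.loginModule\.$n\.provider=" "$file" || true)
  [ "$providers" -eq 1 ] || { echo "module $n: expected 1 provider line, found $providers"; rc=1; }

  # Every property the sample module sets must be present under the same number;
  # a line typed with a different module number silently drops that property.
  for key in options.ProviderURL options.DefaultSearchBase options.AuthenticationSearchBase \
             options.RoleSearchBase options.BindDN options.BindPassword options.ServerType \
             controlFlag provider; do
    [ -n "$(get_prop "$file" "$n" "$key")" ] || { echo "module $n: missing $key"; rc=1; }
  done

  # Only the two ServerType values documented on this page are accepted here.
  case $(get_prop "$file" "$n" options.ServerType) in
    openldap|msad2K) ;;
    *) echo "module $n: unexpected ServerType"; rc=1 ;;
  esac

  # Insist on LDAPS: over ldap:// the BindPassword and every user's password cross the wire in clear text.
  case $(get_prop "$file" "$n" options.ProviderURL) in
    ldaps://*) ;;
    ldap://*)  echo "module $n: ProviderURL is plaintext ldap://; use ldaps://"; rc=1 ;;
    *)         echo "module $n: ProviderURL is not an ldap:// or ldaps:// URL"; rc=1 ;;
  esac

  # BindPassword is stored in clear text, so the file must not be world-readable.
  [ -z "$(find "$file" -perm -004)" ] || { echo "$file: world-readable but contains BindPassword"; rc=1; }

  return $rc
}

# Constructed sample 1: the OpenDS module from this page, switched to an ldaps:// URL
# (host, port and password are placeholders). mktemp creates the file mode 0600.
GOOD=$(mktemp); cat >"$GOOD" <<'EOF'
CSI.loginModule.7.options.AuthenticationSearchBase=ou=users,dc=example,dc=com
CSI.loginModule.7.options.BindDN=cn=Directory Manager
CSI.loginModule.7.options.BindPassword=secret
CSI.loginModule.7.options.DefaultSearchBase=dc=example,dc=com
CSI.loginModule.7.options.ProviderURL=ldaps://ldap.example.com:636
CSI.loginModule.7.options.RoleSearchBase=ou=groups,dc=example,dc=com
CSI.loginModule.7.options.ServerType=openldap
CSI.loginModule.7.options.moduleName=LDAP Login Module
CSI.loginModule.7.controlFlag=sufficient
CSI.loginModule.7.provider=com.sybase.ua.services.security.ldap.LDAPLoginModule
EOF

# Constructed sample 2: an ActiveDirectory module with the mistakes the checker is meant to
# catch: one line typed as module 9 instead of 8, a plaintext URL, no BindDN, and a
# world-readable file.
BAD=$(mktemp); cat >"$BAD" <<'EOF'
CSI.loginModule.8.options.ServerType=msad2K
CSI.loginModule.8.options.DefaultSearchBase=dc=sybase,dc=com
CSI.loginModule.8.options.ProviderURL=ldap://myserver:389
CSI.loginModule.9.options.AuthenticationSearchBase=dc=sybase,dc=com
CSI.loginModule.8.options.RoleSearchBase=dc=sybase,dc=com
CSI.loginModule.8.options.AuthenticationFilter=(&(userPrincipalName={uid})(objectclass=user))
CSI.loginModule.8.options.RoleFilter=(|(objectclass=groupofnames)(objectclass=group))
CSI.loginModule.8.options.BindPassword=secret
CSI.loginModule.8.controlFlag=sufficient
CSI.loginModule.8.provider=com.sybase.ua.services.security.ldap.LDAPLoginModule
EOF
chmod 644 "$BAD"
trap 'rm -f "$GOOD" "$BAD"' EXIT

# Run the checks over both constructed files; the second one reports four findings.
for f in "$GOOD" "$BAD"; do
  for n in $(ldap_module_numbers "$f"); do
    if check_module "$f" "$n"; then echo "$f module $n: OK"; fi
  done
done
```

To use it on a real installation, replace the two heredocs with the path of <SCC-install-dir>\conf\csi.properties (or pass the path to check_module directly) and run it before restarting Sybase Control Center; a non-zero return from check_module means the module would either be ignored by SCC or would authenticate over an unprotected channel.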
Next
There are two additional steps: