ClearQuest LDAP Settings with Windows Active Directory
ClearQuest offers an LDAP option for user authentication. I tried setting up Windows AD as the LDAP server and enabling the integration between ClearQuest and Windows AD. Here is a summary of the setup.
a. On a Windows 2000 or 2003 server, set up a domain controller. Once promoted to domain controller, the server also acts as an LDAP server. You can check whether the LDAP service is up with the following command:
netstat -a | find "ldap"
If the service is up, the output shows the ldap port in the LISTENING state.
b. Download an LDAP admin tool (any LDAP client will do) to browse the directory. You must know the directory structure before you can set the base DN and the search user's DN correctly. For Windows AD, the structure looks like this:
DC=VM_TESTINGLAB          -- VM_TESTINGLAB is the domain name of the Windows AD
  CN=Users
    CN=Administrator      -- the default administrator account
    CN=Cert Publishers
    CN=cq_search          -- another domain user, used later as the search user that looks up LDAP entries
    CN=Domain Admins      -- the default domain administrators group
    CN=Domain Computers   -- the computers in the domain
    ...
    ...
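The following PowerShell script is an added example, not code from the original post or from IBM/Rational. It checks the AD side with the lookup account itself before ClearQuest is touched: it probes port 389, creates cq_search as an ordinary domain user (no administrator group membership), then performs the same simple bind and the same search filter that ClearQuest will use. The DC host name dc01 and the test user jdoe are assumptions; the base DN and account names come from the tree above. It needs the RSAT ActiveDirectory module for New-ADUser and Test-NetConnection (Windows 8/2012 or later).

```powershell
# Added example, not code from the original post: check the AD side with the
# lookup account itself before configuring ClearQuest.
# Assumed names: the DC host 'dc01' and the test user 'jdoe'. The base DN and the
# account cq_search come from the page's directory tree.
# Requires the RSAT ActiveDirectory module (New-ADUser) and .NET System.DirectoryServices.
param(
    [string]$DomainController = 'dc01',               # assumed
    [string]$BaseDn           = 'DC=VM_TESTINGLAB',   # from the page's directory tree
    [string]$SearchUser       = 'cq_search',
    [string]$TestLogin        = 'jdoe'                # assumed ordinary AD user
)

# 1. Same check as "netstat -a | find ldap", but from the ClearQuest side of the network.
$probe = Test-NetConnection -ComputerName $DomainController -Port 389
if (-not $probe.TcpTestSucceeded) { throw "LDAP port 389 on $DomainController is not reachable" }

# 2. Create the lookup account as a plain domain user. It joins no admin group:
#    by default Authenticated Users can already read sAMAccountName, objectCategory
#    and userAccountControl on user objects, which is all the ClearQuest filter needs.
$cred = Get-Credential -UserName $SearchUser -Message "Password for $SearchUser"
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$SearchUser'")) {
    New-ADUser -Name $SearchUser -SamAccountName $SearchUser -Path "CN=Users,$BaseDn" `
        -AccountPassword $cred.Password -Enabled $true -PasswordNeverExpires $true `
        -Description 'ClearQuest LDAP lookup account (read-only, not an administrator)'
}

# 3. Escape the login as RFC 4515 requires, so that * ( ) \ in a login name
#    cannot change the structure of the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# 4. Bind exactly the way ClearQuest's setldapinit "-D <dn> -w <password>" does:
#    an LDAP simple bind with the account's DN. AuthenticationTypes::None means the
#    password crosses the wire in clear text on port 389, which is why LDAPS matters.
$bindDn = "CN=$SearchUser,CN=Users,$BaseDn"
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$DomainController/$BaseDn", $bindDn,
    $cred.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]::None)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.SearchScope = 'Subtree'                   # the page's "-s sub"
$login = ConvertTo-LdapFilterValue $TestLogin
# The page's filter with %login% substituted. 1.2.840.113556.1.4.803 is the AD
# bitwise-AND matching rule; bit 2 of userAccountControl is ACCOUNTDISABLE,
# so the !(...) term excludes disabled accounts.
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$login)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'userAccountControl'))

$hit = $searcher.FindOne()      # throws if the simple bind as $bindDn is rejected
if ($null -eq $hit) {
    Write-Warning "No enabled user with sAMAccountName=$TestLogin under $BaseDn; check the base DN and whether the account is disabled"
} else {
    '{0} -> {1} (userAccountControl={2})' -f $TestLogin,
        $hit.Properties['distinguishedName'][0], $hit.Properties['userAccountControl'][0]
}
```

If FindOne() throws, the bind as cq_search was rejected (wrong DN or password, or the DC requires signed binds); if it returns nothing, the base DN or the test login is wrong, or the account is disabled. Those are exactly the two failure causes that show up later in validateldap, so it is worth getting a clean result here first.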
c. Once the structure is known, enable the integration by running the following commands.
installutil setauthenticationalgorithm db_set_name cq_admin_user cq_admin_user_pwd CQ_ONLY -- this command sets ClearQuest to authenticate users on its own, so that nothing breaks while the LDAP settings are being changed.
installutil setldapinit db_set_name cq_admin_user cq_admin_user_pwd "-h ldap_server_name -p 389 -D cn=cq_search,cn=Users,dc=VM_TESTINGLAB -w cq_search_password" -- this command gives ClearQuest the LDAP connection details: the LDAP server name, the port the server listens on, the account ClearQuest binds as to search for entries, and that account's DN and password. In the command above the LDAP server is ldap_server_name, the port is 389 (the default LDAP port) and cq_search is the account ClearQuest uses to look up LDAP entries, so this account must exist in Windows AD and be able to read user entries. According to the directory structure above, its DN is cn=cq_search,cn=Users,dc=VM_TESTINGLAB. No special privilege is needed for the lookup: by default any authenticated domain user can read the attributes the search filter uses (objectCategory, sAMAccountName, userAccountControl), so an ordinary domain user account is enough. Do not put cq_search in the Administrators group; its password is stored in the ClearQuest database set and passed on the command line, so the account should hold no more rights than a read-only lookup needs. Note also that -D/-w is an LDAP simple bind, so the password crosses the network in clear text on port 389 unless the connection is protected by SSL/TLS.
installutil setldapsearch db_set_name cq_admin_user cq_admin_user_pwd "-s sub -b dc=VM_TESTINGLAB (&(objectCategory=person)(sAMAccountName=%login%)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -- this command sets the search ClearQuest uses to find a user's LDAP entry. -b specifies the base DN, here dc=VM_TESTINGLAB; -s sub tells ClearQuest to search the whole subtree under it. The filter (&(objectCategory=person)(sAMAccountName=%login%)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) is the one given in the ClearQuest help document; use it unchanged. It matches user objects (objectCategory=person) whose sAMAccountName equals the login name that ClearQuest substitutes for %login%, and excludes disabled accounts: 1.2.840.113556.1.4.803 is the Active Directory bitwise-AND matching rule, and bit 2 of userAccountControl is the ACCOUNTDISABLE flag, so the !(...) term drops any account with that bit set.
installutil setcqldapmap db_set_name cq_admin_user cq_admin_user_pwd CQ_LOGIN_NAME sAMAccountName -- this command chooses which ClearQuest user field is mapped to which LDAP attribute (sAMAccountName is an attribute of every AD user). CQ_LOGIN_NAME maps the ClearQuest login name to sAMAccountName. The other fields you can map are CQ_EMAIL, CQ_FULLNAME, CQ_MISC_INFO and CQ_PHONE. With CQ_LOGIN_NAME, users enter their login name to log in to ClearQuest. With CQ_EMAIL, they enter their e-mail address instead of the login name, but then the value stored in the ClearQuest e-mail field must match the sAMAccountName value on the LDAP side.
installutil validateldap db_set_name cq_admin_user cq_admin_user_pwd a_ldap_user a_ldap_user_pwd -- this command checks that the setup is correct by authenticating a real LDAP user. I failed many times during my setup, mainly for two reasons. First, the search user from the setldapinit step must exist in AD and be able to read the directory (an ordinary domain user is sufficient). Second, the search string (filter) in setldapsearch was not set up correctly; remember to put only the top-level DN after -b.
installutil setauthenticationalgorithm db_set_name cq_admin_user cq_admin_user_pwd CQ_FIRST -- this command tells ClearQuest that it is now time to use LDAP for user authentication. Run it only after validateldap succeeds.
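As an added example (not part of the original post, and not a Rational-supplied script), the whole step-c sequence can be driven from PowerShell in an order that cannot lock users out: stay on CQ_ONLY while the settings change, run validateldap, and switch to CQ_FIRST only when validation passes; on any failure the LDAP settings are removed again with the same -remove commands shown at the end of this post. It uses the page's placeholder names and assumes that installutil is on the PATH and returns a non-zero exit code when a subcommand fails (check $LASTEXITCODE behaviour on your release).

```powershell
# Added example, not part of the original post: run the step-c installutil sequence
# in an order that cannot lock users out, and roll the LDAP settings back if
# validateldap fails. Assumptions: installutil is on the PATH and sets a non-zero
# exit code on failure (check $LASTEXITCODE behaviour on your release); the
# placeholder names are the page's; a_ldap_user is an ordinary enabled AD account.
$DbSet      = 'db_set_name'
$CqAdmin    = 'cq_admin_user'
$CqAdminPwd = Read-Host 'ClearQuest admin password'     # installutil takes it as an argument anyway
$LdapHost   = 'ldap_server_name'
$BaseDn     = 'dc=VM_TESTINGLAB'
$SearchDn   = "cn=cq_search,cn=Users,$BaseDn"
$SearchPwd  = Read-Host 'AD password for cq_search'
$TestUser   = 'a_ldap_user'
$TestPwd    = Read-Host "AD password for $TestUser"

function Invoke-CqInstallUtil {
    param([Parameter(Mandatory)][string]$SubCommand, [string[]]$Extra = @())
    & installutil $SubCommand $DbSet $CqAdmin $CqAdminPwd @Extra
    if ($LASTEXITCODE -ne 0) { throw "installutil $SubCommand failed (exit code $LASTEXITCODE)" }
}

# 1. Keep ClearQuest-only authentication while the LDAP settings change.
Invoke-CqInstallUtil setauthenticationalgorithm @('CQ_ONLY')

try {
    # 2. Server, port 389 and the lookup account's DN/password (one quoted argument, as on the page).
    Invoke-CqInstallUtil setldapinit @("-h $LdapHost -p 389 -D $SearchDn -w $SearchPwd")
    # 3. Base DN, subtree scope and the filter from the ClearQuest help, unchanged.
    Invoke-CqInstallUtil setldapsearch @("-s sub -b $BaseDn (&(objectCategory=person)(sAMAccountName=%login%)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
    # 4. ClearQuest login name maps to AD sAMAccountName.
    Invoke-CqInstallUtil setcqldapmap @('CQ_LOGIN_NAME', 'sAMAccountName')
    # 5. Prove the chain works for a real user before anyone depends on it.
    Invoke-CqInstallUtil validateldap @($TestUser, $TestPwd)
    # 6. Only now let ClearQuest hand LDAP-enabled users to AD.
    Invoke-CqInstallUtil setauthenticationalgorithm @('CQ_FIRST')
    Write-Host 'LDAP authentication enabled.'
}
catch {
    Write-Warning "Enabling LDAP failed: $($_.Exception.Message). Removing the partial LDAP configuration."
    foreach ($sub in 'setldapinit', 'setldapsearch', 'setcqldapmap') {
        try { Invoke-CqInstallUtil $sub @('-allsites', '-remove') }
        catch { Write-Warning $_.Exception.Message }
    }
    throw
}
```

Because installutil takes every password as a plain command-line argument, the passwords are visible in the process list and in any shell history while the script runs; prompt for them rather than hard-coding them, and rotate the cq_search password only together with a new setldapinit, since an out-of-sync password stops every LDAP-enabled user from logging in.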
d. After all this is done, open the ClearQuest User Administration tool, add a user and check the LDAP option. When that user logs in to ClearQuest, the login is passed to LDAP for authentication.
PS: keep in mind not to change cq_search or its password in AD without updating setldapinit, otherwise no LDAP-enabled user can log in to ClearQuest. With MultiSite, if all sites share the same settings, run the exact commands at the working master site and then sync those updates to the other sites; otherwise run them at each site with the -site option. Lastly, you can disable LDAP with the commands below:
installutil setauthenticationalgorithm db_set_name cq_admin_user cq_admin_user_pwd CQ_ONLY
installutil setldapinit db_set_name cq_admin_user cq_admin_user_pwd -allsites -remove
installutil setldapsearch db_set_name cq_admin_user cq_admin_user_pwd -allsites -remove
installutil setcqldapmap db_set_name cq_admin_user cq_admin_user_pwd -allsites -remove
or temporarily disable LDAP with the command below, which leaves the LDAP settings in place:
installutil setauthenticationalgorithm db_set_name cq_admin_user cq_admin_user_pwd CQ_ONLY
This is pretty much all I know about ClearQuest and LDAP integration.