LDAP Configuration Using Active Directory on AIX

manishk
Participant
Posts: 32
Joined: Tue Oct 25, 2005 8:45 pm

Post by manishk »

Hi

I am using version 8.7 of IIS. WAS, Engine, and Metadata Tier are all on the same AIX 6.1 box. I am able to use MS Active Directory (AD) as the authentication process. I am able to access Business Glossary, Metadata Workbench, and FastTrack using LDAP authentication. The challenge I am facing is with DataStage. My user is created in Unix using the LDAP registry. I am able to log in to Unix using LDAP authentication, but I am not able to log in to DataStage using the same authentication. I have given all the IIS privileges to the AD group where my ID belongs. It looks to me like IIS doesn't like the LDAP authentication at Unix.
When I made the Unix ID use the local registry (i.e. created a local user account in Unix) with the same credentials, it was able to access DataStage.

Please let me know if this is how it works or if I am missing some steps to use LDAP authentication for DataStage. After reading the IBM docs, I guess PAM is not required as all tiers are on the same box.

Appreciate your help.
Thanks
Manish
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

Looks to me like you've missed the Engine Credentials step.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
manishk
Participant
Posts: 32
Joined: Tue Oct 25, 2005 8:45 pm

Post by manishk »

ray.wurlod wrote: Looks to me like you've missed the Engine Credentials step. ...
Thanks Ray, but I used the Shared option there, "Share User Registry". So there is no other option to map.
Thanks
Manish
JRodriguez
Premium Member
Posts: 425
Joined: Sat Nov 19, 2005 9:26 am
Location: New York City

Post by JRodriguez »

Manish,

PAM is required even if all tiers are hosted on the same box.

Regards
Julio Rodriguez
ETL Developer by choice

"Sure we have lots of reasons for being rude - But no excuses
manishk
Participant
Posts: 32
Joined: Tue Oct 25, 2005 8:45 pm

Post by manishk »

Thanks Rodriguez

Do we need service tier PAM configuration along with engine tier PAM configuration, or will engine tier PAM configuration alone work?
Thanks
Manish
JRodriguez
Premium Member
Posts: 425
Joined: Sat Nov 19, 2005 9:26 am
Location: New York City

Post by JRodriguez »

Manishk,

PAM is required only for the Engine. Basically, your services tier (WAS) should be configured to use an LDAP user registry (MS Active Directory), which in your case is already done. Just configure PAM to be able to authenticate DataStage users using your LDAP user registry.

Try and let us know your findings.
Julio Rodriguez
ETL Developer by choice

"Sure we have lots of reasons for being rude - But no excuses
kwwilliams
Participant
Posts: 437
Joined: Fri Oct 21, 2005 10:00 pm

Post by kwwilliams »

Are your LDAP and Active Directory in sync with one another? If not, this isn't going to work. If you can have one password in LDAP and another in Active Directory, it will authenticate in one tier and not in the other. I was implementing this at a client site and their user names in LDAP did not match the user names in Active Directory, so we couldn't authenticate the users by enabling LDAP and Active Directory.
manishk
Participant
Posts: 32
Joined: Tue Oct 25, 2005 8:45 pm

Post by manishk »

Thanks to all for the help.

The issue with the registry is resolved. In my case I was using a single-server architecture.

If we have to use the LDAP registry for DataStage, then PAM with only Engine Tier configuration will work. Service Tier configuration is not required. I did the same and it worked.
Thanks
Manish