DS 11.3 Windows AD Authentication

pavankvk
Participant
Posts: 202
Joined: Thu Dec 04, 2003 7:54 am

DS 11.3 Windows AD Authentication

Post by pavankvk »

Hi,

We are setting up an 11.3 environment on Windows, and planning to use Windows AD authentication for DataStage. Essentially having the same Windows network ID for DataStage and a single password for Windows and DataStage, completely governed by the password policy of the organisation.

Is there a doc/guide that clearly describes the steps involved? Is it documented in the admin guide?

Any pointers are appreciated.
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

It's in the Planning, Installation and Configuration Guide. Basically you have to configure the global security settings in WebSphere Application Server, providing details about the primary Active Directory server, port number (usually 389), base DSN (where to begin tree search in AD) and bind DN and password (user authorised to scan AD tree).
Optionally you can also configure search masks.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
pavankvk
Participant
Posts: 202
Joined: Thu Dec 04, 2003 7:54 am

Post by pavankvk »

ray.wurlod wrote:It's in the Planning, Installation and Configuration Guide. Basically you have to configure the global security settings in WebSphere Application Server, providing details about the primary Ac ...
Thanks Ray, I did that. How do we set up Windows AD users of our choice in InfoSphere and authenticate them when we log in to Designer?
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

Once LDAP authentication has been configured, all of the administrative facilities around users and groups in the web console for Information Server will use the LDAP-connected user registry.

That is, you assign Information Server suite and product roles to AD users or groups.

Similarly, when configuring user roles within projects, the list of users or groups is obtained from AD.

Make use of the extended Filter capabilities within Information Analyzer; that will mean you don't have to wade through your entire AD every time you need to reference a user or group.

When users log in, their credentials are checked by the login and security service, which (being a service exposed by WebSphere Application Server) verifies them against the LDAP-connected user registry, such as Active Directory.

Note that it is still necessary to set up Engine credentials for DataStage (and QualityStage and Information Analyzer) users, which will map the AD identity onto an operating system user on the Engine tier, unless the engine tier is also using LDAP and configured to use the same, or a synchronized, Active Directory as WebSphere Application Server.

Wouldn't it be good if you had a premium membership?
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.