
Need help setting up LDAP authentication

Posted: Mon Dec 10, 2012 6:37 pm
by mavrick21
Hello,

I've installed IIS 8.5 Server edition on RHEL 6 (64-bit) and I can get Internal Registry and OS authentication to work. This is the first time I'm trying to get LDAP authentication to work. We use Microsoft Active Directory (AD).

Please validate/guide me on the following:
1) I assume RHEL must be set up to accept AD username & password. Is this right?
2) Is setting up PAM on RHEL a must or is it optional?
3) I have installed IIS 8.5 using local root. Local user dsadm (belonging to dstage group) exists. But dstage group doesn't exist on AD. I'm just concerned about the file permissions when many users are logged in using their AD credentials and start creating files by running DataStage jobs. How do I go about this?
(i) Do I create a new group on the AD, say AD_GROUP, and add DataStage users (AD users) to it and make AD_GROUP as their primary group?
(ii) If 'yes' to above then what would happen to files, if any, created by dsadm:dstage? FYI: This is a fresh install and no jobs have been imported/run yet.

Any other useful/good practices pointers deeply appreciated.

Thanks
Mav

Posted: Mon Dec 10, 2012 6:53 pm
by mavrick21
Just now I verified there are a lot of files owned by dsadm:dstage in the installed IBM IS folder. I don't know if something needs to be done about these files.

Posted: Mon Dec 10, 2012 7:59 pm
by kwwilliams
It appears that you are using two different authentication mechanisms; I would not recommend that approach. When I looked at LDAP and Linux integration some time ago, it was possible to have the Linux user and the LDAP user with different passwords and permissions. When the passwords were different, the user was unable to log in to all of the Information Server tiers.

There are products that will tie LDAP into the Linux environment; if you are using one of those, then setting up PAM is a must. You will need to go into the WebSphere console and set up the integration with Active Directory.

Posted: Mon Dec 10, 2012 8:48 pm
by mavrick21
Keith,

Thanks for your quick response. I want to use just the LDAP authentication. Sorry if my previous post is confusing.

Should I have the AD group (dstage) and AD user (dsadm) set up first and then do a clean install? Or is there a way to do it without re-installing?

Thanks

Posted: Tue Dec 11, 2012 1:57 pm
by mavrick21
Here is what I did:
Install IIS 8.5 as root (sudo). Supplied dsadm as local OS user during the installation process. dsadm belongs to local group dstage in the OS. I see several files/directories in /opt/IBM owned by dsadm or root.

Here is my concern:
Let's assume I'm successful in getting Information Server and DS Engine to validate against Microsoft Active Directory (AD). My concern is there is no dstage group on the Active Directory and AD users have different primary AD group on the AD. When different AD users login to DataStage and start running jobs that create files, the files wouldn't belong to a common group. So a file created by user AD_user1 may not be accessible to user AD_user2. How do I go about solving this?
Secondly, would AD users be in a situation where they (or the jobs they create) need to access files created by dsadm?

Thanks

Posted: Tue Dec 11, 2012 3:33 pm
by ray.wurlod
AD is used to authenticate username/password and to return a list of AD groups to which the user belongs. IIS roles (suite roles and suite component roles) are assigned to AD users/groups.

AD users are mapped onto one or more operating system users for access to the file system on the DataStage engine. This is done using the Engine Credentials dialog under Domain Management in the Web Console.

Posted: Tue Dec 11, 2012 4:59 pm
by mavrick21
Thanks Ray. Your answer resolves all my concerns. :)

Posted: Wed Dec 26, 2012 6:01 pm
by mavrick21
I think I am successful in setting up LDAP for user authentication using SSL. The reason I say "I think" is that I don't get any errors in the WAS console; however, I'm not sure if the passwords are encrypted before being sent to LDAP. Are there logs in the IS directory that I can look at to verify that SSL/encrypted passwords are used?

Just FYI: I'm using the SSL-enabled port for the LDAP server and I've checked Require SSL communications in the WAS Web Console.

Thanks
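
The most direct way to answer the question in the post above is not a log file but the wire: capture the traffic between the WAS host and the domain controller and look at the first bytes the client sends. An LDAP simple bind over plain port 389 puts the bind DN and the password in a BER-encoded BindRequest that anyone on the path can read; LDAPS over 636 starts with a TLS record instead, and nothing about the bind is visible. The following is an added example, not code from the original thread or from IBM: it encodes a sample BindRequest (a constructed input, using a made-up DN and password) the way an LDAP client would, then decodes captured bytes to show exactly what an eavesdropper would see. Capturing the real traffic is left as a comment; the capture commands assume tcpdump is available on the WAS host.

```python
"""Tell a cleartext LDAP simple bind from an LDAPS (TLS) connection by inspecting
the first bytes the client sends. BER/LDAP framing per RFC 4511 section 4.2.

To capture real traffic on the WAS host (assumed tools, adjust interface/host):
    tcpdump -i eth0 -w ldap.pcap host dc01.example.com and '(port 389 or port 636)'
then feed the payload of the first client packet to classify_capture().
"""

# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def _ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    This is what a client sends on port 389 when no TLS is in use."""
    bind_request = _tlv(
        0x60,                                   # [APPLICATION 0] BindRequest
        _tlv(0x02, bytes([3]))                  # version INTEGER 3
        + _tlv(0x04, bind_dn.encode())          # name OCTET STRING
        + _tlv(0x80, password.encode()),        # authentication: simple [0] OCTET STRING
    )
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def _read_tlv(buf: bytes, i: int):
    """Return (tag, value, next_index) for the TLV starting at buf[i]."""
    tag, first = buf[i], buf[i + 1]
    i += 2
    if first & 0x80:                            # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    else:
        length = first
    return tag, buf[i:i + length], i + length


def parse_simple_bind(buf: bytes):
    """If buf begins with a cleartext simple BindRequest, return the DN and
    password it exposes; otherwise None (TLS bytes, SASL bind, or garbage)."""
    if not buf or buf[0] != 0x30:
        return None
    try:
        _, msg, _ = _read_tlv(buf, 0)
        tag, _mid, i = _read_tlv(msg, 0)
        if tag != 0x02:
            return None
        tag, op, _ = _read_tlv(msg, i)
        if tag != 0x60:
            return None
        _, version, i = _read_tlv(op, 0)
        _, dn, i = _read_tlv(op, i)
        tag, auth, _ = _read_tlv(op, i)
        if tag != 0x80:                         # [3] would be a SASL bind
            return None
        return {"version": version[0], "dn": dn.decode(), "password": auth.decode()}
    except (IndexError, UnicodeDecodeError):
        return None


def classify_capture(buf: bytes) -> str:
    """Classify the first client bytes on an LDAP connection."""
    if len(buf) >= 3 and buf[0] in TLS_CONTENT_TYPES and buf[1] == 0x03:
        return "tls"                            # TLS record header: type, version 0x03xx
    if parse_simple_bind(buf) is not None:
        return "cleartext-simple-bind"
    return "unknown"


# Constructed sample "captures"; the DN and password are made up for the example.
PLAINTEXT_CAPTURE = build_simple_bind(1, "CN=dsadm,OU=Users,DC=example,DC=com", "Secret123")
# First bytes of a TLS 1.0-framed ClientHello (record header + handshake type 0x01).
TLS_CAPTURE = bytes.fromhex("16030100a5010000a10303")

if __name__ == "__main__":
    for name, cap in (("port 389", PLAINTEXT_CAPTURE), ("port 636", TLS_CAPTURE)):
        print(name, classify_capture(cap), parse_simple_bind(cap))
```

If the connection to the SSL port classifies as `tls`, the password never appears on the wire; if anything classifies as `cleartext-simple-bind`, some component is still binding over 389 (the Engine tier and the WAS tier each talk to the directory, so check both hosts). The same check with a real capture is what a pentester would run against the setup.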

Posted: Thu Jan 03, 2013 1:55 pm
by mavrick21
Gurus - any thoughts?

Posted: Thu Jan 03, 2013 1:56 pm
by ray.wurlod
If you're using SSL, everything is encrypted.

Posted: Thu Jan 03, 2013 2:02 pm
by mavrick21
Thanks Ray!