You are on page 1of 13

Most clients utilize an external directory tool, such as Microsoft Active Directory, to provide authentication.

CA Embedded Entitlements Manager (EEM) can be configured to integrate with the same external directory, eliminating the need to administer separate sets of user ids and passwords for each application that uses EEM to provide authentication. EEM currently supports the following types of external directories:

Microsoft Active Directory Sun One Directory Novel eDirectory Novel eDirectory CN Custom Mapped Directory

This document focuses on how to configure Microsoft Active Directory and Global Catalog. It also incorporates a Custom Mapped Directory to accomplish a specific Use Case.

To enable an application to use external usernames and passwords, you need to first configure CA EEM to use external directories. Tip! If there are a large number of users in your Active Directory, you should configure CA EEM to use the Global Catalog. This will provide significantly better performance. Further information on how to do this is provided later in this document. To configure EEM to use an external directory, do the following: 1. Launch the CA EEM UI https://localhost:5250/spin/eiam/eiam.csp The login dialog will display. 2. 3. Select <Global> application, enter your EiamAdmin password and click Login. Select the Configure Tab.


Select the EEM Server sub tab:


Select Global Users / Global Groups:


Select the Reference from an external directory option and select the appropriate external directory from the Type drop down menu.

For example, here it shows the Microsoft Active Directory is selected.

7. 8. 9.

Provide the necessary BaseDN and UserDN details which can be obtained from LDAP administrator. Click Save to save changes Review the Status and ensure that External directory bind succeeded is checked. If this is not the case then the BaseDN, UserDN or password you provided is not correct. Important! When you connect CA EEM to an external LDAP directory, you can only work with global users. You cannot create any application users using CA EEM. You can, however, create application groups using CA EEM.

You can manually configure EEM to use External directory by updating the ipoz.conf file or through the EEM GUI. The ipoz.conf file resides in the iTechnology folder. The default location is
C:\Program Files\CA\SharedComponents\iTechnology

Unless you are familiar with the ipoz.conf format, however, you should use the EEM GUI to configure external directory. Here you can see an example of the configuration dialog and the type of information you will need to provide:


Type Specifies the type of external directory. CA EEM currently supports: Custom Mapped Directory, Microsoft Active Directory, Novell eDirectory, Novell eDirectoryCN, and Sun One Directory.

Host Specifies the host of the external directory. Hostname is the IP name or address of the computer on which the external directory is installed and running. The IP name or address can be in Internet Packet version 4 (IPv4) or version 6 (IPv6) format.

Port Specifies the port to connect to on the external directory host. This is an LDAP port. The default for Microsoft Active Port is 389. Port 3268 is for Global Catalog

Base DN Specifies the LDAP DN that is used as the base. Only global users and groups discovered underneath this DN are mapped into CA EEM. Note: No spaces are allowed in this Base DN field.

User DN Specifies the DN to use to attach to the external directory host.

Note: No comma is allowed in the cn of the User DN. For example, if your User DN is: cn=firstname,middlename,dc=foo,dc=com use the backslash (\) character before the comma. For example, User DN: cn=firstname\,middlename,dc=foo,dc=com

Password and Confirm Password Specifies the password for the User DN that is used to attach to the external directory host.

Transport Layer Security Specifies whether to use TLS when making the LDAP connection to the external directory.

Include Unmapped Attribute Indicates the external attributes that are not mapped. Note: Unmapped attributes can be used for search and as filters.

Cache Global Users If selected, CA EEM Server caches global users in memory. Although this enables faster lookups it can impact scalability. If this option is selected, it may take significantly longer when loading users from the external directory and there is potential risk of EEM taking up lot of resources. Note: Global user groups are always cached.

Cache Update Time Specifies the time (in minutes) to update the cached groups (and, optionally, users).

Retrieve Exchange Groups as Global User Groups If this option is selected, the CA EEM Server retrieves the universal, global, and domain local security groups. This lets you write policies against members of distribution lists.

Status Here you can see the status of the External directory bind and whether the External directory data is loaded or not. There are three possible states:

External directory bind is successful and/or data is loaded. External directory data is still loading. External directory bind failed.

Note: To refresh the status, without saving the changes, click Refresh status.

When there is large number of users or groups, configuring CA EEM External Directory support to use Global Catalog for Microsoft Active Directory is highly recommended. Otherwise, it may take a significantly long time to extract data from those users or groups. For example, in a typical extract with approximately 15,000+ users the time it took to load those users could be measured in seconds when Global Catalog was used rather than in hours when not using Global catalog. To configure EEM External Directory to use Global Catalog, do the following:


Launch the CA EEM UI


2. 3. 4.

Select <Global> application, enter your EiamAdmin password and click Login. Select the Configure Tab. Click EEM Server subtab

5. 6. 7. 8. 9.

Select Global Users / Global Groups from the right pane. Select Reference From an external Directory button Select Microsoft Active Directory from the Type drop down list. Provide the Active Directory Host name in the Host field. Specify the Global Catalog Port in the Port field. The default for this is 3268

10. Provide Base DN and User DN details

11. Click Save to save your changes.

12. Verify that the Binding was successful

Important!: A Bind successful status indicates that it was able to connect (attach) to the Active Directory using your DN details and password - it does not necessarily mean that you will get the required number of users. If your Base DN is not correct, it may not extract any users.

13. Verify that the specified Base DN is correct and that it has extracted the required number of users. To do this: a. b. Select the Manage Identities tab Specify Search criteria in the Value field and click Go. For example, specify eem* to select all users prefixed by eem:

To check for the existence of a Global Catalog do the following: 1. 2. 3. On the Active Directory Server, Select Active Directory Sites and Services from the Administrative Tools menu. Double-click Sites, and then double-click your sitename. Double-click Servers, click your domain controller, right-click NTDS Settings, and select Properties.


Verify that Global Catalog is selected:

Since CA EEM supports connection to only a single directory at a time single domain this means that you cannot connect to multiple external directories at the same time. If, however, it is a requirement that you be able to retrieve users from multiple domains, there are two approaches you can use:

You can connect to the Active Directory Global Catalog which will have the data for all the directories in the forest. You can use the DXLINK functionality of CA Directory. You can connect to the dxlink as the external directory in EEM using the custom mapped directory feature. The dxlink has the capability to connect to multiple directories at a time which would provide CA EEM with the view of multiple directories.

Following are examples demonstrating how CA EEM would be configured to support an External Directory.

In this example the client wishes to configure CA EEM to use Active Directory as External Directory, however, the Security administrator only wants CA EEM to extract those users\groups who are members of a Security Group that will be created for that purpose. This can be accomplished by configuring CA EEM to use Custom Mapped Directory as External Directory. To do this: 1. 2. 3. 4. Launch the CA EEM UI and navigate to EEM Server -> Global Users / Global Catalog as described in the previous sections. Select Custom Mapped Directory from the Type drop down menu and specify a Label of Microsoft Active Directory. Enter the Host, Port, Base DN , User DN and Password details as described in the Configure EEM for Active Directory section earlier. Click Label to update filter criteria to meet security administrator requirements


Update User Filter to add memberOf criteria. For example, change the following:

(&(objectClass=user)(!(objectClass=computer))(| (memberOf=CN=Domain Admins,CN=Users,DC=forward,DC=inc)(memberOf=CN=EEMGroup1,CN=Users,DC=forward, DC=inc)))

In this example, the filter is based on multiple groups. The user has to be member of Domain Admin or security group EEMGroup1 for it to be selected. If you just have one group to filter on:
(&(objectClass=user)(!(objectClass=computer))(memberOf=CN=EEMGroup1,CN=Users, DC=forward,DC=inc))


Once you have updated the User Filter click Save Label

This will update or create the file in iTechnology folder. You will need to click Save as well if you have made changes to any of the items listed in step 3


Verify that the filter works and only the members of the specified security group are selected. See list item 13 in the Configuring CA EEM to Use Global Catalog as External Directory section earlier for information on how to verify extracted users.