
Integrating Clarity PPM with Microsoft Active Directory using LDAP

Clarity PPM supports LDAP authentication against various directory services. This blog post explains how to enable Clarity PPM authentication using Microsoft Active Directory through LDAP (Lightweight Directory Access Protocol).

What is LDAP?

LDAP, Lightweight Directory Access Protocol, is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to authenticate users.

Why LDAP?

LDAP, as a single user repository, makes it easy to maintain users in an organization. The LDAP directory can be integrated with the organization's different applications for user authentication. This gives administrators a single repository in which all the users of the organization are maintained. It also helps end users, who do not have to remember separate login credentials for different applications. Once authenticated to the Windows server, the end user can log in to all the applications to which they have been granted access and for which LDAP integration is configured.

Microsoft Server – AD Configuration

The Network Administrator or Server Administrator is responsible for setting up the Active Directory server. The administrator creates a domain in Active Directory for the organization, which stores all the groups and users that belong to the organization.
If multiple applications integrate with Active Directory, the recommendation is to create one or more groups for every application and assign users to the respective groups based on the applications they need access to.
To enable integration of users from Active Directory to PPM, we require the details of the group to fetch the users from and a service account in Active Directory with access to read user information.

Clarity PPM Admin(CSA) configuration

The PPM Administrator is responsible for configuring the Active Directory information in CSA to enable LDAP integration. The following steps help the administrator define the LDAP properties.

    • Log in to CSA.
    • Open the properties of the server that is to be enabled for LDAP integration.
    • Select the Application tab. Click the Use LDAP check box to enable LDAP.
    • Select the Security tab. Provide the required details in the LDAP Server section as below.

URL: Provide the LDAP server URL along with the port number. The default LDAP port is 389 but may vary based on the configuration of the server.
Root Context: Provide the LDAP context for PPM to fetch the users from. PPM will sync all the users under the specified container in the application.
Example: DC=LDAPDomain,DC=com,CN=Domain_Test
Search User: Provide the LDAP service account username that is used to bind PPM to the LDAP server. The service account must have access to read the user information from the LDAP server.
Password and Confirm Password: Provide the password of the above entered service account user.
Batch Size: Identifies the total number of results that Clarity Project and Portfolio Management (PPM) limits for every search call it makes to a directory server. Set the batch size less than or equal to the number that is set for your directory server.
Object Class: Identifies the LDAP object class name. Each entry in LDAP belongs to object classes that identify the type of data that is represented by the entry. Provide the object class name that your LDAP server is configured with. The default object class that is provided is Person.
Search Filter: Optional LDAP search filter string. Specifying a value in this field enables you to define search criteria and to provide more efficient and effective searches.
LDAP search filters must conform to RFC 2254. Refer to http://www.faqs.org/rfcs/rfc2254.html for more information about RFC 2254.
Group Name: Identifies the name of the group that holds all the LDAP users that are to be synchronized with Clarity PPM.
Group Identifier: Identifies the ID of the group that is specified in the Group Name field, if present. The name of the attribute that signifies that an entity is a group.
Allow non-LDAP users: If checked, PPM can also have direct users who do not exist in LDAP, and they can log in to the application as well.
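
A filter of the kind entered in the Search Filter field can be assembled and checked before it goes into CSA. The following is an added example, not code from the original post or from Clarity PPM; the `memberOf` clause, the sample group DN and the function names are assumptions made for illustration.

```python
# Added example: build and sanity-check an RFC 2254 search filter.
# The group DN and the extra clause are constructed sample values.

# RFC 2254 reserves these characters inside an assertion value; each is
# written as a backslash followed by its two-digit hex code.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

SAMPLE_GROUP_DN = "CN=PPM Users (EMEA),OU=Groups,DC=example,DC=com"  # constructed


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_single_balanced_filter(text):
    """True if text is exactly one parenthesised filter with matched parentheses."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(text) - 1):
                return False  # stray ")" or text after the filter closed
        elif depth == 0:
            return False      # characters outside any parentheses
    return bool(text) and depth == 0


def build_filter(object_class, group_dn, extra=""):
    """AND together object class, group membership and an optional extra clause."""
    clauses = [
        "(objectClass=%s)" % escape_filter_value(object_class),
        "(memberOf=%s)" % escape_filter_value(group_dn),
    ]
    if extra:
        if not is_single_balanced_filter(extra):
            raise ValueError("extra clause is not a single balanced filter")
        clauses.append(extra)
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    print(build_filter("Person", SAMPLE_GROUP_DN, "(mail=*)"))
```
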

Clarity PPM LDAP jobs

The following jobs in PPM keep the LDAP users synchronized with the application according to the configuration in CSA.

  • LDAP – Synchronize New and Changed Users
  • LDAP – Synchronize Obsolete Users

LDAP – Synchronize New and Changed Users

This job synchronizes LDAP records with Clarity PPM records by synchronizing the users that you add to the LDAP Clarity PPM group. The job also makes the users active on the Clarity PPM server. If you use the search filter option and you change an attribute to one used by Clarity PPM, the user is activated on the Clarity PPM server. The activation occurs the next time that the job runs. The job then stores the last date and time the job ran successfully in the CMN_DIRECTORY_SERVERS database table. The job synchronizes only recently created or changed user entries. For the synchronization, the timestamp has to be greater than the value found in the CMN_DIRECTORY_SERVERS.LAST_SYNC_DATE field.

LDAP – Synchronize Obsolete Users

This job inactivates users that you remove from the LDAP Clarity PPM group on the LDAP server or whose record no longer contains the chosen search attribute. This job does not verify whether a user found in the LDAP Clarity PPM group or in the search that CSA specifies is active or inactive in LDAP. To inactivate users in Clarity PPM using the job, remove the users from the LDAP Clarity PPM group or remove the search attribute that is specified in CSA. These synchronization jobs function properly if you have correctly configured the LDAP Server and LDAP Attribute Mapping sections in CSA.
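
Because the obsolete-users job keys on group membership and not on the account's state in the directory, an account that is disabled in Active Directory but still in the group stays active in PPM. The following added example (not part of the original post or of Clarity PPM) predicts both outcomes from constructed data; it assumes no Search Filter is set and that PPM user names map to `sAMAccountName`.

```python
# Added example: predict the outcome of "LDAP - Synchronize Obsolete Users".
# Directory entries, the group DN and PPM user names are constructed sample data.

ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl flag: account disabled

PPM_GROUP_DN = "CN=PPM_Users,OU=Groups,DC=example,DC=com"  # hypothetical group

AD_ENTRIES = [
    {"sAMAccountName": "asmith", "userAccountControl": 512, "memberOf": [PPM_GROUP_DN]},
    {"sAMAccountName": "bjones", "userAccountControl": 514, "memberOf": [PPM_GROUP_DN]},
    {"sAMAccountName": "cwong", "userAccountControl": 512, "memberOf": []},
]

# Users currently active in PPM with External Authentication set (constructed).
PPM_ACTIVE_EXTERNAL_USERS = {"asmith", "bjones", "cwong", "dlee"}


def in_group(entry, group_dn):
    """Group DNs are compared case-insensitively."""
    return any(dn.lower() == group_dn.lower() for dn in entry["memberOf"])


def review_obsolete_sync(ad_entries, ppm_active, group_dn):
    """Split PPM users into those the job inactivates and those it leaves active
    even though their directory account is disabled."""
    members = {e["sAMAccountName"] for e in ad_entries if in_group(e, group_dn)}
    disabled = {
        e["sAMAccountName"]
        for e in ad_entries
        if e["userAccountControl"] & ACCOUNTDISABLE
    }
    return {
        # No longer in the group, or gone from the directory entirely.
        "inactivated_by_job": sorted(ppm_active - members),
        # Still in the group, so the job keeps them active despite being disabled.
        "disabled_in_ad_but_left_active": sorted(ppm_active & members & disabled),
    }


if __name__ == "__main__":
    print(review_obsolete_sync(AD_ENTRIES, PPM_ACTIVE_EXTERNAL_USERS, PPM_GROUP_DN))
```

Accounts reported under `disabled_in_ad_but_left_active` need to be removed from the group for the job to inactivate them.
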

Clarity PPM User Configuration

The External Authentication flag on users that are synchronized from LDAP to Clarity PPM is set to ‘Yes’. This flag indicates that the user profile will be updated from the information in LDAP when the jobs described above are run.

Author: Arjunan, Associate Consultant
Contact us:
For any questions or enquiries about our PPM service offerings, please contact us at info@albatrozsolutions.com or balaji@albatrozsolutions.com. We will be glad to help.