LDAP Configuration FAQ

Calyx RIM has some restrictions on how it can be configured for LDAP.

Q: Can I create an LDAP user if there is a forward slash (/) character in the name?

A: Yes. If there is a forward slash (/) character in the LDAP lookup user (user.ldap.user) name, the property LDAPTrimQuotes=true must be added to the insight.var file so that users with names containing special characters are added properly.

Q: How do I add Users/Groups to the system when no users have been configured to log in to Calyx RIM?

A: In the insight.var file, there is a property user.default.admin. This property specifies the DN of a user or group of users that are allowed to log in and have full admin privileges. Use the user/group specified by this property to initially add users and groups to the system.
Q: How do I configure multiple LDAP domains?

A: You can specify domains by adding properties of the form ldap.domain.<domain name>. The value of the property is the DN from which you want the LDAP search to start for that particular domain. In order to authenticate against a given domain, users need to choose the appropriate domain from the drop-down list when logging in. The user.ldap.base property must always be specified for each domain because searches for adding users/groups use this property. Note that additional LDAP properties that apply to a specific domain must be suffixed with the domain name. Any property not specified for a particular domain automatically falls back to the non-domain setting (for example, if user.ldap.server.DE is not set, user.ldap.server is used in its place).

  • Use these settings for a single LDAP instance with one domain:

    user.ldap.server=10.224.141.200
    user.ldap.base=DC=JDtest
    user.ldap.user=CN=Administrator,CN=Users,DC=JDtest
    user.ldap.pass=password
    user.default.admin=CN=admin,OU=Insight Users,DC=JDtest

  • Use these settings for a single LDAP instance with multiple domains:

    user.ldap.server=10.224.141.200
    ldap.domain.DE=OU=DE,DC=JDtest
    ldap.domain.US=OU=Insight Users,DC=JDtest
    user.ldap.user=CN=Administrator,CN=Users,DC=JDtest
    user.ldap.pass=password
    user.default.admin=CN=admin,OU=Insight Users,DC=JDtest

  • Use these settings for multiple LDAP instances and multiple domains:

    ldap.domain.DE=DC=mytest1,DC=liquent,DC=com
    user.ldap.server.DE=10.224.142.103
    user.ldap.user.DE=CN=tjtest,OU=insightusers,DC=mytest1,DC=liquent,DC=com
    user.ldap.pass.DE=tjtest
    ldap.domain.US=OU=Insight Users,DC=JDtest
    user.ldap.server.US=10.224.141.200
    user.ldap.user.US=CN=Administrator,CN=Users,DC=JDtest
    user.ldap.pass.US=password
    user.default.admin=CN=admin,OU=Insight Users,DC=JDtest
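The fallback rule above (a property suffixed with a domain name wins for that domain, otherwise the non-domain property applies) is easy to get wrong when a file grows to several domains. The following added example, which is not Calyx RIM code, parses an insight.var fragment constructed from the settings on this page and resolves the effective settings per domain. It also rejects domain names containing LDAP reserved characters, which the property table on this page forbids; the exact set of characters treated as reserved is an assumption of this example (the DN special characters of RFC 4514 plus the filter metacharacters of RFC 4515), and the per-domain port override ldap.port.DE follows the suffix convention described above rather than appearing anywhere on this page.

```python
"""Resolve the effective LDAP settings for each configured domain.

Added example, not part of Calyx RIM. It implements the fallback rule the FAQ
describes: a property suffixed with a domain name (user.ldap.server.DE) wins
for that domain, otherwise the non-domain property (user.ldap.server) is used.
"""

# Constructed insight.var fragment: the DE domain has its own directory server,
# bind credentials and port; the US domain inherits the non-domain settings.
SAMPLE_INSIGHT_VAR = """
user.ldap.server=10.224.141.200
user.ldap.user=CN=Administrator,CN=Users,DC=JDtest
user.ldap.pass=password
ldap.port=389
ldap.secure.port=636
user.default.admin=CN=admin,OU=Insight Users,DC=JDtest

# Domain DE: separate LDAP instance, separate bind user, non-standard port
# (ldap.port.DE is assumed to follow the ".<domain>" suffix convention)
ldap.domain.DE=DC=mytest1,DC=liquent,DC=com
user.ldap.server.DE=10.224.142.103
user.ldap.user.DE=CN=tjtest,OU=insightusers,DC=mytest1,DC=liquent,DC=com
user.ldap.pass.DE=tjtest
ldap.port.DE=10389

# Domain US: only the base DN differs from the non-domain settings
ldap.domain.US=OU=Insight Users,DC=JDtest
"""

# Properties that, per the FAQ, may carry a ".<domain>" suffix.
DOMAIN_SCOPED_KEYS = (
    "user.ldap.server",
    "user.ldap.user",
    "user.ldap.pass",
    "ldap.port",
    "ldap.secure.port",
)

# Assumed set of reserved characters: DN specials (RFC 4514) and filter
# metacharacters (RFC 4515). The FAQ forbids these in a domain name.
LDAP_RESERVED_CHARS = set(',+"\\<>;=#*()')


def parse_properties(text: str) -> dict[str, str]:
    """Parse key=value lines. Only the first '=' separates key from value,
    because DN values such as CN=admin,DC=JDtest contain '=' themselves."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def validate_domain_name(name: str) -> None:
    """Reject domain names that contain LDAP reserved characters."""
    bad = sorted(set(name) & LDAP_RESERVED_CHARS)
    if bad:
        raise ValueError(f"domain name {name!r} contains reserved characters: {bad}")


def domains(props: dict[str, str]) -> dict[str, str]:
    """Map each domain name to its base DN, i.e. the value of ldap.domain.<name>."""
    prefix = "ldap.domain."
    found: dict[str, str] = {}
    for key, value in props.items():
        if key.startswith(prefix):
            name = key[len(prefix):]
            validate_domain_name(name)
            found[name] = value
    return found


def effective(props: dict[str, str], domain: str, key: str):
    """Domain-specific value if present, otherwise the non-domain value, else None."""
    return props.get(f"{key}.{domain}", props.get(key))


def resolve_domain(props: dict[str, str], domain: str) -> dict[str, str]:
    """Return the settings Calyx RIM would effectively use for one domain."""
    settings = {"base_dn": domains(props)[domain]}
    for key in DOMAIN_SCOPED_KEYS:
        settings[key] = effective(props, domain, key)
    return settings


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_INSIGHT_VAR)
    for domain_name in domains(parsed):
        print(domain_name, resolve_domain(parsed, domain_name))
```

Because the same file holds the bind passwords (user.ldap.pass and its per-domain variants), the resolved output is also a quick way to confirm which credentials each domain actually uses before the file is locked down to the service account.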
Q: How can I configure Calyx RIM to use anonymous binding?

A: If the properties user.ldap.user and user.ldap.pass are not present, or are commented out, in the insight.var file, anonymous binding is used by default.

Q: My company does not support binding to CN. What are my options?

A: Calyx RIM supports changing the LDAP attribute type used to obtain the user name and group name (by default, the CN of the objects returned by the relevant search query). Binding to these types is also supported, where the LDAP server allows it and the type is guaranteed to have a unique value for each user/group in your implementation. You can change the default types by specifying the following in the insight.var file:

  • ldap.group.account.type=CN
  • ldap.user.account.type=CN
Q: My company uses custom objectClasses to represent Users and Groups. How do I make Calyx RIM aware of them?

A: Calyx RIM provides two properties for specifying the LDAP search criteria used to retrieve Users and Groups. The defaults are listed below and can be overridden by specifying the following properties in the insight.var file. Note that the value of each property must be a valid LDAP search filter.

  • ldap.group.object.search=(objectClass=Group)
  • ldap.user.object.search=(|(objectClass=User)(objectClass=userProxy))
Q: What additional LDAP configuration is provided?

A: The LDAP connection timeout (in ms):

ldap.connection.timeout=5000

To override the default LDAP ports (these properties can also be overridden on a domain basis):

ldap.port=389
ldap.secure.port=636

Q: Authentication against Active Directory is slow. How can I speed it up?

A: You may be searching Active Directory by objectClass (the Calyx RIM default). Use objectCategory instead, which is indexed and performs better. Add the following line to your insight.var:

user.ldap.object.attribute=objectCategory

Change Password

Q: How do I configure change password and SSL?

Importing Root Certificates

To be able to use secure connections, Calyx RIM must be able to validate the certificate presented by an LDAP directory server. To do this you must import the root certificate (the Certificate Authority's certificate) into the keystore (the cacerts file) of the Java Runtime Environment (JRE) used by Calyx RIM. Run the following command:

install_dir/bin/jre/bin/keytool -import \
    -keystore install_dir/bin/jre/lib/security/cacerts \
    -file root_certificate_path \
    -alias alias

We recommend you use the -alias option to uniquely identify the certificate. The standard password for the cacerts file is changeit. You must import the root certificate for every LDAP directory server you are using with Calyx RIM.

Creating Client Certificates for Use with Microsoft Active Directory

Microsoft Active Directory will only accept secure connections from Calyx RIM if it has a valid client certificate that has been signed using the Certificate Services on a Windows 2000/2003 Server. You must do this in addition to importing the root certificate, as described above. To do this, you must:

  • Generate the key pair for the client certificate
  • Generate a Certificate Signing Request (CSR) for the client certificate
  • Create the client certificate
  • Install the client certificate

Generating the Key Pair for the Client Certificate

Run the following command to generate the key pair for the client certificate:

install_dir/bin/jre/bin/keytool -genkey \
    -keyalg rsa \
    -keystore install_dir/var/info/certs/sslkeystore \
    -storepass 123456 \
    -alias alias \
    -keypass 123456

Generating the Certificate Signing Request for the Client Certificate

Run the following command to generate the Certificate Signing Request for the client certificate:

install_dir/bin/jre/bin/keytool -certreq \
    -keystore install_dir/var/info/certs/sslkeystore \
    -storepass 123456 \
    -alias alias \
    -keypass 123456 \
    -file path_to_CSR

The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.

Installing the Client Certificate

Run the following command to install the client certificate on the Calyx RIM server:

install_dir/bin/jre/bin/keytool -import \
    -file certificate_path \
    -keystore install_dir/var/info/certs/sslkeystore \
    -storepass 123456 \
    -alias alias \
    -keypass 123456

Note: If the server where Calyx RIM is installed contains multiple installations of Java, be sure to import the certificates into the version of Java that is running InSight. You can determine this by looking at the Java tab in the Apache Tomcat properties dialog box.

Q: What properties can I configure in insight.var? What do they do?

A: Properties, descriptions, and default values for insight.var:

  • user.ldap.base: The Base DN to search from when no domains are defined.
  • user.ldap.server: The address of the LDAP server.
  • user.source: Defines the authentication source.
  • user.ldap.user: The DN of a user to use to log in to this LDAP server. This user must have read access and search capabilities to all of the items you want to access from LDAP. If this property is not present, Calyx RIM attempts to bind anonymously.
  • user.ldap.pass: The password for the user specified in user.ldap.user.
  • user.default.admin: The default administrator account for logging in and setting up security the first time.
  • ldap.connection.timeout: The timeout in ms for obtaining an LDAP connection. Default: the network timeout.
  • ldap.domain.{DOMAIN_NAME}: The Base DN to search from for the domain specified by {DOMAIN_NAME}. Any of the following properties can be suffixed with a domain name to make the property specific to that domain. No LDAP reserved characters can be used in the {DOMAIN_NAME} value.
  • ldap.group.account.type: The type of attribute to search for groups. Default: cn.
  • ldap.user.account.type: The type of attribute to search for users. Default: cn.
  • ldap.group.object.search: The search filter used to find groups. Default: (objectClass=Group).
  • ldap.user.object.search: The search filter used to find users. Default: (|(objectClass=User)(objectClass=userProxy)).
  • ldap.port: The LDAP port to use. Default: 389.
  • ldap.secure.port: The secure LDAP port to use (for changing passwords). Default: 636.
  • user.ldap.object.attribute: The LDAP attribute to use when searching by object type. Default: objectClass.
  • user.ldap.groupObject.attribute: The object type of Groups. Default: Group.
  • user.ldap.groupChild.attribute: The LDAP attribute that denotes group children. Default: member.
  • user.ldap.groupParent.attribute: The LDAP attribute that denotes group parents. Default: memberOf.
  • user.ldap.groupsForUser.search: The LDAP search used to find the groups a user belongs to. This search supports substitution values. By default, Calyx RIM looks up the DN of each item listed in the attribute named by user.ldap.groupParent.attribute.
  • ldap.group.name.attribute: The LDAP attribute used to obtain a group's name. Default: name.

Q: What substitution values are available?

A: Available substitution values: 

  • $LDAP{USER_DN}: The full distinguished name of the queried user.
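The substitution value above is placed inside the filter given by user.ldap.groupsForUser.search. The following added example, which is not Calyx RIM code, shows the expansion step. This page does not say whether the product escapes the substituted value, so the RFC 4515 escaping applied here is an assumption of this example; it is what keeps a DN that contains a parenthesis, an asterisk or a backslash (all legal in DN values) from changing the structure of the filter. The filter template is constructed for the example around the default group filter (objectClass=Group) from this page; the function names are the example's own.

```python
"""Expand $LDAP{...} substitution values inside an LDAP search filter.

Added example, not Calyx RIM code. Substituted values are escaped per
RFC 4515 section 3 (an assumption about how expansion should behave, not a
statement about the product), so the value can never add or close a clause.
"""
import re

# Matches $LDAP{USER_DN} and any other upper-case substitution name.
PLACEHOLDER = re.compile(r"\$LDAP\{([A-Z_]+)\}")

# RFC 4515 section 3: these characters must be hex-escaped in assertion values.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed template for user.ldap.groupsForUser.search, built around the
# default group filter (objectClass=Group) documented on this page.
GROUPS_FOR_USER_SEARCH = "(&(objectClass=Group)(member=$LDAP{USER_DN}))"


def escape_filter_value(value: str) -> str:
    """Hex-escape the characters that are special inside a filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, values: dict[str, str]) -> str:
    """Replace every $LDAP{NAME} in the template with the escaped value.

    An unknown NAME raises KeyError rather than silently leaving the
    placeholder in the filter sent to the directory."""
    def replace(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no substitution value for $LDAP{{{name}}}")
        return escape_filter_value(values[name])
    return PLACEHOLDER.sub(replace, template)


def parentheses_balanced(filter_text: str) -> bool:
    """Sanity check on the expanded filter: raw parentheses must nest and balance.
    Escaped parentheses (\\28, \\29) contain no raw '(' or ')' and are not counted."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed DN with an escaped comma and parentheses in the CN.
    user_dn = "CN=Smith\\, John (Sales),OU=Insight Users,DC=JDtest"
    expanded = expand_filter(GROUPS_FOR_USER_SEARCH, {"USER_DN": user_dn})
    print(expanded)
    print("balanced:", parentheses_balanced(expanded))
```

The same expansion routine serves any further substitution value a later release might document: only the dictionary passed to expand_filter changes, while the escaping and the unknown-name check stay in one place.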