Friday, November 18, 2011

Integrating Siebel 8 with Active Directory or any other LDAP Directory

The documentation in the Siebel Security Guide is quite detailed and, at the same time, very difficult to follow. I want to present a quick and easy way to integrate Siebel 8 with Microsoft Active Directory (or any other LDAP directory).

I will assume in this post that Siebel is deployed in a UNIX/Linux environment (non-Windows) and that the LDAP integration is NOT done via SSL. However, the steps in a Windows environment should be very similar.

Step 1. Install the IBM LDAP Client SDK

The IBM LDAP Client SDK kit is located in the Siebel 8 install image, in the following location: <YOUR_OS>/Server_Ancillary/IBM_LDAP_6.0_Client/enu/itds60-client-sol-sparc-native.tar

Before installing the Client SDK, make sure that there are no conflicting LDAP utilities (such as ldapsearch, ldapbind, etc.) installed on the server. If there are, move them to a temporary directory. Example:

# cd /usr/bin
# mkdir old_ldap
# mv ./ldap* ./old_ldap/ 

After you are sure that there are no more LDAP utilities on your server (try to run ldapbind or ldapsearch from any location), you can proceed with the installation of the IBM LDAP Client SDK. I am giving an example for Solaris here:

# tar -xvf itds60-client-sol-sparc-native.tar
# cd itdsV60Client
# cd itds
# pkgadd -d idsldap.cltbase60.pkg 

The following packages are available:
 1  IDSlbc60     IBM Directory Server - Base Client
                 (sparc) 6.0.0.0
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Enter

Processing package instance <IDSlbc60> from </KIT/IBM_LDAP_Client_6/itdsV60Client/itds/idsldap.cltbase60.pkg>

IBM Directory Server - Base Client(sparc) 6.0.0.0
          5724-C08
          Copyright (c) IBM Corporation 1994-2003
 Portions Copyright (c) 1991 - 2000  Compuware Corporation

All rights reserved.  This product and its associated documentation are
protected by copyright and are distributed under a license agreement
restricting their use, reproduction, distribution, and decompilation.  No
part of this product or its associated documentation may be reproduced in
any form by any means without the prior written consent of IBM Corporation.

## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <IDSlbc60> [y,n,?]
y and Enter

Installing IBM Directory Server - Base Client as <IDSlbc60>

## Executing preinstall script.
## Installing part 1 of 1.
/opt/IBM/ldap/V6.0/bin/ITDSS060000.sys
/opt/IBM/ldap/V6.0/bin/ibmdirctl
/opt/IBM/ldap/V6.0/bin/idsdirctl
/opt/IBM/ldap/V6.0/bin/idsldapadd
/opt/IBM/ldap/V6.0/bin/idsldapchangepwd
….....
[ verifying class <idsldap> ]
## Executing postinstall script.
Installation of <IDSlbc60> was successful.


# pkgadd -d idsldap.clt32bit60.pkg 
 The following packages are available:
 1  IDSl32c60     IBM Directory Server - 32 bit Client
                  (sparc) 6.0.0.0
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Enter

Processing package instance <IDSl32c60> from </KIT/IBM_LDAP_Client_6/itdsV60Client/itds/idsldap.clt32bit60.pkg>
IBM Directory Server - 32 bit Client(sparc) 6.0.0.0
          5724-C08
          Copyright (c) IBM Corporation 1994-2003
 Portions Copyright (c) 1991 - 2000  Compuware Corporation

All rights reserved.  This product and its associated documentation are
protected by copyright and are distributed under a license agreement
restricting their use, reproduction, distribution, and decompilation.  No
part of this product or its associated documentation may be reproduced in
any form by any means without the prior written consent of IBM Corporation.

## Processing package information.
## Processing system information.
  2 package pathnames are already properly installed.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <IDSl32c60> [y,n,?]
y and Enter

Installing IBM Directory Server - 32 bit Client as <IDSl32c60>
## Executing preinstall script.
## Installing part 1 of 1.
/opt/IBM/ldap/V6.0/bin/32/ibmdirctl
….....
/opt/IBM/ldap/V6.0/lib/libidsstr.so
/opt/IBM/ldap/V6.0/lib/libldap.so <symbolic link>
[ verifying class <idsldap> ]
## Executing postinstall script.
Installation of <IDSl32c60> was successful.

After the installation is completed, you need to update the siebenv.sh file (located in SIEBEL_HOME/siebsrvr and SIEBEL_HOME/gtwysrvr) and add the path to the lib folder of the newly installed IBM Client SDK:

siebenv.sh:
.......
if [ a${LD_LIBRARY_PATH} = ${LD_LIBRARY_PATH}a ]
then LD_LIBRARY_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:/opt/IBM/ldap/V6.0/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:$ORACLE_HOME/lib
else LD_LIBRARY_PATH=${SIEBEL_ROOT}/lib:${SIEBEL_ROOT}/lib/odbc/merant:/opt/IBM/ldap/V6.0/lib:${MWHOME}/lib:${SQLANY}/lib:/usr/lib:$ORACLE_HOME/lib:${LD_LIBRARY_PATH}
fi
..... 
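The two things Step 1 depends on, no stray ldap* utilities left on PATH and the IBM lib directory present on LD_LIBRARY_PATH in siebenv.sh, can be checked with a small script before and after the install. This is an added POSIX sh example, not code from the original post; it assumes the post's /opt/IBM/ldap/V6.0/lib path and, for the stand-alone run at the bottom, a SIEBEL_HOME variable pointing at the Siebel root.

```shell
# Added example, not from the original post: preflight checks for Step 1.
# Assumes the IBM SDK lib directory is /opt/IBM/ldap/V6.0/lib, as in the post.

# Print every executable named ldap* found on a PATH-style list of directories
# ($1, default: $PATH). Returns 0 when nothing was found and 1 otherwise, so it
# can be used as a gate before running pkgadd.
find_conflicting_ldap_tools() {
    search_path=${1:-$PATH}
    found=0
    oldifs=$IFS
    IFS=:
    set -- $search_path        # split the list on ':' into $1, $2, ...
    IFS=$oldifs
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/ldap*; do
            # an unmatched glob leaves the literal pattern, which -f rejects
            [ -f "$f" ] && [ -x "$f" ] || continue
            printf '%s\n' "$f"
            found=1
        done
    done
    return $found
}

# Succeed only if the siebenv.sh given as $1 puts the IBM lib directory
# ($2, defaulting to the post's path) on LD_LIBRARY_PATH, i.e. the edit
# described in Step 1 has been applied to that file.
check_siebenv_lib_path() {
    libdir=${2:-/opt/IBM/ldap/V6.0/lib}
    grep -q "LD_LIBRARY_PATH=.*${libdir}" "$1"
}

# Stand-alone run against the live environment.
if find_conflicting_ldap_tools; then
    echo "no conflicting ldap* tools on PATH"
else
    echo "move the tools listed above aside before installing the IBM LDAP Client SDK"
fi
for env_file in "${SIEBEL_HOME:-/dev/null}/siebsrvr/siebenv.sh" \
                "${SIEBEL_HOME:-/dev/null}/gtwysrvr/siebenv.sh"; do
    [ -f "$env_file" ] || continue
    if check_siebenv_lib_path "$env_file"; then
        echo "$env_file: IBM lib path present on LD_LIBRARY_PATH"
    else
        echo "$env_file: IBM lib path missing from LD_LIBRARY_PATH"
    fi
done
```

Run it once before pkgadd (it should list the utilities you still have to move) and once after editing both siebenv.sh files (it should report the lib path present for both).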

Step 2. Create Active Directory accounts

You need at least one directory account for the Siebel Administrator: SADMIN. You can create this as a regular Active Directory user, with no special permissions.

Step 3. Create/Check LDAPUSER Siebel account

For the Active Directory integration, the Siebel LDAP Security Adapter needs to use a database account that can impersonate any user. This account is named LDAPUSER and is created by default in any Siebel installation, with a default password that is the same as the account name (ldapuser). This database account also has a special role granted: SSE_ROLE. Please check that LDAPUSER has this role granted.

Try to log in to the Siebel application with this account. If that does not work, create a Siebel user with the same name.

Step 4. Configure Siebel LDAP Security Adapter

Starting with Siebel 8, Oracle recommends using the LDAP Security Adapter instead of the ADSI Adapter for integrating with Microsoft Active Directory or any other LDAP directory. The LDAP Adapter has been greatly improved and includes all the features of the ADSI Adapter.


To configure the adapter, log in to the Siebel application as a Siebel Administrator user and go to the following view: Site Map -> Administration - Server Configuration > Enterprises > Profile Configuration, then select LDAP Security Adapter from the table. Choose the Parameters tab below and set the following parameters:


Parameter Name                   Value
-------------------------------  --------------------------------------------
Application User                 CN=Administrator,CN=Users,DC=mydomain,DC=com
Application Password             <Administrator_Password>
Base Dn                          DC=mydomain,DC=com
Credentials Attribute Type       url
Port                             389
Hash DB Cred                     False
Hash User Password               False
Password Attribute Type          userPassword
Server Name                      directoryserver.mydomain.com
Siebel Username Attribute Type   sAMAccountName
Shared DB Username               LDAPUSER
Shared DB Password               ldapuser
Username Attribute Type          sAMAccountName
Propagate Change                 False

A few comments on the parameters above:

Shared DB Username and Shared DB Password
You can use these two parameters instead of the Shared Credentials DN and avoid creating a directory account to hold these credentials. Do not set both the Shared Credentials DN and the Shared DB Username/Password parameters!

The Shared DB Username and Shared DB Password parameters must hold the database account values from Step 3.

Propagate Change
You can set this to True if you want Siebel account details to be propagated back to the directory server. If you specify this option, then you must also set the SecThickClientExtAuthent system preference to TRUE.


Step 5. Configure a Siebel component to use the LDAP Security Adapter

You can configure individual Siebel components to use the LDAP Security Adapter, while leaving others to use the DB Security Adapter.


To specify the adapter for a certain component, go to the Site Map -> Administration - Server Configuration > Enterprises > Component Definitions view, choose the component and set the following values in the Parameters tab:



Parameter Name           Value
-----------------------  -----------
Security Adapter Mode    LDAP
Security Adapter Name    LDAPSecAdpt


Step 6. Update $SIEBEL_HOME/sweapp/bin/eapps.cfg

You need to update $SIEBEL_HOME/sweapp/bin/eapps.cfg (or $SIEBEL_HOME/sweapp/bin/eapps_sia.cfg, etc.) so that the LDAP-enabled Siebel components use the new LDAP credentials.


In this file, go to the section for the LDAP-enabled Siebel component (e.g. [/edemocomponent_enu]) and set the following parameters:
  • EncryptedPassword = false
  • AnonUserName = SADMIN
  • AnonPassword = <directory password of the SADMIN user, in clear text>
Note: If you don't want to use a clear-text password, set the EncryptedPassword parameter to true and encrypt your password using the $SIEBEL_HOME/sweapp/bin/encryptstring utility.

After updating the component parameters, the section should look something like:

[/edemocomponent_enu]
ConnectString = siebel.TCPIP.None.None://siebeldev:2321/SBLDEV/PSCcObjMgr_enu
WebPublicRootDir = /SIEBEL/sweapp/public/enu
SiebEntSecToken = 321pq2LcPpwBDAAfFP==
EncryptedPassword = false
AnonUserName = SADMIN
AnonPassword = asdqwe123
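Because eapps.cfg typically holds many component sections, it is easy to lose track of which ones still carry a clear-text AnonPassword after the change above. The following is an added POSIX sh/awk example, not code from the original post: it reports every section that sets EncryptedPassword = false together with a non-empty AnonPassword, so the encryptstring note above can be applied to exactly those sections. The sample file it writes is constructed for the demonstration; its section names and values are not real.

```shell
# Added example, not from the original post: audit eapps.cfg for component
# sections whose anonymous-user password is stored in clear text
# (EncryptedPassword = false with an AnonPassword set).

# Print the name of every [section] in the file given as $1 that sets
# EncryptedPassword = false and a non-empty AnonPassword. Sections without an
# explicit EncryptedPassword are not reported; this check does not assume what
# the parameter defaults to when it is absent.
audit_eapps_cleartext() {
    awk '
        function flush() {
            if (section != "" && enc == "false" && pw != "") print section
            section = ""; enc = ""; pw = ""
        }
        /^[ \t]*\[/ {                  # a new [section] starts: report the previous one
            flush()
            section = $0
            sub(/^[ \t]*/, "", section); sub(/[ \t]*$/, "", section)
            next
        }
        /^[ \t]*EncryptedPassword[ \t]*=/ {
            enc = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", enc); enc = tolower(enc)
        }
        /^[ \t]*AnonPassword[ \t]*=/ {
            pw = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", pw)
        }
        END { flush() }
    ' "$1"
}

# Write a constructed eapps.cfg to $1 for the demonstration. Only the first
# section should be reported: the second stores an encryptstring-encrypted
# password and the third has no anonymous credentials at all.
write_sample_eapps() {
    cat > "$1" <<'EOF'
[/edemocomponent_enu]
ConnectString = siebel.TCPIP.None.None://siebeldev:2321/SBLDEV/PSCcObjMgr_enu
WebPublicRootDir = /SIEBEL/sweapp/public/enu
EncryptedPassword = false
AnonUserName  = SADMIN
AnonPassword  = EXAMPLE_CLEARTEXT_PASSWORD

[/example_encrypted_enu]
ConnectString = siebel.TCPIP.None.None://siebeldev:2321/SBLDEV/ExampleObjMgr_enu
EncryptedPassword = true
AnonUserName  = SADMIN
AnonPassword  = EXAMPLE_ENCRYPTED_BLOB

[/example_dbauth_enu]
ConnectString = siebel.TCPIP.None.None://siebeldev:2321/SBLDEV/ExampleDbObjMgr_enu
EOF
}

# Stand-alone run on the constructed file.
demo_dir=$(mktemp -d)
write_sample_eapps "$demo_dir/eapps.cfg"
echo "sections with a clear-text AnonPassword:"
audit_eapps_cleartext "$demo_dir/eapps.cfg"
rm -rf "$demo_dir"
```

On a real server, point audit_eapps_cleartext at $SIEBEL_HOME/sweapp/bin/eapps.cfg (and eapps_sia.cfg) instead of the sample; every section it prints is one where the password is readable by anyone who can read the file.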



After all of this is completed, restart both the Siebel server and the corresponding web server.

6 comments:

  1. Hello, Flavius Burca.
    If I skip steps 5 and 6, will it still work?

  2. you should not use SADMIN in the eapps.cfg unless you have a knack for job hopping.

  3. Great post.
    Excuse me, I have a question. The above steps are for integrating authentication with Active Directory Server; did you also try integration for authorization? I.e. Siebel groups are matched to Active Directory Server groups, so whenever a user is added in Active Directory Server and assigned to specific groups in Active Directory Server, he will have the corresponding access on forms when accessing Siebel.

    If you have tried it, please let me know.
