Configuring LDAP/Active Directory Logon
You can configure erwin Data Intelligence Suite (DI Suite) to use LDAP or Active Directory logon using the database.properties file. Ensure that the following prerequisites are in place:
- Create an organizational unit (OU) in Active Directory and create roles corresponding to the ones available in erwin DI Suite, except Administrator. Ensure that the role names in Active Directory match the role names in erwin DI Suite. For example, create an organizational unit, AMMRoles, in Active Directory. Then, under AMMRoles, create all the roles (ETLDeveloper, Mapping Admin, Power User, Tester, and so on) available in erwin DI Suite.
- For the Administrator role, create a group in Active Directory. The name of the group cannot be Administrator, because a Global Group named Administrator already exists in Active Directory. For example, create an administrator role, AMMAdministrator, in Active Directory.
Following is a sample snippet of LDAP properties:
```properties
#Start LDAP Properties #uid,sAMAccount,cn
IsLDAPEnabled=false
LDAPLoginAttribute=sAMAccountName
LDAPServerUrl=ldap://<ldapserver/ipaddress>:389/DC=ERWIN,DC=LOCAL
LDAPUserDN=CN=ammuser,OU=AMMEmployees,DC=ERWIN,DC=LOCAL
LDAPServerPassword=<ldappwd>
LDAPSearchBase=DC=ERWIN,DC=LOCAL
LDAPBindUser=ammuser
LDAPBindServerURL=ldap://<ldapserver/ip>:389
SearchBase=
SearchFilter=(sAMAccountName={0})
GroupRoleAttribute=cn
ConstructorArg=OU=AMMRoles
LDAPAdminGroupName=AMMAdministrator
## END LDAP Properties
```
The following table lists LDAP configuration parameters:
| Parameter | Description-Value |
|---|---|
| IsLDAPEnabled | Set to True. |
| LDAPLoginAttribute | Set the login attribute name used to bind to the LDAP database. It can be any of uid, sAMAccountName, or cn, as set up in the directory. For example, LDAPLoginAttribute=sAMAccountName. |
| LDAPServerUrl | Set the fully qualified URL of the LDAP server, including its IP address, port number, and domain controller. For example, LDAPServerUrl=ldap://192.168.1.10:389/DC=ERWIN,DC=LOCAL |
| LDAPUserDN | Set the LDAP bind user as a fully qualified distinguished name. You can use any user DN that has the privilege to search LDAP/Active Directory. For example, in the following case, ammuser is the bind user: LDAPUserDN=CN=ammuser,OU=AMMEmployees,DC=ERWIN,DC=LOCAL |
| LDAPServerPassword | Set the password associated with the LDAP bind user. |
| LDAPSearchBase | Set a fully qualified search base, which limits the authentication server directories that are searched. The standard format is DC=<first part of the distinguished server name>,DC=<any part of the distinguished server name that appears after the dot>. For example, LDAPSearchBase=DC=ERWIN,DC=LOCAL |
| LDAPBindUser | Set the bind user name. For example, LDAPBindUser=ammuser |
| LDAPBindServerUrl | Set the LDAP bind server URL. For example, LDAPBindServerURL=ldap://192.168.1.10:389 |
| SearchBase | Set an OU to limit the authentication server directories that are searched. This parameter is optional. For example, SearchBase=OU=AMMEmployees |
| SearchFilter | Set the login attribute type used to retrieve user information; {0} is replaced with the login name. For example, SearchFilter=(sAMAccountName={0}) |
| GroupRoleAttribute | Set the group role attribute that holds user group information on the LDAP server. It is the identifier used to search for the association between the user and the AMM role. For example, GroupRoleAttribute=cn |
| ConstructorArg | Set the path where the AMM roles are created. For example, ConstructorArg=OU=AMMRoles |
| LDAPAdminGroupName | Set the AMM administrator role name. For example, LDAPAdminGroupName=AMMAdministrator |
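The following script is an added example, not part of the erwin DI Suite product or its documentation. It reads the LDAP section of a properties file in the format shown above, checks the parameters for consistency before the settings are put into a real database.properties, shows how the {0} placeholder in SearchFilter must be escaped when a login name is substituted, and resolves a user's group memberships to DI Suite roles using ConstructorArg and LDAPAdminGroupName. The sample properties and the memberOf values are constructed; the host name ldap.example.local, the password, and the OU=AMMGroups location of the administrator group are assumptions, as is the rule that only groups directly under the ConstructorArg OU count as roles. No directory connection is made.

```python
"""Offline consistency check for the LDAP section of database.properties (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample: the page's snippet with IsLDAPEnabled set to true and placeholders filled in.
SAMPLE_PROPERTIES = """\
#Start LDAP Properties #uid,sAMAccount,cn
IsLDAPEnabled=true
LDAPLoginAttribute=sAMAccountName
LDAPServerUrl=ldap://ldap.example.local:389/DC=ERWIN,DC=LOCAL
LDAPUserDN=CN=ammuser,OU=AMMEmployees,DC=ERWIN,DC=LOCAL
LDAPServerPassword=changeme
LDAPSearchBase=DC=ERWIN,DC=LOCAL
LDAPBindUser=ammuser
LDAPBindServerURL=ldap://ldap.example.local:389
SearchBase=
SearchFilter=(sAMAccountName={0})
GroupRoleAttribute=cn
ConstructorArg=OU=AMMRoles
LDAPAdminGroupName=AMMAdministrator
## END LDAP Properties
"""

# Constructed memberOf values for one user; the OU=AMMGroups location is an assumption.
SAMPLE_MEMBER_OF = [
    "CN=ETLDeveloper,OU=AMMRoles,DC=ERWIN,DC=LOCAL",
    "CN=Domain Users,CN=Users,DC=ERWIN,DC=LOCAL",
    "CN=Tester,OU=AMMRoles,DC=ERWIN,DC=LOCAL",
    "CN=AMMAdministrator,OU=AMMGroups,DC=ERWIN,DC=LOCAL",
]

REQUIRED = ("IsLDAPEnabled", "LDAPLoginAttribute", "LDAPServerUrl", "LDAPUserDN",
            "LDAPServerPassword", "LDAPSearchBase", "LDAPBindUser", "LDAPBindServerURL",
            "SearchFilter", "GroupRoleAttribute", "ConstructorArg", "LDAPAdminGroupName")


def parse_properties(text):
    """Parse key=value lines; '#' lines are comments, SearchBase may legitimately be empty."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def validate(props):
    """Return a list of problems; an empty list means the section is internally consistent."""
    problems = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"missing or empty: {key}")
    if props.get("IsLDAPEnabled", "").lower() != "true":
        problems.append("IsLDAPEnabled is not true; LDAP logon stays disabled")
    if props.get("LDAPLoginAttribute") not in ("uid", "sAMAccountName", "cn"):
        problems.append("LDAPLoginAttribute must be uid, sAMAccountName or cn")
    url = urlparse(props.get("LDAPServerUrl", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        problems.append("LDAPServerUrl is not a usable ldap:// or ldaps:// URL")
    elif url.scheme == "ldap":
        # A simple bind over plain ldap:// sends LDAPServerPassword unencrypted.
        problems.append("LDAPServerUrl uses plain ldap://; prefer ldaps:// so the bind password is encrypted in transit")
    if "{0}" not in props.get("SearchFilter", ""):
        problems.append("SearchFilter has no {0} placeholder, so the login name is never substituted")
    if not props.get("ConstructorArg", "").upper().startswith("OU="):
        problems.append("ConstructorArg should name the OU that holds the roles, e.g. OU=AMMRoles")
    if not re.match(r"^CN=[^,]+(,(OU|DC|CN)=[^,]+)+$", props.get("LDAPUserDN", ""), re.I):
        problems.append("LDAPUserDN is not a fully qualified distinguished name")
    return problems


# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value before it is substituted for {0} in SearchFilter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(props, login_name):
    """Substitute the escaped login name into SearchFilter."""
    return props["SearchFilter"].replace("{0}", escape_filter_value(login_name))


def resolve_roles(props, member_of):
    """Map memberOf DNs to DI Suite roles.

    Groups directly under ConstructorArg (within LDAPSearchBase) become roles named by
    GroupRoleAttribute; the group named LDAPAdminGroupName becomes Administrator wherever it
    lives. DNs are split on commas, so escaped commas are not handled (none in the sample).
    """
    role_ou = (props["ConstructorArg"] + "," + props["LDAPSearchBase"]).upper()
    attr = props["GroupRoleAttribute"].lower()
    roles = []
    for dn in member_of:
        parts = [p.strip() for p in dn.split(",")]
        name, _, value = parts[0].partition("=")
        parent = ",".join(parts[1:]).upper()
        if name.lower() != attr:
            continue
        if value == props["LDAPAdminGroupName"]:
            roles.append("Administrator")
        elif parent == role_ou:
            roles.append(value)
    return roles


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for problem in validate(props):
        print("WARN:", problem)
    print(build_search_filter(props, "jdoe"))
    print(resolve_roles(props, SAMPLE_MEMBER_OF))
```

Run against the page's own snippet (IsLDAPEnabled=false, angle-bracket placeholders), validate reports that logon stays disabled and that LDAPServerUrl is not usable, which is the state a fresh install is in before the values are filled in.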
Copyright © 2020 erwin, Inc.
All rights reserved.