Starting with version 1.3.1, IBM Operations Analytics – Log Analysis supports role-based access control (RBAC), where the role and permission artifacts are managed in the internal Derby database. Authentication, however, can be configured against either LDAP or the Log Analysis custom user registry running on WebSphere Liberty.
In my previous blog post, I explained how role-based access control works. In this post, I summarize how to integrate LDAP with Log Analysis.
Log Analysis runs as an application in the Liberty container and leverages Liberty's LDAP integration. Beginning with Log Analysis 1.3.1, LDAP can be configured for authentication alongside the RBAC feature in Log Analysis: authentication is performed against the LDAP server, while the authorization data (roles, permissions and user-to-role associations) is stored in, and read from, the Derby database. Storing Log Analysis roles and permissions in LDAP, or using roles and groups defined in LDAP for access control in Log Analysis, is not supported in this release and remains a requirement for future consideration.
Authentication using LDAP follows the standard Liberty LDAP configuration, in which an administrator can configure one or more LDAP servers for authentication. Note, however, that user IDs must be unique across all configured LDAP servers.
After LDAP is configured, a user must be registered with the Log Analysis server by an administrator before he or she can log in to Log Analysis. To bootstrap this sequence, Log Analysis ships the unityadmin user out of the box; this user must also exist in LDAP and be mapped to the unityadmin security role. Make sure the unityadmin account is present in LDAP before you switch authentication over, otherwise no administrator will be able to log in and register the remaining users.
Registering an LDAP user with Log Analysis is essentially a manual replication of that LDAP user, since no automated procedure (scripts) is provided for it. Likewise, when a user is deleted from LDAP, the administrator must also delete the user from Log Analysis: the user can no longer authenticate, but the registration and its role associations remain in Log Analysis until they are removed. Once LDAP users are registered in Log Analysis, you can define roles and associate users with them.
Follow these steps to integrate LDAP with Log Analysis:
- Configure LDAP with Liberty right after installing Log Analysis.
- Log in as unityadmin (the account present in your LDAP server) and register/add users in Log Analysis.
- Create roles and permissions, and associate users with roles. After this, a user can start accessing Log Analysis.
Keep in mind that after configuring LDAP, you should not switch back to the custom user registry for authentication.
LDAP configuration for Log Analysis can be done either manually or with the scripts provided with the Log Analysis installation. During configuration, make sure to specify the correct baseDN and set appropriate user and group filters, depending on how objects are stored in your LDAP server. Likewise, set up SSL between Liberty and the LDAP server by following the detailed steps, which include creating a KeyStore and a TrustStore and importing the LDAP server certificate into the TrustStore.
Configuring multiple LDAP Servers
Using multiple LDAP servers with the Liberty profile is a standard Liberty feature that Log Analysis relies on. This configuration must be done manually: generate or create an ldapRegistry.xml file for each LDAP server, then merge the files so that all ldapRegistry elements sit under a single server element (a Liberty configuration file has only one).
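To make the single-server settings (baseDN, filters, SSL) and the merged multi-server layout concrete, here is an added example of a merged Liberty configuration. It is my own illustration, not a file shipped with Log Analysis or produced by its scripts. It defines two LDAP registries, one Tivoli Directory Server and one Active Directory, both over LDAPS with a shared SSL configuration. The hostnames, DNs, bind accounts, keystore paths and passwords are placeholders, and the user/group filters are typical ones for each directory type that you must adjust to how objects are stored in your directory.

```xml
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>

  <!-- SSL settings shared by both registries. The trust store must contain the
       certificate (or issuing CA) of each LDAP server; import it with the JDK
       keytool before starting the server. Paths and passwords are placeholders:
       replace "changeit" with a securityUtility-encoded value. -->
  <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore"/>
  <keyStore id="LDAPKeyStore" type="JKS" password="changeit"
      location="${server.config.dir}/resources/security/LdapSSLKeyStore.jks"/>
  <keyStore id="LDAPTrustStore" type="JKS" password="changeit"
      location="${server.config.dir}/resources/security/LdapSSLTrustStore.jks"/>

  <!-- Registry 1: IBM Tivoli Directory Server (placeholder host and DNs).
       Weak variant to avoid: port="389" sslEnabled="false", which sends the bind
       password and every user password in cleartext. -->
  <ldapRegistry id="tds" realm="TDSRealm"
      host="tds.example.com" port="636" sslEnabled="true" sslRef="LDAPSSLSettings"
      ldapType="IBM Tivoli Directory Server"
      baseDN="ou=people,o=example,c=us"
      bindDN="cn=liberty-bind,ou=service,o=example,c=us" bindPassword="changeit"
      ignoreCase="true">
    <!-- %v is replaced by the login ID; the filter decides which attribute is the user ID -->
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
        userIdMap="*:uid" groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember"/>
  </ldapRegistry>

  <!-- Registry 2: Microsoft Active Directory (placeholder host and DNs).
       Both registries live under this one server element; user IDs (uid here,
       sAMAccountName there) must not collide across them. -->
  <ldapRegistry id="ad" realm="ADRealm"
      host="dc01.corp.example.com" port="636" sslEnabled="true" sslRef="LDAPSSLSettings"
      ldapType="Microsoft Active Directory"
      baseDN="ou=Users,dc=corp,dc=example,dc=com"
      bindDN="cn=liberty-bind,ou=Service Accounts,dc=corp,dc=example,dc=com" bindPassword="changeit"
      ignoreCase="true">
    <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName" groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member"/>
  </ldapRegistry>
</server>
```

Two practical checks before you cut over: first, confirm that the unityadmin account resolves through one (and only one) of these registries, since that is the account you will use to register everyone else; second, use a bind account with read-only rights scoped to the baseDN rather than a directory administrator, and keep its password out of the file in plaintext by encoding it with the Liberty securityUtility tool.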
Here is a flowchart that depicts various states a user can be in when integrating LDAP with Log Analysis.
Log Analysis has been tested with Microsoft Active Directory and IBM Tivoli Directory Server, both individually and in combination.