Monday, 27 July 2015

4 Simple steps to Configure Passthough Authentication in TDS and Configuring the same to ISAM.

Firstly, Thank you all for the Great Responses and Awesome Support Shown to this blog 
If you have any doubts or issues about the Posts please do comment and we would get back to you at the Earliest.
Thanks and Keep Supporting ............

Now Lets get to the Matter in hand.

Everyone in the current corporate jungle is always looking for an extra piece of security to safe guard their corporate information

For satisfying the strict mandatory security conditions with an ease of access portfolio in mind an IDM Component is designed to provide a lot of extra functionalities to over come them.
and a Product like IBM is no exception, 

One of those Functionalities is the support of Passthrough Authentication.
Pass-through authentication is a mechanism which allows a client to bind to a directory server even if the user credential is not available locally. Using this mechanism the server attempts to verify the credentials from another external directory server or a pass-through server on behalf of the client

So, In much simpler ways - 
If you are using TDS as a user base to store User Details for an application like ISAM or any other product, But you have all your user details in an AD or any other directory server and you want to leverage that information.

In this case i am configuring a passthrough from TDS to AD.
What happens is that when any system tries to validate your USERID and Password from TDS. 
The TDS gets the bind request and knows the passthrough is configured then in this case the TDS connects to the AD machine and gets the password and validates it with the user provided password, but the TDS does not store any password information and all the password information is stored in the passthrough server(In this case the AD) rather than the TDS.

Ok I know that you if you are reading this page then you have already done your research and dont want to hear all this again,
So without further adieu the steps to configure Passthrough authetication from TDS/SDS to AD:

There are lot of ways for configuring passthrough but the below steps are one of the easy ones:

Enabling Pass through authentication from WebAdmin(IDSWebApp)

Step 1: enable Passthrough authentication option on your TDS/SDS:
If you are doing it through WebAdmin console then after logging in expand the Server Administration and click on Manage Security Properties and click on Passthorugh authetication TAB and select the Passthrough authentication checkbox for enabling it.

Step 2: Adding the details of the Passthrough server(AD):
Click on Add Button and enter the details of the Passthrough server like the host name and port and in the DN enter the suffix in the TDS for which you want the Passthrough enabled.

Step 3: Now Click on Next and in the next screen and check the option Enable Attribute Mapping. 
Enter the Bind Credentials of the Passthrough(AD) server and click on search base and select the OU in the Passthrough server you want to configure to.
In the Attribute for this directory server make sure to select an attribute that is present in the TDS like CN,SN,uid or any unique attribute in TDS.
In the Attribute from the Passthrough Server select an attribute that is present in the Passthrough Server(AD) like sAMAccountName,UserPrincipleName e.t.c.
The Attribute might not showup in the dropdown so make sure to enter them manually.
Click on Finish.

Step 4: Restart the TDS Instance. The server restart should be enough.


Enabling Passthrough authentication from Command Line:

This is my favourite as it is very easy and very clean.
Step 1: Browse to the bin folder of your TDS installed Location and create an LDIF file with the below (only the ones that are in Bold) Entries in it.
In my case i created a file called PTA.ldif


dn: cn=Configuration
changetype: modify
replace: ibm-slapdPtaEnabled
ibm-slapdPtaEnabled: true

dn: cn=Passthrough Server1, cn=Passthrough Authentication, cn=Configuration
changetype: add
cn: Passthrough Server1
ibm-slapdPtaURL: ldap://<PTA hostname>:<port>
ibm-slapdPtaSubtree: o=sample1
ibm-slapdPtaAttrMapping: uid $ userPrincipalName
ibm-slapdPtaSearchBase: c=in,dc=com
ibm-slapdPtaBindDN: <bind DN>
ibm-slapdPtabindPW: <bind password>
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdPta
objectclass: ibm-slapdPtaExt



o=sample1 -- is the Suffix in the TDS instance on which you want the Passthrough Authentication enabled.
ibm-slapdPtaAttrMapping -- "uid" is the Attribute from the TDS and "userPrincipalName" is the attribute from the Passthrough Server(AD).
c=in,dc=com -- is the Suffix in the AD on which you want the passthrough to be configured to.

Step 2: Execute the Below command with your TDS instance details.
ldapmodify -h <hostname> -p <port> -D <adminDN> -w <adminPWD> -f <Location of the PTA.ldif file>

Step 3: Restart the TDS Instance.

Step 4: Have a Cup of Coffee or a bottle of Beer or both as you have successfully configured the Pass Through Authentication.


Note: You would need to keep the Password field in LDAP to Empty as the password is to be fetched from the Passthrough Server(AD)

Special Note: Make sure that you have all the required ports open in the firewall or else your Coffee/Beer can turn into a Nightmare at office.


Now For Configuring the Same to the ISAM.
While Configuring the Policy Server make sure to configure the LDAP suffix to the suffix on which the Passthough is enabled.


After configuring the Policy server and webseal instance modify the property auth-using-compare to no in the ivmgrd.conf and the webseald.conf file.

Make sure to restart the Policy Server and the Webeal for the changes to be reflected Properly.