Last time we talked about the concepts involved in authentication using Active Directory. This week, we’ll have a look at how to apply these concepts by creating an authentication profile in Siebel, for use by an Object Manager.
First up, go into Site Map > Administration – System Configuration > Enterprises > Profile Configuration
If you query for Profile = ADSI*, you’ll see a vanilla AD security adapter configuration. If you’re going to try changing things, take a copy of this first so that you can always refer back to the original.
So, here are the values you’ll need to fill in:

| Parameter | Description | Example |
|---|---|---|
| Server Name | The name of your directory server | intra.myco.local |
| Port | The port on which your server is listening | 389 |
| Base DN | The container which will act as the root of your user objects | OU=USERS, DC=INTRA, DC=MYCO, DC=LOCAL |
| Application User DN | An AD user that has the ability to add and modify existing objects | CN=ADSIUSER, OU=USERS, DC=INTRA, DC=MYCO, DC=LOCAL |
| Application Password | Password for the user above | xxxxxx |
| Propagate Change | Whether or not changes in Siebel will propagate down to AD | True |
| Shared DB User Name | User name of the DB account which is used to access the Siebel Database | SADMIN |
| Shared DB Password | Password for the user above | xxxxxx |
Once you’re happy with this configuration, you simply need to tell your OM component to use the new profile for authentication. Do this through Site Map > Administration – System Configuration > Servers > Components > Parameters. Set the following parameter values:

| Parameter | Description | Example |
|---|---|---|
| Security Adapter Mode | Either ADSI, DB or LDAP | ADSI |
| Security Adapter Name | Name of the profile that you created above | intADSISecAdapt |
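Before switching the OM over, it is worth checking that the profile values are consistent with each other. The script below is an added example (not from the original post or from Siebel) that parses the DNs as this post defines them and reports the settings a reviewer would question; the profile dictionary is constructed from the example values in the table, and the DN parser is deliberately simple (no escaped commas).

```python
import re

# Constructed sample profile mirroring the example values in the table above (not a live environment).
PROFILE = {
    "Server Name": "intra.myco.local",
    "Port": "389",
    "Base DN": "OU=USERS, DC=INTRA, DC=MYCO, DC=LOCAL",
    "Application User DN": "CN=ADSIUSER, OU=USERS, DC=INTRA, DC=MYCO, DC=LOCAL",
    "Propagate Change": "True",
}

# One RDN: attribute name, '=', value; surrounding whitespace is tolerated.
RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)=(.+?)\s*$")

def parse_dn(dn):
    """Split a DN into its RDNs, leaf first: 'CN=X, OU=Y' -> [('CN','X'), ('OU','Y')]."""
    rdns = []
    for part in dn.split(","):
        m = RDN_RE.match(part)
        if not m:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns

def dn_domain(dn):
    """Join the DC components into the DNS-style domain name they encode."""
    return ".".join(value.lower() for attr, value in parse_dn(dn) if attr == "DC")

def is_under(child_dn, base_dn):
    """True when child_dn sits below base_dn in the directory tree (case-insensitive compare)."""
    child = [(a, v.upper()) for a, v in parse_dn(child_dn)]
    base = [(a, v.upper()) for a, v in parse_dn(base_dn)]
    return len(child) > len(base) and child[-len(base):] == base

def check_profile(profile):
    """Return a list of findings for a profile; an empty list means nothing to report."""
    try:
        base = parse_dn(profile["Base DN"])
        parse_dn(profile["Application User DN"])
    except ValueError as err:
        return [str(err)]  # nothing else is meaningful with a broken DN
    findings = []
    domain = ".".join(v.lower() for a, v in base if a == "DC")
    if not profile["Server Name"].lower().endswith(domain):
        findings.append(f"Server Name is not in the domain {domain} implied by the Base DN")
    if profile["Port"] == "389":
        findings.append("Port 389 is plain LDAP: the bind password crosses the wire unencrypted unless TLS is enabled")
    if profile["Propagate Change"].lower() == "true":
        findings.append("Propagate Change is on: the Application User needs write access to the directory")
    return findings
```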
You can troubleshoot by setting event logging on the OM, specifically around the Security Adapter Log and Security Adapter Manager events. I’d also recommend reading through the Siebel Security Guide in Bookshelf.
Please feel free to post if you’re having problems with enabling AD authentication in Siebel or if you have anything else to add.
One of the more complex installation and system administration functions of a Siebel 7 or 8 environment is authentication. Back in the old days, many Siebel sites used out-of-the-box database authentication, which required little or no additional configuration. Nowadays, we want to leverage existing company directories to cut down on unnecessary configuration and maintenance, while also providing a friendlier ‘single sign on’ experience to users. In this post, I want to cover some of the concepts around Active Directory authentication within Siebel and hopefully show you that it is really not as complicated as it seems. It’s a big topic, so we’ll cover principles in this post and the finer details of setting things up in Siebel next time.
I’m going to concentrate on Microsoft Active Directory here, but the principles can be applied to LDAP or any other directory you care to mention.
First up, there are some important concepts and pieces of information that you need to understand:
- Profiles – in Siebel, profiles represent enterprise-wide configuration that can be used and shared by components in the enterprise.
- Security Adapters – these are Siebel-supplied DLLs that provide a black box between Siebel and your chosen authentication software.
- Containers – in AD, these represent subdivisions of objects within the directory. Think of them as folders within a file system.
- Distinguished Name (DN) – this is essentially a ‘path’ to a unique object within the directory, for example a user.
- Base DN – in Siebel terms, this defines a ‘root’ path from which it will look for AD objects and containers.
- Application User – an AD user that has write access to the directory. This is to allow Siebel to propagate changes down to AD.
- Shared Credentials DN – this is the location of an object, usually a user, where database authentication details are stored. This allows the component using the profile to connect to the Siebel database. This has been phased out in Siebel 8.
- Anonymous Employee – User or Employee record that is used to log in as an anonymous user into an Employee application.
- Anonymous User – User record that is used to log in as an anonymous user into a Customer application.
You can define a security adapter profile in a number of ways:
- During installation of the Enterprise
- Through the Siebel Client – Site Map > Administration – Server Configuration > Enterprises > Profile Configuration
- Through the Siebel Gateway Configuration tool
As ever, Bookshelf is here to help, and you can find all this information in the Security Guide.
Next time, we’ll take a look at choosing these values and how to use them to set up AD authentication in Siebel.