Communities
A collaborative platform to connect and grow with like-minded Informaticans across the globe
Product Communities
Connect and collaborate with Informatica experts and champions
Discussions
Have a question? Start a Discussion and get immediate answers you are looking for
User Groups
Customer-organized groups that meet online and in-person. Join today to network, share ideas, and get tips on how to get the most out of Informatica
Get Started
Community Guidelines
Knowledge Center
Troubleshooting documents, product guides, how to videos, best practices, and more
Knowledge Base
One-stop self-service portal for solutions, FAQs, Whitepapers, How Tos, Videos, and more
Support TV
Video channel for step-by-step instructions to use our products, best practices, troubleshooting tips, and much more
Documentation
Information library of the latest product documents
Velocity (Best Practices)
Best practices and use cases from the Implementation team
Learn
Rich resources to help you leverage full capabilities of our products
Trainings
Role-based training programs for the best ROI
Certifications
Get certified on Informatica products. Free, Foundation, or Professional
Product Learning Paths
Free and unlimited modules based on your expertise level and journey
Resources
Library of content to help you leverage the best of Informatica products
Tech Tuesdays Webinars
Most popular webinars on product architecture, best practices, and more
Product Availability Matrix
Product Availability Matrix statements of Informatica products
SupportFlash
Monthly support newsletter
Support Documents
Informatica Support Guide and Statements, Quick Start Guides, and Cloud Product Description Schedule
Product Lifecycle
End of Life statements of Informatica products
Ideas
Events
Change Request Tracking
Marketplace
English
  • Common Content for Data Engineering 10.2.1
  • All Products

Table of Contents

Search

  1. About the Security Guide
  2. Introduction to Informatica Security
  3. User Authentication
  4. LDAP Security Domains
  5. Kerberos Authentication
  6. Domain Security
  7. SAML Authentication for Informatica Web Applications
  8. Security Management in Informatica Administrator
  9. Users and Groups
  10. Privileges and Roles
  11. Permissions
  12. Audit Reports
  13. Command Line Privileges and Permissions
  14. Custom Roles
  15. Default List of Cipher Suites

Security Guide

Security Guide

Back Next

Step 1. Import User Accounts from Active Directory into an LDAP Security Domain

Step 1. Import User Accounts from Active Directory into an LDAP Security Domain

Import Informatica user accounts from Active Directory into the LDAP security domain that contains Kerberos user accounts.
When you enable Kerberos authentication in the domain, Informatica creates an empty LDAP security domain with the same name as the Kerberos realm. You can import user accounts from Active Directory into this LDAP security domain, or you can import the user accounts into a different LDAP security domain.
You use the Administrator tool to import the user accounts that use Kerberos authentication from Active Directory into an LDAP security domain.
  1. Start the domain and all Informatica services. Start the services in the following order:
    • Model Repository Service
    • Data Integration Service
    • Analyst Service
    • Content Management Service
    • PowerCenter® Repository Service
    • PowerCenter® Integration Service
    • Metadata Manager Service
  2. Log in to Windows with the administrator account you specified when you enabled Kerberos authentication in the domain.
    The following image shows the user name and password for nodeuser01 entered in the login dialog box:
    The Windows login dialog box shows the user name for the administrator user specified when you enabled Kerberos authentication.
  3. Log in to the Administrator tool. Select _infaInternalNamespace as the security domain.
    The following image shows _infaInternalNamespace selected as the security domain:
    The Administrator tool login dialog shows the _infaInternalNamespace security domain selected.
  4. In the Administrator tool, click the
    Security
     tab.
  5. Click the
    Actions
     menu and select
    LDAP Configuration
    .
  6. In the
    LDAP Configuration
     dialog box, click the
    LDAP Connectivity
     tab.
  7. Configure the connection properties for the Active Directory.
    You might need to consult the LDAP administrator to get the information needed to connect to the LDAP server.
    The following table describes the LDAP server configuration properties:
    Property
    Description
    Server name
    Host name or IP address of the Active Directory server.
    Port
    Listening port for the Active Directory server.
    LDAP Directory Service
    Select Microsoft Active Directory Service.
    Name
    Specify the bind user account you created in Active Directory to synchronize accounts in Active Directory with the LDAP security domain.
    Because the domain is enabled for Kerberos authentication, you do not have the option to provide a password for the account.
    Use SSL Certificate
    Indicates that the LDAP server uses the Secure Socket Layer (SSL) protocol.
    Trust LDAP Certificate
    Determines whether the Service Manager can trust the SSL certificate of the LDAP server. If selected, the Service Manager connects to the LDAP server without verifying the SSL certificate. If not selected, the Service Manager verifies that the SSL certificate is signed by a certificate authority before connecting to the LDAP server.
    Not Case Sensitive
    Indicates that the Service Manager must ignore case sensitivity for distinguished name attributes when assigning users to groups.
    Group Membership Attribute
    Name of the attribute that contains group membership information for a user. This is the attribute in the LDAP group object that contains the DNs of the users or groups who are members of a group. For example,
    member
     or
    memberof
    .
    Maximum Size
    Maximum number of user accounts to import into a security domain. For example, if the value is set to 100, you can import a maximum of 100 user accounts into the security domain.
    If the number of user to be imported exceeds the value for this property, the Service Manager generates an error message and does not import any user. Set this property to a higher value if you have many users to import.
    Default is 1000.
    The following image shows the ldapuser user account specified with the connection details for an Active Directory server set in the LDAP Connectivity panel of the
    LDAP Configuration
     dialog box:
    The LDAP Connectivity dialog box contains the connection details for the Active Directory server.
  8. In the
    LDAP Configuration
     dialog box, click the
    Security Domains
     tab.
  9. Click
    Add
    .
    The following table describes the filter properties that you can set for a security domain:
    Property
    Description
    Security Domain
    Name of the LDAP security domain into which you want to import user accounts from Active Directory.
    User search base
    Distinguished name (DN) of the entry that serves as the starting point to search for user names in Active Directory. The search finds an object in the directory according to the path in the distinguished name of the object.
    For example, to search the USERS container that contains Informatica user accounts in the example.com Windows domain, specify CN=USERS,DC=EXAMPLE,DC=COM.
    User filter
    An LDAP query string that specifies the criteria for searching for users in the directory service. The filter can specify attribute types, assertion values, and matching criteria.
    For example:
    (objectclass=*)
    searches all objects.
    (&(objectClass=user)(!(cn=susan)))
     searches all user objects except “susan”. For more information about search filters, see the documentation for the LDAP directory service.
    Group search base
    Distinguished name (DN) of the entry that serves as the starting point to search for group names in the LDAP directory service.
    Group filter
    An LDAP query string that specifies the criteria for searching for groups in the directory service.
    The following image shows the information required to import LDAP users from Active Directory into the LDAP security domain created when you enabled Kerberos in the domain:
    The Security Domains dialog box shows the details for the COMPANY.COM LDAP security domain.
  10. Click
    Synchronize Now
    .
    The Service Manager synchronizes the users in all the LDAP security domains with the users in the LDAP directory service. The time it takes for the synchronization process to complete depends on the number of users and groups to be imported.
  11. Click
    OK
     to save the LDAP security domain.
0 COMMENTS
We’d like to hear from you!