Security Guide

Step 2. Configure a Security Domain

Create a security domain for each set of user accounts and groups you want to import from the LDAP directory service. Set up search bases and filters to define the set of user accounts and groups to include in a security domain. The Service Manager uses the user search bases and filters to import user accounts and the group search bases and filters to import groups. The Service Manager imports groups and the list of users that belong to the groups. It imports the groups that are included in the group filter and the user accounts that are included in the user filter.
The names of users and groups to be imported from the LDAP directory service must conform to the same rules as the names of native users and groups. The Service Manager does not import LDAP users or groups if names do not conform to the rules of native user and group names.
Unlike native user names, LDAP user names can be case-sensitive.
When you set up the LDAP directory service, you can use different attributes for the unique ID (UID). The Service Manager requires a particular UID to identify users in each LDAP directory service. Before you configure the security domain, verify that the LDAP directory service uses the required UID.
The following table lists the required UID for each LDAP directory service:

  LDAP Directory Service             UID
  IBM Tivoli Directory Server        uid
  Microsoft Active Directory         sAMAccountName
  Novell eDirectory                  uid
  OpenLDAP                           uid
  Sun Java System Directory Server   uid
The Service Manager does not import the LDAP attribute that indicates whether a user account is enabled or disabled. You must enable or disable an LDAP user account in the Administrator tool. The status of the user account in the LDAP directory service still affects user authentication in application clients. For example, suppose a user account is enabled in the Informatica domain but disabled in the LDAP directory service. If the LDAP directory service allows disabled user accounts to log in, the user can log in to application clients; if the LDAP directory service does not allow disabled user accounts to log in, the user cannot.
If you modify the LDAP connection properties to connect to a different LDAP server, the Service Manager does not delete the existing security domains. You must ensure that the LDAP security domains are correct for the new LDAP server. Modify the user and group filters in the security domains or create additional security domains so that the Service Manager correctly imports the users and groups that you want to use in the Informatica domain.
To configure an LDAP security domain, perform the following steps:
  1. In the Administrator tool, click the Security tab.
  2. Click the Actions menu and select LDAP Configuration.
  3. In the LDAP Configuration dialog box, click the Security Domains tab.
  4. Click Add.
  5. Use LDAP query syntax to create filters to specify the users and groups to be included in the security domain you are creating.
    You might need to consult the LDAP administrator to get the information about the users and groups available in the LDAP directory service.
    The following table describes the filter properties that you can set for a security domain:

    Security Domain
        Name of the LDAP security domain. The name is not case sensitive and must be unique within the domain. It cannot exceed 128 characters or contain the following special characters:
        , + / < > @ ; \ % ?
        The name can contain an ASCII space character except as the first or last character. All other space characters are not allowed.

    User search base
        Distinguished name (DN) of the entry that serves as the starting point to search for user names in the LDAP directory service. The search finds an object in the directory according to the path in the distinguished name of the object.
        For example, in Microsoft Active Directory, the distinguished name of a user object might be cn=UserName,ou=OrganizationalUnit,dc=DomainName, where the series of relative distinguished names denoted by dc=DomainName identifies the DNS domain of the object.

    User filter
        An LDAP query string that specifies the criteria for searching for users in the directory service. The filter can specify attribute types, assertion values, and matching criteria.
        For example, (objectclass=*) searches all objects, and (&(objectClass=user)(!(cn=susan))) searches all user objects except "susan". For more information about search filters, see the documentation for the LDAP directory service.

    Group search base
        Distinguished name (DN) of the entry that serves as the starting point to search for group names in the LDAP directory service.

    Group filter
        An LDAP query string that specifies the criteria for searching for groups in the directory service.
  6. Click Preview to view a subset of the list of users and groups that fall within the filter parameters.
    If the preview does not display the correct set of users and groups, modify the user and group filters and search bases to get the correct users and groups.
  7. To add another LDAP security domain, repeat steps 4 through 6.
  8. To immediately synchronize the users and groups in the security domains with the users and groups in the LDAP directory service, click Synchronize Now.
    The Service Manager synchronizes the users in all the LDAP security domains with the users in the LDAP directory service. The time it takes for the synchronization process to complete depends on the number of users and groups to be imported.
  9. Click OK to save the security domains.
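The following Python script is an added example, not part of the Informatica documentation or product. It reproduces offline what the Preview step in the procedure above does: it evaluates a user or group filter such as (&(objectClass=user)(!(cn=susan))) against entries under a search base, reports which names would be imported, and flags entries that lack the UID attribute the Service Manager requires (sAMAccountName for Active Directory). It also checks a proposed security domain name against the naming rules listed in the Security Domain property. The directory entries are constructed sample data, the filter parser handles only a subset of LDAP filter syntax (&, |, !, equality, presence and * wildcards, no escaped parentheses), and attribute values are compared case-insensitively, which matches Active Directory for most attributes but is an assumption for other servers.

```python
import re

# Constructed sample entries standing in for an Active Directory subtree;
# not taken from any real server.
SAMPLE_ENTRIES = [
    {"dn": "cn=susan,ou=Staff,dc=example,dc=com",
     "objectClass": ["top", "person", "user"], "cn": "susan", "sAMAccountName": "susan"},
    {"dn": "cn=bob,ou=Staff,dc=example,dc=com",
     "objectClass": ["top", "person", "user"], "cn": "bob", "sAMAccountName": "bob"},
    {"dn": "cn=no-uid,ou=Staff,dc=example,dc=com",  # lacks the required UID attribute
     "objectClass": ["top", "person", "user"], "cn": "no-uid"},
    {"dn": "cn=svc-etl,ou=Service,dc=example,dc=com",  # outside the user search base
     "objectClass": ["top", "person", "user"], "cn": "svc-etl", "sAMAccountName": "svc-etl"},
    {"dn": "cn=Admins,ou=Groups,dc=example,dc=com",
     "objectClass": ["top", "group"], "cn": "Admins", "sAMAccountName": "Admins",
     "member": ["cn=bob,ou=Staff,dc=example,dc=com"]},
]

# Characters the Security Domain property description forbids in the name.
FORBIDDEN_IN_DOMAIN_NAME = set(", + / < > @ ; \\ % ?".split())


def valid_security_domain_name(name):
    """Apply the naming rules for a security domain name."""
    if not name or len(name) > 128:
        return False
    if any(c in FORBIDDEN_IN_DOMAIN_NAME for c in name):
        return False
    if name[0] == " " or name[-1] == " ":
        return False
    # Only the ASCII space is allowed as whitespace.
    return not any(c.isspace() and c != " " for c in name)


def parse_filter(text):
    """Parse a subset of LDAP filter syntax into a tree of (op, arg) tuples."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return i + 1, (op, children)
    if op == "!":
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! filter")
        return i + 1, ("!", [child])
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated assertion")
    attr, sep, value = s[i:j].partition("=")
    if not attr or not sep:
        raise ValueError("bad assertion: %r" % s[i:j])
    return j + 1, ("=", (attr, value))


def _values(entry, attr):
    """Case-insensitive attribute lookup; the DN itself is not an attribute."""
    for key, val in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    op, arg = node
    if op == "&":
        return all(matches(c, entry) for c in arg)
    if op == "|":
        return any(matches(c, entry) for c in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, value = arg
    present = _values(entry, attr)
    if value == "*":  # presence test, e.g. (objectclass=*)
        return bool(present)
    # Case-insensitive comparison with '*' wildcards (assumption: AD-style matching).
    pattern = re.compile("^" + ".*".join(re.escape(p) for p in value.split("*")) + "$", re.IGNORECASE)
    return any(pattern.match(v) for v in present)


def in_search_base(dn, base):
    """Subtree scope: the entry's DN must end with the search base."""
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def preview(entries, search_base, filter_text, uid_attr):
    """Return (names that would be imported, DNs skipped because the UID attribute is missing)."""
    node = parse_filter(filter_text)
    imported, skipped = [], []
    for entry in entries:
        if not in_search_base(entry["dn"], search_base) or not matches(node, entry):
            continue
        uid = _values(entry, uid_attr)
        if uid:
            imported.append(uid[0])
        else:
            skipped.append(entry["dn"])
    return imported, skipped


if __name__ == "__main__":
    print(preview(SAMPLE_ENTRIES, "ou=Staff,dc=example,dc=com",
                  "(&(objectClass=user)(!(cn=susan)))", "sAMAccountName"))
    print(preview(SAMPLE_ENTRIES, "ou=Groups,dc=example,dc=com", "(objectClass=group)", "sAMAccountName"))
```

With the sample data, the user filter from the table returns bob only: susan is excluded by the filter, svc-etl lies outside the search base, and no-uid matches the filter but is reported as skipped because it has no sAMAccountName, which is the situation that produces an unexpectedly short preview in the Administrator tool.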

Updated July 24, 2019

