Hitachi

JP1 Version 12 JP1/Base User's Guide


8.2.2 Settings for the operation to use a DS user

For operation using a DS user, configure directory server linkage after completing the preparation on Active Directory described below.

(1) Extending the schema of the Active Directory

To make Active Directory ready, the schema of Active Directory must be extended.

In order to perform integrated management of JP1 authentication information (JP1 user authentication information and JP1 operating permission) on the Active Directory, add an attribute to the Active Directory to allow the settings of JP1 operating permission. In accordance with the schema extension settings procedure shown below, add an attribute (JP1 operating permission) to the users and group objects on the Active Directory.

Specify a JP1 resource group and JP1 permission level to the value of the added attribute (JP1 operating permission).

The following explains the schema extension procedure to utilize an LDIF file. In order to enable system recovery in case the following schema extension procedure fails, back up the current system conditions (NTBACKUP) beforehand.

  1. Copy the model file (JP1_UserLevel_schema.ldf.model) from an authentication server with an arbitrary LDIF file name.

    The installation directory of the model file on the authentication server is as follows:

    installation-folder\tools\schema\JP1_UserLevel_schema.ldf.model

  2. Edit the copied LDIF file.

    Change the domain component (DC) that follows dn: in the copied file to the corresponding domain name.

    The file contains entries [1] through [8], among which four entries, [1], [3], [5], and [7] need to be changed.

    Example: Assume the domain name to be domain.local.

    Before change:

    dn: CN=hitachiJP1UserLevel,CN=Schema,CN=Configuration,DC=DomainName

    After change:

    dn: CN=hitachiJP1UserLevel,CN=Schema,CN=Configuration,DC=domain,DC=local

  3. Execute the ldifde command to extend the schema by importing the LDIF file edited in step 2 above.

    ldifde -i -f input-file-name -v -j log-file-output-folder-name

    Because the ldifde command writes its execution log to the log file, you can confirm the import information there.

    If the ldifde command fails with an execution error, check the following and take the corresponding action:

    • If the execution error indicates 0000202B: RefErr:

      A domain name reference error (RefErr) is usually caused by an incorrect domain name. Verify the domain names in the LDIF file and correct any that are wrong. To avoid re-executing entries that were already processed successfully, comment out those entries (insert # at the start of each of their lines) before re-executing the ldifde command. For example, if this error occurs during the execution of entry [3], comment out all lines up to the end of entry [2]. If this error occurs during the execution of entry [1], nothing needs to be commented out.

    • If the execution error indicates 00002071: UpdErr:

      An update error (UpdErr) is usually caused by the schema having already been extended, so that the objects already exist. Verify whether the schema is already extended as shown in step 4 below. If it is, step 3 (schema extension) is unnecessary.

    • Other execution errors:

      Take appropriate actions depending on the nature of the ldifde error.

  4. Confirm, by executing the ldifde command, that the schema extension added the JP1 operating permission attribute.

    Confirmation of the default class (User):

    Export the default class (User) to the LDIF file by executing the ldifde command. Specify the corresponding domain name for the domain name identification (DC) in the same manner as shown in step 2 above.

    ldifde -f output-file-name -d CN=User,CN=Schema,CN=Configuration,DC=domain,DC=local

    Confirm that the JP1 operating permission class (hitachiJP1AccessLevel) is specified as an auxiliary class (auxiliaryClass) in the exported LDIF file.

    :
    auxiliaryClass: hitachiJP1AccessLevel
    :

    Confirmation of the default class (Group):

    Export the default class (Group) to the LDIF file by executing the ldifde command. Specify the corresponding domain name for the domain name identification (DC) in the same manner as shown in step 2 above.

    ldifde -f output-file-name -d CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=local

    Confirm that the JP1 operating permission class (hitachiJP1AccessLevel) is specified as an auxiliary class (auxiliaryClass) in the exported LDIF file.

    :
    auxiliaryClass: hitachiJP1AccessLevel
    :
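The following PowerShell script is an added example and is not part of this manual: it carries steps 1 through 4 above through as one script, using the ldifde options the manual shows, and includes the "comment out the already processed entries" recovery for a RefErr in step 3. The installation folder, working folder and domain name are placeholders, and the recovery function assumes that every LDIF entry begins with a dn: line (as in the model file described above).

```powershell
# Added example; not from the JP1/Base manual. Automates steps 1 to 4 of the schema
# extension with the ldifde options the manual shows. Folder names and the domain
# name below are placeholders/assumptions for illustration.
$DomainName = 'domain.local'                                   # example domain from the manual
$InstallDir = 'C:\INSTALLATION-FOLDER-PLACEHOLDER'             # replace with the JP1/Base installation folder
$ModelFile  = Join-Path $InstallDir 'tools\schema\JP1_UserLevel_schema.ldf.model'
$WorkDir    = 'C:\Temp\jp1schema'                              # assumed folder for the LDIF file and ldifde logs
$LdifFile   = Join-Path $WorkDir 'JP1_UserLevel_schema.ldf'

# "domain.local" -> "DC=domain,DC=local"
$DomainDn = ($DomainName.Split('.') | ForEach-Object { "DC=$_" }) -join ','

function Copy-LdifWithDomain {
    param([string]$Source, [string]$Destination, [string]$DomainDn)
    # Steps 1 and 2: copy the model file and replace the DC=DomainName placeholder.
    # Only the entries whose dn: carries the placeholder ([1], [3], [5], [7]) change.
    (Get-Content -Path $Source) -replace 'DC=DomainName', $DomainDn |
        Set-Content -Path $Destination -Encoding ASCII
}

function Disable-LdifEntries {
    param([string]$Path, [int]$Count)
    # Recovery for a 0000202B RefErr in step 3: comment out the first $Count entries
    # (those already imported) so that re-running ldifde does not process them again.
    # Assumption: each entry starts with a dn: line; blank and comment lines are left alone.
    $entry = 0
    $out = foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^dn:') { $entry++ }
        if ($entry -ge 1 -and $entry -le $Count -and $line -notmatch '^(#|\s*$)') { "# $line" }
        else { $line }
    }
    Set-Content -Path $Path -Value $out -Encoding ASCII
}

function Invoke-SchemaImport {
    param([string]$LdifFile, [string]$LogDir)
    # Step 3: -i imports, -v is verbose, -j writes the ldifde log files into $LogDir.
    # Run on a host with schema-modification rights, after the backup the manual asks for.
    & ldifde -i -f $LdifFile -v -j $LogDir
    $ok = ($LASTEXITCODE -eq 0)
    if (-not $ok) {
        Write-Warning "ldifde failed with exit code $LASTEXITCODE; check the log files in $LogDir"
        Get-ChildItem -Path $LogDir -Filter 'ldif.*' | ForEach-Object { Get-Content $_.FullName }
    }
    return $ok
}

function Test-Jp1AuxiliaryClass {
    param([string]$ClassName, [string]$DomainDn, [string]$OutFile)
    # Step 4: export the default class (User or Group) and look for the auxiliaryClass line.
    & ldifde -f $OutFile -d "CN=$ClassName,CN=Schema,CN=Configuration,$DomainDn"
    if ($LASTEXITCODE -ne 0) { return $false }
    return [bool](Select-String -Path $OutFile -Pattern '^auxiliaryClass: hitachiJP1AccessLevel$' -Quiet)
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Copy-LdifWithDomain -Source $ModelFile -Destination $LdifFile -DomainDn $DomainDn
if (Invoke-SchemaImport -LdifFile $LdifFile -LogDir $WorkDir) {
    foreach ($class in 'User', 'Group') {
        $present = Test-Jp1AuxiliaryClass -ClassName $class -DomainDn $DomainDn -OutFile (Join-Path $WorkDir "$class.ldf")
        '{0}: hitachiJP1AccessLevel is an auxiliary class = {1}' -f $class, $present
    }
}
# If the import stopped with RefErr at entry [3]: fix the DC values in $LdifFile, then
# comment out entries [1] and [2] before calling Invoke-SchemaImport again:
#   Disable-LdifEntries -Path $LdifFile -Count 2
```

If Test-Jp1AuxiliaryClass already returns True for both classes before the import, the schema has been extended earlier and a fresh import would end in the 00002071 UpdErr described in step 3; in that case step 3 is skipped as the manual says.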

(2) Designating a linking directory server

To authenticate users through a directory server, you must set the common definition information on the authentication server. Because the directory server linkage function is not enabled in the common definition by default, the settings must be changed. If a secondary authentication server is installed, change the settings on both the primary and secondary authentication servers.

(a) Directory server linkage setting procedure

To use a DS user, you must set up the directory server linkage definition file and register an information-search user. After setup, confirm the connection to the directory server with the jbschkds command.

  1. Edit the directory server linkage definition file (jp1bs_ds_setup.conf).

    The following explains the differences in editing the definition file in comparison with the operation to use a linkage user.

    ENABLE

    Specify whether to link with a directory server. Specify 00000002 for operation to use a DS user. Both a standard user and a DS user can be used.

    BASE_DN

    This parameter is used for specifying the identification name of the container object in which a JP1 user exists. The operation to use a DS user does not require the setting of this parameter.

    SEARCH_USER_DN

    Specify the identification name of the information-search user to access the directory server. You must specify this parameter for the operation to use a DS user.

    For details about the directory server linkage definition file, see Directory server linkage definition file (Windows only) in 16. Definition Files.

  2. Execute the jbssetcnf command.

    The specified contents are applied to the common definition information. For details about the jbssetcnf command, see jbssetcnf in 15. Commands.

  3. Register an information-search user and a password to the authentication server host.

    Register an information-search user and a password to use when logging in to the directory server to the JP1/Base password management information of the authentication server host. The length of the information-search user's password must be 1 through 64 bytes. Use the jbsmkpass command, the jbspassmgr command, or the jbsumappass command for the registration. The registration format of a user (information-search user) shall be aduser/information-search-user-name. For example, specify aduser/Groupcsearcher when you specified "CN=Groupcsearcher,OU=GroupC,DC=domain,DC=local" in SEARCH_USER_DN.

    For the operation to use a DS user, the information-search user needs permission to collect JP1 authentication information and to manipulate the JP1 operating permission attribute, so you must register either of the following users:

    • A user to have write permission into the user or group's JP1 operating permission

    For details about respective commands, see jbsmkpass (Windows only), jbspassmgr (Windows only), or jbsumappass (Windows only) in 15. Commands.

  4. Execute the jbschkds command.

    Confirm the settings of directory server linkage. For details about the jbschkds command, see jbschkds (Windows only) in 15. Commands.

(b) Changing the directory server to link

You can temporarily change the directory server to link when it becomes unusable due to failure. Create a file to define the information for a temporary change and execute the jbschgds command. Use the jbschgds command also to cancel a temporary change.

For details about the jbschgds command, see jbschgds (Windows only) in 15. Commands.

(3) Managing users (Setting operating permissions) when DS users are used

To manage users (set operating permissions) when DS users are used:

  1. Create a user (DS user) or security group on the directory server (Active Directory).

    Use the Active Directory Users and Computers management tool or Active Directory cmdlets in PowerShell to create a JP1 user (DS user) or security group on which you want to set operating permissions.

  2. Set operating permissions.

    Set operating permissions on the JP1 user (DS user) or security group that you created in step 1. You can use one of the following ways to grant JP1 operating permissions:

    • Use Active Directory to set operating permissions.

      On the directory server (Active Directory), use Attribute Editor# in the Active Directory Users and Computers management tool or Active Directory cmdlets in PowerShell to set operating permissions on the attribute hitachiJP1UserLevel of the JP1 user (DS user) or security group.

      The setting format is as follows:

      JP1-resource-group=JP1-permission-level:JP1-resource-group=JP1-permission-level:...

      For details on definition, see User permission definition file in 16. Definition Files.

      #: To use Attribute Editor, in the Active Directory Users and Computers management tool, select View and then Advanced Features.

    • Use JP1/Base commands to set operating permissions.

      On the authentication server (primary authentication server), use the JP1/Base jbssetacl command (with the -ds option) or the jbsrmacl command (with the -ds option) to set operating permissions on the JP1 user (DS user) or security group.

      For details on how to set operating permissions, see 8.1.3(3) Using a command to register operating permissions for individual JP1 users and 8.1.3(4) Using a command to delete operating permissions for individual JP1 users.

  3. Assign a security group on the directory server (Active Directory).

    JP1 operating permissions can be granted through a security group. By using the Active Directory Users and Computers management tool or Active Directory cmdlets in PowerShell, add the JP1 user (DS user) to a security group to which JP1 operating permissions are granted, or set the group of the JP1 user (DS user) to a security group to which JP1 operating permissions are granted.

  4. Apply JP1 operating permissions on the authentication server (primary authentication server).

    Restart JP1/Base or use the jbsaclreload command (with the -ds option) to apply operating permissions set in step 2 to the authentication server.

    For details on the jbsaclreload command, see jbsaclreload in 15. Commands.

    When a secondary authentication server exists, you must also apply operating permissions to the secondary authentication server in the same way.
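The following is an added example, not code from this manual or from JP1/Base: it uses the Active Directory cmdlets (RSAT) to write the hitachiJP1UserLevel attribute in the JP1-resource-group=JP1-permission-level:... format from step 2, reads it back, lists every object that carries the attribute (the list a reviewer wants when checking who holds JP1 permissions through Active Directory), and finally applies the result with jbsaclreload -ds as in step 4. The user name jp1ops, the group JP1-GroupC-Operators, the resource group GroupC and the permission levels used are constructed values; take the resource groups and permission levels for your site from the User permission definition file.

```powershell
# Added example, not from the JP1/Base manual. Requires the ActiveDirectory module.
# The attribute name hitachiJP1UserLevel, its value format and the jbsaclreload -ds
# call come from the procedure above; user, group and permission names are constructed.
Import-Module ActiveDirectory

function Set-Jp1OperatingPermission {
    param(
        [Parameter(Mandatory)][string]$Identity,        # sAMAccountName of a DS user or security group
        [Parameter(Mandatory)][hashtable]$Permissions   # @{ 'JP1-resource-group' = 'JP1-permission-level' }
    )
    $obj = Get-ADObject -Filter { sAMAccountName -eq $Identity } -Properties hitachiJP1UserLevel
    if (-not $obj) { throw "No user or group with sAMAccountName '$Identity'" }
    # Build "group=level:group=level"; sorting keeps the stored value deterministic for review.
    $value = ($Permissions.GetEnumerator() | Sort-Object Key |
              ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join ':'
    # -Replace overwrites the attribute: the previous grant list is replaced, not merged.
    Set-ADObject -Identity $obj -Replace @{ hitachiJP1UserLevel = $value }
    return $value
}

function Get-Jp1OperatingPermission {
    param([Parameter(Mandatory)][string]$Identity)
    # Read the attribute back and parse it into a hashtable (resource group -> permission level).
    $obj = Get-ADObject -Filter { sAMAccountName -eq $Identity } -Properties hitachiJP1UserLevel
    $result = @{}
    foreach ($pair in ([string]$obj.hitachiJP1UserLevel -split ':')) {
        if ($pair -match '^(?<group>[^=]+)=(?<level>.+)$') { $result[$Matches.group] = $Matches.level }
    }
    return $result
}

function Get-Jp1PermissionHolders {
    # Audit: every user or group in the domain that carries any JP1 operating permission.
    Get-ADObject -LDAPFilter '(hitachiJP1UserLevel=*)' -Properties sAMAccountName, hitachiJP1UserLevel |
        Select-Object sAMAccountName, ObjectClass, hitachiJP1UserLevel
}

# Step 2: grant the constructed DS user 'jp1ops' level JP1_Admin on resource group 'GroupC'
# (JP1_Admin and JP1_Operator are assumed level names; use the ones defined for your site).
Set-Jp1OperatingPermission -Identity 'jp1ops' -Permissions @{ 'GroupC' = 'JP1_Admin' }
Get-Jp1OperatingPermission -Identity 'jp1ops'

# Step 3: grant through a security group instead, and make the DS user a member of it.
Set-Jp1OperatingPermission -Identity 'JP1-GroupC-Operators' -Permissions @{ 'GroupC' = 'JP1_Operator' }
Add-ADGroupMember -Identity 'JP1-GroupC-Operators' -Members 'jp1ops'

Get-Jp1PermissionHolders | Format-Table -AutoSize

# Step 4: run on the primary authentication server; repeat on the secondary one.
& jbsaclreload -ds
```

Because Set-ADObject -Replace overwrites the whole attribute, Get-Jp1OperatingPermission is the natural first call when adding a resource group to an existing user: merge the returned hashtable with the new grant and write the combined value back, rather than losing the earlier grants.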

(4) Changing the operation to the one to use a DS user

The following explains the procedure to change the operation from the one to use a standard or linkage user to the one to use a DS user.

  1. Set the Active Directory environment on the directory server.

    Extend the schema of the Active Directory to add JP1 operating permission attribute. Perform this step only once to the Active Directory. For details, see 8.2.2(1) Extending the schema of the Active Directory.

  2. Stop JP1/Base on the authentication server (primary authentication server).

    Stop JP1/Base so that the settings for using DS users can be made.

  3. Set JP1/Base environment on the authentication server (primary authentication server).

    Modify the directory server linkage definition file to allow the use of DS users. For details, see 8.2.2(2)(a) Directory server linkage setting procedure.

  4. Start JP1/Base on the authentication server (primary authentication server).

    Start JP1/Base in order to set JP1 operating permission to the Active Directory by using an authentication command.

  5. Set JP1 operating permission on the authentication server (primary authentication server).

    Set JP1 operating permission to the Active Directory.

    To change the operation from the one to use a standard user:

    1. Copy the JP1_UserLevel file on the authentication server host with an arbitrary file name.

    2. In the copied definition file, change the standard user name to the DS user name.

    3. Execute the jbssetacl command (-ds option specified) designating the definition file.

    4. If the standard user is used in the user mapping, re-register the DS user together with a password.

    5. Delete the standard user and the operating permission registered before the change on the authentication server host.

    Use the jbsrmuser command to delete the standard user. Use the jbsrmacl command to delete the operating permission.

    To change the operation from the one to use a linkage user:

    1. Copy the JP1_UserLevel file on the authentication server host with an arbitrary file name.

    2. Execute the jbssetacl command (-ds option specified) designating the definition file of step 1 above.

    3. Delete the linkage user and the operating permission registered before the change on the authentication server host.

    Use the jbsrmuser command to delete the linkage user. Use the jbsrmacl command to delete the operating permission.

  6. Execute the jbsaclreload command on the authentication servers (primary and secondary authentication servers).

    Execute the jbsaclreload command (-ds option specified) to reload JP1 authentication information with the newly set operating permission.

  7. Verify JP1 authentication information on the authentication server (primary authentication server).

    Verify JP1 authentication information by using the jbslistuser command or the jbslistacl command.

(5) Notes on the operation to use a DS user