Enable the CA Agile Central On-Premises LDAP Module
This topic includes the following:
- Set up CA Agile Central for LDAP
- Set up your LDAP environment
- Enable LDAP for CA Agile Central On-Premises
- Run the LDAP sync
- Backup and restore LDAP settings
- CA Agile Central On-Premises LDAP Module worksheet
Make sure you have the following prerequisites:
- A CA Agile Central On-Premises instance, version 2011.3 or later.
- The CA Agile Central license key with the LDAP module enabled.
- If using an SSL connection to the LDAP server, you will need to upload the SSL certificate from the LDAP server to the CA Agile Central Java keystore.
- Access to an LDAP server with read-write permissions and the connection information. Refer to the CA Agile Central On-Premises LDAP module worksheet that can be sent to your LDAP administrator to provide the necessary information to connect to the LDAP server.
- An LDAP browser client is recommended to help with finding the correct locations of nodes within an LDAP directory (optional: a free client, LDAP Browser 4.5).
- Access to a machine with Ruby installed.
Set up CA Agile Central for LDAP
- Load the CA Agile Central On-Premises image into a VMware server.
- Install the new CA Agile Central license key, with the LDAP module enabled, from the Licensing page on the Control Panel.
- After the license has been installed, restore a current copy of your existing database using the Restore feature.
If you are installing CA Agile Central for the first time, restart CA Agile Central by clicking the CA Agile Central Services link, then click Restart for the new license key to be loaded.
- Ensure the DNS settings entries have been filled in and saved on the Network Settings tab so that the LDAP hostname will be properly resolved.
- Log in to CA Agile Central as a subscription administrator or use the default subscription administrator login, email@example.com, to create a new workspace in CA Agile Central.
Name this new workspace CA Agile Central LDAP (or whatever naming convention is acceptable in your environment). Go to Setup → Workspaces & Projects → Actions → New Workspace to create the new workspace.
- Click the (+) icon next to the CA Agile Central LDAP workspace you just created, then click the edit icon at the end of the sample project row to edit the name of the project.
- Rename the project to CA Agile Central LDAP Project (or whatever naming convention is acceptable in your environment). Click Save & Close.
- From the Users tab, create a new CA Agile Central user that is a subscription or workspace administrator (if your CA Agile Central subscription allows workspace administrators to add new users).
- Set the user name to any valid email address format.
Then set the email address to a valid email address so that the welcome email for this new user will be sent to you and a password can be set on the new account. The LDAP sync process will run as this user logs in to CA Agile Central and creates the new CA Agile Central users.
- Log out of CA Agile Central as the subscription administrator and log in to CA Agile Central as the new user. You should receive an email with a link to set the password.
- Click on the profile image in the upper-right corner, then select My Settings.
- Set the default workspace and project for the user to what you specified in steps 5 and 7.
This will be the default workspace and project to which newly created users will be assigned when the LDAP sync process is run. If this is not done, new users will be assigned to the first available workspace and project associated with the CA Agile Central user account used when running the CA Agile Central LDAP sync process. An existing CA Agile Central subscription or workspace administrator may be used for this process; however, it will be necessary to set the appropriate default workspace on this user account so new users are created with the appropriate initial workspace and project permissions.
Set up your LDAP environment
If you are an existing CA Agile Central On-Premises customer, follow these steps to update your CA Agile Central subscription with the LDAP usernames for existing users.
- Create a unique CA Agile Central group on your LDAP server.
- Update the LDAP server so the current CA Agile Central users are members of the newly created CA Agile Central LDAP group. These users should already exist in your CA Agile Central subscription.
- Before continuing, ensure the following are set up:
- A machine with Ruby 1.8.5 or higher running with the following Ruby Gems: rally_rest_api, fastercsv, and builder.
- Copy the user_load_script.rb to the machine containing Ruby. This should be available for download from the same location as the CA Agile Central On-Premises download or provided to you by the CA Agile Central Support team.
Example CSV format for the user_load_script.rb(email address,ldapname):
Only the username is copied to CA Agile Central; the Office Location value is typically set to None.
rally_url = https://<ip or host here>/slm (address of the CA Agile Central installation)
rally_user = CA Agile Central subscription administrator or account
rally_password = CA Agile Central password
filename = <filename of CSV> (Location and name of CSV file)
New users created from the LDAP sync script have read-only permissions on the workspace level.
Enable LDAP on CA Agile Central On-Premises
Before you enable LDAP, you will need information about the LDAP environment at your company. Use the CA Agile Central On-Premises LDAP module worksheet to send to your LDAP administrator to provide the necessary information to connect to the LDAP server.
- From the Control Panel, go to Server Settings → LDAP Settings.
- Make any necessary changes and click Save Settings & Restart CA Agile Central.
CA Agile Central is automatically restarted which will enable LDAP authentication. Once CA Agile Central has been restarted, all provisioned users will now be able to log in using their unique LDAP username and password.
For a detailed table of all the LDAP settings, go here.
Run the LDAP sync
The LDAP sync runs several services to update the CA Agile Central user accounts based on the specified LDAP group and the LDAP vendor.
The sync will first query LDAP for all the users in the specified LDAP group. It will then check to ensure all the users in that group are in CA Agile Central and that the accounts are enabled in CA Agile Central.
A check is performed for enabled CA Agile Central accounts that do not exist in the specified LDAP CA Agile Central user group. If there are accounts in CA Agile Central that are not in the LDAP group, the CA Agile Central accounts are disabled.
If you are using Active Directory, a second service (Service 2) is run to disable any CA Agile Central user accounts that have been disabled in Active Directory, regardless if they are in the specified CA Agile Central group in LDAP. The second service will not be run for Oracle LDAP servers.
An example of the log output when an LDAP sync is run using Active Directory is below.
An example of the output for the second service when running the sync against an Oracle LDAP server is below.
An example of multiple groups in the sync output is below.
Backup and restore LDAP settings
The LDAP settings are saved during a backup of the CA Agile Central On-Premises server. Once the LDAP module is enabled or if the LDAP settings are updated, perform a backup of the CA Agile Central On-Premises server from the Backup/Restore link on the Control Panel to ensure that the proper LDAP settings are captured and not overwritten by a restore containing outdated LDAP connection information.
CA Agile Central On-Premises LDAP Module worksheet
Fully-qualified Host a name of the LDAP server, such as directory.mycompany.com.
Port that LDAP server listens on. Typically 389, If LDAP over SSL, 636.
LDAP SSL-Enabled? ______
LDAP Vendor and Version: ________________________________________
Example: Oracle Identity Server 11g, Active Directory
LDAP SSL Certificate to Load into CA Agile Central Keystore? ______
LDAP Bind Username DN: _________________________________________
Example: CN=myLDAPUser, CN=Users, DC=mycompany, DC=com
LDAP Tree Base DN: _____________________________________________
Example: CN=Users, DC=mycompany, DC=com
LDAP User Name Attribute: ________________________________________
Example: sAMAccountName, uid
LDAP Groups Name for CA Agile Central Users: _________________________________
Example: CN=CA Agile CentralGroup, CN=Users, DC=rallydev, DC=com | CN=Ops, OU=Groups, DC=rallydev, DC=com | CN=CA Agile CentralGroup2, CN=Users, DC=rallydev, DC=com
LDAP Group Attribute: ___________________________________________
Example: member, memberof, s