Enable the CA Agile Central On-Premises LDAP Module

This topic includes the following:

Make sure you have the following prerequisites:

  • A CA Agile Central On-Premises instance, version 2011.3 or later.
  • The CA Agile Central license key with the LDAP module enabled.
  • If using an SSL connection to the LDAP server, you will need to upload the SSL certificate from the LDAP server to the CA Agile Central Java keystore.
  • Access to an LDAP server with read-write permissions and the connection information. Refer to the CA Agile Central On-Premises LDAP module worksheet that can be sent to your LDAP administrator to provide the necessary information to connect to the LDAP server.
  • An LDAP browser client is recommended to help with finding the correct locations of nodes within an LDAP directory (optional: a free client, LDAP Browser 4.5).
  • Access to a machine with Ruby installed.

Set up CA Agile Central for LDAP

  1. Load the CA Agile Central On-Premises image into a VMware server.
  2. Install the new CA Agile Central license key, with the LDAP module enabled, from the Licensing page on the Control Panel.
  3. After the license has been installed, restore a current copy of your existing database using the Restore feature.

    If you are installing CA Agile Central for the first time, restart CA Agile Central by clicking the CA Agile Central Services link, then click Restart for the new license key to be loaded.

  4. Ensure the DNS settings entries have been filled in and saved on the Network Settings tab so that the LDAP hostname will be properly resolved.
  5. Log in to CA Agile Central as a subscription administrator or use the default subscription administrator login, test@rallydev.com, to create a new workspace in CA Agile Central. 

    Name this new workspace CA Agile Central LDAP (or whatever naming convention is acceptable in your environment). Go to Setup → Workspaces & Projects → Actions → New Workspace to create the new workspace.

  6. Click the (+) icon next to the CA Agile Central LDAP workspace you just created, then click the edit icon at the end of the sample project row to edit the name of the project.
  7. Rename the project to CA Agile Central LDAP Project (or whatever naming convention is acceptable in your environment). Click Save & Close.
  8. From the Users tab, create a new CA Agile Central user that is a subscription or workspace administrator (if your CA Agile Central subscription allows workspace administrators to add new users).
  9. Set the user name to any valid email address format. 

    Then set the email address to a valid email address so that the welcome email for this new user will be sent to you and a password can be set on the new account. The LDAP sync process will run as this user logs in to CA Agile Central and creates the new CA Agile Central users.

  10. Log out of CA Agile Central as the subscription administrator and log in to CA Agile Central as the new user. You should receive an email with a link to set the password.
  11. Click on the profile image in the upper-right corner, then select My Settings.
  12. Set the default workspace and project for the user to what you specified in steps 5 and 7.

    This will be the default workspace and project to which newly created users will be assigned when the LDAP sync process is run. If this is not done, new users will be assigned to the first available workspace and project associated with the CA Agile Central user account used when running the CA Agile Central LDAP sync process.  An existing CA Agile Central subscription or workspace administrator may be used for this process; however, it will be necessary to set the appropriate default workspace on this user account so new users are created with the appropriate initial workspace and project permissions.

Set up your LDAP environment

If you are an existing CA Agile Central On-Premises customer, follow these steps to update your CA Agile Central subscription with the LDAP usernames for existing users. 

  1. Create a unique CA Agile Central group on your LDAP server.
  2. Update the LDAP server so the current CA Agile Central users are members of the newly created CA Agile Central LDAP group. These users should already exist in your CA Agile Central subscription.
  3. Before continuing, ensure the following are set up:
    • A machine with Ruby 1.8.5 or higher running with the following Ruby Gems: rally_rest_api, fastercsv, and builder.
    • Copy the user_load_script.rb to the machine containing Ruby. This should be available for download from the same location as the CA Agile Central On-Premises download or provided to you by the CA Agile Central Support team.
  4. Once CA Agile Central is started, log in as a subscription administrator or use the default subscription administrator login, test@rallydev.com.
  5. Go to Setup → Users and ensure All Users is selected in the drop-down box in the upper-left corner.
  6. Click the Page Tools drop-down and select Export as CSV.
  7. Edit the .csv file such that the user email addresses are in the first column and in the second column enter the users' LDAP usernames associated with this email. You must include all existing CA Agile Central users in the .csv file to avoid enable/disable errors. However, remove the test@rallydev.com user from this list if the user still exists in your CA Agile Central subscription. Remove any additional data left over from the edit. The file should be similar to the format in the example below.
  8. Example CSV format for the user_load_script.rb(email address,ldapname):

    user1@rallydev.com,fharrison
    user2@rallydev.com,sjohnson
    user3@rallydev.com,krobinson

    Only the username is copied to CA Agile Central; the Office Location value is typically set to None.

  9. Copy the CSV file created in the previous step to a machine with the user_load_script.rb installed. Prior to running the script, edit the user_load_script.rb and adjust the following values to fit your environment:
  10.  rally_url = https://<ip or host here>/slm (address of the CA Agile Central installation)
     rally_user = CA Agile Central subscription administrator or account
     rally_password = CA Agile Central password
     filename = <filename of CSV> (Location and name of CSV file)

  11. Execute the user_load_script.rb by running ruby user_load_script.rb. Once the script has completed, the CA Agile Central users are now associated with their corresponding LDAP login name. Verify this by checking that the On-Premises LDAP User Name field has been populated in the user's profile.
  12. New users created from the LDAP sync script have read-only permissions on the workspace level.

Enable LDAP on CA Agile Central On-Premises

Before you enable LDAP, you will need information about the LDAP environment at your company. Use the CA Agile Central On-Premises LDAP module worksheet to send to your LDAP administrator to provide the necessary information to connect to the LDAP server.

  1. From the Control Panel, go to Server Settings → LDAP Settings.
  2. Make any necessary changes and click Save Settings & Restart CA Agile Central.
  3. CA Agile Central is automatically restarted which will enable LDAP authentication. Once CA Agile Central has been restarted, all provisioned users will now be able to log in using their unique LDAP username and password.

    For a detailed table of all the LDAP settings, go here.

Run the LDAP sync

The LDAP sync runs several services to update the CA Agile Central user accounts based on the specified LDAP group and the LDAP vendor.

The sync will first query LDAP for all the users in the specified LDAP group. It will then check to ensure all the users in that group are in CA Agile Central and that the accounts are enabled in CA Agile Central.

A check is performed for enabled CA Agile Central accounts that do not exist in the specified LDAP CA Agile Central user group.  If there are accounts in CA Agile Central that are not in the LDAP group, the CA Agile Central accounts are disabled.

If you are using Active Directory, a second service (Service 2) is run to disable any CA Agile Central user accounts that have been disabled in Active Directory, regardless if they are in the specified CA Agile Central group in LDAP.  The second service will not be run for Oracle LDAP servers.

An example of the log output when an LDAP sync is run using Active Directory is below.

An example of the output for the second service when running the sync against an Oracle LDAP server is below.

An example of multiple groups in the sync output is below.

Backup and restore LDAP settings

The LDAP settings are saved during a backup of the CA Agile Central On-Premises server.  Once the LDAP module is enabled or if the LDAP settings are updated, perform a backup of the CA Agile Central On-Premises server from the Backup/Restore link on the Control Panel to ensure that the proper LDAP settings are captured and not overwritten by a restore containing outdated LDAP connection information.

CA Agile Central On-Premises LDAP Module worksheet

LDAP Hostname:________________________________________________
Fully-qualified Host a name of the LDAP server, such as directory.mycompany.com.

LDAP Port:_____________________________________________________
Port that LDAP server listens on. Typically 389, If LDAP over SSL, 636.

LDAP SSL-Enabled? ______

LDAP Vendor and Version: ________________________________________
Example: Oracle Identity Server 11g, Active Directory

LDAP SSL Certificate to Load into CA Agile Central Keystore? ______

LDAP Bind Username DN: _________________________________________
Example: CN=myLDAPUser, CN=Users, DC=mycompany, DC=com

LDAP Tree Base DN: _____________________________________________
Example: CN=Users, DC=mycompany, DC=com

LDAP User Name Attribute: ________________________________________
Example: sAMAccountName, uid

LDAP Groups Name for CA Agile Central Users: _________________________________
Example: CN=CA Agile CentralGroup, CN=Users, DC=rallydev, DC=com | CN=Ops, OU=Groups, DC=rallydev, DC=com | CN=CA Agile CentralGroup2, CN=Users, DC=rallydev, DC=com 

LDAP Group Attribute: ___________________________________________
Example: member, memberof, s

Important: Before the CA Agile Central administrator turns on LDAP, the LDAP administrator must:

  1. Add the CA Agile Central users to an LDAP CA Agile Central group.
  2. Make sure the LDAP server is set to accept connections from the CA Agile Central server.
  3. If LDAP is over SSL, provide LDAP server’s SSL certificate to the CA Agile Central administrator for import into keystore.

Feedback

Need more help? The CA Agile Central Community is your one-stop shop for self-service and support. To submit feedback or cases to CA Agile Central Support, find answers, and collaborate with others, please join us in the CA Agile Central Community.