Installing ApacheDS for Cognos Pt. 2
Date: 06/11/2013

BY NIKITA ATKINS, PRINCIPAL CONSULTANT

Installing and configuring ApacheDS for Cognos BI 10.2.1  - Part 2

Create Group Objects

The next step is to set up a group folder structure that you want to use in Cognos. It is always a good idea to think and design the structure before you start configuring. For this demo platform there is only a single group object of the type ""organizationalUnit"" within the default domain, this will map and work well in Cognos.

  1. Right click on the default domain ""dc=example,dc=com"" and select ""New"" and ""New Entry..."" to open the New Entry wizard.
  2. Select ""Create entry from scratch"", later on you can use existing entries as tempalte, and click ""Next"".
  3. Select the object class ""organizationalUnit"" in the Object Classes selection screen and click ""Next"".
  4. For the RDN (Relative Distinguished Name) select ""ou"" (the name) and type a name, in this case ""CognosUsers"", but you can pick anything. Below the RDN, you can then see the DN (Distinguished Name) that you can use to reference later on for this part of the DIT. Click ""Next"".
  5. In the last screen you can enter additional attributes like eg a description. Not in the picture. Click ""Finish"".
  6. You will then end up with a new organizationalUnit with the name CognosUsers in the DIT.

Create Users

Now we can add some users to ""CognosUsers"". The steps are similar to the above:

  1. Right click on ""CognosUsers"" and select ""New"" and ""New Entry.."" to open the New Entry wizard.
  2. Select ""Create entry from scratch"", later on you can use existing entries as template, and click ""Next"".
  3. Select the object class ""inetOrgPerson"" in the Object Classes selection screen and click ""Next"".
  4. For the RDN select ""uid"" (the user name) and type a name, in this case ""Administrator"", but you can pick anything. Keep in mind that by default this will be the log on name in IBM Cognos BI. This can be changed in Cognos Configuration. Do not add any more items here as they will then become part of the DN. This can be useful in some cases but not many. Click ""Next"".
  5. In the last screen you can again add additional fields. Note that ""cn"" (name) and ""sn"" (surname) have to have values. You can include others as well. You can stick to the default mappings from Cognos Configuration or oadd your own and add them as Custom properties in Cognos Configuration. Please refer to the pictures below for sample values. Click ""Finish"".
  6. Right click and select ""New Attribute""
  7. Change Attribute type to ""userPassword""
  8. Click Next and Finish
  9. Enter user password
  10. Click Finish
  11. You will then end up with the user added to the tree
  12. User will now appear in the tree

Bulk Loading of Users

If you want to load multiple users in the Apache Director Service you can use a standardised data interchange format, called LDIF.

  1. Open a new LDIF editor (File->New...->LDAP Browser->LDIF File).
  2. In the opened editor click the ""Browse ..."" button and select the connection.
  3. Then copy/paste the following content into the LDIF editor, ensure that there is an empty line at the end of the content.dn: uid=natkins,ou=CognosUsers,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    cn: Nikita Atkins
    sn: Atkins
    description: Nikita is Number 1 Employee
    employeeNumber: 10007
    givenName: Nikita
    telephoneNumber: (02) 9876 5432
    telephoneNumber: 0405 060 708
    uid: natkins
    userPassword:: password
  4. Finally click the green ""Execute LDIF"" button and the data slips into the LDAP server.

Configure Cognos

Configure A Namespace in IBM Cognos Configuration

By now there is a working LDAP and some test users available. The next task is to add ApacheDS as an Authentication provider that can be used in IBM Cognos BI. These are the steps:

  1. Open IBM Cognos Configuration
  2. Right click on ""Authentication"" in the tree to add a new namespace.
  3. In the New Resource"" windows, enter a name, this can be anything, and an LDAP type, select ""LDAP - General default values"".If you click the new namespace, you will see a number of variables on the right, some are prefilled and some are not.
  4. Enter or change the following parameters:Namespace ID: Can be anything you want, ""ApacheDS"" in this example.
    Host and port: This is the server name and the LDAP port number, ""localhost:10389"" in this case. If you don't know what to enter, go back to Apache Director Studio and check the LDAP connection properties.
    Base Distinguished Name: This should be the complete DN path up to the class entry-level that you want to include. In this example this is ""ou=CognosUsers,dc=example,dc=com'. Again if you don't know what to enter, go to the entry properties in Apache Directory Studio.
    User lookup: change this to ""uid=${userID}"". If you want to use something else for authentication then the uid, this will be different.
    Use external identity mapping?: Change to ""True"".
    Bind user DN and password: This should be the complete DN path of a user that will be used to search the namespace. In this case ""uid=Admin,ou=CognosUsers,dc=example,dc=com"" and the password, which is a user created previously. The exact DN can be found via the entry properties of that user in Apache Directory Server.
    User bind credentials for search?: Change to True
    Unique identifier: Change to uid
    Folder mappings (Advanced) Object class: change to organizationalUnit
    Group mappings (Advanced) Object class: change to groupOfUniqueNames
    Group mappings (Advanced) Member: change to uniqueMember
    Account mappings (Advanced) Account object class: change to inetOrgPerson
    Account mappings (advanced) Business phone: change to telephoneNumber
    Account mappings (Advanced) Content locale: change to preferredLanguage
    Account mappings (Advanced) Fax/Phone: change to facsimileTelephoneNumber
    Account mappings (Advanced) Given name: change to givenName
    Account mappings (Advanced) Home phone: change to homePhone
    Account mappings (Advanced) Postal address: change to postalAddress
    Account mappings (Advanced) Product local: change to preferredLanguage
    Time out in seconds (optional): in older versions of Cognos (v8) you change this setting to 300
  5. Right click on the newly created security namespace and go test.
  6. Right click on the server and select Start.

Add users in Cognos

Finally the new namespace can be configured in IBM Cognos Adminstration for use in Cognos Capabilities groups.

Remember that you can only search a namespace when you log on with a user from that namespace. This means that if you want to define an administrator you have to add the ""Everyone"" group temporarily to the systems administrators group in Cognos Administration. Because you need to be an admin to be able to do so, but no user in your new namespace is an admin.

  1. Log on with a new user.
  2. Go to Cognos Administration and configure a new admin.
  3. Test the new user and delete the everyone group again.
  4. If this is a new install, don't forget to disable anonymous access in Cognos Configuration (and restart).