Configuring the Active Directory settings
You can configure Rational® Test Control Panel to use the Active Directory security model by using IBM® Installation Manager during installation or by using the Modify option after the installation. You can also specify the settings by manually editing the security.config file.
Creating multiple Active Directory configurations
When you enable Rational® Test Control Panel to use the Active Directory, you can have multiple configurations by setting the configuration count property on the IBM® Installation Manager GUI. Each configuration can point to a different Active Directory domain (optionally, on a different Active Directory server).

When you configure the Active Directory security model by editing the security.config file, a second configuration is added by appending .1 to the end of each property name, .2 for the third configuration, and so on. For example, if url is the property that sets the URL for the first configuration, url.1 sets it for the second, url.2 for the third, and so on.
Specifying user names at logins
While logging in to Rational® Test Control Panel, specify only your username if you are part of the first configuration (Active Directory domain). For all the other configurations, specify your username in the following format: domain\username.
Setting up Active Directory domains
- All configurations must have the domain property set; otherwise, they will not be used. If the properties are omitted from the additional configurations, they default to the value that is set in the first configuration.
- Each Active Directory configuration must be for a specific Active Directory domain that holds a unique name amongst a set of Active Directory domains with which Rational® Test Control Panel is configured. The requirement holds true even if the Active Directory domains are on different servers. For example, you cannot have two configurations for a single Active Directory domain called DOMAIN that are on different servers or on the same server with different values set for the other properties.
Editing the security.config file
- On Windows™ systems, the folder is typically at C:\IBM\RTCP-Workspace\security.
- On Unix-like systems, the folder is typically at /var/rtcphqs/security.

- If the backslash character \ needs to be used in any property value, escape it with another backslash character: \\. For example, if the value is C:\IBM, specify it as C:\\IBM.
- Optional: If any of the characters =, :, #, or ! is used in a property value, escape it with a backslash.
- Set the credentialsStore property to ACTIVEDIRECTORY. Unlike the other properties, you need to set this property only once and you cannot modify it for individual configurations (AD domains).
| Name in the IBM® Installation Manager GUI | Name in the security.config file | Description |
|---|---|---|
| url | url | Address of the Active Directory host. For example, ldap://host_name:port. |
| admin user | adminuser | An Active Directory user with group query permissions. This is the user account that Rational® Test Control Panel uses to log in to the Active Directory server to determine the groups to which a particular user account belongs. In the security.config file, specify this property in the following format: username@domain, where domain is the admin domain. |
| password | adminpassword | The password for the admin user. This is stored in the security.config file in an obfuscated form. To keep this password secure, restrict the access to the security.config file. Only the user account under which Rational® Test Control Panel will run, and those users of the host computer who are trusted to edit it need access to it. If you are editing the security.config file, ensure that you encrypt the password. For details, see Configuring the security settings after installation by updating the security.config file. For example, adminpassword=#com.ghc.1!b2b312954AC84469E34BA2E5. |
| admin domain | NA | The domain to which the admin user belongs. This value is required for logging in as the admin user to get the information about groups. In the security.config file, this is specified as part of the adminuser property in the format username@domain. |
| default domain | domain | The domain to which the users belong. Typically, this is the same as the admin domain. |
| group search base | searchBase | The base location where the directory group searches should begin, for example dc=mycompany,dc=local. This value is a Distinguished Name (DN) for an Active Directory object that contains all groups to be used to control the roles within Rational® Test Control Panel. For example, if you have groups named Specifying a more specific (longer) group search-base narrows down the list of groups to select from in the IBM® Installation Manager GUI for assigning roles to groups, and could marginally speed up certain operations. Specifying a less specific (shorter) group search base will make more groups available for assigning roles. |
| user search base | userSearchBase | This is a Distinguished Name (DN) for an Active Directory object that contains all users who need to log in at any level. It is not necessary that they are immediate child objects. For example, if you have two organizations in your server, one represented by For a user to be able to log in, they must match the user search base and they must be in an Active Directory group that has been assigned the role |
| group filter | allGroupsFilter | The filter expression for user groups. The default expression (objectClass=group) returns all groups. Use this property to control the number of groups available, to which the roles are assigned. |
| Directory Groups and Rational® Test Control Panel Roles | groupMappings | In the IBM® Installation Manager GUI, drag groups on to roles to create mappings and drag them off to remove. All users in a group assume roles that are assigned to that group. For users to be able to log in, the following conditions must be met: The groupMappings property in the security.config file holds a comma-separated list of group=role pairs. The group is identified by its CN Active Directory attribute value. |
Example with a single configuration:

credentialsStore=ACTIVEDIRECTORY
url=ldap\://ad.mycompany.example.com
adminuser=admin@DOMAIN1
adminpassword=#com.ghc.1!b2b312954AC84469E34BA2E5
domain=DOMAIN1
searchBase=OU\=Testing,DC\=DOMAIN1,DC\=domain
userSearchBase=DC\=DOMAIN1,DC\=domain
allGroupsFilter=(objectClass\=group)
groupMappings=MyCompanyEmployees\=user,MyCompanySysadmins\=admin,MyCompanySysadmins\=user,

Example with two configurations, with every property of the second configuration set explicitly:

credentialsStore=ACTIVEDIRECTORY
url=ldap\://ad.mycompany.example.com
adminuser=admin@DOMAIN1
adminpassword=#com.ghc.1!b2b312954AC84469E34BA2E5
domain=DOMAIN1
searchBase=OU\=Testing,DC\=DOMAIN1,DC\=domain
userSearchBase=DC\=DOMAIN1,DC\=domain
allGroupsFilter=(objectClass\=group)
groupMappings=MyCompanyEmployees\=user,MyCompanySysadmins\=admin,MyCompanySysadmins\=user,
url.1=ldap\://ad.mycompany.example.com
adminuser.1=admin@DOMAIN2
adminpassword.1=#com.ghc.1!b2b312954AC84469E34BA2E5
domain.1=DOMAIN2
searchBase.1=OU\=Testing,DC\=DOMAIN2,DC\=domain
userSearchBase.1=DC\=DOMAIN2,DC\=domain
allGroupsFilter.1=(objectClass\=group)
groupMappings.1=MyCompanyEmployees\=user,MyCompanySysadmins\=admin,MyCompanySysadmins\=user,

Example with two configurations, where the second sets only domain.1 and the omitted properties default to the values of the first configuration:

credentialsStore=ACTIVEDIRECTORY
url=ldap\://ad.mycompany.example.com
adminuser=admin@DOMAIN1
adminpassword=#com.ghc.1!b2b312954AC84469E34BA2E5
domain=DOMAIN1
searchBase=OU\=Testing,DC\=DOMAIN1,DC\=domain
userSearchBase=DC\=DOMAIN1,DC\=domain
allGroupsFilter=(objectClass\=group)
groupMappings=MyCompanyEmployees\=user,MyCompanySysadmins\=admin,MyCompanySysadmins\=user,
domain.1=DOMAIN2
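
The escaping, suffix and domain rules described above can be checked before a hand-edited file is put in place. The following Python linter is an added example, not IBM's code or part of the original page: it parses security.config text, groups properties by numeric suffix, and reports configurations with no domain, a repeated domain, or an adminpassword that is not in obfuscated form. The `#com.ghc.1!` prefix test and the decision not to inherit `domain` are assumptions drawn from the page's sample value and wording; the function names and sample input are constructed.

```python
import re
OBFUSCATED_PREFIX = "#com.ghc.1!"  # assumption: prefix of the page's sample value
PER_CONFIG = {"url", "adminuser", "adminpassword", "domain", "searchBase",
              "userSearchBase", "allGroupsFilter", "groupMappings"}
# Constructed sample: plaintext password (.1), no domain (.2), duplicate domain (.3).
SAMPLE = r"""credentialsStore=ACTIVEDIRECTORY
url=ldap\://ad.mycompany.example.com
adminpassword=#com.ghc.1!b2b312954AC84469E34BA2E5
domain=DOMAIN1
domain.1=DOMAIN2
adminpassword.1=PlainTextSecret
url.2=ldap\://other.mycompany.example.com
domain.3=DOMAIN1"""

def parse_properties(text):
    # Split on the first unescaped separator, then undo backslash escapes.
    # Line continuations and \n-style escapes are not handled.
    props = {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:\s]\s*(.*)", line)
        if m and line[0] not in "#!":  # '#' and '!' start comment lines
            key, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            props[key] = value
    return props

def configurations(props):
    # Group per-configuration properties by numeric suffix (none means config 0).
    configs = {}
    for key, value in props.items():
        name, _, idx = key.partition(".")
        if name in PER_CONFIG and (idx == "" or idx.isdigit()):
            configs.setdefault(int(idx or 0), {})[name] = value
    # Omitted properties default to config 0; assumption: domain is never inherited.
    base = {k: v for k, v in configs.get(0, {}).items() if k != "domain"}
    return {i: {**base, **configs[i]} for i in sorted(configs)}

def audit(text):
    props, findings, seen = parse_properties(text), [], {}
    if props.get("credentialsStore") != "ACTIVEDIRECTORY":
        findings.append("credentialsStore is not ACTIVEDIRECTORY")
    for idx, cfg in configurations(props).items():
        domain, pw = cfg.get("domain"), cfg.get("adminpassword", "")
        if not domain:
            findings.append(f"config {idx}: no domain, configuration is ignored")
            continue
        if seen.setdefault(domain, idx) != idx:
            findings.append(f"config {idx}: domain {domain} already used by config {seen[domain]}")
        if not pw.startswith(OBFUSCATED_PREFIX):
            findings.append(f"config {idx}: adminpassword not in obfuscated form")
    return findings
```

Run `audit()` on the file's text as part of change review; an empty list means none of the three conditions were found.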