HP SIM 5.2 or greater and HP Select Access (408295-004, January 2009)

Configuration
In HP Select Access, add a User Location for the same Windows domain used for HP SIM. Log in to the HP Select Access Policy Builder. From the menu, select Tools > User Location Configuration to add a user location in the User location name field. Specify the Windows domain controller as the directory server. Port 389 is the standard port for LDAP, and port 636 is the standard port for LDAP using SSL, which ensures the communication is encrypted over the network. Specify an account and password that can read and write data on the directory server, such as a domain administrator account. Click Browse to locate the user tree on the directory server. For example, cn=users, dc=hp, dc=com.
Figure 2: HP Select Access New User Location screen
After you create the user location for the Windows domain, you can add it to an Authentication Server in HP Select Access by selecting Tools > Authentication Servers. Select either Password or NTLM as the authentication method. You can use Known Users as the location for user lookups, or a specific user location.
The Authentication Server can now be used for authentication with other HP Select Access-protected products (not HP SIM), specifying the same Windows user group used for HP SIM. As an example, consider Microsoft Internet Information Services (IIS), for which HP Select Access provides an enforcer plug-in. After configuring a resource for the IIS server, you could enable Select ID using the Authentication Server created above. Using the Policy Matrix, you can then create a policy to enable access to the IIS resource for the Windows user group (available under the user location created for the Windows domain). Because policies are inherited by default, all members of the user group inherit the allow access policy.
Creating new users and groups
Using the HP Select Access Policy Builder, you can create or modify users and user groups. These users and user groups are available for use by HP SIM because these changes are made directly on the directory server, for example, the Windows domain.