
Active Directory on Win 2003 server

Started by rogersm, 11 Jan 2006 12:56:39 PM


rogersm

Hi,

I want to use our Active Directory Server for authentication for ReportNet (V1.1 MR2) and PPES (Series 7 V3 MR2). I believe that PPES needs to have the AD schema extended and ReportNet can use either the extended schema or the existing one (apologies if the terminology isn't right).

I also know that on WIN 2003 server, I need to set the dsHeuristics value to 0000000 to allow Anonymous Binding when I extend the schema.

My Ops guys are a little wary about leaving this dsheuristics value set to allow Anonymous binding so once I've extended the schema successfully using Configuration Manager, can we just set it back to the original setting of 0000002 or will this stop the Cognos components from communicating?

Also, are my Ops guys being over cautious - are the implications of allowing Anonymous binding significant?

Thanks for any help

Matt
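
For the dsHeuristics question in the post above, an added example (not written by any poster in this thread, and not Cognos code) that audits a dSHeuristics value read from the directory, for instance with ADSI Edit. It follows Microsoft's documented meaning of the attribute, in which a seventh character of 2 permits anonymous LDAP operations and any other value, or an unset attribute, blocks them; the function names and sample values are constructed for illustration.

```python
"""Audit helper for the Active Directory dSHeuristics attribute (added example)."""

ANON_OPS_POS = 7                    # 7th character: fLDAPBlockAnonOps
CHECKPOINTS = {10: "1", 20: "2"}    # fixed marker characters in longer values


def char_at(value, pos):
    """Return the 1-based character of value, or '0' when unset or too short."""
    return value[pos - 1] if value and len(value) >= pos else "0"


def anonymous_ops_allowed(value):
    """True when anonymous LDAP operations beyond rootDSE searches are permitted."""
    return char_at(value, ANON_OPS_POS) == "2"


def malformed_checkpoints(value):
    """List the checkpoint positions whose marker character is wrong."""
    value = value or ""
    return [p for p, c in sorted(CHECKPOINTS.items())
            if len(value) >= p and value[p - 1] != c]


def with_anonymous_ops_blocked(value):
    """Return value with only the 7th character reset; other flags are preserved."""
    if not anonymous_ops_allowed(value):
        return value                # nothing to change (value may be None)
    chars = list(value)
    chars[ANON_OPS_POS - 1] = "0"
    return "".join(chars)


def audit(value):
    """Summarise one dSHeuristics value as a dict suitable for a report."""
    return {
        "value": value,
        "anonymous_ops_allowed": anonymous_ops_allowed(value),
        "malformed_checkpoints": malformed_checkpoints(value),
        "hardened_value": with_anonymous_ops_blocked(value),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for sample in (None, "0000000", "0000002", "0010002001"):
        print(audit(sample))
```

Rewriting only the seventh character keeps any other heuristics that were set for unrelated reasons, which matters when the value is restored after a temporary change.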



smiley

As from 7.3, you no longer have to write into the AD schema.

7.1: You needed to add the Cognos namespace into the existing MS AD schema. That required schema admin rights, and made people very nervous. (not used so often because of that)

7.2 MR2: Allowed the Cognos namespace in Sun One directory server to pull data from the MS AD. Still requires schema admin rights in AD, so also was not popular.

7.3 MR1: Links the Cognos namespace in Sun One directory server to the MS AD (called external user linking). No longer requires schema admin, so AD administrators can relax a bit. The Cognos Sun One Directory Server is still in the picture.
(requires the Sun ONE to be at version 5.2 which comes with 7.3, and the Cognos accman from 7.3)

8.0: Direct AD user linking using impersonation technology; i.e. a valid AD user account is used for the polling of users and groups. Sun One is out of the picture. (this is already present in the current 1.1 ReportNet technology)

rogersm

Thanks Smiley,

Are you saying that for PPES 7.3 MR2 I have to use Sun ONE Directory Server to link through to AD?  I really don't want to use Sun ONE if possible and the documentation seems to indicate that I can use either Sun ONE or AD so I'm a little confused

Also I thought External User support is when you are using the Access Manager namespace (based on either Sun ONE or AD) but also need to access authentication info from a secondary namespace as well?

Any thoughts on the need to keep the dsheuristics setting?

Thanks again

Matt

cognosfreelancer

We use PPES 7.3 with ReportNet 1.1 MR2 on a Microsoft Active Directory Service with single signon enabled. All this on a Windows 2003 server.

You do not need a separate authentication process for logging into Powerplay Web nor do you need a separate LDAP directory as an intermediary.

We integrated both. Powerplay metadata is now stored in the content store along with ReportNet metadata.

Never had to deal with dsHeuristics ...

HTH
NKT

rogersm

Thanks Cognosfreelancer

I'm happier now you say you've done this - according to Cognos documentation, the dsheuristics setting is only if you have AD on Win 2003 server so maybe that's the reason you didn't have to deal with it?

Didn't know you could store PowerPlay metadata in the ReportNet Content Store though - how does that work?  Surely the PowerPlay metadata is the transformer model - unless I'm getting my terminologies mixed up?

Thanks again

Matt

smiley

Quote from: rogersm on 12 Jan 2006 08:19:20 AM
Are you saying that for PPES 7.3 MR2 I have to use Sun ONE Directory Server to link through to AD? I really don't want to use Sun ONE if possible and the documentation seems to indicate that I can use either Sun ONE or AD so I'm a little confused

Sorry for this. I was focussing on the non schema admin rights part too much. If that is no problem, you can still use the old way, by writing directly into the AD schema (skipping the Sun One). That is what they mean in the manuals.

cognosfreelancer

It was a little tricky to get the OS signon working.

I would recommend that you use AD rather than LDAP. Performance was better with the former.

What I meant by Powerplay metadata was that when Powerplay reports are published to CRN, the metadata about the published reports is now stored in the content store instead of on the file system of the PPES server.

NKT