Configuring External Policy

Policy settings can be applied to an existing LDAP (or other external) directory and then enabled for use with an HPCA environment.

When using an external policy store, the default behavior in the Core CSDB is:

Implementing an External Policy Store

The policy configuration default values for an external policy store are set to connect to an LDAP directory, and manage policies using the fully qualified domain name of the HPCA agent-managed machines. To manage policies using different parameters, adjust the ZMTHPRMS attribute in the LDAP_RESOLVE method, as discussed in "To implement an external LDAP policy store".

By default, configuring the Core for an external directory service results in the Portal also being configured to use (for policy) the same external directory service. The external directory service connection is derived from the Base DN.

To implement an external LDAP policy store:

  1. Configure the Core so that the Policy service can connect to the external directory service that is used for policy.
  2. Enable and configure full-service Satellites to connect to the external directory service.
  3. Use the LDIF file that was generated on the Policy page of the Core Console (and which contains the schema changes) to modify your directory schema so that the HPCA policy settings are used.

    The command to back up an existing LDAP directory is:

    LDIFDE -f OutputFileName

    The command to update the external directory service is:

    LDIFDE -i -f HPCAExtensions.ldif -v

    Note: The LDIFDE command is applicable to Windows server platforms only. For additional information, see the Microsoft Knowledge Base article, Using LDIFDE to import and export directory objects to Active Directory.

    For more information, see the HP Client Automation Enterprise Policy Server Reference Guide.

  4. If necessary, modify the LDAP_RESOLVE method in the PRIMARY.SYSTEM.ZMETHOD Class of the Core Configuration Server Database.

    By default, the CSDB is preconfigured to use the LDAP_RESOLVE method and manage policies by the fully qualified domain name of the machine. The ZMTHPRMS attribute defines this:

    ZMTHPRMS = ldap:\\\<ADINFO.COMPDN>>

    This requires that the machine be a member of the domain that corresponds to the directory in which policy has been defined. If the machine is not a member of the domain, ADINFO.COMPDN will be blank.

    1. Adjust the ZMTHPRMS value to manage policy using a different value. To do this, see Configuring the LDAP Method in the HP Client Automation Enterprise Policy Server Reference Guide.
    2. IMPORTANT: If you adjust the ZMTHPRMS value in the Core CSDB, always perform a synchronization with the Satellite to bring down the new value to each Satellite that is enabled for Configuration and Policy.

Following Policy Server configuration, use the Management tab to add, administer, and query the policy entitlements in your LDAP policy store.
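
Before running the schema import in step 3, it helps to list what the LDIF file will change in the directory. The following Python code is an added example, not HP's code and not part of the original page: it parses LDIF text and flags records that fall outside the schema naming context or that delete or rename objects. The sample LDIF, its object names, and the function names are constructed for illustration and do not reflect the actual contents of HPCAExtensions.ldif.

```python
import base64
import re

SCHEMA_NC = "cn=schema,cn=configuration,"  # prefix of the AD schema naming context
# Constructed sample for illustration; NOT the contents of HPCAExtensions.ldif.
SAMPLE = """\
dn: CN=example-Policy,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: examplePolicy
-

dn: CN=Some User,OU=Staff,
 DC=example,DC=com
changetype: delete
"""

def parse_ldif(text):
    """Yield one dict per LDIF record: lowercased attribute -> list of values."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text):               # blank line ends a record
        rec = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#") or line.strip() == "-":
                continue                                   # comment or separator
            attr, _, val = line.partition(":")
            if val.startswith(":"):                        # "attr:: v" is base64
                val = base64.b64decode(val[1:]).decode("utf-8", "replace")
            rec.setdefault(attr.strip().lower(), []).append(val.strip())
        if rec:
            yield rec

def review(text):
    """Return (dn, action, warnings) for every record in the LDIF text."""
    out = []
    for rec in parse_ldif(text):
        dn = rec.get("dn", [""])[0]
        change = rec.get("changetype", ["add"])[0].lower()
        classes = [c.lower() for c in rec.get("objectclass", [])]
        kind = next((c for c in classes if c in ("attributeschema", "classschema")), "object")
        checks = [(dn and SCHEMA_NC not in dn.lower().replace(", ", ","),
                   "outside schema naming context"),
                  (change in ("delete", "moddn", "modrdn"),
                   "non-additive change: " + change)]
        out.append((dn, change + " " + kind, [m for hit, m in checks if hit]))
    return out
```

To review a real file, read it into a string and pass it to review(); any record that carries a warning deserves a closer look before the import is run.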


© 2003 - 2012 Hewlett-Packard Development Company, L.P.