Configuring LDAP group retrieval during authentication
You can set up your LDAP configuration in Remedy Single Sign-On to retrieve LDAP groups during authentication. This configuration enables authentication calls to retrieve user group and role details in addition to user information.
For more information about LDAP authentication in Remedy SSO, see LDAP authentication process.
To configure LDAP group retrieval in the console
- From the console, access the Realm tab.
- Click on your realm ID.
- Click Authentication.
- From the Authentication Type list, choose LDAP.
- Select Enable Group Retrieval.
- In the following optional fields, provide group retrieval details:

| Field | Description |
| --- | --- |
| Base DN for group search | Provide the starting location within the LDAP directory for performing group searches. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an object search is specified, then the Base DN should be the DN of the node containing the groups. If no value is specified, the base DN for the user search value is used. Example: CN=Groups,DC=004331dc,DC=local |
| Group Filter | Provide the filter expression to determine additional group memberships beyond primary groups (nested groups). Default: (&(objectClass=group)(CN={})) This default works for Active Directory and OpenLDAP group retrieval. If you are using a different directory service, use the filter for that service. |

- Click Save.
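
An added example (not BMC or Remedy SSO code) for sanity-checking the two optional fields before saving: it resolves the effective group base DN using the fallback rule above and renders a group filter template with RFC 4515 escaping. It assumes the `{}` placeholder is replaced by a single value at search time; the page does not describe how Remedy SSO substitutes or escapes it, and the function names and sample values are hypothetical.

```python
DEFAULT_GROUP_FILTER = "(&(objectClass=group)(CN={}))"  # default shown on this page

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def effective_group_base(group_base_dn, user_base_dn):
    """Page rule: an empty group base DN falls back to the user search base DN."""
    return group_base_dn.strip() or user_base_dn.strip()


def is_well_formed(flt):
    """Cheap syntax check: one outer pair of parentheses, all pairs balanced."""
    depth = 0
    for pos, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and pos != len(flt) - 1):
                return False
        elif depth == 0:
            return False  # text outside the outermost parentheses
    return depth == 0 and flt.startswith("(")


def render_group_filter(template, value):
    """Substitute an escaped value into the single {} placeholder (assumed semantics)."""
    if template.count("{}") != 1:
        raise ValueError("expected exactly one {} placeholder in the group filter")
    rendered = template.replace("{}", escape_filter_value(value))
    if not is_well_formed(rendered):
        raise ValueError("group filter is not well-formed: " + rendered)
    return rendered


if __name__ == "__main__":
    user_base = "DC=004331dc,DC=local"  # constructed sample value
    print(effective_group_base("", user_base))
    print(render_group_filter(DEFAULT_GROUP_FILTER, "Domain Admins"))
    # A value containing filter metacharacters stays inside the CN assertion.
    print(render_group_filter(DEFAULT_GROUP_FILTER, "x)(objectClass=*"))
```
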
Comments
For the group filter, the RSSO docs say to use: (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$DN$))
In my case, where we use a lot of nested groups, this worked much better.
Hi Stan,
I checked the RSSO docs and this filter expression works for RSSO 9.1.03 and later. This release of BAO doesn't support RSSO 9.1.03 yet.
Thanks!