Synchronizing users with LDAP servers
Most large organizations rely on external systems such as LDAP servers to manage user accounts. BMC Server Automation lets you synchronize users maintained in specific LDAP groups with users in the RBAC database by mapping one or more LDAP groups and subgroups to an RBAC role.
By performing the synchronization through the BLCLI, you can synchronize with either Active Directory or LDAP and you can enable users for any authentication type. If you perform the synchronization through the BMC Server Automation UI, you can synchronize users only with Active Directory, because the created users are enabled only for Domain Authentication or ADK Authentication.
When you synchronize users, they are added to the RBAC user database and assigned to a role. You can reassign users to different roles as needed.
Before you begin
This procedure is typically performed by the RBACAdmins user. To perform this procedure using a role with a minimal set of authorizations, see Minimum authorizations for synchronizing users.
Before you perform this procedure, you can specify whether existing users should be subject to synchronization by setting the User participates in directory synchronization option in the New User wizard. For more information, see User - General Information.
If you plan to synchronize LDAP user information regularly, you may want to perform that task using the syncUsers BLCLI command instead of this procedure. Using this BLCLI command, you can also optionally specify the authentication type if you want the synchronized RBAC users to be enabled for authentication using an authentication type other than the default Active Directory authentication. This enables you to perform user synchronization on a wide range of LDAP server types. This capability is available only through the CLI, and not through the UI.
RBACRole syncUsers <roleName> <authenticationType>
Similarly, if you want user names appended with a suffix that differs from the default @domainName defined for RBAC users (for example, @differentDomainName or @dnsName), use the syncUsersWithNameSuffix BLCLI command to specify the user name suffix. This capability is available only through the CLI, and not through the UI.
RBACRole syncUsersWithNameSuffix <roleName> <userNameSuffix>
For more complex synchronizations with Active Directory (for example, if you want to synchronize users in groups that contain members from multiple domains), you can use the syncUsersWithAd BLCLI command.
RBACRole syncUsersWithAd <roleName> <domainServer> <groupDN> <userAttributeFlag> <operation> <userNameSuffix>
To synchronize users
- Ensure that the LDAP server has a certificate installed for secure LDAP communication.
- Create an automation principal that represents the credentials required to access the LDAP server.
For more information about creating an automation principal, see Creating automation principals.
When defining an automation principal, the value you set for Principal ID must be a user's distinguished name for a privileged directory user. For example, you might enter
When defining an automation principal, the Domain field is ignored. You must provide a passphrase for the directory user.
- Set up an LDAP connection to use to connect to the LDAP server.
To set up an LDAP connection, you must have the host name or IP address of the LDAP server and a certificate that can be used to validate the certificate of the LDAP server. For example, if the server MyLDAPServer.mycompany.domain.com hosts the LDAP server, enter MyLDAPServer.mycompany.domain.com as the name of the server. Browse to the certificate file that contains either the certificate for MyLDAPServer.mycompany.domain.com or the CA certificate that signed it.
The procedure for setting up an LDAP connection is described in Creating an LDAP connection.
The procedure for obtaining a certificate is described in Obtaining a certificate used to trust the LDAP server.
- Set up an LDAP query for the groups and users that must be queried and ultimately registered in RBAC.
You must set up at least two queries: one for identifying an LDAP group and another for identifying LDAP users. For example, if the LDAP server has a group called LDAPsyncTestGroup in the OU Test, you must determine the distinguished name of this group and enter it as the Base Distinguished Name of the LDAP query. Set Attribute equal to member and Filter equal to objectClass=group. For the user query, set Attribute equal to userPrincipalName. Leave Base Distinguished Name and Filter set to their default values, or set Filter to objectClass=user for a faster search.
The process for setting up LDAP queries is described in Creating an LDAP query.
- Create the RBAC role that should be synchronized with an LDAP group if the role does not already exist, and associate an automation principal, an LDAP connection, and the LDAP group and user queries with the role.
The process of mapping these values to a role is described in Role - Group Mappings.
- In the RBAC Manager folder, select Roles and then select the role to which you have mapped an LDAP connection and LDAP queries (that is, the role set up in step 5).
- Right-click and select Synchronize.
The synchronization process begins. Users in the LDAP registry are added to the RBAC database and assigned to this role. Depending on how you have set up the Group Mappings options for the role, any existing users can be deleted, disabled, or removed from the role.
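The following is an added example, not BMC code, that models offline what the group query, the user query, the user name suffix (syncUsersWithNameSuffix) and the Group Mappings handling of existing users combine to do during a synchronization. The directory data is constructed; the role name, the user names, the rule that an RBAC user name is the local part of the userPrincipalName plus the suffix, and the three stale-user actions (delete, disable, remove from role) are assumptions used for illustration. It also shows the edge case that motivates syncUsersWithAd: a group member from another domain that the single-domain user query cannot resolve.

```python
"""Offline model of LDAP-to-RBAC user synchronization (added example, not BMC code)."""
from dataclasses import dataclass

# Constructed result of the group query (Base DN = group DN, Attribute = member,
# Filter = objectClass=group): the member DNs of the group.
GROUP_DN = "CN=LDAPsyncTestGroup,OU=Test,DC=mycompany,DC=domain,DC=com"
GROUP_MEMBERS = [
    "CN=Alice Adams,OU=Test,DC=mycompany,DC=domain,DC=com",
    "cn=bob baker, ou=Test, dc=mycompany, dc=domain, dc=com",  # same DN, other case/spacing
    "CN=Carol Cho,OU=Test,DC=other,DC=example,DC=com",         # member from another domain
]

# Constructed result of the user query (Attribute = userPrincipalName,
# Filter = objectClass=user): DN -> userPrincipalName.
USER_UPNS = {
    "CN=Alice Adams,OU=Test,DC=mycompany,DC=domain,DC=com": "aadams@mycompany.domain.com",
    "CN=Bob Baker,OU=Test,DC=mycompany,DC=domain,DC=com": "bbaker@mycompany.domain.com",
    "CN=Dave Diaz,OU=Test,DC=mycompany,DC=domain,DC=com": "ddiaz@mycompany.domain.com",  # not a member
}


@dataclass
class RbacUser:
    name: str
    roles: set
    participates: bool = True  # "User participates in directory synchronization"
    enabled: bool = True


def sample_rbac_users():
    """Constructed RBAC database before the sync: one user still in the group,
    one synced user who has left it, and one manually managed user."""
    return [
        RbacUser("aadams@mycompany.domain.com", {"LDAPsyncRole"}),
        RbacUser("old@mycompany.domain.com", {"LDAPsyncRole"}),
        RbacUser("manual@mycompany.domain.com", {"LDAPsyncRole"}, participates=False),
    ]


def normalize_dn(dn):
    """DN matching is case-insensitive and ignores whitespace around separators;
    comparing raw strings would miss members and create duplicate accounts."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_members(group_members, user_upns):
    """Map member DNs to UPNs via the user query; members the user query cannot
    resolve (e.g. accounts in another domain) are reported, not silently dropped."""
    by_dn = {normalize_dn(dn): upn for dn, upn in user_upns.items()}
    resolved, unresolved = [], []
    for dn in group_members:
        upn = by_dn.get(normalize_dn(dn))
        (resolved if upn else unresolved).append(upn or dn)
    return resolved, unresolved


def rbac_name(upn, suffix):
    """Assumed naming: local part of the UPN plus the suffix (default @domainName;
    syncUsersWithNameSuffix substitutes e.g. @dnsName)."""
    return upn.split("@", 1)[0].lower() + suffix


def sync_role(role, group_members, user_upns, rbac_users, suffix, stale_action):
    """stale_action models the Group Mappings option for users that participate in
    sync, hold the role, but are no longer group members: delete | disable | remove."""
    resolved, unresolved = resolve_members(group_members, user_upns)
    wanted = {rbac_name(u, suffix) for u in resolved}
    users = {u.name.lower(): u for u in rbac_users}
    added = []
    for name in sorted(wanted):
        if name in users:
            users[name].roles.add(role)
        else:
            users[name] = RbacUser(name, {role})
            added.append(name)
    stale = []
    for name, u in list(users.items()):
        if name in wanted or role not in u.roles or not u.participates:
            continue  # still a member, not in this role, or excluded from sync
        stale.append(name)
        if stale_action == "delete":
            del users[name]
        elif stale_action == "disable":
            u.enabled = False
        else:
            u.roles.discard(role)
    return {"users": users, "added": added, "stale": stale, "unresolved": unresolved}


if __name__ == "__main__":
    r = sync_role("LDAPsyncRole", GROUP_MEMBERS, USER_UPNS, sample_rbac_users(),
                  "@mycompany.domain.com", "disable")
    print("added:", r["added"], "stale:", r["stale"], "unresolved:", r["unresolved"])
```

The unresolved list is the signal that the plain group/user query pair is not enough for a multi-domain group; that is the situation in which the page points you to syncUsersWithAd. Users with participation in directory synchronization switched off are left untouched whatever the stale action is, which is why that per-user setting should be checked before relying on the sync to revoke access.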