Configuring LDAP group lookup for an Analyzer or a Collector
Unlike the authentication-only approach, where you must specify the user roles, implementing LDAP authentication and authorization lets you assign different access levels to groups of users registered on the LDAP server.
To perform this procedure, you must have Administrator-level access, or higher.
To configure LDAP group lookup for an Analyzer or a Collector
On the Administration page of the Real User Analyzer or Real User Collector, select General Settings > Accounts and LDAP management, and select the LDAP settings view.
In the LDAP group lookup for authorization section, add information to enable the Analyzer or Collector to look up users that are registered on the LDAP server:
- In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory. An LDAP directory is arranged in tree fashion, with a root and branches off this root. The base DN indicates at which node to start the search.
- In the Filter box, enter the query string that will return the records that you want to see.
- In the Filter Scope list, select the starting point of a search and the depth from the base DN to which the search should occur:
  - Subtree searches all entries at all levels under and including the specified base DN.
  - One Level searches all entries that are one level under the base DN (excludes the base DN).
  - Base searches only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
- In the Group name attribute box, enter an LDAP group attribute that the group uses for the lookup — for example cn. It can be any attribute configured on the LDAP server.
- In the Member attribute box, enter the name of the member attribute that contains the list of users in the group.
- (Optional) Click Test lookup.
If the server and lookup are configured correctly, a list of LDAP groups appears in a new window.
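The following added example (not part of the product documentation or the product's own code) models how the Base DN, Filter Scope, Group name attribute, and Member attribute settings together decide which groups a lookup returns, using a constructed in-memory directory. The DNs, group names, the `lookup_groups` helper, and the reduction of the filter to a single equality test are assumptions made for illustration.

```python
# Constructed sample directory; DNs and group names are illustrative only.
BASE = "ou=groups,dc=example,dc=com"
DIRECTORY = {
    BASE: {"objectClass": ["organizationalUnit"]},
    "cn=rum-admins," + BASE: {
        "objectClass": ["groupOfNames"], "cn": ["rum-admins"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=rum-viewers," + BASE: {
        "objectClass": ["groupOfNames"], "cn": ["rum-viewers"],
        "member": ["uid=bob,ou=people,dc=example,dc=com",
                   "uid=carol,ou=people,dc=example,dc=com"]},
    "cn=contractors,ou=external," + BASE: {
        "objectClass": ["groupOfNames"], "cn": ["contractors"],
        "member": ["uid=dave,ou=people,dc=example,dc=com"]},
}

def parse_dn(dn):
    """Split a DN into lowercase RDNs (sample DNs contain no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """Apply Subtree / One Level / Base semantics relative to the base DN."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)      # levels below the base DN
    if depth < 0 or entry[depth:] != base:
        return False                    # not at or under the base DN
    if scope == "base":
        return depth == 0
    if scope == "one_level":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope: {scope}")

def lookup_groups(base_dn, scope, name_attr, member_attr,
                  filter_attr="objectClass", filter_value="groupOfNames"):
    """Return {group name: [member DNs]} for entries that match scope and filter.
    The filter is reduced to one equality test (an assumption for this sketch)."""
    groups = {}
    for dn, attrs in DIRECTORY.items():
        if in_scope(dn, base_dn, scope) and filter_value in attrs.get(filter_attr, []):
            for name in attrs.get(name_attr, []):
                groups[name] = list(attrs.get(member_attr, []))
    return groups

if __name__ == "__main__":
    for scope in ("subtree", "one_level", "base"):
        print(scope, sorted(lookup_groups(BASE, scope, "cn", "member")))
```

In this sample, Subtree also returns the contractors group from a nested branch, while One Level does not. The narrowest base DN and scope that still covers the intended groups keeps unrelated groups out of role mapping.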
Where to go from here
Unless you map LDAP groups to system roles, all users are logged in with the permission defined as the catch-all role. To enable users to log on with roles mapped to their LDAP groups or to define the catch-all role, see Configuring role-mapping rules for an Analyzer or a Collector.