This documentation applies to the 8.1 version of Remedy Action Request System, which is in "End of Version Support."


Configuring the AREA LDAP plug-in

To configure the AREA LDAP plug-in, use the AREA LDAP Configuration form in the AR System Administration Console. The settings you specify in the form are saved in the ar.cfg or ar.conf file. BMC Remedy AR System supports multiple AREA LDAP configurations.

Note

The form is added to your system when you install the plug-in. If you did not install the plug-in during installation of the AR System server, you can install it by rerunning the AR System server installer and selecting the AREA LDAP plug-in installation option. See the Installing section.


Before configuring the AREA LDAP plug-in, set up user and group information in an LDAP directory service. Then, use the following procedure to enter the settings into the AREA LDAP Configuration form.

To configure settings for the AREA LDAP plug-in

  1. In the AR System Administration Console, click System > LDAP > AREA Configuration.
    The AREA LDAP Configuration form appears.

    AREA LDAP configuration form

    If any AREA LDAP adapters are configured for your AR System server, they are displayed in the Configuration List at the top of the form. When BMC Remedy AR System attempts to authenticate a user, it searches each LDAP adapter configuration in the list.
  2. In the Configuration List, perform one of these actions:
    • To create a configuration, click Clear Fields. All fields in the form are cleared.
    • To modify a configuration, select it in the list. The fields in the form are populated with data from that configuration.
  3. In the Directory Service Information section, fill in (for new configuration) or change (for modified configuration) the values in these fields:
    • Host Name — Name of one or more servers on which the directory service is hosted.
    • Port Number — Number of the port on which the directory service is listening.
    • Bind User — Distinguished name for this configuration. The distinguished name is the name for a user account that has read permissions and can search the directory service for user objects.
    • Bind Password — Password for the distinguished name specified for the Bind user.
    • Use Secure Socket Layer? — Yes/No toggle field. To specify an SSL connection to the directory service, select Yes to enable the Certificate Database field.
    • Certificate Database — Name of the directory containing the certificate database file.
    • Failover Timeout — Number of seconds in which the directory service must respond to the plug-in server before an error is returned. Minimum value is 0 (connection must be made immediately). This value cannot be higher than the value of the External-Authentication-RPC-Timeout parameter.
    • Chase Referral — Yes/No toggle field. When the AREA LDAP plug-in sends a request to a directory server, the server might return a referral to the plug-in if some or all of the requested information is stored in another server. Attempting to chase the referral by connecting to the other server can cause authentication problems. By default, referrals are not chased. Yes enables automatic referral chasing by the LDAP client. No prevents referral chasing.

      Note

      This option is only for Microsoft Active Directory servers. Select No for all other directory servers.

      Important

      BMC Remedy AR System does not support referrals that use a domain name rather than a host name as a reference. When Active Directory automatically configures referrals (such as when a trust or parent/child domain relationship is created), it uses a domain name in the referral. Therefore, such referrals do not work in BMC Remedy AR System even when Chase Referral is set to Yes.

      For more information, see AREA-LDAP-Chase-Referral and AREA-LDAP-Disable-Referral in ar.cfg or ar.conf options A-B.

  4. In the User and Group Information section, fill in or change the values in these fields:
    • User Base — Base name of the search for users in the directory service (for example, o=remedy.com).
    • User Search Filter — Search criteria for locating user authentication information. You can enter the following keywords in this field. At run time, the keywords are replaced by the values they represent.
      $\USER$ — Name of the user logging in (for example, uid=$\USER$).
      $\DN$ — Distinguished name of the user logging in.
      $\AUTHSTRING$ — Value users enter in the Authentication String field when they log in.
      $\NETWORKADDR$ — IP address of the AR System client accessing the AR System server.
    • Group Membership — If this user belongs to a group, select Group Container; otherwise, select None. When None is selected, the Group Base, Group Search Filter, and Default Group(s) fields are disabled.
    • Group Base — Base name of the search for groups in the directory service that includes the user who is logging in (for example, ou=Groups). BMC Remedy AR System performs a subtree search within the group you specify.
    • Group Search Filter — Search criteria for locating the groups to which the user belongs. For the user's distinguished name, enter the keyword $\DN$ (for example, uniqueMember=$\DN$). At run time, $\DN$ is replaced with the distinguished name.
    • Default Group(s) — If the search finds no matching groups, the group specified in this field is used.
  5. In the Defaults and Mapping Attributes to User Information section, perform these actions:
    1. In the LDAP Attribute Name column, enter the corresponding LDAP attribute names for the following AR System fields.
    2. In the Default Value If Not Found In LDAP column, select or enter a default value for each field if no value is found in the directory service.
      • License Mask — Number for the license mask. The license mask specifies whether the AREA plug-in overrides existing information from the User form for write and reserved licenses. It also specifies which license types are overridden by the value returned by the plug-in. Use a number from the following table. An X in a license type column means that the value returned from the plug-in overrides that license in the User form for the specified user.

        License mask number   Overridden license types
                              Application   FTS   Reserved   Write
        0                     -             -     -          -
        1                     -             -     -          X
        2                     -             X     -          -
        3                     -             X     -          X
        4                     -             -     X          -
        5                     -             -     X          X
        6                     -             X     X          -
        7                     -             X     X          X
        8                     X             -     -          -
        9                     X             -     -          X
        10                    X             X     -          -
        11                    X             X     -          X
        12                    X             -     X          -
        13                    X             -     X          X
        14                    X             X     X          -
        15                    X             X     X          X
      • Write License — Type of AR System license assigned to the user (Read, Floating, or Restricted Read).
      • Full Text Search License — Type of FTS license assigned to the user.
      • Reserved License — License type to select for a reserved license.
      • Application License — Name of the application license granted to the user.
      • Email Address — Default email address for notifications sent to the user.
      • Default Notification Mechanism — Notification method used in your environment (none, alert, email, or default).
      • Roles List — Name of the LDAP attribute that lists the user roles. For example, the roledn attribute contains role definitions for some LDAP systems. Add any default roles to the Default Value If Not Found In LDAP field.
  6. Click Save Current Configuration.
    The system updates the ar.cfg or ar.conf files with the parameters you specified in this form.
  7. (optional) To change the order in which BMC Remedy AR System searches the listed configurations when attempting to authenticate a user, do this:
    1. In the Configuration List, select the appropriate configuration.
    2. Click one of these buttons:
      • Decrease Order — Moves the selected configuration down in the authentication attempt order.
      • Increase Order — Moves the selected configuration up in the authentication attempt order.

        Note

        For the changes to take effect, restart your AR System server.

        Note

        You can add multiple configurations for the AREA LDAP plug-in. The AREA LDAP plug-in tries to connect to each of the configurations as per the order specified until the authentication is successful. You can change the authentication attempt order of the configurations by clicking Decrease Order or Increase Order on the AREA LDAP Configuration form.
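
The following check restates the constraints from the procedure above so that a configuration can be reviewed before it is saved. It is an added example, not BMC code. The dictionary keys are hypothetical (they are not ar.cfg parameter names), the SSL and $\USER$ findings are reviewer rules rather than rules stated on this page, and the RFC 4515 escaping is the example's own choice, because this page does not say how the plug-in treats special characters in substituted values.

```python
import re

# Keywords the page lists for the search filter fields.
KEYWORDS = ("USER", "DN", "AUTHSTRING", "NETWORKADDR")
TOKEN = re.compile(r"\$\\(%s)\$" % "|".join(KEYWORDS))
# License mask bits read from the page's table, in its column order.
MASK_BITS = {8: "Application", 2: "FTS", 4: "Reserved", 1: "Write"}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_filter(template, values):
    """Substitute $\\KEYWORD$ tokens with escaped run-time values."""
    return TOKEN.sub(lambda m: escape_filter_value(values[m.group(1)]), template)

def overridden_licenses(mask):
    """Decode a license mask number (0-15) into the license types it overrides."""
    if not 0 <= mask <= 15:
        raise ValueError("license mask must be between 0 and 15")
    return [name for bit, name in MASK_BITS.items() if mask & bit]

def review(cfg, rpc_timeout):
    """Return findings for one configuration (keys are hypothetical names)."""
    findings = []
    if not 0 <= cfg["failover_timeout"] <= rpc_timeout:
        findings.append("Failover Timeout outside 0..External-Authentication-RPC-Timeout")
    if not cfg["use_ssl"]:
        findings.append("SSL is off: traffic to the directory service is unencrypted")
    elif not cfg.get("certificate_database"):
        findings.append("SSL is on but Certificate Database is empty")
    if cfg["chase_referral"] and not cfg["active_directory"]:
        findings.append("Chase Referral must be No for non-Active Directory servers")
    if "$\\USER$" not in cfg["user_search_filter"]:
        findings.append("User Search Filter does not reference $\\USER$")
    return findings

# Constructed sample configuration, mirroring the form's fields.
SAMPLE = {
    "failover_timeout": 60, "use_ssl": False, "chase_referral": True,
    "active_directory": False, "user_search_filter": "uid=$\\USER$",
}

if __name__ == "__main__":
    for finding in review(SAMPLE, rpc_timeout=40):
        print("FINDING:", finding)
    print(expand_filter(SAMPLE["user_search_filter"], {"USER": "j*(doe)"}))
    print(overridden_licenses(5))
```
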

To delete configurations for the AREA LDAP plug-in

  1. In the AR System Administration Console, click System > LDAP > AREA Configuration.
    The AREA LDAP Configuration form appears.
  2. In the Configuration List, select the configuration to delete.
  3. Click Delete Configuration.
    The system removes the corresponding parameters from the ar.cfg or ar.conf files.

    Note

    For the changes to take effect, restart your AR System server.

    Important

    BMC Atrium Single Sign-On provides a solution for Authentication and Authorization. However, using BMC Atrium Single Sign-On is not mandatory for LDAP authentication.


Comments

  1. Sameer Alomari

    Hi,

    Just 1 question, please.

    Suppose I want my users to be authenticated from LDAP.

    Is the above configuration enough without using SSO?

    Is SSO a must for LDAP authentication, or can the EA tab in Remedy do the job?

    Regards,

    Apr 28, 2015 02:11
    1. Chinmay Gadre

      Hello,

      I will check this with the SME and get back to you as soon as possible.

      Thanks & Regards,

      Chinmay 

      Apr 28, 2015 02:57
  2. Chinmay Gadre

    Hello Sameer,

    SSO provides a full-fledged solution to address all types of Authentication and Authorization tasks. However, using SSO is not mandatory for LDAP authentication. So, you can authenticate your users using AREA-LDAP plugin. Hope this completely answers your query.

    Thanks & Regards,

    Chinmay

    Apr 29, 2015 04:51
  3. Muhamad Djunaedi

    Hi,

    Say you want to update the password used to access the LDAP. After updating the password field in AREA LDAP Config Form, do you still need to restart the AR server?

    Thanks,

    Djunaedi

    Aug 28, 2015 03:25
    1. Poonam Morti

      Hi,

      We need to restart the AR server after updating the password field in the AREA LDAP Config Form.

      Or at least we need to kill the main Java Plugin Server process, if the restart is not possible at that point.

      Thanks,

      Poonam

      Aug 31, 2015 01:05
  4. Vikas Bohra

    Hello,

    I have AREA LDAP authentication like above already working.

    Now I have integrated Atrium SSO with AR Server and the current LDAP based authentication has stopped working.

    I want to set up SAML-based authentication in ASSO if we are using the public URL (LB URL) for Midtier.

    For the internal users of the same Midtier using the internal URL, I still want it to authenticate them using the AREA LDAP config above or LDAP authentication.

    How do we achieve this, and where exactly and what do we need to configure?

    Thanks & Regards,

    Vikas Bohra

    May 20, 2018 12:52
    1. Onkar Telkikar

      Hello Vikas,

      Apologies for the delay in responding to your questions.

      What you are trying to achieve is not possible using Atrium SSO 8.1. When you are using an external URL, you will need to use SAML-based authentication. On the other hand, when you are using an internal URL, you will need to use LDAP-based authentication.

      Please note that Atrium SSO is currently deprecated. You can use a feature in Remedy SSO where you can authenticate an external URL via SAML and authenticate an external URL with a bypass option via AR authentication.

      For more information, see Remedy Single Sign-On 19.08 documentation.

      Regards,
      Onkar

      Sep 18, 2019 04:57
  5. Servicio Cliente

    Could you help me with a question? Does this have a profile limit? Or can I configure the number of profiles I want?

    Nov 30, 2018 04:03
    1. Anagha Deshpande

      Hello Servicio,

      We are working on your query. We will respond soon.

      Regards,

      Anagha


      Dec 02, 2018 09:15
      1. Onkar Telkikar

        Hello Servicio,

        Apologies for the delayed response.

        There is no profile limit. You can configure any number of profiles.

        Regards,
        Onkar

        Sep 17, 2019 05:05
  6. Deepak S

    For the User Base, can we use multiple values using a separator? For example, I have a requirement to query 2 user bases in the same LDAP server: OU=Users,OU=ABC,DC=iit,DC=remedy,DC=com and OU=Users,OU=XYZ,DC=iit,DC=remedy,DC=com

    Feb 05, 2019 05:09
    1. Anagha Deshpande

      Hello Deepak,

      We are checking on your query. We will provide an update shortly.

      Regards,

      Anagha

      Feb 05, 2019 09:40
      1. Onkar Telkikar

        Hello Deepak,

        Apologies for the delayed response.

        Multiple values for a user base are not supported.

        Regards,
        Onkar

        Sep 17, 2019 05:11
  7. Suresh Mayampully

    Can we configure multiple domains through AREA LDAP for SSO authentication? Any documentation on how to do this? Thanks, Suresh.

    Aug 08, 2019 12:41
    1. Onkar Telkikar

      Hello Suresh,

      We are working on your query. We will get back to you on this shortly.

      Thanks,
      Onkar

      Sep 17, 2019 11:06
      1. Onkar Telkikar

        Hello Suresh,

        Please let us know if your question is for Atrium SSO 8.1 or for Remedy SSO 9.1.

        Regards,
        Onkar

        Sep 18, 2019 05:08