LDAP is commonly used to access user or group information in a corporate directory. Using your corporate LDAP infrastructure to authenticate users can reduce the number of administrative tasks that you need to perform in BMC Atrium Discovery. LDAP groups can be mapped to BMC Atrium Discovery groups and hence assigned permissions on the system. The way in which BMC Atrium Discovery integrates with your LDAP infrastructure depends on the schema that is implemented in your organization.
If you are using LDAP authentication there is no need to set up local user accounts for LDAP users on BMC Atrium Discovery.
The following terms are used in the sections describing BMC Atrium Discovery LDAP configuration:
An example Directory Information Tree is shown below.

```
dc=tideway,dc=com
  ou=engineering
    cn=Timothy Taylor
      telephoneNumber=1234
      email=t.taylor@bmc.com
  ou=test
    cn=Sam Smith
      telephoneNumber=2345
      email=s.smith@bmc.com
  ou=product management
    cn=John Smith
      telephoneNumber=3456
      email=j.smith@bmc.com
```
When a user attempts to log in through the user interface, BMC Atrium Discovery first checks to see whether the username represents a local account. If no local account exists, and LDAP has been configured correctly, BMC Atrium Discovery attempts to authenticate against the directory and then performs an account lookup to return the group memberships of that account. If the group mappings have been enabled, and configured correctly, then authentication takes place and the user is logged in with the local BMC Atrium Discovery rights as defined in the group mapping.
The Global Catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
To configure the LDAP settings:
From the Security section of the Administration tab, select LDAP.
The LDAP page is displayed showing the LDAP tab.
The options on this page are described below:

| Field Name | Details |
|---|---|
| LDAP Support | Select Enabled or Disabled to enable or disable LDAP support for this appliance. |
| Connection Status | Displays a message regarding the status of the connection to the LDAP server. For example: |
| Server URI | The address of the LDAP server to connect to. For example: |
| LDAPS | Displays a message regarding the CA certificate and provides controls enabling you to upload, remove or replace a certificate. Many large enterprises have their own CAs that provide a root CA certificate, which allows the appliance to trust the certificate that the LDAP server presents over the network. |
| Bind Username | The user name with which to connect to the LDAP server. For example, user01@bmc.com. |
| Bind Password | The password that corresponds to the user name entered in the Bind Username field. Check the box to modify the password. |
| Bind Timeout | The length of time that the appliance waits before the login is assumed to have failed. |
| Search Base | The location in the directory from which the LDAP search begins. For example: dc=bmc,dc=com. This restricts the search to the bmc container in the directory information tree. When you are not using group mapping (see LDAP Group Mapping), any BMC Atrium Discovery group you enter must be entered in lower case. |
| Search Template | Specifies the template to use to search for the user name in the LDAP database. For example: (userPrincipalName=%(username)s) |
| Search Timeout | If no response is received from the server in this length of time, the query times out. Select a timeout value from the drop-down list. |
| Search Scope | Defines how deep to search within the search base. "Base", or zero level, indicates a search of the base object only. "One level" indicates a search of objects immediately subordinate to the base object, but does not include the base object itself; this is typically used to search for objects immediately contained in the search base level. "Sub Tree" indicates a search of the base object and the entire subtree of which the base object's distinguished name is the topmost object. Select the required scope from the drop-down list. |
| User Cache Timeout | The appliance queries the LDAP server for user information and caches the results to avoid overloading the LDAP server. Select a timeout value from the drop-down list. |
| Group Cache Timeout | The appliance queries the LDAP server for group information and caches the results to avoid overloading the LDAP server. Select a timeout value from the drop-down list. |
| Group Mode | The group mode determines the way that the LDAP server is queried for group information; it should match the LDAP server used by your organization. Select one of the following LDAP server types from the drop-down list: |
| Group Attribute on User node | The LDAP attribute name to search for when running a group query. The attribute |
| Group Query | The LDAP query that is used to find Group objects. It is usual to match the nodes' Object Class, for example: (objectclass=group). This field is user editable when the Other Group Mode is selected from the Group Mode drop-down. When any other mode is selected, the field is automatically populated. |
| Membership Attribute on Group node | The LDAP attribute name to search for to determine whether an individual is a member of a group. The attribute is on the Group nodes and provides a list of names of users. For example, the attribute might be called "member". This field is user editable when the Other Group Mode is selected from the Group Mode drop-down. When any other mode is selected, the field is automatically populated. |
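The login flow described above (local-account check first, then a user search bounded by Search Base, Search Scope and Search Template, then a group lookup in either group mode and a mapping to local groups) as an added Python model. This is example code written for this page, not BMC Atrium Discovery's own code: the directory is a constructed in-memory copy of the example tree, with hypothetical userPassword, memberOf, member and group entries; the password comparison stands in for the bind as the user's DN; and the filter matcher understands only a single equality term. It escapes the username per RFC 4515 before substituting it into the template, so a value such as `*` cannot widen the search, and it refuses to log in a user whose search returns more than one entry.

```python
"""Model of the LDAP login flow: local-account check, user search under a
search base with a scope, group lookup in either group mode, group mapping.
Added example, not BMC Atrium Discovery code; no LDAP server is contacted."""
import re

# Constructed entries based on the example tree on this page, plus hypothetical
# userPassword, memberOf, member and group entries.  DNs contain no escaped commas.
DIRECTORY = [
    {"dn": "cn=Timothy Taylor,ou=engineering,dc=tideway,dc=com", "objectclass": "user",
     "userprincipalname": "t.taylor@bmc.com", "userpassword": "tt-secret",
     "memberof": "cn=engineers,ou=groups,dc=tideway,dc=com"},
    {"dn": "cn=Sam Smith,ou=test,dc=tideway,dc=com", "objectclass": "user",
     "userprincipalname": "s.smith@bmc.com", "userpassword": "ss-secret",
     "memberof": "cn=testers,ou=groups,dc=tideway,dc=com"},
    {"dn": "cn=John Smith,ou=product management,dc=tideway,dc=com", "objectclass": "user",
     "userprincipalname": "j.smith@bmc.com", "userpassword": "js-secret", "memberof": ""},
    {"dn": "cn=engineers,ou=groups,dc=tideway,dc=com", "objectclass": "group",
     "member": "cn=Timothy Taylor,ou=engineering,dc=tideway,dc=com"},
    {"dn": "cn=testers,ou=groups,dc=tideway,dc=com", "objectclass": "group",
     "member": "cn=Sam Smith,ou=test,dc=tideway,dc=com"},
]
LOCAL_ACCOUNTS = {"system": "local-secret"}           # local accounts are checked first
GROUP_MAPPING = {"engineers": ["admin", "readonly"],   # LDAP group -> local groups (hypothetical)
                 "testers": ["readonly"]}

def escape_filter_value(value):
    """RFC 4515 escaping so the username cannot change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_template(template, username):
    """Fill the page's %(username)s placeholder with an escaped value."""
    return template % {"username": escape_filter_value(username)}

def dn_parts(dn):
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """Base, One level and Sub Tree semantics of the Search Scope field."""
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    if entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

def filter_matches(entry, ldap_filter):
    """Minimal equality filter (attr=value); an unescaped '*' is a wildcard."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, pattern = m.group(1).lower(), ""
    if attr not in entry:
        return False
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]", m.group(2)):
        if tok == "*":
            pattern += ".*"
        elif tok.startswith("\\"):
            pattern += re.escape(chr(int(tok[1:], 16)))   # escaped char is literal
        else:
            pattern += re.escape(tok)
    return re.fullmatch(pattern, str(entry[attr]), re.IGNORECASE) is not None

def search(base_dn, scope, ldap_filter):
    return [e for e in DIRECTORY
            if in_scope(e["dn"], base_dn, scope) and filter_matches(e, ldap_filter)]

def groups_for(user, mode, base_dn):
    """'memberof': Group Attribute on User node; 'member': Membership Attribute on Group node."""
    if mode == "memberof":
        dns = [g for g in user["memberof"].split(";") if g]
    else:
        dns = [g["dn"] for g in search(base_dn, "subtree", "(objectclass=group)")
               if user["dn"].lower() in g["member"].lower().split(";")]
    return [dn_parts(d)[0].split("=", 1)[1] for d in dns]    # first RDN value, e.g. "engineers"

def authenticate(username, password, config):
    if username in LOCAL_ACCOUNTS:
        return {"ok": LOCAL_ACCOUNTS[username] == password, "source": "local", "groups": []}
    hits = search(config["search_base"], config["scope"],
                  render_template(config["template"], username))
    if len(hits) != 1:        # 0: unknown user; >1: ambiguous, never pick one
        return {"ok": False, "source": "ldap", "groups": [], "matches": len(hits)}
    user = hits[0]
    if user["userpassword"] != password:   # stands in for the bind as the user's DN
        return {"ok": False, "source": "ldap", "groups": []}
    ldap_groups = groups_for(user, config["group_mode"], config["search_base"])
    if config["group_mapping"]:
        local = sorted({g for lg in ldap_groups for g in GROUP_MAPPING.get(lg, [])})
    else:
        local = sorted(ldap_groups)        # no mapping: same-named local groups, lower case
    return {"ok": True, "source": "ldap", "groups": local}

CONFIG = {"search_base": "dc=tideway,dc=com", "scope": "subtree",
          "template": "(userPrincipalName=%(username)s)",
          "group_mode": "memberof", "group_mapping": True}

if __name__ == "__main__":
    print(authenticate("t.taylor@bmc.com", "tt-secret", CONFIG))
    print(authenticate("*", "anything", CONFIG))   # escaped wildcard matches nobody
```

Switching `scope` to `"onelevel"` with the base `dc=tideway,dc=com` finds no users at all, which is the usual cause of "user not found" after a scope change; the same search with the base `ou=engineering,dc=tideway,dc=com` finds exactly one.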
Depending on how your LDAP servers are configured, user authentication via Atrium SSO may work, but then user authorization in BMC Atrium Discovery fails. This occurs because Atrium SSO sends BMC Atrium Discovery the first part of the user's DN as their userid.
For example, for a DN of the following format:
dn: CN=ADDM QA. TEST,CN=Users,DC=addmsqa,DC=bmc,DC=com
The part that must be matched by the search that BMC Atrium Discovery runs is:
ADDM QA. TEST
To do this, for the example above, set the Search Base to:
cn=users,dc=addmsqa,dc=bmc,dc=com
and the Search Template to:
(cn=%(username)s)
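The Atrium SSO case above, as an added Python example (not BMC Atrium Discovery code): it takes the user's DN, extracts the value of the first RDN (the userid that Atrium SSO sends), and derives the Search Base and Search Template the page recommends. The DN-splitting helpers are assumptions written for this illustration; they honour RFC 4514 backslash escapes such as `\,` but not hexadecimal escapes.

```python
"""Derive Search Base and Search Template from a user DN for the Atrium SSO
case, where the userid is the value of the DN's first RDN.  Added example."""
import re

def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514); escape sequences are kept verbatim."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: copy both bytes
            current += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":
            rdns.append(current.strip())
            current = ""
            i += 1
        else:
            current += dn[i]
            i += 1
    rdns.append(current.strip())
    return rdns

def unescape(value):
    """Remove single-character backslash escapes ('\\,' -> ',')."""
    return re.sub(r"\\(.)", r"\1", value)

def sso_userid(dn):
    """The part of the DN that Atrium SSO passes as the userid: the first RDN's value."""
    return unescape(split_rdns(dn)[0].split("=", 1)[1])

def search_settings_for(dn):
    """Search Base = parent of the user entry (lower case); Search Template on the RDN attribute."""
    rdns = split_rdns(dn)
    attr = rdns[0].split("=", 1)[0].lower()
    base = ",".join(r.lower() for r in rdns[1:])
    return base, "(%s=%%(username)s)" % attr

if __name__ == "__main__":
    dn = "CN=ADDM QA. TEST,CN=Users,DC=addmsqa,DC=bmc,DC=com"
    print(sso_userid(dn))            # ADDM QA. TEST
    print(search_settings_for(dn))   # ('cn=users,dc=addmsqa,dc=bmc,dc=com', '(cn=%(username)s)')
```

Because the template matches on `cn` rather than a unique principal name, the search base should be narrowed as shown so that two users with the same common name in different containers cannot both match.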
When you reconfigure BMC Atrium Discovery to use LDAP when it was previously configured to use LDAPS, you must remove the CA Certificate and change the URI in a single step; otherwise you will encounter a "Cannot use LDAPS without a CA Certificate" warning. To do this, remove the CA Certificate and enter the ldap:// URI, and do not click the Apply button until both changes have been made.

When you reconfigure BMC Atrium Discovery to use LDAPS when it was previously configured to use LDAP, you must add a CA certificate before you attempt to enter an ldaps:// URI.
The LDAP group mapping enables you to assign membership of BMC Atrium Discovery groups to LDAP groups. If you do not use group mapping, users are only assigned to BMC Atrium Discovery groups whose names are exactly the same as the LDAP groups they are members of, that is, in LDAP form dc=tideway,dc=com,ou=engineering...

If you receive a "Can't Contact LDAP Server" error in the Connection Status field, this might be caused by certificate problems rather than simple connectivity (wrong URI, port and so forth). Check that the certificate you are using is the one you received from your LDAP administrator.
If the login fails when attempting LDAP authentication, set the security log (/usr/tideway/log/tw_svc_security.log) level to debug.

Where the account used to bind to the directory fails to authenticate, look for messages similar to the following:

```
-1285350512: 2010-08-13 10:00:46,843: security.authenticator.ldap: DEBUG: Attempt to auth bind as username "administrator"
-1285350512: 2010-08-13 10:00:47,117: security.authenticator.ldap: DEBUG: LDAP passwd for "CN=Administrator,CN=Users,DC=generic,DC=com" not valid
```
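An added Python example (not a BMC Atrium Discovery tool) that reads lines in the format of the security log above and separates a failed bind for the configured Bind Username, which blocks every LDAP login, from ordinary wrong-password failures for individual users. The log lines in the block are constructed to match the format shown on this page; the message patterns are taken from those two lines and are assumed to be the only ones of interest.

```python
"""Triage tw_svc_security.log DEBUG lines from security.authenticator.ldap.
Added example; SAMPLE_LOG is constructed in the format shown on this page."""
import re
from collections import Counter

LOG_LINE = re.compile(r"^(?P<thread>-?\d+): (?P<ts>\S+ \S+): "
                      r"security\.authenticator\.ldap: (?P<level>\w+): (?P<msg>.*)$")
ATTEMPT = re.compile(r'Attempt to auth bind as username "(?P<user>[^"]*)"')
NOT_VALID = re.compile(r'LDAP passwd for "(?P<dn>[^"]*)" not valid')

# Constructed sample: a bind-account failure followed by one user failure and one further attempt.
SAMPLE_LOG = """\
-1285350512: 2010-08-13 10:00:46,843: security.authenticator.ldap: DEBUG: Attempt to auth bind as username "administrator"
-1285350512: 2010-08-13 10:00:47,117: security.authenticator.ldap: DEBUG: LDAP passwd for "CN=Administrator,CN=Users,DC=generic,DC=com" not valid
-1285350512: 2010-08-13 10:01:02,010: security.authenticator.ldap: DEBUG: Attempt to auth bind as username "t.taylor@bmc.com"
-1285350512: 2010-08-13 10:01:02,300: security.authenticator.ldap: DEBUG: LDAP passwd for "CN=Timothy Taylor,OU=engineering,DC=tideway,DC=com" not valid
-1285350512: 2010-08-13 10:01:30,500: security.authenticator.ldap: DEBUG: Attempt to auth bind as username "s.smith@bmc.com"
"""

def parse_events(text):
    """Return (timestamp, kind, subject) tuples for attempt and bad-password lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # other components or blank lines
        msg = m.group("msg")
        attempt, failure = ATTEMPT.search(msg), NOT_VALID.search(msg)
        if attempt:
            events.append((m.group("ts"), "attempt", attempt.group("user")))
        elif failure:
            events.append((m.group("ts"), "bad_password", failure.group("dn")))
    return events

def triage(text, bind_dn):
    """A bad password for the Bind Username DN means no LDAP user can log in;
    other failures belong to individual users and are counted per DN."""
    events = parse_events(text)
    counts = Counter(dn.lower() for _, kind, dn in events if kind == "bad_password")
    return {
        "bind_account_failed": counts.get(bind_dn.lower(), 0) > 0,
        "user_failures": {dn: n for dn, n in counts.items() if dn != bind_dn.lower()},
        "attempts": sum(1 for _, kind, _ in events if kind == "attempt"),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "CN=Administrator,CN=Users,DC=generic,DC=com"))
```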
If you are using group mapping and are experiencing login failures, check that group mappings have been correctly defined for one or more LDAP groups to which the user belongs. See To add or edit LDAP Group Mapping starting from a username.
1 Comment
David Heydecker
Love that lookup tool for checking the Group Mapping!