
This procedure describes how a tenant administrator configures the BMC Application Management Console to authenticate or authenticate and authorize tenant user accounts in your LDAP server. 

  • When you configure the Console to authenticate user accounts with your LDAP server, all users are logged on with the Observer role. 
  • When you configure the Console to authenticate and authorize user accounts with your LDAP server, you specify access roles by mapping your LDAP groups to the user roles of the Console. This option is useful when you have many users and your LDAP groups can easily map to the tenant user roles.

After you configure the Console to authenticate user accounts on your LDAP server, you must then enable LDAP authentication on the Console. 

To perform this procedure, you must have Access Manager access.

To configure LDAP for tenant users

  1. On the Console, select System Access > LDAP > Settings to access the LDAP Settings page.
  2. In the Actions menu, select Edit LDAP Settings.
  3. Under Directory Server, add information specific to your LDAP server:
    a. Provide the IP address or the DNS name of the LDAP server.
    b. Specify the port or leave the default value of 389.
    c. Specify the authentication type, Simple (username & password) or Anonymous.
    d. If you selected simple authentication, complete the following steps; otherwise, proceed to step 3e:
      • In the Search username (bind DN) box, enter the name of the user account permitted to search the LDAP directory within the defined search base. Use the DN format — for example, cn=Administrator,cn=Users,dc=domain,dc=com.
      • In the Password box, enter the password for the account specified in the Search username (bind DN) box.
    e. In the Connection Security Level list, select the type of communication, Non-Secure or LDAPS (Secure LDAP, also known as LDAP over SSL).
    f. (Optional) If you selected LDAPS in the Connection Security Level list, select Allow SSL connection to LDAP server using self-signed certificate unless your organization requires an X.509 certificate (also known as an SSL certificate) purchased from a commercial Certificate Authority (CA).
    g. In the Connection timeout box, specify the length of time that the system waits before it declares an error on the connection.
    h. (Optional) Click Test Server.
      A message indicates whether the connection succeeded or failed, and reports the errors on failure.
  4. In the User Lookup for Authentication section, add information to enable the BMC Application Management Console to look up users that are registered on the LDAP server:
    a. In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory.
      If the Base DN contains leading or trailing spaces, or any of the following special characters, you must escape them appropriately for your LDAP implementation: , \ / # + < > " ' =. For example, if you use Microsoft Active Directory, and the Base DN contains an ampersand (&), enter \&.
    b. In the Filter box, enter the query string that returns the records that you want to see.
    c. In the Filter Scope list, select the starting point of the search and the depth below the base DN to which the search extends:
      • Base searches only the entry at the base DN, so only that entry is returned (if it also meets the search filter criteria).
      • One Level searches all entries that are one level under the base DN (excluding the base DN).
      • Subtree searches all entries at all levels under and including the specified base DN.
    d. In the User Name Attribute box, enter a single LDAP user attribute that the system uses for the lookup.
  5. To enable user authorization for your LDAP users, proceed to the next step; otherwise, click Save, and skip to Step 8.
  6. In the Group Lookup for Authorization section, add information to enable the BMC Application Management Console to look up groups that are registered on the LDAP server:
    a. Click Enable LDAP Authorization.
    b. In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory.
      If the Base DN contains leading or trailing spaces, or any special characters, you must escape them appropriately for your LDAP implementation.
    c. In the Filter box, enter the query string that returns the records that you want to see.
    d. In the Filter Scope list, select the starting point of the search and the depth below the base DN to which the search extends:
      • Base searches only the entry at the base DN, so only that entry is returned (if it also meets the search filter criteria).
      • One Level searches all entries that are one level under the base DN (excluding the base DN).
      • Subtree searches all entries at all levels under and including the specified base DN.
    e. In the Group Name Attribute box, enter a single LDAP attribute that the system uses for the lookup — for example, cn. It can be any attribute configured on the LDAP server.
    f. In the Member Attribute box, enter the name of the member attribute that contains the list of users in the group.
  7. Click Save.
  8. On the LDAP Settings page, click LDAP Authentication.
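The following Python example is added here to illustrate what the settings above control; it is not BMC's code and does not talk to a real directory. It models the three ingredients of steps 4 and 6 against a small constructed in-memory directory: escaping of special characters in a Base DN (and, separately, in a value substituted into a search filter), the Base / One Level / Subtree scope rules, and the group-to-role resolution that gives every user the Observer role when authorization is not enabled. The attribute names, group names, the role name "Administrator", the role map and the way the configured Filter is combined with the User Name Attribute are assumptions for illustration only.

```python
"""Added example (not BMC's code): LDAP settings modelled offline."""
import re

# Characters the page says to escape in a Base DN (plus '&' from its Active
# Directory example and ';' from RFC 4514). Escaping is a backslash prefix.
DN_SPECIALS = set(',\\/#+<>"\'=;&')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 style)."""
    out = "".join("\\" + c if c in DN_SPECIALS else c for c in value)
    if out.startswith(" "):                    # leading space must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):   # trailing space too
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape a value placed into a search filter (RFC 4515) so that
    user-supplied input cannot change the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


def build_user_filter(base_filter: str, username_attr: str, username: str) -> str:
    """Assumed composition: configured Filter AND (User Name Attribute=login)."""
    return f"(&{base_filter}({username_attr}={escape_filter_value(username)}))"


def dn_parts(dn: str) -> list:
    """Split a DN on unescaped commas, normalising case and whitespace."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the Filter Scope rules: Base, One Level or Subtree."""
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"Base": depth == 0, "One Level": depth == 1, "Subtree": True}[scope]


def search(directory: dict, base_dn: str, scope: str, attr: str, value: str) -> list:
    """In-memory stand-in for an LDAP search: in-scope entries whose attr holds value."""
    return [(dn, attrs) for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope)
            and value.lower() in [v.lower() for v in attrs.get(attr, [])]]


def resolve_role(directory: dict, cfg: dict, user_dn: str, role_map: dict):
    """Authentication-only: everyone is Observer (from the page). With
    authorization: the first group containing the user that has a mapped
    name decides; None means no mapped group matched (assumption)."""
    if not cfg["authorization"]:
        return "Observer"
    for _dn, attrs in search(directory, cfg["group_base_dn"], cfg["group_scope"],
                             cfg["member_attr"], user_dn):
        for name in attrs.get(cfg["group_name_attr"], []):
            if name in role_map:
                return role_map[name]
    return None


def lookup_user_and_role(directory: dict, cfg: dict, username: str, role_map: dict):
    """Find exactly one user in the configured base/scope; refuse if zero or many."""
    hits = search(directory, cfg["user_base_dn"], cfg["user_scope"],
                  cfg["username_attr"], username)
    if len(hits) != 1:
        return None
    user_dn = hits[0][0]
    return user_dn, resolve_role(directory, cfg, user_dn, role_map)


# Constructed sample directory (DN -> attributes); not real data.
DIRECTORY = {
    "cn=Jane Doe,ou=People,dc=domain,dc=com": {"sAMAccountName": ["jdoe"]},
    "cn=Bob Ray,ou=Contractors,ou=People,dc=domain,dc=com": {"sAMAccountName": ["bray"]},
    "cn=APM Admins,ou=Groups,dc=domain,dc=com": {
        "cn": ["APM Admins"], "member": ["cn=Jane Doe,ou=People,dc=domain,dc=com"]},
    "cn=APM Observers,ou=Groups,dc=domain,dc=com": {
        "cn": ["APM Observers"],
        "member": ["cn=Bob Ray,ou=Contractors,ou=People,dc=domain,dc=com"]},
}

# Constructed settings mirroring the Console fields (assumed attribute names).
SETTINGS = {
    "user_base_dn": "ou=People,dc=domain,dc=com", "user_scope": "One Level",
    "user_filter": "(objectClass=user)", "username_attr": "sAMAccountName",
    "authorization": True,
    "group_base_dn": "ou=Groups,dc=domain,dc=com", "group_scope": "Subtree",
    "group_name_attr": "cn", "member_attr": "member",
}
ROLE_MAP = {"APM Admins": "Administrator", "APM Observers": "Observer"}  # assumed

if __name__ == "__main__":
    print(build_user_filter(SETTINGS["user_filter"], SETTINGS["username_attr"], "jdoe"))
    print(lookup_user_and_role(DIRECTORY, SETTINGS, "jdoe", ROLE_MAP))
    print(lookup_user_and_role(DIRECTORY, SETTINGS, "bray", ROLE_MAP))  # out of One Level scope
```

Two points the run makes visible: with User Lookup scope set to One Level, the contractor account under a nested OU is simply not found, so authentication fails rather than silently succeeding; and a login name is escaped before it is placed into the filter, so characters such as `*`, `(` and `)` stay literal instead of widening the search.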

Where to go from here

To associate groups of LDAP users to the user roles on the APM Console, see Mapping LDAP groups to user roles in the Console.

Related topic

Using LDAP authentication and authorization