Page tree

Skip to end of metadata
Go to start of metadata

BMC Release Process Management (RPM) supports Lightweight Directory Access Protocol (LDAP), an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. You can use LDAP, LDAP over SSL (LDAPS), and Active Directory (AD) with RPM.

To enable LDAP(S) or AD authentication

  1. Navigate to System > Settings > General.
  2. Under the Authentication panel, select LDAP Authentication.
  3. Enter details in the following fields:
    • LDAP Host: Enter the host name of your LDAP server.
    • LDAP Port: Enter the port number of your LDAP server.
      Depending on your LDAP server settings, you can use the default 389 LDAP port or any other network port. The default port for secure LDAP is 636.
    • LDAP Type: Select the type of LDAP that you want to use (either LDAP or LDAPS).
    • (Optional) LDAP Group Search Base: Enter the path to the LDAP group base for creating LDAP group mapping.
      The value entered in this box will be used to automatically fill in the Search base box on the group page each time you create LDAP group mapping and has no effect on LDAP authentication setup.
      Example: OU=SomeOrganizationUnit11,OU=SomeOrganizationUnit1,DC=example,DC=com.
    • LDAP Auth Type: Select one of the following LDAP authentication types:
      • Directory  (default): Authenticate users from the LDAP directory specified in LDAP Search String.
      • Groups: Authenticate users from the LDAP user group specified in LDAP Search String.
    • LDAP Search String: Enter the path to the LDAP object. This is necessary to authenticate RPM users through LDAP.
      • For the Directory authentication type, enter the path name for the LDAP directory that stores the user information. 
        Example: OU=SomeOrganizationUnit1,OU=SomeOrganizationUnit2,DC=example,DC=com
      • For the Groups authentication type, enter the path names for the LDAP groups, separated by a semi-column.
        Only users who belong to the specified groups are allowed to be authenticated.
        Example: CN=GroupCommonName111,OU=SomeOrganizationUnit11,OU=SomeOrganizationUnit1,DC=example,DC=com;CN=GroupCommonName121,OU=SomeOrganizationUnit12,OU=SomeOrganizationUnit1,DC=example,DC=com
    • LDAP Bind Base:
      • For the Directory authentication type, this field is not available.
      • For the Groups authentication type, enter the LDAP directory of the highest level, where all the user groups specified in the LDAP Search String box are located. 
        Example: OU=SomeOrganizationUnit1,DC=example,DC=com
    • LDAP Bind User: Enter the user name of the LDAP server if you are using a non-anonymous connection to LDAP.
    • LDAP Bind Password: Enter the password of the LDAP server if you are using a non-anonymous connection to LDAP.
    • LDAP Account Attribute: Enter the name of the LDAP attribute that is used as an RPM user authentication login.
      The cn value is default for this parameter, if you leave the field empty.
    • LDAP First Name Attribute: Enter the name of the LDAP attribute that is used as the first name of an RPM user.
      The displayName value is default for this parameter, if you leave the field empty.
    • LDAP Last Name Attribute: Enter the name of the LDAP attribute that is used as the last name of an RPM user.
      The sn value is default for this parameter, if you leave the field empty.
    • LDAP Mail Attribute: Enter the name of the LDAP attribute that is used as an email of an RPM user.
      The mail value is default for this parameter, if you leave the field empty.
    • To verify the LDAP connection, click Test Connection.
  4. Click Save.

After enabling LDAP(S) or AD authentication

  • (LDAP users) Log in to RPM by using your LDAP user name and password.
  • (Root users) Log in to RPM by using your RPM user name and password.
  • If the LDAP or AD user exists in RPM, then after login, the user is taken to the Dashboard page of the application.
  • If the LDAP or AD user does not exist in RPM, then after login, the user must enter first name, last name, and email address. The User role is assigned to this new user.
  • If the LDAP or AD user does not exist in RPM but belongs to an LDAP or AD group that is mapped to an existing group in RPM, then after login, the user must enter first name, last name, and email address. The user inherits roles and permissions from the mapped group.

Related topic

Creating LDAP group mapping

Setting the external authentication