This version of the documentation is no longer supported. However, the documentation is available for your convenience.
The LDAP (Lightweight Directory Access Protocol) tab allows you to configure LDAP integration with BMC TrueSight Capacity Optimization. BMC TrueSight Capacity Optimization can use LDAP for user authentication as well as to support role-based access control (RBAC).

To learn how to add and manage global LDAP configurations, and to learn in detail about important LDAP concepts in BMC TrueSight Capacity Optimization, refer to the sections that follow.

To add and manage global LDAP configurations in BMC TrueSight Capacity Optimization

To add one or more global LDAP configurations in BMC TrueSight Capacity Optimization, perform the following task:

  1. Go to Administration > System > Global configuration > LDAP, click Edit, and enter the following properties:

     LDAP Domain List
     Lists all existing LDAP configurations. If no LDAP configuration has been set up yet, the domain list is empty.

     To manage your LDAP configurations from this section:

     • Click Edit to begin adding new, or to modify existing, LDAP configurations.
     • Click Add to add a new or another LDAP configuration.
     • Click Apply to apply the new LDAP Domain names immediately to the properties below.
     • Click the delete icon to delete an LDAP configuration.

     Accounts and Roles Managing
     Select any one:

     • Native: BMC TrueSight Capacity Optimization manages the user's password and authenticates the user on login.
     • LDAP managed: BMC TrueSight Capacity Optimization forwards the user's login request to an LDAP server for authentication.

     Native settings

     LDAP Provider URL
     Default LDAP server URL. For example, ldap://127.0.0.1:389

     Bind method
     • (Default) Bind directly with BCO user account: Select this option if the LDAP implementation allows all users to bind and search against the LDAP server.
     • Search LDAP user through separate account: Select this option if the LDAP implementation allows only certain users to bind and search against the LDAP server. Selecting this option opens up the following sub-properties:
       • Search account DN: Distinguished name of the account to use in the search.
       • Search account password: Password of the account used in the search.
       • Search to retrieve user account: Enter a search string of the form uid=%USERNAME%

     LDAP Authentication Using userPrincipalName
     Select any one:

     • Disabled: Do not authenticate using User Principal Name (UPN).
     • Enabled, using the following domain: Users can log in using an email address-style name like jdoe@marketing.example.com. Click Apply when done entering the domain name.

     LDAP Context
     Start searching at this node. Example value: dc=bmc,dc=com

     LDAP User Attribute
     The attribute whose value should match the login name. Example value: cn

     LDAP User Query
     Syntax to guide the search. Example value: OU=Domain Users, OU=Security

     LDAP Managed settings

     LDAP User Fullname Attribute
     The attribute of the LDAP user whose value should be used as the full name of the BMC TrueSight Capacity Optimization user.

     LDAP User Email Attribute
     The attribute of the LDAP user whose value should be used as the email address of the BMC TrueSight Capacity Optimization user.

     LDAP User Description Attribute
     The attribute of the LDAP user whose value should be used as the description field of the BMC TrueSight Capacity Optimization user profile.

     LDAP Group Name Attribute
     The attribute whose value must match the External name for a role or access group in BMC TrueSight Capacity Optimization.

     LDAP Group Members Attribute
     The attribute of the group whose value must lead to the DN of the LDAP user.

     LDAP Group Members Matching Mode
     The attribute of the LDAP user whose value must match the login name of the BMC TrueSight Capacity Optimization user. Select any one:
     • distinguished name: Use the distinguished name of the group member.
     • user attribute: Use the user name of the group member.

  2. Click Save.
     Repeat this task to add as many LDAP configurations as you need.

To learn in detail about LDAP attributes and properties mentioned in the preceding task, and other important concepts, refer to the following sections in this topic:

Authentication using LDAP

The BMC TrueSight Capacity Optimization administrator can choose to set up authentication for BMC TrueSight Capacity Optimization users, roles and access groups in two ways:

  • Local: BMC TrueSight Capacity Optimization manages the user's password and authenticates the user on login.
  • LDAP: BMC TrueSight Capacity Optimization forwards the user's login request to an LDAP server for authentication.

This choice is made when setting up the user accounts; see Accounts. To set up a user account for local authentication, the administrator clears the External LDAP authentication checkbox, so that the user is either assigned a password or is forced to choose a password when they log in. To set up a user account for LDAP authentication, the administrator selects the External LDAP authentication checkbox.

LDAP directories have schemas that can be set up in a variety of ways. In order to find the user in the LDAP directory, BMC TrueSight Capacity Optimization needs to be told how to search the particular LDAP schema. The LDAP domain configuration in BMC TrueSight Capacity Optimization has three options that control how to search for the user:

  • LDAP context (example value: DC=adprod,DC=bmc,DC=com): start searching at this node.
  • LDAP user attribute (example value: cn): the attribute whose value should match the login name.
  • LDAP user query (example value: OU=Domain Users,OU=Security): syntax to guide the search.

Some LDAP implementations (for example, Microsoft Active Directory) can be set up to use User Principal Names (UPNs), where users can log in using an email address-style name like jdoe@marketing.example.com. For integrating with this kind of LDAP implementation, there is no need to set the above options to control search. Instead, use the following options:

  • LDAP Authentication Using userPrincipalName (UPN) (value: enabled): use UPN to log in.
  • Domain name to use (example value: marketing.example.com): the user does not need to type the portion after the @ sign.
  • Bind method (value: bind directly with BMC TrueSight Capacity Optimization user account): the LDAP implementation allows all users to bind and search against the LDAP server.

LDAP domains in BMC TrueSight Capacity Optimization

In order to make LDAP authentication work, the BMC TrueSight Capacity Optimization instance must be configured with at least one LDAP domain, which is a set of information associated with an external LDAP server in the environment. The LDAP server might maintain information about a large number of people in the enterprise. In addition to authentication, the information in the LDAP server can also be used to automatically authorize the user in BMC TrueSight Capacity Optimization. The sections below explain how to set up these domains.

One of these domains is designated the default LDAP domain. When an LDAP-authenticated user tries to log in, the login request is forwarded to one of these LDAP domains. If the user logs in with a simple user name, e.g., jdoe, then the default LDAP domain is used. If the user logs in with a domain-qualified user name, e.g., marketing\jdoe, then the qualifying domain (marketing) is used.
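As an added example that is not BMC's code, the following Python models how a login name is routed to an LDAP domain (default domain or the domain\user prefix) and turned into the user lookup that the LDAP context, user attribute and user query options describe. The domain settings are constructed, and the rule that the user query is prepended to the context to form the search base is an assumption made for illustration.

```python
# Added example (not BMC's code): how a login name selects an LDAP domain and becomes
# the user lookup that the context, user attribute and user query options control.
# Constructed domain settings, made up for illustration.
DOMAINS = {
    "adprod": {"context": "DC=adprod,DC=bmc,DC=com", "user_attribute": "cn", "user_query": ""},
    "marketing": {"context": "DC=marketing,DC=example,DC=com", "user_attribute": "cn",
                  "user_query": "OU=Domain Users,OU=Security"},
}
DEFAULT_DOMAIN = "adprod"        # used when the login name carries no domain\ prefix

def split_login(login):
    """'marketing\\jdoe' -> ('marketing', 'jdoe'); a bare name uses the default domain."""
    domain, sep, user = login.partition("\\")
    return (domain, user) if sep else (DEFAULT_DOMAIN, login)

def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value. The login name is typed by the user,
    so it must not be able to add or close clauses in the search filter."""
    value = value.replace("\\", "\\5c")      # backslash first, or it re-escapes the rest
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, code)
    return value

def fill_search_template(template, user):
    """Substitute %USERNAME% in a 'Search to retrieve user account' string such as uid=%USERNAME%."""
    return template.replace("%USERNAME%", escape_filter_value(user))

def build_user_search(login):
    """Return (domain, search base, filter) for the user lookup.
    Assumption: the user query is prepended to the context to form the search base."""
    domain, user = split_login(login)
    cfg = DOMAINS.get(domain)
    if cfg is None:
        raise ValueError("no LDAP domain configured for %r" % domain)
    base = ",".join(part for part in (cfg["user_query"], cfg["context"]) if part)
    filt = "(%s=%s)" % (cfg["user_attribute"], escape_filter_value(user))
    return domain, base, filt

if __name__ == "__main__":
    for login in ("jdoe", "marketing\\jdoe", "jdoe (contractor)"):
        print(login, "->", build_user_search(login))
    print(fill_search_template("uid=%USERNAME%", "jdoe"))
```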

User profile management using LDAP domain setting

Each LDAP domain can be set up either as an "LDAP managed" domain or as a "native" domain. This setting determines how the user's BMC TrueSight Capacity Optimization profile is maintained and authorized:

  • Native
    User profile: The BMC TrueSight Capacity Optimization administrator must have created a user profile (account) in BMC TrueSight Capacity Optimization, which will be maintained just as for a locally authenticated user. The LDAP server is used to authenticate the user, but the user's full name and email address are configured manually by the BMC TrueSight Capacity Optimization administrator.
    User authorization: The BMC TrueSight Capacity Optimization account will already have been authorized by the administrator by assigning it roles and access groups; additional authorization may be performed using LDAP groups (see below).
  • LDAP managed
    User profile: The BMC TrueSight Capacity Optimization administrator does not need to create a user profile in BMC TrueSight Capacity Optimization. On the first successful login authenticated with the LDAP server, BMC TrueSight Capacity Optimization will query the LDAP server for the user's attributes, including full name and email address, and will automatically create a BMC TrueSight Capacity Optimization account with the login user name and these attributes.
    User authorization: Authorization will be performed using LDAP groups (see below).

To find the LDAP user's profile information, BMC TrueSight Capacity Optimization needs to traverse the LDAP schema. The following options are provided to control this traversal:

  • LDAP user fullname attribute (example value: displayName): the attribute of the LDAP user whose value should be used as the full name of the BMC TrueSight Capacity Optimization user.
  • LDAP user email attribute (example value: mail): the attribute of the LDAP user whose value should be used as the email address of the BMC TrueSight Capacity Optimization user.
  • LDAP user description attribute (example value: description): the attribute of the LDAP user whose value should be used as the description field of the BMC TrueSight Capacity Optimization user profile.

User authorization using LDAP groups

Each BMC TrueSight Capacity Optimization role or access group is used for authorization in one of two ways, determined by the BMC TrueSight Capacity Optimization administrator by editing the role or access group:

  • Manual: If the "External name" field is left empty, then the only way to authorize a user for that role or access group is for the BMC TrueSight Capacity Optimization administrator to explicitly assign the role or access group to that user.
  • Mapped: If the "External name" field is filled with an LDAP group name (or a semicolon-separated list of LDAP group names), then the only way to authorize a user for that role or access group is for that user to be authenticated by an LDAP server and to be a member of one or more of the LDAP groups listed.

After each successful login authentication with an LDAP server, BMC TrueSight Capacity Optimization will search for all the LDAP groups that are mapped by being mentioned as External names in BMC TrueSight Capacity Optimization roles or access groups. For every such group that the LDAP user is a member of, the authenticated BMC TrueSight Capacity Optimization user account is automatically updated with authorizations for the corresponding roles or access groups.

There are three options to guide the search for LDAP groups:

  • LDAP group name attribute (example value: cn): the attribute whose value must match the External name for a role or access group in BMC TrueSight Capacity Optimization.
  • LDAP group members attribute (example value: member): the attribute of the group whose value must lead to the DN of the LDAP user.
  • LDAP group members matching mode (example value: distinguished name): the attribute of the LDAP user whose value must match the login name of the BMC TrueSight Capacity Optimization user.
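The following Python, added here and not part of BMC's product, works through the group mapping described above on constructed directory data: roles carry semicolon-separated External names, and group membership is tested under both matching modes. The role names, the group entries, and the treatment of member values as login names in "user attribute" mode are assumptions made for illustration.

```python
# Added example (not BMC's code): how mapped roles follow from LDAP group membership.
# Constructed data, made up for illustration.
ROLES = {                        # role or access group -> External name (empty = manual)
    "Capacity Analyst": "CapPlanners;Perf-Team",
    "Administrator": "BCO-Admins",
    "Viewer": "",
}
GROUPS = [                       # LDAP group entries carrying the two searched attributes
    {"cn": "CapPlanners", "member": ["CN=jdoe,OU=Domain Users,DC=adprod,DC=bmc,DC=com"]},
    {"cn": "BCO-Admins", "member": ["CN=asmith,OU=Domain Users,DC=adprod,DC=bmc,DC=com"]},
    {"cn": "Perf-Team", "member": ["asmith"]},   # assumed: this group lists login names, not DNs
]
GROUP_NAME_ATTR = "cn"           # LDAP group name attribute
GROUP_MEMBERS_ATTR = "member"    # LDAP group members attribute

def mapped_groups(external_name):
    """Split the semicolon-separated External name; an empty field means manual authorization."""
    return {name.strip() for name in external_name.split(";") if name.strip()}

def is_member(group, user, matching_mode):
    """Apply the group members matching mode: compare member values with the user's DN,
    or with the value of the user's login-name attribute."""
    members = group.get(GROUP_MEMBERS_ATTR, [])
    if matching_mode == "distinguished name":
        # attribute types in a DN are case-insensitive, so compare case-folded strings
        return user["dn"].lower() in (m.lower() for m in members)
    if matching_mode == "user attribute":
        return user["login_name"] in members
    raise ValueError("unknown matching mode: %r" % matching_mode)

def roles_for_user(user, matching_mode):
    """Roles/access groups granted after a successful LDAP login.
    Manual roles (empty External name) are never granted this way."""
    granted = set()
    for role, external_name in ROLES.items():
        wanted = mapped_groups(external_name)
        if any(g.get(GROUP_NAME_ATTR) in wanted and is_member(g, user, matching_mode)
               for g in GROUPS):
            granted.add(role)
    return granted

if __name__ == "__main__":
    jdoe = {"dn": "CN=jdoe,OU=Domain Users,DC=adprod,DC=bmc,DC=com", "login_name": "jdoe"}
    for mode in ("distinguished name", "user attribute"):
        print(mode, "->", sorted(roles_for_user(jdoe, mode)))
```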

Connecting to an LDAP server

Each LDAP domain in BMC TrueSight Capacity Optimization represents a different method of integrating with an LDAP server. Different LDAP domains may integrate with different LDAP servers, or with the same LDAP server. The LDAP domain offers configuration options for integrating with the LDAP server:

  • Bind method (value: bind directly with BMC TrueSight Capacity Optimization user account): use this setting if the LDAP implementation allows all users to bind and search against the LDAP server.
  • Bind method (value: use separate account to search LDAP): use this setting if the LDAP implementation allows only certain users to bind and search against the LDAP server. Choosing this option opens up another sub-option to specify LDAP credentials for an authorized user.

Related topics

Users

Roles

Security