Before you begin

Obtain the LDAP server, bind account, and search details listed in the table below from the LDAP administrator.

To configure the LDAP authentication

1. In the left navigation pane of the Add Realm or Edit Realm page, click Authentication.

2. In the Authentication Type field, click LDAP, and enter the following LDAP details (each field is listed with its description and an example value):

LDAP server information

Server Host(s)
The IP address or host name of the LDAP server. To use SASL, enter the host name (not the domain name). If you have an LDAP failover configuration, add several LDAP server hosts. This helps to handle the situation where one of the servers is down and another server is up and running: if the connection to the first server fails, BMC Helix SSO automatically redirects the request to another server.
Example: Not applicable

Server Port
Port number of the LDAP server.
Example: 389

Use TLS connection
To enable TLS communication with the LDAP server, select this check box.
Example: Not applicable

User information
If you plan to use SASL authentication with the LDAP server, you do not need to specify the following fields.

Bind DN
Type the distinguished name (DN) of an LDAP user. This is the bind distinguished name for querying LDAP, and hence this account must have privileges to search the directory.
Example: CN=User,CN=Users,DC=example,DC=com

Bind Password
Enter the password of the LDAP user with the Bind DN.
Example: Not applicable

Users Base DN
Starting location within the LDAP directory for performing user searches. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured (see Search Scope). If an object search is specified, the Base DN should be the DN of the node containing the users.
Example: CN=Users,DC=example,DC=com

Server search and filtering options

Page Size
The page size of the LDAP server. By default, this value is set to 2000 entries. If your LDAP server is configured to return fewer than 2000 entries, modify this value accordingly.
Example: 2000

Enable Group Retrieval
Enables BMC Helix SSO to retrieve the groups list of an authenticated user as part of the login process. Group retrieval might be required by applications such as TrueSight Orchestration (formerly BMC Atrium Orchestrator) to support BMC Helix SSO authorization.
Example: Not applicable

Search Scope
Specify the scope for the search by selecting one of the available options.

LDAP Filter preset
Select a preset to fill the LDAP filters with predefined values for the most common LDAP implementations. To search within nested groups, select AD Hierarchical. You can also clear the filters and type your own queries in the User Authentication and Group Support fields.

SASL configuration

Use SASL
Select to enable SASL. Note that if you select Use SASL as the first field, after switching to the Authentication window (omitting all other fields), the Bind DN, Bind Password, and Users Base DN fields are disabled. Additionally, if Bind DN and Users Base DN are disabled, you must manually populate the User Search Filter and Get All Users Filter fields, and you must not use the Preset button. If you click the Preset button, the Bind DN and Bind Password fields are enabled and marked as required.
Example: Not applicable

SASL Mechanism
Select a SASL authentication method.

Quality of Protection
Specify the integrity and privacy protection that the SASL mechanism should support.

User Authentication

User Search Filter
Enter the LDAP query to search for the user to be authenticated and, if found, to display the user's distinguished name. The user is specified by the $USER$ macro, for example: (&(objectCategory=user)(sAMAccountName=$USER$))
Example: Not applicable

Identity Attribute
Enter the attribute to be used as the user name. It is later provided as the user's name to the systems integrated with Remedy SSO. This field is not displayed if the Use SASL check box is selected.
Example: sAMAccountName

Get All Users Filter
Enter the LDAP query to display all LDAP users. The filter can be used by an integrated application for administration purposes, to browse all users in LDAP that are to be considered as authorization subjects.
Example: (objectCategory=user)

Group Support

Users of Group Filter
Enter the LDAP query to return the groups list for a particular group. The group is specified by the $GROUP$ macro. Group information can be used by an integrated application for administration and authorization purposes.
Example: (&(objectCategory=user)(memberOf=$GROUP$))

Groups Base DN
Enter a Base DN for a group search. If you do not specify any value, the Users Base DN is used.
Example: Not applicable

Group Search Filter
Enter the LDAP query to display the list of all groups. The filter can be used by an integrated application for administration purposes, to browse all groups that are to be considered as authorization subjects.
Example: (objectCategory=group)

Group Name Attribute
Enter the attribute to be used as the group name.
Example: cn

Groups of User Filter
Enter the LDAP query to return the list of groups for a particular user. The user is specified by the $DN$ macro. The value that you specify in this field can be used by an integrated application for administration purposes, such as browsing for the groups of a particular user.
Example: (&(objectCategory=group)(member=$USER$))

3. Click Save.
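The filters in the table are templates: at login time the $USER$, $GROUP$ and $DN$ macros are replaced with a value that often comes straight from the sign-in form. The following is an added example (not code from BMC Helix SSO or its documentation) that expands the page's own example filters and escapes the substituted value as RFC 4515 requires, so that characters such as "(", ")" and "*" in a login name are matched literally instead of changing the structure of the filter. Whether the product escapes macro values internally is not stated on the page; the escaping here is an assumption of standard practice, and the sample logins and DNs are constructed.

```python
"""Added example (not BMC Helix SSO code): expand the $USER$, $GROUP$ and $DN$
filter macros from the table with RFC 4515 escaping of the substituted value.
The filter templates are copied from the Example column; the escaping step is
an assumption of standard practice, not a statement about the product."""

# Filter templates taken from the Example column of the table above.
USER_SEARCH_FILTER = "(&(objectCategory=user)(sAMAccountName=$USER$))"
USERS_OF_GROUP_FILTER = "(&(objectCategory=user)(memberOf=$GROUP$))"
GROUPS_OF_USER_FILTER = "(&(objectCategory=group)(member=$USER$))"

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value. A single-pass table lookup avoids double-escaping "\".
_FILTER_SPECIALS = {
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\\": "\\5c",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def expand_filter(template: str, **macros: str) -> str:
    """Replace each $NAME$ macro in template with the escaped value for NAME."""
    result = template
    for name, value in macros.items():
        result = result.replace(f"${name}$", escape_filter_value(value))
    return result


def user_search_filter(login: str) -> str:
    """User Search Filter with $USER$ set to the login typed at sign-in."""
    return expand_filter(USER_SEARCH_FILTER, USER=login)


def users_of_group_filter(group_dn: str) -> str:
    """Users of Group Filter with $GROUP$ set to the group's DN."""
    return expand_filter(USERS_OF_GROUP_FILTER, GROUP=group_dn)


def groups_of_user_filter(user_dn: str) -> str:
    """Groups of User Filter. The table's description names the $DN$ macro while
    its example filter uses $USER$; both are substituted with the user's DN."""
    return expand_filter(GROUPS_OF_USER_FILTER, USER=user_dn, DN=user_dn)


def parentheses_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check that a filter still nests correctly after expansion."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for login in ("jdoe", "ann(ops)", "*"):
        expanded = user_search_filter(login)
        print(f"{login!r:12} -> {expanded}  balanced={parentheses_balanced(expanded)}")
    print(users_of_group_filter("CN=Admins,CN=Users,DC=example,DC=com"))
    print(groups_of_user_filter("CN=jdoe,CN=Users,DC=example,DC=com"))
```

A DN passed for $GROUP$ or $DN$ goes through the same escaping: commas and equals signs are left alone, while a backslash that is part of an escaped RDN value (for example a comma inside a CN) becomes \5c, which is how the directory expects that DN string to appear inside a filter.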
To enable authentication chaining mode for the realm, see Enabling authentication chaining mode.
To enable AR for bypassing authentication, see Enabling AR authentication for bypassing other authentication methods.
To transform the User ID value, see Transforming userID to match login ID.