Downloading and configuring the LDAP sync agent

To be able to run the sync, you first download the LDAP sync agent and configure the application.properties file.

The application.properties file contains configuration details such as information for connecting to the LDAP server and sync configuration options such as objects to be synced, sync schedule, search filters, object mapping, and so on.

Important

BMC Helix Portal supports LDAP and LDAPS to sync the users and groups.

To download and configure the LDAP sync agent

  1. From the Configure menu, select LDAP sync agent.
  2. Download and save the bmc_helix_identity_sync_agent.zip agent file into a temporary directory.
  3. Extract and open the bmc_helix_identity_sync_agent.zip file.
  4. Go to the config folder and edit the application.properties file.
  5. Provide the following values for the configuration parameters and save the file.

    Sync configuration

    ldap.object.type
        Type of LDAP objects that you want to sync.
        Valid values:
        • groups: Sync groups only.
        • users: Sync users only.
        • all: Sync groups and users along with their mapping.
        Default: groups

        Important
        To limit the users or groups that you want to sync, use the group search filter and user search filter parameters (listed below).
        Before you sync, verify the objects and the total number of objects that will be synced by running the dryrun command. For more information, see Running the LDAP sync agent.
        Based on the preview results, you can modify the number of objects that you want to sync by updating the search filter.

    ade.user.group.mapping.replace
        Applies only if you set ldap.object.type=all.
        Indicates whether you want to replace the user and user group mapping in BMC Helix Portal with the LDAP user and group mapping.
        Valid values:
        • true
        • false
        Default: false

    LDAP connection details

    ldap.connect.timeout
        Time (in milliseconds) to wait for establishing a connection with the LDAP server.
        Default: 2000

    ldap.read.timeout
        Time (in milliseconds) to wait for a response from the LDAP server.
        Read timeouts can occur only after the connection to the LDAP server is established.
        Default: 30000

    ldap.url
        URL of the LDAP or LDAPS server, including the scheme, address, and port.
        Example (LDAP): ldap.url=ldap://HostABC.com:389
        Example (LDAPS): ldap.url=ldaps://HostABC.com:636

    ldap.base
        Base DN under which the search for entries starts.
        Example: ldap.base=DC=HostABC,DC=com

    ldap.username
        User name with which you want to connect to the LDAP server.
        Example: ldap.username=CN=Admins,DC=ldap,DC=com

    ldap.password
        Password for connecting to the LDAP server.
        You can specify the password in one of the following ways:
        • as plain text
        • at the prompt when running the agent. For this, set the parameter value to <PROMPT>.
          The ldap.password.encrypt.key.file parameter must be blank for the plain text and prompt options.
        • in encrypted format. Run the following command:
          • (Windows) ldap-agent.bat -e <ldap password>
          • (Linux) sh ldap-agent.sh -e <ldap password>
          The output contains the encryption key and the encrypted password.
          1. Save the encryption key in a file and set the file path as the value of the ldap.password.encrypt.key.file parameter.
          2. Set the encrypted password as the value of the ldap.password parameter.

    Group search filter and mapping (applies if you set ldap.object.type=groups or ldap.object.type=all)

    ldap.groups.search.filter
        Search filter for groups.
        Use this parameter to narrow the search and sync only those groups that need access to the various integrated products on BMC Helix Portal.
        Example to search for a single group:
        ldap.groups.search.filter=(&(objectClass=group)(cn=Admins))
        To include multiple groups in your search, enter the group names as shown in this example:
        ldap.groups.search.filter=(&(objectClass=group)(|(cn=tally)(cn=quality)))

    ldap.groups.attribute.name
        LDAP attribute name that you want to map to the Group name field specified while creating a group on BMC Helix Portal.
        Example: ldap.groups.attribute.name=cn

    ldap.groups.attribute.description
        LDAP attribute name that you want to map to the Description field specified while creating a group on BMC Helix Portal.
        Example: ldap.groups.attribute.description=description

    ldap.groups.nested.search.enabled
        Indicates whether nested groups are synced. If set to true, the nested groups are fetched.
        To fetch the nested groups through the LDAP agent, the ldap.base parameter must be set to the root of the LDAP directory.
        Alternatively, you can use the ldap.groups.base.dn parameter to update the base DN at runtime while searching for nested groups.

    User search filter and mapping (applies if you set ldap.object.type=users or ldap.object.type=all)

    ldap.users.search.filter
        Search filter for users.
        Use this parameter to narrow the search and sync only those users that need access to the various integrated products on BMC Helix Portal.
        Example to search for a single user:
        ldap.users.search.filter=(&(objectClass=user)(givenName=Mike))
        Examples to search for multiple users:
        ldap.users.search.filter=(&(objectClass=user)(memberOf=CN=tally,OU=finance,DC=idmad,DC=secops,DC=bmc,DC=com))
        ldap.users.search.filter=(&(objectClass=user)(|(memberOf=CN=tally,OU=finance,DC=idmad,DC=secops,DC=bmc,DC=com)(memberOf=CN=quality,OU=RnD,DC=idmad,DC=secops,DC=bmc,DC=com)))

    ldap.users.attribute.first_name
        LDAP attribute name that you want to map to the First name field specified while creating a user on BMC Helix Portal.
        Example: ldap.users.attribute.first_name=givenName

    ldap.users.attribute.last_name
        LDAP attribute name that you want to map to the Last name field specified while creating a user on BMC Helix Portal.
        Example: ldap.users.attribute.last_name=sn

    ldap.users.attribute.email
        LDAP attribute name that you want to map to the Email field specified while creating a user on BMC Helix Portal.
        Example: ldap.users.attribute.email=mail

    ldap.users.attribute.principal_id
        LDAP attribute name that you want to map to the Login ID field specified while creating a user on BMC Helix Portal.
        Example: ldap.users.attribute.principal_id=name

    Group and user mapping search filter (applies if you set ldap.object.type=all)

    ldap.groups.attribute.distinguishedName
        Attribute used to search for and map the groups and their associated users on BMC Helix Portal.
        Leave this parameter blank unless the distinguished name attribute in your LDAP directory is not named distinguishedName.
        Example: ldap.groups.attribute.distinguishedName=dN
        By default, the user and group mapping is based on the LDAP distinguished name, which contains the complete path along with the organizational units (OU).
        For example: CN=groupName,OU=Rnd,OU=Finance,OU=Common Services,DC=bmc,DC=com

    Sync schedule and TLS configuration

    ldap.sync.cron.schedule
        Cron schedule on which the LDAP sync runs.
        Example: ldap.sync.cron.schedule=0 0 0 * * * (syncs daily, at midnight)

    ldap.tls.enabled
        Indicates whether the LDAP server is authenticated by validating its TLS certificate.
        Valid values:
        • true
        • false
        Default: false

    BMC Helix Portal details

    helix.portal.endpoint
        Tenant URL of the BMC Helix Portal console.

    helix.portal.access.key
        Access key for authenticating to BMC Helix Portal.

    helix.portal.access.secret.key
        Secret key corresponding to the access key.
        You can specify the secret key in one of the following ways:
        • as plain text
        • at the prompt when running the agent. For this, set the parameter value to <PROMPT>.
          The helix.portal.access.secret.key.encrypt.key.file parameter must be blank for the plain text and prompt options.
        • in encrypted format. Run the following command:
          • (Windows) ldap-agent.bat -e helix.portal.access.secret.key=<secret key>
          • (Linux) sh ldap-agent.sh -e helix.portal.access.secret.key=<secret key>
          The output contains the encryption key and the encrypted secret key.
          1. Save the encryption key in a file and set the file path as the value of the helix.portal.access.secret.key.encrypt.key.file parameter.
          2. Set the encrypted secret key as the value of the helix.portal.access.secret.key parameter.
        For information about copying the secret key, see Setting up access keys for programmatic access.

    Search size

    ldap.search.page.size
        Number of entries to retrieve from the LDAP server in response to a search request.
        Default: 1000
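The group and user search filters above follow one shape: an objectClass test ANDed with either a single attribute test or an OR of several. The following added example (not part of the BMC agent or its documentation) builds that shape from a list of values and escapes each value as RFC 4515 requires, so that a group name or DN containing parentheses or an asterisk cannot change the meaning of the filter that ends up in application.properties. The attribute names and object classes are the ones shown on this page; memberOf is assumed to be available in your directory.

```python
def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that '(', ')', '*', '\\'
    and NUL inside the value cannot alter the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def object_filter(object_class: str, attribute: str, values) -> str:
    """Build the filter shape used in this page's examples:
    (&(objectClass=X)(attr=v)) for one value, or
    (&(objectClass=X)(|(attr=v1)(attr=v2)...)) for several."""
    values = list(values)
    if not values:
        raise ValueError("at least one value is required")
    terms = "".join(f"({attribute}={escape_filter_value(v)})" for v in values)
    if len(values) > 1:
        terms = f"(|{terms})"  # match any of the values
    return f"(&(objectClass={escape_filter_value(object_class)}){terms})"


def balanced(ldap_filter: str) -> bool:
    """Sanity check before pasting a hand-edited filter into the properties
    file: parentheses must nest correctly or the search request will fail."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # Reproduces the group and user examples given on this page.
    print("ldap.groups.search.filter=" + object_filter("group", "cn", ["Admins"]))
    print("ldap.groups.search.filter=" + object_filter("group", "cn", ["tally", "quality"]))
    print("ldap.users.search.filter=" + object_filter(
        "user", "memberOf", ["CN=tally,OU=finance,DC=idmad,DC=secops,DC=bmc,DC=com"]))
```

Run the dryrun command described under Running the LDAP sync agent after changing a filter, so the number of matched objects is confirmed before a scheduled sync picks it up.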

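Several of the parameters above carry a security decision: ldap.url chooses between ldap:// and ldaps://, ldap.tls.enabled decides whether the server certificate is validated, and the two secrets each have a companion .encrypt.key.file that must be blank for the plain text and <PROMPT> options and set only for the encrypted form. The following added example (not part of the BMC agent) parses an application.properties file and reports the weak combinations before the agent is run. The sample file and the /opt/agent/portal.key path are constructed for the example; parameter names are the ones documented on this page.

```python
from urllib.parse import urlsplit

# Constructed sample application.properties carrying several weak settings.
SAMPLE = """\
ldap.url=ldap://HostABC.com:389
ldap.username=CN=Admins,DC=ldap,DC=com
ldap.password=Sup3rSecret
ldap.password.encrypt.key.file=
ldap.tls.enabled=false
helix.portal.access.secret.key=<PROMPT>
helix.portal.access.secret.key.encrypt.key.file=/opt/agent/portal.key
"""


def parse_properties(text):
    """Minimal key=value parser; splitting on the first '=' keeps DN values intact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def secret_findings(props, key):
    """Page rule: <key>.encrypt.key.file is blank for plain text and <PROMPT>,
    and set only when the value is the output of ldap-agent -e."""
    value, keyfile = props.get(key, ""), props.get(key + ".encrypt.key.file", "")
    if not value:
        return [f"{key}: not set"]
    if value == "<PROMPT>":
        return [f"{key}: <PROMPT> but encrypt key file is set"] if keyfile else []
    return [] if keyfile else [f"{key}: plain text (run the agent with -e to encrypt it)"]


def audit(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    p, findings = parse_properties(text), []
    if urlsplit(p.get("ldap.url", "")).scheme != "ldaps":
        findings.append("ldap.url: not ldaps://, bind credentials and directory data are unencrypted")
    if p.get("ldap.tls.enabled", "false").lower() != "true":
        findings.append("ldap.tls.enabled: false, the server certificate is not validated")
    for key in ("ldap.password", "helix.portal.access.secret.key"):
        findings += secret_findings(p, key)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```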
Where to go from here

Run the LDAP sync agent commands to start the sync. For more information, see Running the LDAP sync agent.
