Configuring LDAP authentication

You can configure the BMC Helix SSO server to authenticate end users through the Lightweight Directory Access Protocol (LDAP). You can also configure LDAP authentication for external administrators; for details, see Configuring the BMC Helix SSO server.

By using the REST API or the user interface, you can define groups that identify the users who can access the BMC Helix SSO Admin Console. For more information about restricting access, see Configuring authentication for BMC Helix SSO administrators.

BMC Helix SSO supports strong LDAP bind with Simple Authentication and Security Layer (SASL). In SASL, a challenge-response authentication protocol enables data exchange between the client and the server. Data exchange supports authentication and establishes a security layer for communications.

LDAP v3 also uses SASL for pluggable authentication. By using pluggable authentication, you can select an authentication mechanism that enables a strong bind. For example, a mechanism such as External with SSL and a client certificate establishes a strong bind. The mechanism gets the client certificate from the client (browser) and passes it to the BMC Helix SSO server. The client certificate is then used to create an SSL connection to the LDAP server.

BMC Helix SSO supports providing additional information about LDAP users and groups. The additional information can be used by an integrated application such as TrueSight Orchestration (formerly BMC Atrium Orchestrator) for administration and authorization.


BMC Helix SSO does not follow LDAP referrals. 

Before you begin

  • Add a realm for LDAP authentication. For information about how to add a realm, see Adding and configuring realms.
  • You must have the LDAP server configured.
  • Obtain the following information from the LDAP administrator:

    • Host name of the LDAP server
    • Port number of the LDAP server
    • Distinguished name of the bind LDAP user
    • Password of the bind LDAP user
    • Starting location within the LDAP directory for performing user searches
    • User attribute on which the search is performed
  1. (Optional) Click Test to verify the settings.
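
The values listed under "Before you begin" can be sanity-checked offline before they are entered into the realm. The following is an added example, not BMC code: the function names, the dictionary keys and the sample values are hypothetical, and the `(attribute=login)` filter form is an assumption about how a user search is typically expressed, not documented BMC Helix SSO behaviour.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")               # short attribute name
_RDN = re.compile(r"\s*[A-Za-z][A-Za-z0-9-]*\s*=.+", re.S)  # attr=value

def escape_filter_value(value):
    """Neutralise filter metacharacters in a login ID (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(user_attribute, login_id):
    """Build (attribute=login) with the login ID escaped (assumed filter form)."""
    if not _ATTR.fullmatch(user_attribute):
        raise ValueError("user attribute is not a plain attribute name")
    return "({}={})".format(user_attribute, escape_filter_value(login_id))

def looks_like_dn(dn):
    """Rough syntax check: every comma-separated RDN has the form attr=value."""
    parts = re.split(r"(?<!\\),", dn or "")
    return all(_RDN.fullmatch(p) for p in parts)

def check_settings(s):
    """Return a list of problems found in the collected values."""
    problems = []
    if not s.get("host"):
        problems.append("host name missing")
    if not isinstance(s.get("port"), int) or not 1 <= s["port"] <= 65535:
        problems.append("port out of range")
    elif s["port"] == 389:
        # 389 is the conventional non-TLS LDAP port; a simple bind there
        # sends the bind password unencrypted unless TLS is negotiated.
        problems.append("port 389 is conventionally cleartext LDAP; confirm TLS")
    for key in ("bind_dn", "search_base"):
        if not looks_like_dn(s.get(key)):
            problems.append(key + " is not a distinguished name")
    if not s.get("bind_password"):
        problems.append("bind password missing")
    if not _ATTR.fullmatch(s.get("user_attribute") or ""):
        problems.append("user attribute is not a plain attribute name")
    return problems

# Constructed sample values, not taken from any real directory.
SAMPLE = {"host": "ldap.example.test", "port": 636,
          "bind_dn": "cn=svc-sso,ou=service,dc=example,dc=test",
          "bind_password": "placeholder",
          "search_base": "ou=people,dc=example,dc=test",
          "user_attribute": "uid"}
```

An empty list from `check_settings(SAMPLE)` means the values are syntactically plausible; it does not replace the Test button, which checks them against the live directory.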

Where to go from here

To enable authentication chaining mode for the realm, see Enabling authentication chaining mode.

To enable AR for bypassing authentication, see Enabling AR authentication for bypassing other authentication methods.

To transform the User ID value, see Transforming userID to match login ID.
