This documentation supports the 9.1 version of Remedy IT Service Management Suite.


LDAP Authentication


Note

This topic is applicable for BMC Remedy Smart Reporting version 9.1.03 and later.

BMC Remedy Smart Reporting has two methods of authentication, configurable from the Admin Console: BMC Remedy Smart Reporting Authentication and LDAP Authentication. BMC Remedy Smart Reporting Authentication means that the user's credentials (user ID and password) are stored in BMC Remedy Smart Reporting and checked to authenticate a user logging into the system. LDAP Authentication means that BMC Remedy Smart Reporting references an external directory (LDAP) or database to perform the authentication: a user enters their user ID and password (or these are passed by Single Sign On) and BMC Remedy Smart Reporting authenticates these details against those in the LDAP directory.

Using LDAP means that BMC Remedy Smart Reporting access can be controlled externally, and organisation-wide, simply and quickly. Users can use their existing intranet password for BMC Remedy Smart Reporting, and reports can be given access restrictions which include or exclude users in specific LDAP groups. In addition, removal or lockout of a user in the LDAP directory automatically flows through to BMC Remedy Smart Reporting, because BMC Remedy Smart Reporting has to authenticate via the directory for every login request. This minimises the manual effort of managing users.

LDAP Preparation

Prior to setting up the LDAP parameters in BMC Remedy Smart Reporting, the following will have to be completed:

  1. Create a BMC Remedy Smart Reporting User (or specify an existing user) within the LDAP directory to allow BMC Remedy Smart Reporting to connect and search for Users and Groups.
  2. Create a 'BMC Remedy Smart Reporting User' Group within the LDAP directory (or specify one) which will be used to determine which users will have access to BMC Remedy Smart Reporting.
  3. Ensure network connectivity between the BMC Remedy Smart Reporting server and the LDAP server.
  4. Define the default BMC Remedy Smart Reporting Role for LDAP users.

Defining the Default Role

For BMC Remedy Smart Reporting to provision users automatically it has to assign a role to them. This role is defined as a BMC Remedy Smart Reporting 'Default' Role. In the Roles page, define one Role as the Default.

  1. Navigate to Administration > General > Role Management.
  2. Select the Role you wish to make Default.
  3. Tick the Default Role box and Save.

Note

If no role is set as default the users will not be provisioned correctly into BMC Remedy Smart Reporting and the process will fail.

BMC Remedy Smart Reporting LDAP Configuration

To provision users from the LDAP directory and to use LDAP Authentication the required attributes must be defined on the Configuration page. The attributes required by BMC Remedy Smart Reporting include:

| Property | Description |
|---|---|
| LDAP Host | LDAP server hostname or IP address. |
| LDAP Port | TCP/IP port that the LDAP server is listening on. |
| Encryption | The encryption method implemented by the LDAP server (None, TLS, SSL). |
| LDAP Base Distinguishing Name (DN) | The LDAP node that all users and groups are contained within. |
| LDAP (BMC Remedy Smart Reporting User) Group | LDAP Group Name that identifies which users can log in to BMC Remedy Smart Reporting. This group exists in the LDAP directory, not in BMC Remedy Smart Reporting. Only members of this group will be able to log in to BMC Remedy Smart Reporting. |
| LDAP Bind User | The LDAP User that the BMC Remedy Smart Reporting application uses to connect to the LDAP directory for search access. It must have rights to search the LDAP directory. |
| LDAP Bind Password | The LDAP Password required for the BMC Remedy Smart Reporting application to connect to the LDAP directory, associated with the LDAP Bind User defined above. |
| LDAP Search Attribute | The unique User Name field that LDAP users will log in to BMC Remedy Smart Reporting with. |
| LDAP First Name Attribute | Maps to the First Name attribute of the user within the LDAP directory, so that BMC Remedy Smart Reporting can match the user to a name and create an internal user account. |
| LDAP Surname Attribute | Maps to the surname attribute of the user within the LDAP directory, so that BMC Remedy Smart Reporting can match the user to a name and create an internal user account. |
| LDAP Email Attribute | Maps to the email address attribute of the user within the LDAP directory, so that BMC Remedy Smart Reporting can match the user to an email address for broadcast reports. |
| LDAP Role Attribute | Maps to a BMC Remedy Smart Reporting Role to be assigned to the user instead of the Default Role. See RoleCode in the OrgRole table. |
| LDAP Group Filtering Criteria | Criteria used to filter a list of LDAP groups. Only groups returned in the filtered list will be passed to BMC Remedy Smart Reporting. |
| Ordering | The order in which internal authentication is performed (LDAP Authentication First, Internal Authentication First). |

Once defined, BMC Remedy Smart Reporting will automatically provision users as they attempt to login to BMC Remedy Smart Reporting for the first time.

Note

If the users in LDAP exceed the number of licences purchased, any new users will not be provisioned into the system.

Example

| Setting | Parameter |
|---|---|
| LDAP Host | 192.168.4.241 |
| LDAP Port | 389 |
| LDAP Base DN | cn=Users,dc=i4,dc=local |
| LDAP Group | CN=BMC Remedy Smart Reporting Users,CN=Users,DC=i4,DC=local |
| LDAP Bind User | cn=Administrator,cn=Users,dc=i4,dc=local |
| LDAP Bind Password | ********* |
| LDAP Search Attribute | employeeID |
| LDAP First Name Attribute | givenName |
| LDAP Surname Attribute | lastName |
| LDAP Email Attribute | userPrincipleName |
| LDAP Role Attribute | Writer |
| Ordering | LDAP Authentication First |

Description:

  • Connect to LDAP host 192.168.4.241 on port 389.
  • Users will be searched for under cn=Users,dc=i4,dc=local.
  • Users will be allowed to access BMC Remedy Smart Reporting if they are a member of cn=BMC Remedy Smart Reporting Users,cn=Users,dc=i4,dc=local.
  • The user search will be conducted as cn=Administrator,cn=Users,dc=i4,dc=local, bound to the LDAP server with the password defined.
  • The user will use employeeID as their login ID and BMC Remedy Smart Reporting will load their given name, surname, and email from the LDAP directory attributes givenName, lastName, and userPrincipleName respectively.
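
The settings above can be sanity-checked before they are entered on the Configuration page. The following is an added example, not BMC code: a small offline audit that flags an unencrypted connection, a group or bind DN that falls outside the Base DN, and a bind account that looks administrative when search rights are all it needs. The dictionary keys reuse the page's setting names; the `audit`, `parse_dn` and `is_under` helpers, the administrative-name list, the assumed Encryption value and the second sample are assumptions made for illustration.

```python
# Added example, not BMC code: offline audit of Smart Reporting LDAP settings.
ADMIN_NAMES = {"administrator", "admin", "root"}  # heuristic list (assumption)

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs.
    Simplified: escaped commas inside values are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part.strip()!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under(dn, base_dn):
    """True when dn is at or below base_dn in the directory tree."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b

def audit(cfg):
    """Return findings for a dict keyed by the page's setting names."""
    findings = []
    if cfg.get("Encryption", "None") == "None":
        findings.append("Encryption is None: LDAP traffic, including bind passwords, is unencrypted")
    for key in ("LDAP Group", "LDAP Bind User"):
        try:
            if not is_under(cfg[key], cfg["LDAP Base DN"]):
                findings.append(f"{key} is not under LDAP Base DN")
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
    try:
        bind_name = parse_dn(cfg["LDAP Bind User"])[0][1]
    except ValueError:
        bind_name = ""
    if bind_name in ADMIN_NAMES:
        findings.append("LDAP Bind User looks administrative; it only needs search rights")
    return findings

# Values from the page's example; Encryption is not shown there, None is assumed.
PAGE_EXAMPLE = {
    "Encryption": "None", "LDAP Base DN": "cn=Users,dc=i4,dc=local",
    "LDAP Group": "CN=BMC Remedy Smart Reporting Users,CN=Users,DC=i4,DC=local",
    "LDAP Bind User": "cn=Administrator,cn=Users,dc=i4,dc=local",
}
# Constructed variant: TLS, a dedicated search account, and a mistyped group DN.
MISTYPED = {**PAGE_EXAMPLE, "Encryption": "TLS",
            "LDAP Group": "CN=Reporting Users,CN=Users,CD=i4,CD=local",
            "LDAP Bind User": "cn=svc-reporting,cn=Users,dc=i4,dc=local"}

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("mistyped", MISTYPED)):
        print(name, audit(cfg))
```
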

Note

If a user is not found in the LDAP directory, BMC Remedy Smart Reporting will look for the username as a standard BMC Remedy Smart Reporting user.

BMC Remedy Smart Reporting Security & LDAP

Once LDAP Authentication is enabled, the Group Management screens will include a new group option called LDAP. This will source groups from the LDAP directory for use as normal BMC Remedy Smart Reporting Groups. BMC Remedy Smart Reporting Groups can also be created based on a variety of sources including mixtures of LDAP and BMC Remedy Smart Reporting groups, where LDAP groups can be either included or excluded in the new group.

  1. Open the Add LDAP Group drop-down.
  2. A list of LDAP groups will be displayed. Select the group to be used to create members for the BMC Remedy Smart Reporting Group.
  3. Click Add to add the LDAP Group members into the BMC Remedy Smart Reporting Group.
