Configuring LDAP authentication users

You can configure Remedy SSO server to authenticate users through the LDAP server. The following flow shows the tasks that you need to perform to configure the LDAP authentication in Remedy SSO.

Remedy SSO provides the following support with different releases:

• Remedy SSO supports a strong LDAP bind with Simple Authentication and Security Layer (SASL). In SASL, a challenge-response protocol enables data exchange between the client and the server. Data exchange supports authentication and establishes a security layer for communications.
• In addition, LDAP v3 uses SASL for pluggable authentication. By using pluggable authentication, you can select an authentication mechanism that enables strong bind. For example, a mechanism such as External with SSL and client certificate establishes a strong bind. The mechanism gets the client certificate from the client (browser), and passes it to Remedy SSO server. The client certificate is then used to create SSL connection to the LDAP server.
• Remedy SSO supports providing additional information about LDAP users and groups. The additional information can be used by an integrated application such as TrueSight Orchestration (formerly BMC Atrium Orchestrator) for administration and authorization.

Before you begin

• Ensure that you have performed Remedy SSO server configuration. If you want to use SASL, you must set up the SP similar to that of SAML. For more information about server configuration, see Configuring the Remedy SSO server.
• Configure a realm for the authentication. For more information about realm configuration, see Configuring Realms.
• Ensure that the LDAP server is configured.

• If you want to use TLS/SSL connection to the LDAP server, import the certificates (cacerts) for the LDAP server to the truststore (JavaHome \jre\lib\security) of Apache Tomcat used by Remedy SSO. You can use third-party utilities such as KeyStore Explorer to import the certificates.

  Note:

  If your Remedy SSO server and the integrated application both use invalid TLS/SSL certificates for HTTPS connection, you may experience difficulties with login in Microsoft Edge and Safari browsers. The certificate confirmation dialog breaks the flow, and the login request is redirected to an empty rsso/start URL.
  BMC recommends that you use another browser to log on or open the application URL again after confirming the exception for the certificate.

  
  

• Obtain the following information from the LDAP administrator:
  • Host name of the LDAP server
  • Port number of the LDAP server
  • Distinguished name of the bind LDAP user
  • Password of the bind LDAP user
  • Starting location within the LDAP directory for performing user searches
  • User attribute on which search is performed
• Note that Remedy SSO does not follow referrals. 
  

To configure the LDAP authentication

1. In the left navigation pane of the Add Realm or Edit Realm page, click Authentication.

2. In the Authentication Type field, click LDAP.

3. (Optional) Select the Enable AR authentication for bypass check box to enable bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR System authentication for bypass.

4. Enter the following LDAP details.

   Field	Description
   Server Host(s)	The IP address or host name of the LDAP sever. To use SASL, enter the host name (not the domain name). If you have LDAP failover configuration, you can add several LDAP server hosts to support LDAP authentication in the failover mode. This will help to handle a situation when one of the servers is down, and the other server is up and running. If the connection to the first server fails, Remedy SSO will automatically redirect the request to another server.
   Server Port	Port number for the LDAP server, for example, 389.
   Use TLS connection	Select to enable TLS to connect to the LDAP server.
   Bind DN	Type the distinguished name (DN) of an LDAP user. For example, CN=User, CN=Users, DC=example, DC=com. This is the bind distinguished name for querying LDAP and hence this account must have privileges to search the directory. To use SASL, leave the field as blank as it will be disabled when you select SASL.
   Bind Password	Enter the password for LDAP user with the bind distinguished name. To use SASL, leave the field as blank as it will be disabled when you select SASL.
   Users Base DN	Starting location within the LDAP directory for performing user searches. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an object search is specified, then the Base DN should be the DN of the node containing the users. For example, CN=Users, DC=example, DC=com. To use SASL, leave the field as blank as it will be disabled when you select SASL.
   Page Size	By default, the page size is set to 2000 entries. You might need to change this value if your LDAP server is configured to return less than 2000 entries.
   Enable Group Retrieval	Select the check box to enable Remedy SSO to display the groups list for the authenticated user as a part of the login process. It is used by applications such as TrueSight Orchestration (formerly BMC Atrium Orchestrator) for supporting authorization based on Remedy SSO.
   Search Scope	Select one of the options (One Level, Subtree) to provide the scope for search.
   Use SASL	Select to enable SASL. The fields SASL Mechanism and Quality of Protection are displayed. Note that if you select Use SASL as the first field, after switching to the Authentication window (omitting all other fields), the fields Bind DN, Bind Password, and Users Base DN are disabled. Additionally, if Bind DN and Users Base DN are disabled, then manually populate the filters - User Search Filter and Get All Users Filter, and do not use the Preset button. When the Preset button is clicked, the fields Bind DN and Bind Password are enabled and are marked as required.
   SASL Mechanism	Select a SASL authentication method. You can select one of the following methods: DIGEST-MD5 GSSAPI This field is displayed only if you select Use SASL.
   Quality of Protection	Specify the integrity and privacy protection that SASL mechanism should support. You can select one of the following options: Authentication only Authentication with integration protection Authentication with integrity and privacy protection This field is displayed only if you select Use SASL.
   LDAP Filter preset	Select a preset to fill the LDAP filters with predefined values for the most common LDAP implementations. To search within nested groups, select AD Hierarchical. You can change filters to tune queries as well.
   User Authentication
   User Search Filter	Enter the LDAP query to search for the user to be authenticated and if found to display the user's distinguished name. User is specified by $USER$ macro, for example - (&(objectCategory=user)(sAMAccountName=$USER$)).
   Identity Attribute	Enter the attribute to be used as a user name. It will be later provided as a user's name to the integrated systems with Remedy SSO. For example, sAMAccountName. This field is not displayed if you had selected Use SASL.
   Get All Users Filter	Enter the LDAP query to display all LDAP users, for example (objectCategory=user). The filter can be used by integrated application for administration purposes to browse all users in LDAP to be considered as authorization subjects.
   Group Support
   Users of Group Filter	Enter the LDAP query to return the groups list for a particular group. The group is specified by $GROUP$ macro, for example - (&(objectCategory=user)(memberOf=$GROUP$)). Groups information can be used by an integrated application for administration and authorization purposes.
   Groups Base DN	Enter Base DN for group search. If this is not specified, Users Base DN is used.
   Group Search Filter	Enter the LDAP query to display the list of all groups, for example - (objectCategory=group). The filter can be used by an integrated application for administration purposes to browse all groups to be considered as authorization subjects.
   Group Name Attribute	Enter the attribute to be used as group name. For example, cn.
   Groups of User Filter	Enter the LDAP query to return the list of the groups for a particular user. The user is specified by $DN$ macro. For example, (&(objectCategory=group)(member=$USER$)). When the Enable Group Retrieval check box is selected, this is a required field. This field (Groups of User Filter) can be used by an integrated application for administration purposes to browse the groups for a particular user. In addition, an administrator may use the keyword $DN$.

5. (Optional) Click Test to verify the settings.
6. (Optional) Click Enable Chaining Mode and perform the following steps to enable authentication chaining. For more information about the authentications that you can chain with LDAP, see Authentication fallback.
   1. Click Add Authentication.
   2. Select the required authentication type and enter the authentication details.
   3. Repeat steps a through b to add more authentications for the realm.

7. Click Save.

Related videos

Watch the video on how to configure LDAP in Remedy SSO.

 https://www.youtube.com/watch?v=ClbpS_acLuQ?rel=0

Where to go from here

Configuring the Remedy SSO server