Using LDAP (Active Directory) for authentication
BMC Atrium Single Sign-On provides support for using external Lightweight Directory Access Protocol (LDAP) servers for authentication. Support for LDAP also includes using external Active Directory (AD) servers for authentication. The Active Directory authentication must be configured for the enterprise environment.
Before you begin
If you plan to enable SSL access, import the certificates and restart the Tomcat server before setting up LDAP (AD) authentication. For more information, see Installing and managing certificates in BMC Atrium Single Sign-On.
To set up LDAP (AD) for authentication
- On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
- On the Main tab (default), select a User Profile type.
The User Profile applies to all authentication methods used for authentication.
- In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
- Provide the parameters for the method and Save.
- Set the flag for the authentication method.
If you enabled SSL Access to the LDAP Server, import the certificates and restart the Tomcat server before enabling LDAP authentication. For more information, see Installing and managing certificates in BMC Atrium Single Sign-On.
LDAP (AD) parameters
When adding or editing an LDAP module, the following options are available:
- Save to save your modifications.
- Reset to remove your modifications and stay on the editor.
- Help launches a browser that provides you with online help.
- Cancel to cancel and return to the launch page.
Primary LDAP Server
(Required) Enter the host's Fully Qualified Domain Name (FQDN) for the primary LDAP server.
If the LDAP server is not listening on the default port (389), specify the port number.
Secondary LDAP Server
The secondary LDAP server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.
If the secondary server is not listening on the default LDAP port, specify the port number.
Set Recheck Primary Server Interval (minutes)
(Optional) The interval at which the Secondary LDAP Server checks whether the Primary LDAP Server is available. If the Primary LDAP Server is available, the communication is redirected to the Primary LDAP Server.
User Account for Search
Distinguished Name, Password, Confirm Password
(Required) The DN is the login name that is used to connect to the LDAP server. This user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the user, the password, and the password confirmation.
For example, you can use the Distinguished Name as
Attributes for User Search
Add attribute names using the Attribute name parameter, or remove an attribute from the attribute list.
For example, you can
DN to Start Search
Add a base DN, or remove a DN from the list. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an Object search is specified, then the DN should be the DN of the node containing the users.
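The following added example (not BMC code) models how the user-search attributes and the base DN described above become an LDAP search request, and why the login name must be escaped per RFC 4515 before it is placed in the filter. It assumes the product matches the login name against each configured attribute with an OR filter; the attribute and DN values are constructed samples, and the scope names are the standard LDAP ones rather than the console's labels.

```python
# Added example: build a user-lookup search from the configured
# "Attributes for User Search" and "DN to Start Search" values.
# Assumption: the login name is matched against every configured
# attribute with an OR filter (how the product does this is not shown here).

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Standard LDAP search scopes (RFC 4511), not the console's own labels.
_SCOPES = ("base", "one", "sub")


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally, never parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, attributes) -> str:
    """Return an (attr=login) filter, OR-ed over all configured attributes."""
    attributes = list(attributes)
    if not attributes:
        raise ValueError("at least one user-search attribute is required")
    safe = escape_filter_value(login)
    clauses = [f"({attr}={safe})" for attr in attributes]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def build_search_request(base_dn: str, login: str, attributes, scope: str = "sub") -> dict:
    """Assemble the parameters a search against the configured base DN would use."""
    if scope not in _SCOPES:
        raise ValueError(f"scope must be one of {_SCOPES}")
    if not base_dn.strip():
        raise ValueError("base DN is required")
    return {"base": base_dn, "scope": scope, "filter": build_user_filter(login, attributes)}


if __name__ == "__main__":
    # Constructed sample: AD attributes and a base DN for an example domain.
    attrs = ["sAMAccountName", "mail"]
    print(build_search_request("OU=Users,DC=example,DC=test", "jdoe", attrs))
    # A login containing filter metacharacters is neutralised rather than parsed.
    print(build_user_filter("jdoe)(objectClass=*", attrs))
```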
Attribute for User Profile Name
This parameter maps an LDAP attribute to the user profile name.
Where to go from here
- In Administering, see managing users, user groups, and authentication modules.