Out of support


This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Using LDAP (Active Directory) for authentication

BMC Atrium Single Sign-On provides support for using external Lightweight Directory Access Protocol (LDAP) servers for authentication. Support for LDAP also includes using external Active Directory (AD) servers for authentication. The Active Directory authentication must be configured for the enterprise environment.

Before you begin

If you plan to enable SSL access, import the certificates and restart the Tomcat server before setting up LDAP (AD) authentication. For more information, see Installing and managing certificates in BMC Atrium Single Sign-On.

To set up LDAP (AD) for authentication

  1. On the BMC Atrium SSO Admin Console, click Edit BMC Realm.
  2. On the Main tab (default), select a User Profile type.


    The User Profile applies to all authentication methods used for authentication.

  3. In the Realm Authentication panel, click Add for a new authentication method and select the method. Alternatively, if you want to edit an existing module, select the module and click Edit.
  4. Provide the parameters for the method and Save.
  5. Set the flag for the authentication method.


If you enabled SSL access to the LDAP server, import the certificates and restart the Tomcat server before enabling LDAP authentication. For more information, see Installing and managing certificates in BMC Atrium Single Sign-On.

LDAP (AD) parameters

When adding or editing an LDAP module, the following options are available:

  • Save to save your modifications.
  • Reset to remove your modifications and stay on the editor.
  • Help launches a browser that provides you with online help.
  • Cancel to cancel and return to the launch page.




Primary LDAP Server


(Required) Enter the fully qualified domain name (FQDN) of the host for the primary LDAP server.



If the LDAP server is not listening on the default port (389), specify the port number.



Secondary LDAP Server


The secondary LDAP server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.



If the secondary server is not listening on the default LDAP port, specify the port number.




Set Recheck Primary Server Interval (minutes)

(Optional) The interval at which the Secondary LDAP Server checks whether the Primary LDAP Server is available. If the Primary LDAP Server is available, the communication is redirected to the Primary LDAP Server.
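The failover rule described for the secondary server and the recheck interval, modelled as an added example (not BMC's code and not from the original page). `LdapFailover`, `make_server`, `demo` and the sample account are hypothetical names, and both servers are in-memory stand-ins rather than real LDAP connections.

```python
import time

class ServerUnavailable(Exception):
    """No answer from the server (timeout, connection refused, TLS failure)."""

class AuthRejected(Exception):
    """The server answered and rejected the credentials."""

class LdapFailover:
    """Model of the primary/secondary rule above; hypothetical, not product code."""
    def __init__(self, primary, secondary, recheck_minutes, clock=time.monotonic):
        self.primary, self.secondary = primary, secondary
        self.recheck_seconds, self.clock = recheck_minutes * 60, clock
        self.down_since = None  # None while the primary is in use

    def authenticate(self, user, password):
        try_primary = (self.down_since is None or
                       self.clock() - self.down_since >= self.recheck_seconds)
        if try_primary:
            try:
                # AuthRejected is not caught: a rejection never goes to the secondary.
                result = self.primary(user, password)
            except ServerUnavailable:
                self.down_since = self.clock()  # fall through to the secondary
            else:
                self.down_since = None
                return "primary", result
        return "secondary", self.secondary(user, password)

def make_server(users, state):
    """Constructed stand-in for an LDAP bind; state["up"] toggles reachability."""
    def bind(user, password):
        if not state["up"]:
            raise ServerUnavailable(user)
        if users.get(user) != password:
            raise AuthRejected(user)
        return user
    return bind

def demo():
    now, p_state = [0.0], {"up": True}
    users = {"jdoe": "constructed-pw"}  # constructed sample account
    fo = LdapFailover(make_server(users, p_state), make_server(users, {"up": True}),
                      recheck_minutes=5, clock=lambda: now[0])
    used = []
    for t, up in [(0, True), (10, False), (60, True), (310, True)]:
        now[0], p_state["up"] = t, up
        used.append(fo.authenticate("jdoe", "constructed-pw")[0])
    return used
```

`demo()` replays four logins at 0, 10, 60 and 310 seconds: the login at 60 seconds stays on the secondary even though the primary is reachable again, because the 5-minute recheck interval has not yet elapsed.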

User Account for Search

Distinguished Name, Password, Confirm Password

(Required) The DN is the login name that is used to connect to the LDAP server. A user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the user, the password, and the password confirmation.

For example, you can use CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com as the Distinguished Name, with a password of your choice.

Attributes for User Search

Attribute Name

Add attribute names using the Attribute name parameter, or remove an attribute from the attribute list.

For example, you can add CN as attribute name for User Search.

DN to Start Search

Base DN

Add a base DN name or remove the name from the attribute list. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an Object search is specified, then the DN should be the DN of the node containing the users.

For example, CN=bsmuser,CN=users,DC=bsmdsl,DC=bmc,DC=com


Attribute for User Profile Name

This parameter maps an LDAP attribute to the user profile name.
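How the search account, search attributes, base DN and profile attribute fit together in a conventional search-then-bind login, as an added example that is not from the original page or the product. The page does not document the product's internals, so the OR-combined filter, the subtree scope, the single-match rule and all function names are assumptions; the entries are constructed and DN comparison is simplified to a suffix match.

```python
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape filter metacharacters so the login is matched literally (RFC 4515)."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)

def search_request(login, search_attrs, base_dn):
    """Build the lookup performed with the search account before the user's bind."""
    terms = ["({}={})".format(a, escape_filter_value(login)) for a in search_attrs]
    flt = terms[0] if len(terms) == 1 else "(|{})".format("".join(terms))
    return {"base": base_dn, "scope": "subtree", "filter": flt}  # scope is assumed

def resolve_user(entries, login, search_attrs, base_dn, profile_attr):
    """Apply the same lookup to constructed entries; return (bind DN, profile name).

    Equality on the raw login is what the escaped filter expresses. Zero or
    several matches return None, so an ambiguous login never reaches the bind step.
    """
    suffix = "," + base_dn.lower()
    hits = [e for e in entries
            if e["dn"].lower().endswith(suffix)
            and any(e.get(a, "").lower() == login.lower() for a in search_attrs)]
    if len(hits) != 1:
        return None
    return hits[0]["dn"], hits[0].get(profile_attr)

# Constructed sample values; only the DN suffix comes from the page's examples.
BASE_DN = "CN=users,DC=bsmdsl,DC=bmc,DC=com"
ENTRIES = [
    {"dn": "CN=jdoe," + BASE_DN, "CN": "jdoe", "mail": "jdoe@example.com"},
    {"dn": "CN=asmith," + BASE_DN, "CN": "asmith", "mail": "asmith@example.com"},
    {"dn": "CN=jdoe,OU=lab,DC=bsmdsl,DC=bmc,DC=com", "CN": "jdoe", "mail": "lab@example.com"},
]
```

With the base DN set to the users container, `jdoe` resolves to one entry; widening it to `DC=bsmdsl,DC=bmc,DC=com` makes the same login match two entries and the lookup returns nothing.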

Where to go from here

  • In Administering, see managing users, user groups, and authentication modules.


  1. Boris Ioffe

    It would be more useful if you publish example screenshots and example values for LDAP (AD) parameters

    Jun 04, 2013 02:56
  2. Keith Linehan

    In the DN to Start Search, the Attribute Name is a DN from which the LDAP directory will be searched. The description isn't appropriate for the field and should be updated to reflect the expected value. Thanks, Adam.


    Jul 11, 2013 12:08
  3. Darmawan Chia


    Can you give us some screenshots with sample values? I don't quite understand what I should fill in for the Attributes for User Search and Attribute for User Profile Name parameters, thanks.

    Feb 08, 2015 10:12
    1. Abhay Chokshi

      Thank you for your comment, Darmawan.

      The table contains some of the basic examples needed to configure LDAP. However, I will get in touch with the SME and try to add a few more examples with a screenshot.



      Feb 09, 2015 07:27
  4. Joshua Skirde

    The description for "Attribute for User Profile Name" is wrong. I don't believe it has anything to do with searching but instead maps an LDAP attribute to the display name for the user login.

    Apr 01, 2015 03:22
    1. Kamalakannan Srinivasan

      Hi Joshua,

      Thank you for your comment. I made the relevant changes to the topic.




      Apr 08, 2015 07:15
  5. Kamalakannan Srinivasan

    Hi Joshua,

    Thank you for your comment. I will verify this with the concerned SME and get back to you.



    Apr 01, 2015 05:14