Enabling LDAP for user authentication
You must enable LDAP for single sign-on user authentication. When LDAP is enabled, the user ID and password entered by the user are validated against the user ID and password stored in the LDAP directory.
To set up LDAP (AD) for authentication
- On the BMC Atrium Single Sign-On Admin Console, click Edit BMC Realm.
- On the Main tab (default), select a User Profile type.
Note
The selected User Profile applies to every authentication method that the realm uses.
- In the Realm Authentication panel, from the UserId Transformer drop-down list, select one of the following:
  - To UPPER - converts all the characters in the user ID to upper case
  - To lower - converts all the characters in the user ID to lower case
  - No Transform - leaves the user ID exactly as entered
Note
You can add more options using customized plug-ins. For information about creating customized plug-ins, see Configuring a new user ID transformation.
- Click Add to add LDAP/Active Directory as the new authentication method, and enter the parameters described under LDAP (AD) parameters.
- Verify the authentication using the following URL template: https://<fully.qualified.domain.name>:<port>/atriumsso/UI/Login?realm=<realm>.
For example, to open the login page of the default realm: https://sample.bmc.com:8443/atriumsso/.
Note
If you have enabled SSL access to the LDAP server, import the certificates and restart the Tomcat server before enabling LDAP authentication. For more information, see Managing certificates in BMC Atrium Single Sign-On.
LDAP (AD) parameters
When adding or editing an LDAP module, the following options are available. The tables below describe the fields on the LDAP (Active Directory) Editor:
General tab
Field | Parameter | Description |
---|---|---|
Primary LDAP Server | Host name | Enter the host's Fully Qualified Domain Name (FQDN) for the primary LDAP server. If you enable SSL, use the name that the server's certificate is issued to. |
Primary LDAP Server | Port | If the LDAP server is not listening on the default port (389), specify the port number. LDAP over SSL usually listens on 636. |
Primary LDAP Server | Use SSL | (Optional) Enable to use Secure Sockets Layer (SSL) to connect to the LDAP servers. Before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported into the truststore of the Apache Tomcat used by BMC Atrium Single Sign-On. For more information about importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore. If the remote LDAP server requires client authentication for SSL, you might also need to import the BMC Atrium Single Sign-On server certificate into the LDAP server's truststore. |
User Account for Search | DN and password | The DN (for example, cn=svc_remedy,ou=Service accounts,dc=hds,dc=int) is the logon name that is used to connect to the LDAP server. Enter the full DN, not just the account name; the user must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN for the user, the password, and the password confirmation. |
DN to Start Search | Start DN | Starting location within the LDAP directory for performing user and group searches. The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an object search is specified, the DN should be the DN of the node containing the users. |
DN to Start Search | User profile attribute | Enter the attribute used to search for a user profile name. |
Attributes for User Search | Attribute list | Add the user attribute names on which to perform the search to the attribute list. |
Advanced tab
Field | Parameter | Description |
---|---|---|
Secondary LDAP Server | Host name | The secondary LDAP server is used only when the primary server is unavailable. It is not used in parallel, and it is not tried when a user fails to authenticate against the primary server. |
Secondary LDAP Server | Port | If the secondary server is not listening on the default LDAP port, specify the port number. |
Secondary LDAP Server | Use SSL | (Optional) Enable to use SSL to connect to the LDAP servers. Before communications can be established, you must import the certificates for the LDAP servers (primary and secondary) into the truststore of the Apache Tomcat used by BMC Atrium Single Sign-On. For more information about importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore. If the remote LDAP server requires client authentication for SSL, you might also need to import the BMC Atrium Single Sign-On server certificate into the LDAP server's truststore. |
Secondary LDAP Server | Time before retrying the primary server | (Optional) The amount of time for which the server keeps using the secondary server before it attempts to reconnect to the primary server. |
Import SSL Certificate | | When Use SSL is selected, you can select Import SSL Certificate to have the SSL certificate imported into the truststore automatically. When you save the changes on the LDAP Editor, if the certificate has not been imported, the LDAP Editor displays a warning and then imports the certificate into the truststore. |
Timeouts | LDAP Operations | (Optional) Enter a timeout value (in milliseconds) for all LDAP operations, such as search and authentication, that are performed against the directory. If an operation is not completed within this time, the connection is canceled and the operation is attempted on another connection. |
Timeouts | Stale connection | (Optional) To avoid a stale-connection error, enter the connection staleness value (in milliseconds). A connection that has been left unused in the connection pool for longer than this value is discarded. A stale-connection exception or error indicates that the connection to the directory is no longer valid or has gone bad. This error can occur for the following reasons: |
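The setup steps above and the General tab parameters describe a search-then-bind flow: the service account in User Account for Search binds, the entered user ID (after the UserId Transformer) is looked up under DN to Start Search using the Attributes for User Search, and the located entry is then bound with the user's own password. The following is an added example, not BMC's code, that models that flow offline so you can sanity-check the values before entering them in the editor. It assumes an in-memory stand-in directory (constructed sample data), a hypothetical LDAP_MODULE settings dict, and the attribute names sAMAccountName, userPrincipalName and cn; the DNs reuse the page's dc=hds,dc=int example. It goes slightly beyond the page in two places a practitioner should care about: the user ID is RFC 4515-escaped before it is placed in the search filter, and an empty password is rejected rather than being sent as an unauthenticated simple bind.

```python
import re

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=]+$")

# Constructed sample directory (stand-in for the LDAP server): entry DN -> attributes.
SAMPLE_DIRECTORY = {
    "cn=svc_remedy,ou=Service accounts,dc=hds,dc=int": {
        "cn": "svc_remedy", "sAMAccountName": "svc_remedy", "password": "s3rv1ce"},
    "cn=Jane Doe,ou=Users,dc=hds,dc=int": {
        "cn": "Jane Doe", "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@hds.int", "password": "correct-horse"},
    "cn=Jane Doe,ou=Contractors,dc=hds,dc=int": {
        "cn": "Jane Doe", "sAMAccountName": "jdoe.c",
        "userPrincipalName": "jdoe@contract.hds.int", "password": "other"},
}

# Hypothetical module settings mirroring the General tab fields (assumption, not a BMC format).
LDAP_MODULE = {
    "search_account_dn": "cn=svc_remedy, ou=Service accounts, dc=hds, dc=int",
    "search_account_password": "s3rv1ce",
    "start_dn": "ou=Users,dc=hds,dc=int",
    "user_search_attributes": ["sAMAccountName", "userPrincipalName"],
    "user_id_transformer": "To lower",
}

def is_valid_dn(dn):
    """True if dn is a non-empty list of attr=value RDNs (RFC 4514 shape).
    A bare account name such as 'svc_remedy' is rejected."""
    parts = [p.strip() for p in _UNESCAPED_COMMA.split(dn)]
    return bool(dn.strip()) and all(_RDN.match(p) for p in parts)

def normalize_dn(dn):
    """Canonical form for comparison: trim whitespace around RDNs, fold case."""
    return ",".join(p.strip().lower() for p in _UNESCAPED_COMMA.split(dn))

def transform_user_id(user_id, mode):
    """Apply the UserId Transformer setting from the realm."""
    if mode == "To UPPER":
        return user_id.upper()
    if mode == "To lower":
        return user_id.lower()
    if mode == "No Transform":
        return user_id
    raise ValueError(f"unknown UserId Transformer: {mode!r}")

def escape_filter_value(value):
    """RFC 4515 escaping: a user-typed ID must not be able to rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_user_search_filter(user_id, attributes):
    """Filter the module would send: one clause per configured search attribute."""
    v = escape_filter_value(user_id)
    clauses = "".join(f"({a}={v})" for a in attributes)
    return clauses if len(attributes) == 1 else f"(|{clauses})"

def search_user(directory, start_dn, attributes, user_id):
    """DNs below start_dn whose configured attributes equal user_id
    (case-insensitive, as Active Directory compares these attributes)."""
    base = normalize_dn(start_dn)
    return [dn for dn, attrs in directory.items()
            if normalize_dn(dn).endswith("," + base)
            and any(attrs.get(a, "").lower() == user_id.lower() for a in attributes)]

def authenticate(user_id, password, module=LDAP_MODULE, directory=SAMPLE_DIRECTORY):
    """Return (ok, detail): search account binds, user resolves to exactly one
    entry under the start DN, then the user's own password is checked."""
    if not is_valid_dn(module["search_account_dn"]):
        return False, "search account must be a full DN, not a bare name"
    wanted = normalize_dn(module["search_account_dn"])
    svc = next((a for dn, a in directory.items() if normalize_dn(dn) == wanted), None)
    if svc is None or svc["password"] != module["search_account_password"]:
        return False, "search account bind failed"
    uid = transform_user_id(user_id, module["user_id_transformer"])
    hits = search_user(directory, module["start_dn"],
                       module["user_search_attributes"], uid)
    if len(hits) != 1:
        return False, f"expected exactly one match, got {len(hits)}"
    # An empty password would be an unauthenticated simple bind, which many
    # servers accept; treat it as a failure instead of forwarding it.
    if not password or directory[hits[0]]["password"] != password:
        return False, "user bind failed"
    return True, hits[0]

if __name__ == "__main__":
    print(build_user_search_filter("*)(objectClass=*", ["sAMAccountName"]))
    print(authenticate("JDoe", "correct-horse"))
    wide = dict(LDAP_MODULE, start_dn="dc=hds,dc=int", user_search_attributes=["cn"])
    print(authenticate("Jane Doe", "correct-horse", wide))
```

The last call shows why the page asks for a start DN that is as specific as possible: widening the search to dc=hds,dc=int and matching on cn returns two entries for the same person, and the lookup is refused rather than guessing which one to bind. A real check against the directory replaces the in-memory dict with an LDAP client, but the ordering of the checks, the escaping, and the exactly-one-match rule are what you want to see preserved.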
Comments
It is unclear here how to configure the 'Distinguished Name' under User Account for Search. It would help if the documentation gave an example like the one below.
The Distinguished Name should be given as
cn=svc_remedy,ou=Service accounts,dc=hds,dc=int
If you just give the name 'svc_remedy', it does not work; it expects the ou and dc names too.
Also, another question on the Advanced tab: why can't we configure more than two LDAP servers here? At the AR level we can configure as many as we want.
Regards,
Vishnu
Verify the authentication using the following URL template: https://<fully.qualified.domain.name>:<port>/atriumsso/UI/Login?realm=<realm>.
For example, open the URL using default realm: https://sample.bmc.com:8443/atriumsso/.
The "For example" does not look like the actual instruction...