This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.


Enabling LDAP for user authentication

You must enable LDAP for single sign-on user authentication. When LDAP is enabled, the user ID and password entered at login are validated against the LDAP directory: the module looks up the entry that matches the user ID and checks the password against that entry, so the user's credentials are never stored in BMC Atrium Single Sign-On itself.

To set up LDAP (AD) for authentication 

  1. On the BMC Atrium Single Sign-On Admin Console, click Edit BMC Realm.
  2. On the Main tab (default), select a User Profile type.

    Note

    The User Profile applies to all authentication methods used for authentication.

  3. In the Realm Authentication panel,
    • From the UserId Transformer drop-down list, select one of the following:
      • To UPPER - converts all the characters in the user ID to upper case
      • To lower - converts all the characters in the user ID to lower case

        Note

        You can add more options using customized plug-ins. For information about creating customized plug-ins, see Configuring a new user ID transformation.

        You can also select No Transform option, if you do not want to select any transformation for the user ID.

    • Click Add to add LDAP/Active Directory as the new authentication method. Enter the parameters for LDAP/Active Directory as described under LDAP (AD) parameters below.
  4. Verify the authentication using the following URL template: https://<fully.qualified.domain.name>:<port>/atriumsso/UI/Login?realm=<realm>.

    For example, for the default realm the realm parameter can be omitted and the login page is reached from the base URL: https://sample.bmc.com:8443/atriumsso/. Log in with an account that exists in the LDAP directory rather than a local BMC Atrium Single Sign-On account, so that the LDAP module is actually exercised.

Note

If you have enabled SSL access to the LDAP server, import the certificates and restart the Tomcat server before enabling LDAP authentication. For more information, see Managing certificates in BMC Atrium Single Sign-On.
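The note above says to import the LDAP server certificates into the Tomcat truststore, and the Import SSL Certificate option on the Advanced tab can fetch the certificate for you. Either way, the certificate you end up trusting is whatever the server presented when you asked, so it is worth pinning it to a fingerprint you obtained out of band first. The following script, added here as an example and not part of BMC Atrium Single Sign-On or its documentation, fetches the LDAPS certificate, compares its SHA-256 fingerprint with the value the LDAP administrator gave you, and only on a match hands it to keytool. The truststore path, the changeit password, the host name and the SAMPLE_PEM placeholder are assumptions made for the example.

```python
import hashlib
import ssl
import subprocess
import sys

# Added example, not BMC tooling. Fetch the certificate an LDAPS server
# presents, compare its SHA-256 fingerprint with one obtained out of band,
# and only then import it into the Tomcat truststore. The truststore path,
# password and host name below are assumptions, not values from the page.


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as openssl and keytool print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_of_pem(pem: str) -> str:
    """Fingerprint of a PEM-encoded certificate (the hash is over the DER bytes)."""
    return fingerprint_sha256(ssl.PEM_cert_to_DER_cert(pem))


def normalize_fingerprint(fp: str) -> str:
    """Make 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def fetch_server_cert_pem(host: str, port: int = 636) -> str:
    # Returns the leaf certificate the server presents. Nothing is validated
    # here: this server is not trusted yet, which is exactly why the
    # fingerprint is checked before the certificate goes near the truststore.
    return ssl.get_server_certificate((host, port))


def keytool_import_command(alias, pem_path, truststore, storepass):
    """Argument vector for importing a trusted certificate with keytool."""
    return ["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", pem_path,
            "-keystore", truststore, "-storepass", storepass]


def pin_and_import(host, port, expected_fp, truststore, storepass, pem_path="ldap-server.pem"):
    """Fetch, verify against expected_fp, then import. Returns the fingerprint imported."""
    pem = fetch_server_cert_pem(host, port)
    actual = fingerprint_of_pem(pem)
    if normalize_fingerprint(actual) != normalize_fingerprint(expected_fp):
        raise SystemExit("fingerprint mismatch: expected %s, server presented %s" % (expected_fp, actual))
    with open(pem_path, "w") as fh:
        fh.write(pem)
    subprocess.run(keytool_import_command(host, pem_path, truststore, storepass), check=True)
    return actual


# Constructed placeholder, not a real certificate: PEM framing around base64("abc").
# It lets fingerprint_of_pem be exercised offline; a real PEM from
# fetch_server_cert_pem has the same framing.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # usage: pin_import.py <ldap host> <port> <expected sha256 fingerprint> [truststore] [storepass]
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    truststore = sys.argv[4] if len(sys.argv) > 4 else "/opt/bmc/AtriumSSO/tomcat/conf/truststore.jks"  # assumed
    storepass = sys.argv[5] if len(sys.argv) > 5 else "changeit"  # assumed default
    print("imported", host, "with fingerprint", pin_and_import(host, port, expected, truststore, storepass))
    print("restart Tomcat before enabling LDAP authentication")
```

Run it once per LDAP server (primary and secondary), then restart Tomcat as the note requires. If the fingerprint ever changes on a later run, stop and ask the LDAP administrator why before importing again; a legitimate rotation and a spoofed server look identical from the client side.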

LDAP (AD) parameters


The following tables describe the fields on the LDAP (Active Directory) Editor:

General tab

The General tab has three columns: Field, Parameter, and Description.

Primary LDAP Server

  • Name: Enter the Fully Qualified Domain Name (FQDN) of the primary LDAP server.
  • Port: If the LDAP server is not listening on the default port (389), specify the port number. LDAP over SSL conventionally listens on 636.
  • Use SSL: (Optional) Enable to use Secure Sockets Layer (SSL) to connect to the LDAP servers. Without it, the search account's password and every user's password are sent to the LDAP server in clear text during the bind, so enable it wherever the LDAP server supports it. Before communications can be established, the certificates for the LDAP servers (primary and secondary) must be imported into the truststore of the Apache Tomcat used by BMC Atrium Single Sign-On. For more information about importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore. If the remote LDAP server requires client authentication for SSL, you might also need to import the BMC Atrium Single Sign-On server certificate into the LDAP server truststore.

    Note: If you enabled SSL access to the LDAP server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing certificates in BMC Atrium Single Sign-On for more information.

User Account for Search

  • Distinguished Name, Password, Confirm Password: The DN is the full distinguished name of the account that BMC Atrium Single Sign-On binds with in order to search the directory, for example cn=svc_remedy,ou=Service accounts,dc=hds,dc=int. The field expects the complete DN, including the ou and dc components, not just the account's login name. The account must have privileges to perform searches on both the primary and secondary LDAP servers; a dedicated read-only service account is sufficient and should be used in preference to an administrative account. Enter the DN for the account, the password, and the password confirmation.

DN to Start Search

  • Base DN: Starting location within the LDAP directory for performing user and group searches. Make the search DN as specific as possible for performance reasons. The depth of the search that is performed can be configured. If an object search is specified, the DN should be the DN of the node containing the users.

Attribute for User Profile Name

  • Enter the LDAP attribute whose value is used as the user profile name (for Active Directory this is typically sAMAccountName).

Attributes for User Search

  • Attribute Name: Add to the attribute list each user attribute that is searched for the user ID entered at login.
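The General tab parameters above describe a search-then-bind flow: the search account binds, finds the entry under the Base DN whose user-search attribute equals the entered ID, and the user's password is then checked by binding as that entry. The example below, added here and not code from BMC Atrium Single Sign-On, implements that flow against a small in-memory stand-in for the directory so that it runs offline, and shows the two checks a practitioner wants from any such module: the entered ID is escaped before it goes into the search filter (an unescaped * or ) changes the query), and an empty password is refused before any bind, because an LDAP bind with a DN and an empty password is an unauthenticated bind that many servers accept. The ou=People container, the user entries, the attribute set and the passwords are constructed for the example; in production the FakeDirectory would be replaced by a real client such as ldap3 making the same calls.

```python
import re

# Added example, not BMC Atrium Single Sign-On code. FakeDirectory stands in
# for the LDAP server; the ou=People container, user entries, attribute set
# and passwords are constructed for the example. Only the dc=hds,dc=int
# suffix and the svc_remedy search-account DN come from the page.


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP filter (RFC 4515 section 3).

    Without this a user ID such as "*" or "x)(mail=*" rewrites the filter
    (LDAP injection) instead of being matched literally.
    """
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(attributes, user_id: str) -> str:
    """OR the configured user-search attributes together: (|(a=uid)(b=uid))."""
    clauses = "".join("(%s=%s)" % (a, escape_filter_value(user_id)) for a in attributes)
    return clauses if len(attributes) == 1 else "(|%s)" % clauses


def transform_user_id(user_id: str, mode: str) -> str:
    """The realm's UserId Transformer: "upper", "lower", or anything else for No Transform."""
    return {"upper": str.upper, "lower": str.lower}.get(mode, lambda s: s)(user_id)


class FakeDirectory:
    """Stand-in for the LDAP server: simple binds, plus searches over
    OR-ed equality clauses with '*' wildcards and RFC 4515 escapes."""

    _CLAUSE = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")

    def __init__(self, entries, passwords):
        # LDAP attribute names are case-insensitive; normalise them once.
        self.entries = {dn: {k.lower(): v for k, v in a.items()} for dn, a in entries.items()}
        self.passwords = passwords  # dn -> password

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513 section 5.1.2: a DN with an empty password is an
        # *unauthenticated* bind. Real servers commonly report success for
        # it, so the caller must refuse empty passwords before binding.
        if not password:
            return False
        return self.passwords.get(dn) == password

    @staticmethod
    def _pattern(value: str):
        # '*' is a wildcard, '\xx' an escaped literal byte, all else literal.
        out, i = "", 0
        while i < len(value):
            if value[i] == "*":
                out, i = out + ".*", i + 1
            elif value[i] == "\\":
                out, i = out + re.escape(chr(int(value[i + 1:i + 3], 16))), i + 3
            else:
                out, i = out + re.escape(value[i]), i + 1
        return re.compile("^%s$" % out, re.IGNORECASE)

    def search(self, base_dn: str, ldap_filter: str):
        """DNs under base_dn for which at least one filter clause matches."""
        clauses = [(a.lower(), self._pattern(v)) for a, v in self._CLAUSE.findall(ldap_filter)]
        return [
            dn for dn, attrs in self.entries.items()
            if dn.lower().endswith(base_dn.lower())
            and any(attr in attrs and pat.match(attrs[attr]) for attr, pat in clauses)
        ]


def authenticate(directory, cfg, user_id: str, password: str):
    """Search-then-bind, as the LDAP module does: locate the user's DN with
    the search account, then bind as that DN with the supplied password.
    Returns (ok, detail)."""
    if not password:
        return False, "empty password refused (it would be an unauthenticated bind)"
    uid = transform_user_id(user_id, cfg["transform"])
    if not directory.bind(cfg["search_dn"], cfg["search_password"]):
        return False, "search account bind failed"
    matches = directory.search(cfg["base_dn"], build_user_filter(cfg["user_search_attributes"], uid))
    if len(matches) != 1:
        return False, "expected exactly one directory match, got %d" % len(matches)
    if not directory.bind(matches[0], password):
        return False, "password rejected for " + matches[0]
    return True, matches[0]


# Constructed sample directory.
SEARCH_DN = "cn=svc_remedy,ou=Service accounts,dc=hds,dc=int"
ALICE_DN = "cn=Alice Adams,ou=People,dc=hds,dc=int"
BOB_DN = "cn=Bob Brown,ou=People,dc=hds,dc=int"
DIRECTORY = FakeDirectory(
    entries={
        SEARCH_DN: {"cn": "svc_remedy"},
        ALICE_DN: {"sAMAccountName": "aadams", "mail": "alice@hds.int"},
        BOB_DN: {"sAMAccountName": "bbrown", "mail": "bob@hds.int"},
    },
    passwords={SEARCH_DN: "svc-secret", ALICE_DN: "alice-pw", BOB_DN: "bob-pw"},
)
# Mirrors the General tab fields plus the realm's UserId Transformer.
CONFIG = {
    "search_dn": SEARCH_DN,
    "search_password": "svc-secret",
    "base_dn": "ou=People,dc=hds,dc=int",
    "user_search_attributes": ("sAMAccountName", "mail"),
    "transform": "lower",
}
```

Calling authenticate(DIRECTORY, CONFIG, "AAdams", "alice-pw") succeeds after the To lower transform, while "aadams" with an empty password and "*" as the user ID both fail without a bind ever being attempted as a user. Compare DIRECTORY.search with an unescaped "(sAMAccountName=*)", which matches every user under the Base DN, to see what the escaping prevents.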

Advanced tab

The Advanced tab has the same three columns: Field, Parameter, and Description.

Secondary LDAP Server

  • Name: Enter the FQDN of the secondary LDAP server. The secondary server is used only when the primary server is unavailable. It is not used in parallel with the primary, and a user who fails to authenticate against the primary server is not retried against the secondary.
  • Port: If the secondary server is not listening on the default LDAP port, specify the port number.
  • Use SSL: (Optional) Enable to use SSL to connect to the LDAP servers. Before communications can be established, you must import the certificates for the LDAP servers (primary and secondary) into the truststore of the Apache Tomcat used by BMC Atrium Single Sign-On. For more information about importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into the truststore. If the remote LDAP server requires client authentication for SSL, you might also need to import the BMC Atrium Single Sign-On server certificate into the LDAP server truststore.

    Note: If you enabled SSL access to the LDAP server, import the certificates and restart the Tomcat server before enabling LDAP authentication. See Managing certificates in BMC Atrium Single Sign-On for more information.

  • Import SSL Certificate: When Use SSL is selected, you can select Import SSL Certificate so that the SSL certificate is imported into the truststore automatically. When you save the changes on the LDAP Editor, if the certificate is not already in the truststore, the LDAP Editor displays a warning and then imports it. Be aware that this trusts whichever certificate the server presents at that moment: confirm the certificate's fingerprint with the LDAP administrator, because a certificate obtained from a spoofed server would otherwise be trusted for every later connection.
  • Set Recheck Primary Server Interval (minutes): (Optional) How long the server keeps using the secondary server before it attempts to reconnect to the primary server.

Timeouts

  • LDAP Operations: (Optional) Enter a timeout value (in milliseconds) for all LDAP operations, such as search and authentication, that are performed against the directory. If an operation does not complete within this time, the connection is cancelled and the operation is attempted on another connection.
  • Stale connection: (Optional) To avoid a stale-connection error, enter the connection staleness value (in milliseconds). An LDAP connection that has been left unused in the connection pool for longer than this value is discarded.

    A stale connection exception or error indicates that the connection to the LDAP server is no longer valid. This can happen for the following reasons:

      • The LDAP server closes idle connections without notifying the BMC Atrium Single Sign-On server.
      • A firewall terminates the connection without notifying the BMC Atrium Single Sign-On server.


Comments

  1. Vishnuprasad Kottapally

    It is unclear here how to configure the 'Distinguished Name' under User Account for Search. It would help if the documentation gave an example like the one below.

    Distinguished Name should be given as

    cn=svc_remedy,ou=Service accounts,dc=hds,dc=int

    If you just give the name 'svc_remedy' it does not work; it expects the ou and dc names too.

    Also, another question on the Advanced tab: why can't we configure more than two LDAP servers here? At the AR level we can configure as many as we want.

    Regards,

    Vishnu

     

    Mar 17, 2015 05:46
  2. Andy Wheildon

    Verify the authentication using the following URL template: https://<fully.qualified.domain.name>:<port>/atriumsso/UI/Login?realm=<realm>.

    For example, open the URL using default realm: https://sample.bmc.com:8443/atriumsso/.

     

    The "For example" does not look like the actual instruction...

    Jan 26, 2017 05:22