This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Mapping membership using attribute values

When integrating an LDAP User Store with BMC Atrium Single Sign-On, you must configure the user-to-group membership so that the BMC Atrium Single Sign-On system can provide each user’s group membership to the integrated BMC products. You must configure these parameters correctly or you will not be able to retrieve the group membership information from the external LDAP user store.

You must perform the following tasks to ensure correct retrieval of the group information:

  • The expected LDAP structure for this membership should be expressed by an attribute that is part of either the user or the group entity. This attribute should contain the base DN of the other entity. For example, if you are adding an attribute for the user entity, the attribute must contain the DN for the group entity.
  • You may use multiple attributes for expressing multiple memberships. Alternatively, you can also map attributes to the membership entity using the attribute values. For example, attribute "groupid" of the user entity maps to attribute "id" of the group entity.
  • You must provide the Search Base DN for the configuration of the user or group search in the LDAP User Store. This value should be identical to the user and group entities because it helps limit the search for better performance.
  • In addition, you must enter the proper objectclass for the user and group entities to further help the search by filtering out LDAP entities other than users and groups.
  • The next step is to specify the attributes used for the userid and group names. You should specify the user attribute as the userid in the authentication module and specify the group attribute as the name of the group.
  • The last item is configuring how the group membership is expressed in the LDAP structure.

    Note

    Only configure the User Store with membership configuration if the LDAP structure supports the configuration. For example, if the user entities do not have an attribute for group members, do not enter the value. If you enter a value, the information is not retrieved correctly.

If user entities are stored within an entity in the base DN, enter this information into the User Store configuration. If group membership is expressed using an attribute of the user entity that contains the DN of the group entity, enter the attribute value in the member configuration for the user. When the membership mapping uses attribute values, add this relationship by entering the source and destination attributes into the member configuration using the template "src:dest". For example, "groupid:id" indicates that the value of the groupid attribute of the user entity maps to the id attribute of that user's groups.

You should configure the groups in a similar way. If the group entities are stored within a containing entity under the base DN, the Group Container configuration should be entered. If group entities contain an attribute that holds the DN of the user entities that are members of the group, this attribute name should be configured in the member configuration of the group search. When the membership mapping from group entity to user entity is expressed using linked attribute values, the same template can be used to configure the source to destination attribute names.

If not all of the user entities or group entities are within this containing entity, do not enter these configuration items, because the user or group searches will result in errors.
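
The two membership styles described above (an attribute holding the other entity's DN, and the "src:dest" attribute-value mapping such as "groupid:id"), modeled in Python over a constructed in-memory directory. This is an added illustration, not BMC code or product configuration; the entry DNs, the attributes memberOf, member, uid and cn, and the cfg key names are assumptions made for the example.

```python
# Added example: models the membership lookup described above on constructed data.
# Config key names (user_member, group_member, ...) are hypothetical, not product settings.
DIRECTORY = {  # constructed sample entries: DN -> attributes
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["alice"], "groupid": ["20"],
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["bob"], "groupid": ["30"]},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["admins"], "id": ["10"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["ops"], "id": ["20"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"]},
    "cn=printer,ou=devices,dc=example,dc=com": {  # outside the group search base
        "objectclass": ["device"], "cn": ["printer"], "id": ["20"]},
}
BASE = {"user_base": "ou=people,dc=example,dc=com", "user_class": "inetOrgPerson",
        "user_id_attr": "uid", "group_base": "ou=groups,dc=example,dc=com",
        "group_class": "groupOfNames", "group_name_attr": "cn"}

def search(base_dn, objectclass):
    """Entries below base_dn that carry objectclass (string match; real DNs need normalizing)."""
    suffix = "," + base_dn.lower()
    return {dn: e for dn, e in DIRECTORY.items()
            if dn.lower().endswith(suffix)
            and objectclass.lower() in [oc.lower() for oc in e["objectclass"]]}

def linked(src, dst_dn, dst, member_cfg):
    """True if src refers to dst: member_cfg is a DN-valued attribute name or 'src:dest'."""
    if not member_cfg:
        return False
    if ":" in member_cfg:  # attribute-value mapping, e.g. "groupid:id"
        src_attr, dst_attr = member_cfg.split(":", 1)
        return bool(set(src.get(src_attr, [])) & set(dst.get(dst_attr, [])))
    return dst_dn.lower() in [v.lower() for v in src.get(member_cfg, [])]

def groups_for_user(userid, cfg):
    """Group names for userid via the user-side and/or group-side member setting."""
    users = search(cfg["user_base"], cfg["user_class"])
    groups = search(cfg["group_base"], cfg["group_class"])
    hit = [(dn, e) for dn, e in users.items() if userid in e.get(cfg["user_id_attr"], [])]
    if not hit:
        return set()
    user_dn, user = hit[0]
    return {name for gdn, g in groups.items()
            if linked(user, gdn, g, cfg.get("user_member"))
            or linked(g, user_dn, user, cfg.get("group_member"))
            for name in g.get(cfg["group_name_attr"], [])}
```

With "groupid:id", alice resolves to the ops group only: the printer entry also has id 20 but is excluded by the group search base and objectclass, which is the filtering role the bullets above give those two settings.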

Comments

  1. Patrick Mischler

    Please provide some examples.

    Jan 15, 2016 02:32
    1. Kamalakannan Srinivasan

      Hi Patrick,

      Thank you for your comment. I will check with the technical team and provide the necessary details.

      Regards,

      Kamal

      Jan 15, 2016 02:40
  2. Olaide Awofisayo

    Hi Kamal,

    An example will really make this clearer. It will also be nice to know in which instance this function can be used.

    Cheers

    Lyde

    May 19, 2016 10:39