This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. Documentation for a currently supported version is published under Remedy Single Sign-On.

Using an external LDAP user store

This topic describes the process and options available to a BMC Atrium Single Sign-On administrator when using an external Lightweight Directory Access Protocol (LDAP) server to provide group and attribute values for authenticated users. Users and groups cannot be managed from the BMC Atrium Single Sign-On server, because access to the LDAP server is read-only.

Configuring an external user store is primarily needed when access to group membership information is required. The LDAP authentication module can be used to retrieve user attributes without configuring an external user store. For more information, see Using LDAP (Active Directory) for authentication.

An external LDAP server is used to augment the information available to BMC products. For more information about the configuration options available with the LDAP user store, see the OpenAM documentation.

To create an external LDAP user store

  1. Log on to the BMC Atrium SSO Admin Console
  2. Click Edit BMC Realm.
  3. On the User Store panel, click Add and select LDAPv3 User Store.
  4. On the General tab, provide the LDAP server configuration parameters.
  5. On the Search tab, provide the user and group attributes used for searching.
  6. Click Save.

To modify an existing external LDAP user store

  1. Log on to the BMC Atrium SSO Admin Console
  2. Click Edit BMC Realm.
  3. On the User Store panel, select the LDAPv3 user store and click Edit.
  4. On the General tab, modify your LDAP server configuration parameters.
  5. On the Search tab, modify your user and group attributes used for searching.
  6. Click Save.

Note

You do not need to restart the BMC Atrium Single Sign-On server after modifying the configuration. After saving the configuration, the changes are applied immediately.

LDAPv3 User Store parameters

The LDAPv3 user store uses Active Directory as the user store type. The General tab contains the parameters for the LDAP server connection. The Search tab contains the parameters used to search for user and group entries.

The user store expects group membership to be expressed by an attribute on either the user entry or the group entry, and that attribute must hold the DN of the entry on the other side: an attribute on the user entry (for example, memberOf) holds the DNs of the groups the user belongs to, and an attribute on the group entry (for example, member) holds the DNs of the users in the group. The Search tab has a field for each direction (Users > Attribute Name for Group and Groups > Attribute Name for User); set them to the attributes your directory actually maintains.

General tab

LDAP Server

  • Name: (Required) The fully qualified domain name (FQDN) of the primary LDAP server. If you intend to enable SSL, use the host name that appears on the server's certificate.
  • Port: If the LDAP server is not listening on the default port (389), specify the port number. LDAP over SSL conventionally listens on 636.
  • Use SSL: (Optional) Enable SSL to connect to the LDAP servers. Without SSL, the search account's DN and password, and every user and group attribute returned, cross the network in cleartext, so enable it wherever the directory supports it.

    Before enabling SSL, the certificates for the LDAP servers (primary and secondary) must be imported into the JVM truststore and the Tomcat truststore. For more information about importing certificates into the BMC Atrium Single Sign-On truststore, see Importing a certificate into cacerts.p12. If client authentication is required, the BMC Atrium Single Sign-On server's certificate might need to be imported into the LDAP server's truststore.

User Account for Search

  • Distinguished Name, Password, Confirm Password: (Required) The Distinguished Name (DN) of the account that BMC Atrium Single Sign-On binds as when it connects to the LDAP server. This account must have privileges to perform searches on the primary and secondary LDAP servers. Enter the DN, the password, and the password confirmation. Because the user store is only ever read, a dedicated read-only service account is sufficient and is preferable to a directory administrator account.

Connection Pool

  • Minimum Size, Maximum Size: The connection pool attributes adjust the performance of BMC Atrium Single Sign-On and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.

Attribute Mapping

  • External Attribute, Atrium SSO Attribute: Attribute Mapping takes user attributes (such as email address or phone number) from the external data store and maps them to the attributes used within the BMC Atrium Single Sign-On system. To define a mapping, enter the name of the External Attribute, select from the drop-down list the Atrium SSO Attribute it maps to, and click Add to put the new mapping into the table.


Search tab

Search Base DN

  • Starting location within the LDAP directory for user and group searches. The search DN should be as specific as possible for performance reasons. The depth of the search can be configured; if an object search is specified, the DN should be the DN of the node containing the users.

    The same base DN is used for both the user search and the group search, so it must be an ancestor of both the user entries and the group entries. The closer it sits to both, the less of the directory each search has to cover.

Search Timeout (seconds)

  • Number of seconds a search may run before it times out.

Max Search Results

  • Maximum number of results returned. A threshold is needed to stop an incorrect or unqualified query from returning a flood of entries. If you do not want the limit to affect normal operation, set it higher than any legitimate search could reach: for example, with 1,000 employees, a limit of 1,500 never truncates a correct user search but still stops a runaway one. The LDAP server may enforce its own limit as well (Active Directory, for example, caps an unpaged search at its MaxPageSize, 1,000 by default).

Users

  • Search Attribute: User attribute on which the search is performed, that is, the attribute that identifies the user being looked up (for example, sAMAccountName in Active Directory).
  • Search Filter: Filter applied to user searches, for example (objectclass=person). If the object class in the filter is not used by the user entries on the server, searches fail. Enter the proper objectclass for the user and group entities so that the filters exclude LDAP entries other than users and groups.

Users - Status

  • Status Attribute: Attribute that indicates the user status, for example userAccountControl.
  • Active Value: Value of the attribute when the account is active.
  • Inactive Value: Value of the attribute when the account is inactive.

    userAccountControl is a bit field in which the ACCOUNTDISABLE bit (0x2) is only one of several flags, so its value differs between accounts that have other settings (for example, a password that never expires). Check which values your directory actually returns for enabled and disabled accounts before relying on a single literal in each field.

Users - People Container

  • Container Attribute: LDAP attribute used to distinguish the container holding the people.
  • Attribute Value: Value of that attribute. If people are not within a container (relative to the group), leave both values blank.

Users - Attribute Name for Group

  • Attribute of the user entry that identifies the groups to which the user belongs, for example memberOf.

Groups

  • Search Attribute: Name of the attribute that holds the name of the group. This attribute value is used in searches for user groups.
  • Search Filter: Filter applied to group searches, for example (objectclass=group). Validate that the filter is correct for the LDAP server; if the class specified is not applicable, update the filter with the correct objectclass name.

Groups - Groups Container

  • Container Attribute: LDAP attribute used to distinguish the container holding the groups.
  • Attribute Value: Value of that attribute. If groups are not within a container (relative to the user), leave both values blank.

Groups - Attribute Name for User

  • Attribute of a group entry that contains the DNs of the users that belong to the group, for example member.

Caching

  • Max Age (seconds): Maximum time a cached value continues to be used before it is refreshed from the external LDAP server.
  • Cache Size (bytes): Number of bytes of memory used to hold cached search items from the external LDAP server.

    Caching ensures that BMC Atrium Single Sign-On does not access the LDAP directory every time LDAP users and groups are requested; the cache is consulted first, within the limits set by these two parameters. The trade-off is latency for changes: a user who is disabled or removed from a group in the directory can keep the cached membership until Max Age expires, so choose Max Age according to how quickly revocations must take effect.

Note

Each search filter accepts standard LDAP filter syntax, so several criteria can be combined inside one filter with the logical operators & (AND), | (OR) and ! (NOT).
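As an added example (it is not code from this page or from the BMC product), the following Python resolves a user's groups from the same inputs the Search tab collects, against a small constructed directory standing in for Active Directory. The CONFIG keys, the helper names and the sample entries are assumptions for illustration. Beyond what the table states, it shows three checks worth making before trusting a configuration: the login name is escaped per RFC 4515 before it is placed in the user search filter, so a value such as * cannot turn an equality match into a wildcard; membership resolved from the user side (memberOf) is compared with membership resolved from the group side (member), which catches a directory that maintains only one of the two; and the status test treats userAccountControl as the bit field it is, so an enabled account whose value is 66048 rather than 512 is not misclassified.

```python
# Added example, not BMC's code. The directory below is constructed (not real data); config keys and helper names are assumptions.
import re

DIRECTORY = {
    "CN=Alice,OU=People,DC=example,DC=com": {
        "objectClass": ["person"], "sAMAccountName": ["alice"],
        "userAccountControl": ["512"],      # NORMAL_ACCOUNT, enabled
        "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"]},
    "CN=Bob,OU=People,DC=example,DC=com": {
        "objectClass": ["person"], "sAMAccountName": ["bob"],
        "userAccountControl": ["514"],      # 512 | 0x2 ACCOUNTDISABLE
        "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"]},
    "CN=Carol,OU=People,DC=example,DC=com": {
        "objectClass": ["person"], "sAMAccountName": ["carol"],
        "userAccountControl": ["66048"]},   # 512 | 0x10000 DONT_EXPIRE_PASSWORD: enabled
    "CN=Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["Admins"],
        "member": ["CN=Alice,OU=People,DC=example,DC=com",
                   "CN=Bob,OU=People,DC=example,DC=com"]},
}

# Search tab values this example assumes (key names are illustrative).
CONFIG = {"base_dn": "DC=example,DC=com", "max_results": 100,
          "user_filter": "(objectClass=person)", "user_search_attr": "sAMAccountName",
          "status_attr": "userAccountControl", "user_group_attr": "memberOf",
          "group_filter": "(objectClass=group)", "group_search_attr": "cn",
          "group_user_attr": "member"}
ACCOUNTDISABLE = 0x2  # userAccountControl bit that marks a disabled account

class TooManyResults(Exception): pass  # a search exceeded Max Search Results

def get_attr(entry, name):
    """LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def parse_filter(text):
    """Parse a subset of RFC 4515: equality, presence, and &, |, ! nesting."""
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] not in ("&", "|", "!"):
        attr, _, value = body.partition("=")
        return ("=", attr, value)
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(parse_filter(body[start:i + 1]))
    if depth != 0 or not parts:
        raise ValueError("malformed filter: %r" % text)
    return (body[0], parts)

def matches(entry, node):
    """Evaluate a parsed filter against one entry (caseIgnore matching)."""
    if node[0] != "=":
        results = [matches(entry, child) for child in node[1]]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)
    values = [v.lower() for v in get_attr(entry, node[1])]
    if node[2] == "*":                                    # presence test
        return bool(values)
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), node[2])
    return literal.lower() in values

def search(base_dn, filter_text, max_results):
    """Subtree search under base_dn, enforcing the Max Search Results threshold."""
    node, hits, base = parse_filter(filter_text), [], base_dn.lower()
    for dn, entry in DIRECTORY.items():
        if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(entry, node):
            hits.append(dn)
            if len(hits) > max_results:
                raise TooManyResults("more than %d entries match %s" % (max_results, filter_text))
    return hits

def is_active(entry, status_attr):
    """userAccountControl is a bit field: test ACCOUNTDISABLE rather than one literal."""
    raw = get_attr(entry, status_attr)
    return not raw or (int(raw[0]) & ACCOUNTDISABLE) == 0  # no attribute: nothing to deny on

def groups_for(uid, cfg=CONFIG):
    """Return (user DN, active?, sorted group names), cross-checking both membership sides."""
    users = search(cfg["base_dn"], "(&%s(%s=%s))" % (
        cfg["user_filter"], cfg["user_search_attr"], escape_filter_value(uid)), cfg["max_results"])
    if len(users) != 1:
        raise LookupError("expected one user for %r, found %d" % (uid, len(users)))
    dn, entry = users[0], DIRECTORY[users[0]]
    from_user = set(get_attr(entry, cfg["user_group_attr"]))   # memberOf -> group DNs
    from_group = set(search(cfg["base_dn"], "(&%s(%s=%s))" % (     # member -> this user's DN
        cfg["group_filter"], cfg["group_user_attr"], escape_filter_value(dn)), cfg["max_results"]))
    if from_user != from_group:
        raise ValueError("memberOf and member disagree for %s" % dn)
    names = sorted(get_attr(DIRECTORY[g], cfg["group_search_attr"])[0] for g in from_group)
    return dn, is_active(entry, cfg["status_attr"]), names
```

groups_for("bob") returns the Admins membership with active set to False, and groups_for("carol") returns an enabled account with no groups, even though a literal Active Value of 512 would not match her 66048. search() raises TooManyResults instead of silently truncating once a query returns more entries than Max Search Results, which is the behaviour to expect from an unqualified filter such as (objectClass=*) against a low threshold.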
