Configuring LDAP authentication
Use this procedure to configure the Authentication Server so that it can perform LDAP authentication. For information about configuring LDAP with different types of directory servers, see the following topics:
- Configuring-LDAP-with-Microsoft-Active-Directory
- Configuring-LDAP-with-Novell-eDirectory
- Configuring-LDAP-with-Sun-Java-System-Directory-Server
To configure the Authentication Server for LDAP authentication
1. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
2. To identify LDAP servers, including any servers used for high availability configurations, do the following:
   a. To specify the URLs of the LDAP servers, enter the following command:
      set Ldap LdapServerURLs <serverList>
      where <serverList> is a list of one or more URLs. The URLs must point to LDAPv3 servers that support the StartTLS extension. Separate URLs with commas or other delimiters.
   b. To specify the amount of time to wait for an LDAP server to respond before terminating the connection, enter the following command:
      set Ldap ConnectionTimeoutMs <#>
      where <#> is the number of milliseconds to wait. In a high availability configuration, this is the amount of time the service waits for a response from one URL before trying the next URL in the list you provided in step 2a.
   For more information about high availability configurations in LDAP, see High availability configurations.
3. To set up a trust store for X.509 certificates, do the following:
   a. Provision a trust store with X.509 certificates, either by adding certificates from individual LDAP servers or by importing a certificate from a PEM file. To provision a trust store, use the blcred utility. For example, to add the certificate for an LDAP server called ldap1.mycompany.com with a port number of 389, use the following blcred command:
      blcred -x ldapTrustStore.pkcs12 cert -add -host ldap1.mycompany.com:389 -protocol ldap
   b. To identify the PKCS#12 trust store containing the trusted certificates, enter the following command:
      set Ldap TrustStore <storeLocation>
      where <storeLocation> is the local path to the trust store.
   c. To check that the common name (CN) of the certificate matches the fully qualified domain name (FQDN) of the LDAP server, enter the following command:
      set Ldap IsHostValidationEnabled True
      Setting this value to True causes the Authentication Server to reject an X.509 certificate if the FQDN of the LDAP server is not contained in one of the alternative names or the CN.
   For more information about X.509 certificates and setting up trust stores, see Certificate trust store.
4. To define an LDAP distinguished name template, enter the following command:
   set AuthServer LdapUserDnTemplate "<text> {0}<text>"
   where <text> represents any distinguished name objects that should be included in the template. See Distinguished names for more information about using a distinguished name template.
5. To enable LDAP authentication, enter the following command:
   set AuthServer IsLdapAuthEnabled true
   By default, LDAP authentication is not turned on.
6. Restart the Authentication Server.
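As an added illustration (not BladeLogic code and not part of this page), the following Python models two of the checks described above: filling the {0} placeholder of LdapUserDnTemplate with a user name, and the host validation applied to a server certificate when IsHostValidationEnabled is True. The template value, server URL and certificate names are constructed; the DN escaping shown is an assumption about safe handling of the user name, not a statement of how the product does it.

```python
import re
from urllib.parse import urlsplit

# Added example, not product code. Certificate data and values are constructed.

def expand_dn_template(template: str, user: str) -> str:
    """Fill the {0} placeholder of an LdapUserDnTemplate with a user name.
    Characters that are special in RFC 4514 distinguished names are escaped
    so a crafted user name cannot add or alter DN components. (Assumption:
    the product may escape differently; this only models the safe intent.)"""
    escaped = re.sub(r'([,+"\\<>;=])', r'\\\1', user)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return template.replace("{0}", escaped)

def host_validation_ok(server_url: str, cert_cn: str, cert_sans: list) -> bool:
    """Model of IsHostValidationEnabled=True as described on this page:
    accept the certificate only if the FQDN taken from the LDAP server URL
    equals the certificate CN or one of its alternative names.
    Comparison is case-insensitive and exact (no wildcard handling assumed)."""
    fqdn = (urlsplit(server_url).hostname or "").lower()
    names = [cert_cn.lower()] + [san.lower() for san in cert_sans]
    return fqdn != "" and fqdn in names

if __name__ == "__main__":
    # Constructed values matching the example server used above.
    template = "cn={0},ou=users,dc=mycompany,dc=com"
    print(expand_dn_template(template, "jdoe"))
    print(expand_dn_template(template, "jdoe,ou=admins"))  # injection attempt is escaped
    url = "ldap://ldap1.mycompany.com:389"
    print(host_validation_ok(url, "ldap1.mycompany.com", []))                # True
    print(host_validation_ok(url, "ldap.mycompany.com", ["ldap2.mycompany.com"]))  # False
```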
Related topic
Configuring-the-Authentication-Server-to-refresh-LDAP-session-credentials