Configuring LDAP authentication
This topic provides instructions for configuring the Authentication Service so it can perform LDAP authentication.
To configure LDAP authentication
- On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
- To identify LDAP servers, including any servers used for high availability configurations, do the following:
  a. To specify the URLs of the LDAP servers, enter the following:
     set Ldap LdapServerURLs <serverList>
     where <serverList> is a list of one or more URLs. URLs must point to LDAP version 3 servers that support the StartTLS extension. Separate URLs with commas or other delimiters (see Specifying-multiple-values-for-a-parameter).
  b. To specify how long to wait for an LDAP server to respond before terminating the connection, enter the following:
     set Ldap ConnectionTimeoutMs <#>
     where <#> is the number of milliseconds to wait. In a high availability configuration, this is how long the service waits for a response from one URL before trying the next URL in the list you provided in step a.
For more information about high availability configurations in LDAP, see Overview-of-LDAP-configuration-tasks.
- To set up a trust store for X.509 certificates, do the following:
  a. Provision a trust store with X.509 certificates, either by adding certificates from individual LDAP servers or by importing a certificate from a PEM file. To provision a trust store, use the blcred utility, as described in Obtaining-a-certificate-used-to-trust-the-LDAP-server. For example, use the following command:
     blcred -x ldapStore.pem -cert -add -host <host>:<port> -protocol ldap
  b. To identify the trust store containing the trusted certificates, enter the following:
     set Ldap TrustStore <certificateStore>
     where <certificateStore> is the local path to a trust store.
  c. To check that the certificate's common name matches the LDAP server's fully qualified name, enter the following:
     set Ldap IsHostValidationEnabled true
     Setting this value to true causes the Authentication Server to reject an X.509 certificate if the LDAP server's fully qualified domain name (FQDN) is not contained in one of the certificate's alternative names or in its common name (CN). See Overview-of-LDAP-configuration-tasks for more information about the certificate trust store.
- To define an LDAP distinguished name template, enter the following:
  set AuthServer LdapUserDnTemplate "<text> \{0\} <text>"
  where <text> represents any distinguished name objects that should be included in the template. See Overview-of-LDAP-configuration-tasks for more information about distinguished names.
- To enable LDAP authentication, enter the following:
  set AuthServer IsLdapAuthEnabled true
  By default, LDAP authentication is not turned on.
- Restart the Application Server (see Restarting a specific Application Server).
- Cross-register LDAP users with the users in the RBAC user database.
- Set up authentication profiles that use LDAP authentication on the BMC Server Automation client. See Authentication-profiles and Managing-authorizations.
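The three checks configured above (FQDN-versus-certificate validation for IsHostValidationEnabled, the {0} placeholder in LdapUserDnTemplate, and failover across the LdapServerURLs list governed by ConnectionTimeoutMs) are illustrated below in an added example; it is not BMC's code, the certificate and connector are constructed, and it assumes the stored DN template holds a literal {0}.

```python
"""Added illustration of the LDAP checks this page configures; sample data is
constructed and the connector is injected so the code runs offline."""
from typing import Callable, Sequence, Tuple

# Constructed certificate, in the dict layout of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "ldap-primary.example.com")),
}


def host_matches_certificate(fqdn: str, cert: dict) -> bool:
    """True if fqdn equals a DNS subjectAltName entry or the subject CN,
    which is the rule the page gives for IsHostValidationEnabled."""
    wanted = fqdn.rstrip(".").lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.rstrip(".").lower() == wanted:
            return True
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and value.rstrip(".").lower() == wanted:
                return True
    return False


def render_user_dn(template: str, username: str) -> str:
    """Fill the {0} placeholder of LdapUserDnTemplate with the login name
    (assumes the stored template contains a literal {0})."""
    return template.replace("{0}", username)


def connect_with_failover(urls: Sequence[str], timeout_ms: int,
                          attempt: Callable[[str, float], object]
                          ) -> Tuple[str, object]:
    """Try each URL in order; a timeout or connection error on one server
    moves on to the next, as the page describes for ConnectionTimeoutMs.
    attempt(url, timeout_seconds) is the injected connector (a real one
    would open the LDAP connection and issue StartTLS). Returns the URL
    that answered and the connector's result, or raises if none did."""
    failures = []
    for url in urls:
        try:
            return url, attempt(url, timeout_ms / 1000.0)
        except OSError as exc:  # socket.timeout is an OSError subclass
            failures.append(f"{url}: {exc}")
    raise ConnectionError("no LDAP server answered: " + "; ".join(failures))
```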