Overview of LDAP configuration tasks
This topic provides an overview of the concepts you should understand and the tasks you must perform to set up LDAP-based authentication. See Configuring-LDAP-authentication for a step-by-step procedure describing how to set up LDAP authentication.

  1. Specify the LDAP servers, including any servers used for high availability purposes.

    More on high availability

    When the Authentication Service must authenticate a user by connecting to an LDAP server, you can provide a list of LDAP servers that it may contact. Listing multiple servers provides high availability and failover: when several LDAP servers are listed, the Authentication Service connects to the first functional LDAP server in the list.

    For details on how to specify LDAP servers to the Authentication Server, see step 2 in Configuring-LDAP-authentication.

  2. Provision the Authentication Server with trusted certificates for all LDAP servers.

    More on the certificate trust store

    The Authentication Service uses TLS to encrypt its connection to the LDAP server.
    The Authentication Service sends the user’s credential to the LDAP server only if it can validate the LDAP server’s certificate. LDAP servers are authenticated using the X.509 certificates they present during the TLS handshake. When configuring LDAP, you must identify a file that contains trusted X.509 certificates. This file is the trust store. When provisioning X.509 certificates for the Authentication Server’s trust store, you can use one of the following approaches:

    • Install certificates for all LDAP servers. You must repeat this procedure each time an LDAP server’s certificate is updated.
    • Install the certificate of the trusted Certificate Authority that issued certificates to the LDAP servers. Since all CA-issued certificates are trusted, all current and future LDAP certificates are automatically trusted. If the common names (CN) specified in the issued certificates are set to the directory server’s fully qualified domain names, be sure to also set IsHostValidationEnabled to True.
    To add X.509 certificates to the Authentication Server’s trust store, use the blcred utility. For more information, see the blcred man page.

    For details on how to configure the Authentication Server to use a trust store for certificates, see step 3 in Configuring-LDAP-authentication.
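    The two points above, the server list tried in order (step 1) and the trust store with host validation (step 2), as an added example. This is not BMC code and does not use blcred; it is a plain-Python sketch that builds a TLS context from a PEM trust store (either the individual server certificates or the issuing CA certificate), mirrors IsHostValidationEnabled with the context's host-name check, and walks a constructed, hypothetical server list until one completes a TLS handshake. The host names, the trust-store path and the probe function are assumptions.

```python
"""Added example (not BMC code): trust-store-backed TLS context plus
first-functional-server failover for an LDAP server list."""
import socket
import ssl
from typing import Callable, List, Optional, Tuple

# Constructed sample server list (hypothetical hosts, LDAPS port 636).
LDAP_SERVERS: List[Tuple[str, int]] = [
    ("ldap-primary.example.internal", 636),
    ("ldap-secondary.example.internal", 636),
]


def build_tls_context(trust_store: Optional[str],
                      host_validation_enabled: bool) -> ssl.SSLContext:
    """Build the context the authenticator would use towards LDAP servers.

    trust_store: PEM file holding either every LDAP server certificate or the
      CA certificate that issued them. When given, only that file is trusted
      (the OS bundle is not loaded). A missing path raises FileNotFoundError.
    host_validation_enabled: mirrors IsHostValidationEnabled. When True the
      certificate's CN/SAN must match the host name we connected to, so a
      valid certificate for a different server is still rejected.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=trust_store)
    # Chain validation against the trust store is never optional.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = host_validation_enabled
    return ctx


def tls_probe(ctx: ssl.SSLContext, timeout: float = 3.0
              ) -> Callable[[str, int], bool]:
    """Return a probe that succeeds only after a verified TLS handshake."""
    def probe(host: str, port: int) -> bool:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname drives SNI and, when enabled, host validation.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Reaching this point means the certificate chained to the
                # trust store; only now would credentials be sent.
                return tls.version() is not None
    return probe


def first_functional_server(servers: List[Tuple[str, int]],
                            probe: Callable[[str, int], bool]
                            ) -> Optional[Tuple[str, int]]:
    """Contact servers in list order and return the first one that works.

    Connection and certificate failures (OSError covers socket errors and
    ssl.SSLError) move on to the next entry; None means no server worked.
    """
    for host, port in servers:
        try:
            if probe(host, port):
                return (host, port)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    # Real use: a trust store on disk and a live network.
    context = build_tls_context("/path/to/ldap-truststore.pem",  # assumed
                                host_validation_enabled=True)
    print(first_functional_server(LDAP_SERVERS, tls_probe(context)))
```

A CA-based trust store with host validation disabled accepts any certificate the CA has issued, which is why the text asks for IsHostValidationEnabled when certificate CNs carry the servers' fully qualified domain names.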

  3. Define a distinguished name template.

    More on distinguished names

    LDAP users are uniquely identified by distinguished names (DN), such as CN=admin, ou=dev, o=bladelogic. To authenticate a user, the Authentication Service requires a full DN and a corresponding password. Rather than entering a full DN, however, users only have to enter the part of a DN that is unique to their accounts. The name the user provides is transformed to a full DN by the use of a distinguished name template. A DN template is a static string containing a {0} substring, which is replaced with the name the user provides when logging in. For example, with a DN template of CN={0}, ou=dev, o=bladelogic, the user only enters a string such as “qatest3”, which replaces the {0} substring. Consequently, the user’s DN becomes CN=qatest3, ou=dev, o=bladelogic.
    DN templates can be defined in two places: the Authentication Service and LDAP authentication profiles. The two templates can be used together or by themselves. For example, the authentication profile DN template might be CN={0}, CN=Users, DC=sub1, and the Authentication Service DN template might be {0}, DC=bladelogic, DC=com. If the user enters “admin” as a user name when logging in, the profile template transforms the name to CN=admin, CN=Users, DC=sub1 before sending it to the Authentication Service. There it is transformed into CN=admin, CN=Users, DC=sub1, DC=bladelogic, DC=com before it is used to contact the LDAP server.

    For details on how to set up a distinguished name template for the Authentication Server, see step 4 in Configuring-LDAP-authentication.
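    The template substitution described above, as an added example (not BMC code): the profile template is applied first and the Authentication Service template second, and either may be absent. The page does not say how the product treats characters such as commas or equals signs in the name the user types; this example adds RFC 4514 escaping of the user-supplied part as a defensive assumption, so that a name like “qatest3, ou=admins” stays one attribute value instead of adding an RDN to the DN.

```python
"""Added example (not BMC code): chain LDAP profile and Authentication
Service DN templates around a user-entered name."""
import re
from typing import Optional

# Templates from the text; {0} is replaced with the name the user enters.
PROFILE_TEMPLATE = "CN={0}, CN=Users, DC=sub1"
SERVICE_TEMPLATE = "{0}, DC=bladelogic, DC=com"

# Characters with structural meaning inside a DN (RFC 4514 section 2.4).
_SPECIAL = re.compile(r'([\\,+"<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape the user-provided part so it remains a single attribute value.

    Escaping is an assumption added in this example; the page does not state
    how the product handles these characters.
    """
    escaped = value.replace("\x00", "\\00")
    escaped = _SPECIAL.sub(r"\\\1", escaped)
    # Leading '#' or space and trailing space are special only at the ends.
    if value.startswith((" ", "#")):
        escaped = "\\" + escaped
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def apply_template(template: str, name: str) -> str:
    """Replace the {0} substring of a DN template with name."""
    if "{0}" not in template:
        raise ValueError("DN template must contain the {0} substring")
    return template.replace("{0}", name)


def build_dn(user_name: str,
             profile_template: Optional[str] = None,
             service_template: Optional[str] = None) -> str:
    """Produce the full DN used to contact the LDAP server.

    Order follows the text: the client-side authentication profile template
    runs first, then the Authentication Service template. Only the raw user
    name is escaped; the profile output is already a DN fragment.
    """
    dn = escape_rdn_value(user_name)
    for template in (profile_template, service_template):
        if template:
            dn = apply_template(template, dn)
    return dn


if __name__ == "__main__":
    print(build_dn("admin", PROFILE_TEMPLATE, SERVICE_TEMPLATE))
    print(build_dn("qatest3", "CN={0}, ou=dev, o=bladelogic"))
    print(build_dn("qatest3, ou=admins", "CN={0}, ou=dev, o=bladelogic"))
```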

  4. On the BMC Server Automation client:
    1. Set up a distinguished name template, if necessary.
    2. Set up an authentication profile for LDAP authentication.
      For more information, see Authentication-profiles and Setting-up-an-authentication-profile.
  5. Cross-register LDAP users with the users in the RBAC user database.

    More on cross registering

    Users must be registered in both LDAP registries and the BMC Server Automation RBAC-based user database. Cross-registration enables users to be authorized for RBAC roles.
    When cross-registering users, be sure to enter the user’s full distinguished name in both RBAC and the LDAP registry.
    Only users authorized to use BMC Server Automation should be entered into the BMC Server Automation database. Use RBAC to add users to the BMC Server Automation database. For information about adding users to RBAC, see Creating-users.
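    A check for the cross-registration requirement above, as an added example (not BMC code and not how RBAC stores its data): it normalises DNs from both sides (attribute types lower-cased, whitespace around RDNs removed, values compared case-insensitively as for caseIgnoreMatch attributes) and reports RBAC users with no LDAP entry and LDAP entries with no RBAC user. The two DN lists are constructed sample data; multi-valued RDNs joined with + are not handled, which is a simplification.

```python
"""Added example (not BMC code): compare RBAC user DNs with LDAP DNs after
normalisation so harmless spelling differences do not hide real gaps."""
from typing import Iterable, List, Tuple

# Constructed sample data (hypothetical users), not from any real system.
RBAC_USER_DNS = [
    "CN=admin, CN=Users, DC=sub1, DC=bladelogic, DC=com",
    "cn=qatest3,ou=dev,o=bladelogic",
    "CN=qatest4, ou=dev, o=bladelogic",
]
LDAP_ENTRY_DNS = [
    "CN=Admin,CN=Users,DC=sub1,DC=bladelogic,DC=com",
    "CN=qatest3, ou=dev, o=bladelogic",
    "CN=qatest5, ou=dev, o=bladelogic",
]


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep escape pair as-is
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form: 'type=value' per RDN, lower-cased, no padding."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def cross_registration_gaps(rbac_dns: Iterable[str],
                            ldap_dns: Iterable[str]
                            ) -> Tuple[List[str], List[str]]:
    """Return (RBAC users missing in LDAP, LDAP entries missing in RBAC).

    Both lists are normalised DNs, sorted for stable reporting. An RBAC
    user without an LDAP counterpart cannot authenticate; an LDAP entry
    without an RBAC user is not authorised for any role.
    """
    rbac_set = {normalize_dn(d) for d in rbac_dns}
    ldap_set = {normalize_dn(d) for d in ldap_dns}
    return sorted(rbac_set - ldap_set), sorted(ldap_set - rbac_set)


if __name__ == "__main__":
    missing_in_ldap, missing_in_rbac = cross_registration_gaps(
        RBAC_USER_DNS, LDAP_ENTRY_DNS)
    print("RBAC users with no LDAP entry:", missing_in_ldap)
    print("LDAP entries with no RBAC user:", missing_in_rbac)
```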


BMC Server Automation 8.2