Synchronizing users with LDAP servers
Most large organizations rely on external systems such as LDAP servers to manage user accounts. BMC Server Automation lets you synchronize users maintained in specific LDAP groups with users in the RBAC database by mapping one or more LDAP groups and subgroups to an RBAC role.
Currently, BMC Server Automation only supports synchronization with Active Directory.
When you synchronize users, they are added to the RBAC user database and assigned to a role. You can reassign users to different roles as needed.
Before you begin
This procedure is typically performed by the RBACAdmins user. To perform this procedure using a role with a minimal set of authorizations, see Minimum authorizations for synchronizing users.
Before you perform this procedure, you can specify whether existing users should be subject to synchronization by setting the User participates in directory synchronization option in the New User wizard. For more information, see User General Information.
If you plan to synchronize LDAP user information regularly, you may want to perform that task using a BLCLI command instead of this procedure. The BLCLI command is:
To synchronize users
1. Ensure that the LDAP server has a certificate installed for secure LDAP communication.
2. Create an automation principal that represents the credentials required to access the LDAP server.
For more information about creating an automation principal, see Creating automation principals.
When defining an automation principal, the value you set for Principal ID must be the distinguished name of a privileged directory user. For example, you might enter:
CN=Administrator,CN=Users,DC=company,DC=com
When defining an automation principal, the Domain field is ignored. You must provide a passphrase for the directory user.
3. Set up an LDAP connection to use to connect to the LDAP server.
To set up an LDAP connection, you must have the host name or IP address of the LDAP server and a certificate that can be used to validate the certificate of the LDAP server. For example, if MyLDAPServer.mycompany.domain.com hosts the LDAP server, enter MyLDAPServer.mycompany.domain.com as the name of the server. Browse to the certificate file that contains either the certificate for MyLDAPServer.mycompany.domain.com or the CA certificate that signed it.
The procedure for setting up an LDAP connection is described in Creating an LDAP connection.
The procedure for obtaining a certificate is described in Obtaining a certificate used to trust the LDAP server.
4. Set up LDAP queries for the groups and users that must be queried and ultimately registered in RBAC.
You must set up at least two queries: one for identifying an LDAP group and another for identifying LDAP users. For example, if the LDAP server has a group called LDAPsyncTestGroup in the OU Test, you must determine the distinguished name of this group and enter it as the Base Distinguished Name of the LDAP query. Set Attribute equal to member and Filter equal to objectClass=group. For the user query, set Attribute equal to userPrincipalName. Leave Base Distinguished Name and Filter set to their default values, or set Filter to objectClass=user for a faster search.
The process for setting up LDAP queries is described in Creating an LDAP query.
5. Create the RBAC role that should be synchronized with an LDAP group if the role does not already exist. Associate an automation principal, an LDAP connection, and an LDAP group query and user query with the role.
The process of mapping these values to a role is described in Role - Group Mappings.
6. In the RBAC Manager folder, select Roles and then select the role to which you have mapped an LDAP connection and LDAP queries (that is, the role set up in step 5).
7. Right-click and select Synchronize.
The synchronization process begins. Users in the LDAP registry are added to the RBAC database and assigned to this role. Depending on how you have set up the Group Mappings options for the role, any existing users can be deleted, disabled, or removed from the role.
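The following added example (not BMC code) models what a synchronization run does with the two query results: it joins the group query's member DNs to the user query's userPrincipalName values, adds new users to the role, and applies the Group Mappings choice to role members no longer in the group, leaving users flagged as not participating in directory synchronization untouched. The role name, the option values delete / disable / remove_from_role, and all directory entries are constructed for illustration.

```python
from dataclasses import dataclass, field

ROLE = "LDAPsyncTestRole"  # constructed role name, assumed mapped to LDAPsyncTestGroup
@dataclass
class RbacUser:
    name: str
    roles: set = field(default_factory=set)
    participates_in_sync: bool = True  # "User participates in directory synchronization"
    enabled: bool = True

def resolve_group_members(member_dns, user_entries):
    """Join the group query (Attribute=member -> member DNs) with the user query
    (DN -> userPrincipalName); members that are not users (nested groups) have no UPN."""
    return {user_entries[dn] for dn in member_dns if dn in user_entries}

def synchronize_role(role, ldap_upns, rbac_users, stale_action="remove_from_role"):
    """Add group members to the role, then apply the Group Mappings choice (assumed values:
    delete / disable / remove_from_role) to role members no longer in the LDAP group.
    Users not participating in directory synchronization are never modified."""
    added, stale = [], []
    for upn in sorted(ldap_upns):
        if upn not in rbac_users:
            rbac_users[upn] = RbacUser(upn)
            added.append(upn)
        if rbac_users[upn].participates_in_sync:
            rbac_users[upn].roles.add(role)
    for name, user in list(rbac_users.items()):
        if role not in user.roles or name in ldap_upns or not user.participates_in_sync:
            continue
        stale.append(name)
        if stale_action == "delete":
            del rbac_users[name]
        elif stale_action == "disable":
            user.enabled = False
        else:
            user.roles.discard(role)
    return added, stale

def sample_sync(stale_action="remove_from_role"):
    # Constructed query results and RBAC state; returns (added, stale, rbac_users).
    member_dns = ["CN=alice,OU=Test,DC=company,DC=com", "CN=bob,OU=Test,DC=company,DC=com",
                  "CN=NestedGroup,OU=Test,DC=company,DC=com"]  # nested group: skipped
    user_entries = {"CN=alice,OU=Test,DC=company,DC=com": "alice@company.com",
                    "CN=bob,OU=Test,DC=company,DC=com": "bob@company.com",
                    "CN=carol,OU=Test,DC=company,DC=com": "carol@company.com"}
    rbac_users = {"alice@company.com": RbacUser("alice@company.com", {ROLE}),
                  "carol@company.com": RbacUser("carol@company.com", {ROLE}),  # left the group
                  "dave@company.com": RbacUser("dave@company.com", {ROLE}, participates_in_sync=False)}
    upns = resolve_group_members(member_dns, user_entries)
    added, stale = synchronize_role(ROLE, upns, rbac_users, stale_action)
    return added, stale, rbac_users
```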