Configuring LDAP authentication


You can configure the BMC Helix SSO server to authenticate end users through the Lightweight Directory Access Protocol (LDAP). You can also configure LDAP authentication for external administrators; see Configuring-the-BMC-Helix-SSO-server for details.

You can define groups to identify users who can access the BMC Helix SSO Admin Console by using REST API or the user interface. For more information about restricting access, see Configuring-authentication-for-BMC-Helix-SSO-administrators.

BMC Helix SSO supports a strong LDAP bind with the Simple Authentication and Security Layer (SASL). SASL is a challenge-response framework in which the client and the server exchange authentication data; the exchange authenticates the client and can also negotiate a security layer (integrity or privacy protection) for the communication that follows.

LDAP v3 also uses SASL for pluggable authentication, which lets you select an authentication mechanism that provides a strong bind. For example, the EXTERNAL mechanism over SSL with a client certificate establishes a strong bind: the client certificate is obtained from the client (browser) and passed to the BMC Helix SSO server, which then uses it to create the SSL connection to the LDAP server.

BMC Helix SSO supports providing additional information about LDAP users and groups. The additional information can be used by an integrated application such as TrueSight Orchestration (formerly BMC Atrium Orchestrator) for administration and authorization.

Important

BMC Helix SSO does not follow LDAP referrals. Make sure that the Users Base DN and the Groups Base DN are served directly by the LDAP server hosts you configure, because entries that are reachable only through a referral are not found.


Before you begin

  • Add a realm for LDAP authentication. For information about how to add a realm, see Adding-and-configuring-realms.
  • You must have the LDAP server configured.
  • Obtain the following information from the LDAP administrator:
    • Host name of the LDAP server
    • Port number of the LDAP server
    • Distinguished name of the bind LDAP user
    • Password of the bind LDAP user
    • Starting location within the LDAP directory for performing user searches
    • User attribute on which search is performed.
  1. In the left navigation pane of the Add Realm or Edit Realm page, click Authentication.
  2. In the Authentication Type field, click LDAP, and enter the following LDAP details:

    Each field is listed with its description and, where one applies, an example value.

    LDAP server information

    Add a hostname
    Enter the IP address or host name of the LDAP server.
    To use SASL, enter the host name (not the domain name).
    If you have an LDAP failover configuration, add several LDAP server hosts. This handles the situation in which one server is down and another is up and running: if the connection to the first server fails, BMC Helix SSO automatically redirects the request to the next server.
    Example: Not applicable

    Server Port
    Enter the port number of the LDAP server.
    Example: 389

    Use TLS connection
    Select to enable TLS communication with the LDAP server. Without TLS, a simple bind sends the bind password, and the password of every user who authenticates, to the LDAP server in cleartext.
    Example: Not applicable

    Connection timeout, millis
    Enter an integer value, in milliseconds, greater than zero, after which a connection request times out.
    If the LDAP provider cannot establish a connection with the server within this period, the connection attempt is stopped.
    If this value is blank, the server waits for the connection to be established until the underlying network times out.
    Example: 1000

    Read timeout, millis
    Enter an integer value, in milliseconds, greater than zero, after which a read request times out.
    If the LDAP provider does not receive an LDAP response within this period, the read attempt is stopped.
    If this value is blank, the server waits for the response until it is received.
    Example: 1000

    User information
    If you plan to use SASL authentication with the LDAP server, you do not need to specify the following fields:

    Bind DN
    Type the distinguished name (DN) of an LDAP user.
    This is the bind distinguished name used to query LDAP, so this account must have privileges to search the directory.
    Best Practice: Use a low-privilege account that is dedicated to directory searches and has no rights beyond reading the users and groups that BMC Helix SSO needs.
    Example: CN=User,CN=Users,DC=example,DC=com

    Bind Password
    Enter the password of the LDAP user with the Bind DN.
    Example: Not applicable

    Users Base DN
    Enter the starting location within the LDAP directory for performing user searches.
    For performance reasons, the search DN should be as specific as possible. The depth of the search is configured with the Search Scope field. With a One Level search scope, only entries directly under the Base DN are found, so the Base DN must then be the DN of the node that contains the users.
    Example: CN=Users,DC=example,DC=com

    Server search and filtering options

    Page Size
    Enter the page size to use for LDAP search results (the number of entries requested per page).
    By default, this value is set to 2000 entries. If your LDAP server is configured to return fewer than 2000 entries per page (for example, the default MaxPageSize of Active Directory is 1000), reduce this value accordingly.
    Example: 2000

    Enable Group Retrieval
    Select this check box to have BMC Helix SSO retrieve the list of groups of an authenticated user as part of the login process.
    Group retrieval might be required by applications such as TrueSight Orchestration (formerly BMC Atrium Orchestrator) to support BMC Helix SSO authorization.
    Example: Not applicable

    Search Scope
    Specify the scope of the search by selecting one of the available options:
    • One Level
    • Subtree

    LDAP Filter preset
    Select a preset to fill the LDAP filters with predefined values for the most common LDAP implementations:
    • Active Directory
    • AD Hierarchical
    To search within nested groups, select AD Hierarchical. You can also clear the filters and type your own queries in the User Authentication and Group Support fields.

    SASL configuration

    Use SASL
    Select to enable SASL.
    If you select Use SASL before filling in the other fields on the Authentication page, the Bind DN, Bind Password, and Users Base DN fields are disabled.
    When Bind DN and Users Base DN are disabled, you must populate the User Search Filter and Get All Users Filter fields manually; do not use the Preset button.
    If you click the Preset button, the Bind DN and Bind Password fields are enabled and marked as required.
    Example: Not applicable

    SASL Mechanism
    Select a SASL authentication mechanism:
    • DIGEST-MD5
    • GSSAPI
    DIGEST-MD5 has been moved to Historic status (RFC 6331); prefer GSSAPI (Kerberos) where your directory supports it.

    Quality of Protection
    Specify the integrity and privacy protection that the SASL mechanism must provide:
    • Authentication only
    • Authentication with integrity protection
    • Authentication with integrity and privacy protection

    User Authentication

    User Search Filter
    Enter the LDAP query that searches for the user to be authenticated; if the user is found, the query returns the user's distinguished name.
    The user is specified by the $USER$ macro, for example (&(objectCategory=user)(sAMAccountName=$USER$)).
    Example: Not applicable

    Identity Attribute
    Enter the attribute to be used as the user name. It is later provided as the user's name to the systems integrated with BMC Helix SSO.
    This field is not displayed if the Use SASL check box is selected.
    Example: sAMAccountName

    Get All Users Filter
    Enter the LDAP query that returns all LDAP users.
    Integrated applications can use this filter for administration purposes, to browse all users in LDAP to be considered as authorization subjects.
    Example: (objectCategory=user)

    Group Support

    Users of Group Filter
    Enter the LDAP query that returns the list of users who are members of a particular group.
    The group is specified by the $GROUP$ macro.
    Integrated applications can use group information for administration and authorization purposes.
    Example: (&(objectCategory=user)(memberOf=$GROUP$))

    Groups Base DN
    Enter a Base DN for group searches.
    If you do not specify a value, the Users Base DN is used.
    Example: Not applicable

    Group Search Filter
    Enter the LDAP query that returns the list of all groups.
    Integrated applications can use this filter for administration purposes, to browse all groups to be considered as authorization subjects.
    Example: (objectCategory=group)

    Group Name Attribute
    Enter the attribute to be used as the group name.
    Example: cn

    Groups of User Filter
    Enter the LDAP query that returns the list of groups for a particular user.
    The user is specified by the $DN$ macro, which holds the user's distinguished name; a group's member attribute stores member DNs, not login names, so $USER$ would not match here.
    Integrated applications can use this filter for administration purposes, such as browsing the groups of a particular user.
    Example: (&(objectCategory=group)(member=$DN$))

  3. (Optional) Click Test to verify the settings.
  4. Click Save.
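The procedure above wires together a search-then-bind flow: BMC Helix SSO binds with the Bind DN, searches under the Users Base DN with the User Search Filter (with $USER$ replaced by the login name) to obtain the user's DN, and then uses that DN for the user's own bind and for the Groups of User Filter. The following is an added example, not BMC Helix SSO code, that models stage 1 of that flow and the scope and macro rules from the field table against a small constructed in-memory directory, so it runs without an LDAP server. It assumes the Active Directory preset filter values shown above (with `(member=$DN$)` for Groups of User), an `OU=People` base instead of `CN=Users`, and, because the page does not say how the product treats the login name, that the value substituted for $USER$ is untrusted and must be RFC 4515-escaped; `find_users(..., safe=False)` shows what an unescaped substitution does to the filter.

```python
"""Search-then-bind LDAP lookup with the page's $USER$/$DN$/$GROUP$ filter macros, run
against a small in-memory directory (constructed sample data, no LDAP server needed).
Added example, not BMC Helix SSO code; the service-account bind is assumed done."""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]   # attribute name (lower-case) -> values
Directory = Dict[str, Entry]   # DN -> entry
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}  # RFC 4515

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def expand_filter(template: str, safe: bool = True, **macros: str) -> str:
    """Replace $NAME$ macros; safe=False reproduces the injection-prone raw substitution."""
    for name, value in macros.items():
        template = template.replace(f"${name}$", escape_filter_value(value) if safe else value)
    return template

def _parse(text: str, pos: int):
    """Parses the filter subset on this page: (&..), (|..), (!..), (attr=value), (attr=*)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, kids = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = _parse(text, pos)
            kids.append(node)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, kids), pos + 1
    end = text.index(")", pos)   # an escaped ')' is "\29", so a raw ')' always ends the item
    attr, _, raw = text[pos:end].partition("=")
    return ("=", attr.lower(), raw), end + 1

def _match(node: tuple, entry: Entry) -> bool:
    op = node[0]
    if op in "&|!":
        results = [_match(k, entry) for k in node[1]]
        return all(results) if op == "&" else any(results) if op == "|" else not results[0]
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":                    # presence test: only an unescaped '*' matches everything
        return bool(values)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw).lower()
    return any(v.lower() == wanted for v in values)   # substring wildcards (jd*) not modelled

def _in_scope(dn: str, base: str, scope: str) -> bool:
    """Subtree = base and below; One Level = direct children only (DNs split on ',')."""
    parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    if parts[-len(base_parts):] != base_parts:
        return False
    return len(parts) - len(base_parts) == 1 if scope == "One Level" else True

def search(directory: Directory, base: str, scope: str, filter_text: str) -> List[str]:
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [dn for dn, e in directory.items() if _in_scope(dn, base, scope) and _match(node, e)]

class LdapRealm:
    # The page's Authentication fields, filled with the Active Directory preset filters.
    def __init__(self, directory: Directory, users_base_dn: str, search_scope: str,
                 groups_base_dn: Optional[str] = None) -> None:
        self.dir, self.users_base_dn, self.scope = directory, users_base_dn, search_scope
        self.groups_base_dn = groups_base_dn or users_base_dn   # page: defaults to Users Base DN
        self.user_search_filter = "(&(objectCategory=user)(sAMAccountName=$USER$))"
        self.groups_of_user_filter = "(&(objectCategory=group)(member=$DN$))"
        self.users_of_group_filter = "(&(objectCategory=user)(memberOf=$GROUP$))"
        self.identity_attribute, self.group_name_attribute = "samaccountname", "cn"

    def find_users(self, login: str, safe: bool = True) -> List[str]:
        flt = expand_filter(self.user_search_filter, safe, USER=login)
        return search(self.dir, self.users_base_dn, self.scope, flt)

    def resolve_user_dn(self, login: str) -> Optional[str]:
        """Stage 1 of search-then-bind: exactly one hit, else refuse; the user bind is not modelled."""
        hits = self.find_users(login)
        return hits[0] if len(hits) == 1 else None

    def groups_of_user(self, user_dn: str) -> List[str]:
        flt = expand_filter(self.groups_of_user_filter, DN=user_dn)
        return [self.dir[dn][self.group_name_attribute][0]
                for dn in search(self.dir, self.groups_base_dn, self.scope, flt)]

    def users_of_group(self, group_dn: str) -> List[str]:
        flt = expand_filter(self.users_of_group_filter, GROUP=group_dn)
        return [self.dir[dn][self.identity_attribute][0]
                for dn in search(self.dir, self.users_base_dn, self.scope, flt)]

# Constructed sample directory: AD-style attributes, keys lower-cased.
PEOPLE, GROUPS = "OU=People,DC=example,DC=com", "OU=Groups,DC=example,DC=com"
JANE, BOB = "CN=Jane Doe," + PEOPLE, "CN=Bob Smith,OU=Contractors," + PEOPLE
ADMINS = "CN=SSO Admins," + GROUPS
SAMPLE_DIRECTORY: Directory = {
    JANE: {"objectcategory": ["user"], "samaccountname": ["jdoe"], "memberof": [ADMINS]},
    BOB: {"objectcategory": ["user"], "samaccountname": ["bsmith"]},
    ADMINS: {"objectcategory": ["group"], "cn": ["SSO Admins"], "member": [JANE]},
}
```

With `LdapRealm(SAMPLE_DIRECTORY, PEOPLE, "Subtree", GROUPS)`, `resolve_user_dn("jdoe")` returns Jane's DN and `groups_of_user` on that DN returns `["SSO Admins"]`; switching the scope to `"One Level"` makes `bsmith` unresolvable because his entry sits one container deeper than the Users Base DN. A login of `*)(objectCategory=*` yields no hits when escaped, but with `safe=False` the filter collapses to `(&(objectCategory=user)(sAMAccountName=*)(objectCategory=*))` and matches every user, which is why `resolve_user_dn` refuses anything other than exactly one hit and why the value substituted for $USER$ must never be used raw.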


Where to go from here

To enable authentication chaining mode for the realm, see Enabling-authentication-chaining-mode.

To enable AR authentication to bypass the other authentication methods, see Enabling-AR-authentication-for-bypassing-other-authentication-methods.

To transform the User ID value, see Transforming-userID-to-match-login-ID.
