This documentation supports the 21.05 (12.2) version of BMC Discovery.To view an earlier version of the product, select the version from the Product version menu.

Managing LDAP

LDAP is commonly used to access user or group information in a corporate directory. Using your corporate LDAP infrastructure to authenticate users can reduce the number of administrative tasks that you need to perform in BMC Discovery. LDAP groups can be mapped to BMC Discovery groups and hence assigned permissions on the system. The way in which BMC Discovery integrates with your LDAP infrastructure depends on the schema that is implemented in your organization.

Related topics

Managing users and security

LDAP group mapping


Note

If you are using LDAP authentication, there is no need to set up local user accounts for LDAP users on BMC Discovery.

LDAP Terms

The following terms are used in the sections describing BMC Discovery LDAP configuration:

  • Directory Information Tree (DIT)—The overall tree structure of the data directory queried using the LDAP protocol. The structure is defined by the schema. Each entry in a directory is an object; one of the following types:
    • Containers—A container is like a folder: it contains other containers or leaves.
    • Leaves—A leaf is an object at the end of a tree. Leaves cannot contain other objects.
  • Domain Component (dc)—Each element of the Internet domain name of the company is given individually.
  • Organizational Unit (ou)—Organizations in the company.
  • Common Name (cn)—The name of a person.
  • Distinguished Name (dn)—The complete name for a person, including the domain components, organizational unit, and common name.

An example Directory Information Tree is shown below.

dc=tideway,dc=com
      ou=engineering
            cn=Timothy Taylor
                  telephoneNumber=1234
                  email=t.taylor@bmc.com
      ou=test
            cn=Sam Smith
                  telephoneNumber=2345
                  email=s.smith@bmc.com
      ou=product management
            cn=John Smith
                  telephoneNumber=3456
                  email=j.smith@bmc.com

The login procedure

When a user attempts to log in through the user interface, BMC Discovery first checks to see whether the username represents a local account. If no local account exists, and LDAP has been configured correctly, BMC Discovery attempts to authenticate against the directory and then performs an account lookup to return the group memberships of that account. If the group mappings have been enabled, and configured correctly, then authentication takes place and the user is logged in with the local BMC Discovery rights as defined in the group mapping.

The Global Catalog

The Global Catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

Configuring LDAP

To configure the LDAP settings:

  1. From the main menu, click the Administration Settings icon.   

    The Administration page opens.

  2. In the Security section, click LDAP

    The LDAP page is displayed showing the LDAP tab.
    ldap.png

    The options on this page are described below:

  3. To save the LDAP settings, click Apply.

Configuring LDAP for use with BMC Atrium SSO

Depending on how your LDAP servers are configured, user authentication via Atrium SSO may work, but then user authorization in BMC Discovery fails. This occurs because Atrium SSO sends BMC Discovery the first part of the user's DN as their userid.

For example, for a DN of the following format:

dn: CN=ADDM QA. TEST,CN=Users,DC=addmsqa,DC=bmc,DC=com

The part that must be matched by the search that BMC Discovery runs is:

ADDM QA. TEST

To do this, set the Search Base to:

cn=users,dc=addmsqa,dc=bmc,dc=com

and the Search Template to:

(cn=%(username)s)

Changing from LDAPS to LDAP

When you reconfigure BMC Discovery to use LDAP when it was previously configured to use LDAPS, you must remove the CA Certificate, and change the URI in a single step otherwise you will encounter a Cannot use LDAPS without a CA Certificate warning. To do this:

  1. Edit the URI to point to the LDAP server's ldap:// URI. Do not click Apply yet.
  2. Select Remove CA Certificate.
  3. Click Apply.

Changing from LDAP to LDAPS

When you reconfigure BMC Discovery to use LDAPS when it was previously configured to use LDAP, you must add a CA certificate before you attempt to enter an ldaps:// URI.

LDAP group mapping

The LDAP group mapping enables you to assign membership of BMC Discovery groups to LDAP groups. If you do not use group mapping, users will be only be assigned to groups in BMC Discovery which are exactly the same as the the LDAP groups that they are members of, that is, in LDAP form dc=tideway,dc=com,ou=engineering...

To enable or disable LDAP group mapping

  1. From the LDAP page, select the Group Mapping tab.
    SecurityLDAPGroupMapping.png

    The LDAP Group Mapping page lists the LDAP groups that are assigned to BMC Discovery security groups. For each LDAP group, the appliance security groups to which it is assigned are listed. Links for each action that you can perform are provided for each group.
  2. Select Enabled or Disabled from the list.

To add or edit LDAP Group Mapping starting from a username

  1. From the LDAP page, select the Group Mapping tab.
  2. Click Lookup User.
  3. In the LDAP User Lookup dialog, enter the Username and click OK.
    The system looks up the username in LDAP and displays the results.
    GroupMappingLookupSuccess.png

    LDAP Groups—For each LDAP group of which the user is a member, displays existing group mappings and provides an add link or an edit link.
     Mapped Groups—Displays the final list of mapped groups for this user.
     Details—Displays whether the information was obtained from the local cache and the total number of groups to which this user belongs.
  4. Click Add to create a new group mapping or Edit to modify an existing group mapping.
  5. Select the appliance security groups to which you want to assign the LDAP group.
  6. To save the mapping, click Apply.

To add an LDAP Group Mapping starting from an LDAP group name

  1. From the LDAP page, select the Group Mapping tab.
  2. Click Add.
  3. On the Add LDAP Group Mapping page, enter a search term for the common name into the LDAP Group field and click Search.
    A list of matches is displayed. If more than ten entries match, the first ten are shown and a label is displayed at the bottom of the list showing how many additional matches there are.
  4. Select the matching LDAP group from the list.
    The LDAP groups field is not case sensitive. All LDAP groups returned from the LDAP server are displayed in lower case.
  5. Select the appliance security groups to which you want to assign the LDAP group.
  6. To save the mapping, click Apply.

To edit an LDAP Group Mapping starting from an LDAP group name

  1. From the LDAP page, select the Group Mapping tab.
    For each LDAP group listed, an edit link and a delete link are provided.
  2. Click Edit.
  3. Select the appliance security groups to which you want to assign the LDAP group.
  4. To save the mapping, click Apply.

To delete an LDAP Group Mapping

  1. From the LDAP page, select the Group Mapping tab.
    For each LDAP group listed, an edit link and a delete link are provided.
  2. To remove an LDAP group mapping, click Delete.

Troubleshooting

If you receive an error, Can't Contact LDAP Server in the Connection Status field, this might be caused by certificate problems rather than simple connectivity (wrong URI, port and so forth). Check that the certificate you are using is the one you received from your LDAP administrator.

If the login fails when attempting LDAP authentication, set the security log /usr/tideway/log/tw_svc_security.log level to debug.

Where the account used to bind to the directory fails to authenticate look for messages similar to the following:

-1285350512: 2010-08-13 10:00:46,843: security.authenticator.ldap: DEBUG: Attempt to auth bind as username "administrator"
-1285350512: 2010-08-13 10:00:47,117: security.authenticator.ldap: DEBUG: LDAP passwd for "CN=Administrator,CN=Users,DC=generic,DC=com" not valid

If you are using group mapping and are experiencing login failures, check that group mappings have been correctly defined for one or more LDAP groups to which the user belongs. See To add or edit LDAP Group Mapping starting from a username.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*