Configuring LDAP authentication for the Console


When you configure the BMC Application Performance Management Console to authenticate users with your LDAP server, all users are authenticated with the Observer role, unless you map LDAP groups to user roles.


Note

You cannot override the role of a single user in a group that is mapped to a role.

To configure LDAP authentication for the Console

  1. On the BMC Application Performance Management Console, select System Access > LDAP > Settings to access the LDAP Settings page.
  2. Click LDAP Authentication.
  3. Under Directory Server, add information specific to your LDAP server:
    1. Provide the IP address or the DNS name of the LDAP server.
    2. Specify the port, or leave the default value of 389.
    3. Specify the authentication type: Simple (username and password) or Anonymous.
    4. If you selected simple authentication, complete the following steps; otherwise, proceed to step 3e:
      1. In the Search username (bind DN) box, enter the name of the user account permitted to search the LDAP directory within the defined search base. Use the DN format — for example, cn=Administrator,cn=Users,dc=domain,dc=com.
      2. In the Password box, enter the password for the account specified in the Search User Name (bind DN) box.
    5. In the Connection Security Level list, select the type of communication, Non-Secure or LDAPS (Secure LDAP, also known as LDAP over SSL).
    6. (Optional) If you selected LDAPS in the Connection security level list, select Allow SSL connection to LDAP server using self-signed certificate unless your organization requires an X.509 certificate (also known as an SSL certificate) purchased from a commercial Certificate Authority (CA).
    7. In the Connection timeout box, specify the length of time that the system waits before it declares an error on the connection.
    8. (Optional) Click Test Server.
       A message indicates whether the connection test succeeded or failed.
  4. In the User Lookup for Authentication section, add information to enable the BMC Application Performance Management Console to look up users that are registered on the LDAP server:
    1. In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory. 

      Note

      If the Base DN contains leading or trailing spaces, or any of the following special characters, you must escape them appropriately for your LDAP implementation: , \ / # + < > " ' =. For example, if you use Microsoft Active Directory, and the Base DN contains an ampersand (&), enter \&.

    2. In the Filter box, enter the query string that will return the records that you want to see.
    3. In the Filter Scope list, select the starting point of a search and the depth from the base DN to which the search should occur:
      • Base searches only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
      • One Level searches all entries that are one level under the base DN (excluding the base DN).
      • Subtree searches all entries at all levels under and including the specified base DN.
    4. In the User Name Attribute box, enter a single LDAP user attribute that the system uses for the lookup.
  5. In the Group Lookup for Authentication section, add information to enable the BMC Application Performance Management Console to look up groups that are registered on the LDAP server:
    1. In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory. 

      Note

      If the Base DN contains leading or trailing spaces, or any special characters, you must escape them appropriately for your LDAP implementation.

    2. In the Filter box, enter the query string that will return the records that you want to see.
    3. In the Filter Scope list, select the starting point of a search and the depth from the base DN to which the search should occur:
      • Base searches only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
      • One Level searches all entries that are one level under the base DN (excluding the base DN).
      • Subtree searches all entries at all levels under and including the specified base DN.
    4. In the Group Name Attribute box, enter the single LDAP attribute that the system uses for the group lookup, for example cn. It can be any attribute configured on the LDAP server.
    5. In the Member Attribute box, enter the name of the member attribute that contains the list of users in the group.
  6. Click Save.
  7. On the Action menu, click Edit LDAP Settings.
  8. Enable the system to automatically log on users with the Observer role:
    1. On the System Access tab, select Security Policies.
    2. In the Authentication section, select Allow Automatic Ldap Login.
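The following Python script is an added example, not code from BMC or from the Console; it simulates the user and group lookups the settings above drive, so you can see what Base DN, Filter, Filter Scope, User Name Attribute, Group Name Attribute and Member Attribute each contribute before pointing the Console at a live directory. The directory entries are constructed sample data, the settings dictionaries and their {attr} and {username} placeholders are this example's own convention (the Console's filter syntax may differ), and the filter matcher only handles equality clauses and AND. The escaping helpers follow RFC 4514 (DN values) and RFC 4515 (filter values); implementation-specific escapes such as the Active Directory ampersand case in the note are not modeled. The security point is in build_user_filter: the login name is escaped before it is inserted into the filter, so a login containing an asterisk or parentheses cannot change the shape of the query.

```python
import re

# Constructed sample directory, not taken from the page: each entry is a DN
# plus multi-valued attributes, the way an LDAP server returns them.
DIRECTORY = [
    {"dn": "cn=Users,dc=example,dc=com", "objectClass": ["container"]},
    {"dn": "cn=Jane Doe,cn=Users,dc=example,dc=com",
     "objectClass": ["user"], "sAMAccountName": ["jdoe"]},
    {"dn": "cn=Sam Lee,ou=Staff,cn=Users,dc=example,dc=com",
     "objectClass": ["user"], "sAMAccountName": ["slee"]},
    {"dn": "cn=APM Admins,cn=Groups,dc=example,dc=com", "objectClass": ["group"],
     "cn": ["APM Admins"], "member": ["cn=Jane Doe,cn=Users,dc=example,dc=com"]},
    {"dn": "cn=APM Observers,cn=Groups,dc=example,dc=com", "objectClass": ["group"],
     "cn": ["APM Observers"],
     "member": ["cn=Jane Doe,cn=Users,dc=example,dc=com",
                "cn=Sam Lee,ou=Staff,cn=Users,dc=example,dc=com"]},
]

# Assumed settings shape mirroring the Console's User Lookup and Group Lookup
# sections; the {attr} and {username} placeholders are this example's convention.
USER_LOOKUP = {
    "base_dn": "cn=Users,dc=example,dc=com",
    "filter": "(&(objectClass=user)({attr}={username}))",
    "scope": "Subtree",
    "username_attribute": "sAMAccountName",
}
GROUP_LOOKUP = {
    "base_dn": "cn=Groups,dc=example,dc=com",
    "filter": "(objectClass=group)",
    "scope": "One Level",
    "group_name_attribute": "cn",
    "member_attribute": "member",
}

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in ',+"\\<>;=' or leading_hash or edge_space else ch)
    return "".join(out)

def escape_filter_value(value):
    """Escape a value placed inside a search filter (RFC 4515 hex escapes)."""
    # Backslash first, so the escapes added afterwards are not escaped again.
    for ch, code in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                     (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, code)
    return value

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def dn_components(dn):
    """Split a DN on unescaped commas; lower-case so comparisons ignore case."""
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn)]

def in_scope(entry_dn, base_dn, scope):
    """Apply the Base / One Level / Subtree semantics described in the procedure."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"Base": depth == 0, "One Level": depth == 1, "Subtree": True}[scope]

_CLAUSE = re.compile(r"\((\w+)=([^()]*)\)")

def matches_filter(entry, filt):
    """Simplified matcher: a single equality clause or an AND of equality clauses."""
    clauses = _CLAUSE.findall(filt)
    if not clauses:
        raise ValueError("unsupported filter: " + filt)
    return all(unescape_filter_value(raw).lower() in [v.lower() for v in entry.get(attr, [])]
               for attr, raw in clauses)

def search(base_dn, scope, filt):
    return [e for e in DIRECTORY if in_scope(e["dn"], base_dn, scope) and matches_filter(e, filt)]

def build_user_filter(settings, login):
    """Insert the escaped login into the Filter using the User Name Attribute."""
    return settings["filter"].format(attr=settings["username_attribute"],
                                     username=escape_filter_value(login))

def lookup_user(settings, login):
    return [e["dn"] for e in search(settings["base_dn"], settings["scope"],
                                    build_user_filter(settings, login))]

def groups_for_user(settings, user_dn):
    """Return the Group Name Attribute of every group whose Member Attribute lists the user."""
    wanted = dn_components(user_dn)
    return sorted(g[settings["group_name_attribute"]][0]
                  for g in search(settings["base_dn"], settings["scope"], settings["filter"])
                  if any(dn_components(m) == wanted for m in g.get(settings["member_attribute"], [])))
```

Running lookup_user(USER_LOOKUP, "slee") with the scope set to One Level returns nothing, because Sam Lee sits in an OU one level deeper than the Base DN; switching the scope to Subtree finds the account. That is the usual cause of "user not found" after an otherwise successful Test Server, and it is worth checking before the password or filter is questioned.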

Result

The system creates a temporary user account on the Real User Analyzer that is enabled with the same role as the account on the Console, which enables users to access the Real User Analyzer from the Console. 

Where to go from here

To associate groups of LDAP users to BMC Real End User Experience Monitoring roles on the Console, see Mapping-LDAP-groups-to-user-roles-for-the-Console.

Related topic

LDAP-accounts
