Configuring authorization through LDAP
Unlike in the hybrid approach (authentication only), where users acquire Observer accounts, with full LDAP (authentication and authorization) you can assign different access levels to groups of users registered on the LDAP server.
To get a list of valid LDAP groups from the Lightweight Directory Access Protocol (LDAP) server, configure authorization through LDAP.
To configure LDAP authorization
- On the Administration page of the , click Accounts and LDAP management and select the LDAP settings view.
- In the Directory Server section, add information specific to your LDAP server:
  - In the Host box, enter the name of the server where the LDAP directory resides.
  - In the Port box, enter the TCP port of the host server (indicated in the Host box). The standard port for LDAP is port 389 for non-SSL connections and 636 for SSL connections.
  - In the Authentication list, select the authentication for the system to use, Simple (username & password) or Anonymous.
  - If you selected simple authentication, continue with the following steps; otherwise, skip to step 4:
    - In the Search username (bind DN) box, enter the user name of the account that is permitted to search the LDAP directory within the defined search base. Use the distinguished name (DN) format, which is a series of key-value pairs separated by commas (for example, cn=administrator,cn=Users,dc=domain,dc=com, where cn is common name and dc is domain component).
    - In the Password box, enter the password for the account on the directory server that corresponds to the user account in the Search username (bind DN) box.
  - In the Connection security level list, select the type of communication, such as Non-Secure or LDAPS (Secure LDAP, also known as LDAP over SSL).
  - (Optional) If you selected LDAPS in the Connection security level list, select Allow SSL connection to LDAP server using self-signed certificate unless your organization requires an X.509 certificate (also known as an SSL certificate) purchased from a commercial Certificate Authority (CA).
  - In the Connection timeout box, specify the time that the system waits before it declares an error on the connection.
  - (Optional) Click Test Server. A message indicates success, or failure because of errors.
- In the User lookup for authentication section, add information that enables the system to look up users that are registered on the LDAP server:
  - In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory. An LDAP directory is arranged in tree fashion, with a root and branches off this root. The base DN indicates at which node to start the search.
  - In the Filter box, enter the query string that will return the records that you want to see.
  - In the Filter Scope list, select the starting point of a search and the depth from the base DN to which the search should occur:
    - Base searches only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
    - One Level searches all entries that are one level under the base DN, but not including the base DN.
    - Subtree searches all entries at all levels under and including the specified base DN.
  - In the Username attribute box, enter a single LDAP user attribute that the system uses for the lookup — for example cn. It can be any attribute configured on the LDAP server.
  - (Optional) Click Test lookup. If the server and lookup are configured correctly, a list of LDAP groups appears in a new window.
- Click Save.
The authenticated and authorized users acquire accounts that are associated with the roles mapped to their LDAP group.
Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*
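The Base DN, Filter Scope (Base, One Level, Subtree) and trailing-asterisk semantics described above, worked through as an added Python example that is not part of this documentation or the product: it runs the same search parameters against a small constructed in-memory directory, and escapes the looked-up username per RFC 4515 so the Username attribute lookup matches it literally. The sample DNs and function names are assumptions.

```python
import re
# Constructed sample directory (DN -> attributes), a stand-in for a real LDAP server.
SAMPLE_DIRECTORY = {
    "dc=example,dc=com": {"dc": ["example"]},
    "cn=Users,dc=example,dc=com": {"cn": ["Users"]},
    "cn=alice,cn=Users,dc=example,dc=com": {"cn": ["alice"]},
    "cn=Groups,dc=example,dc=com": {"cn": ["Groups"]},
    "cn=certops,cn=Groups,dc=example,dc=com": {"cn": ["certops"]},
    "cn=certadmins,cn=Groups,dc=example,dc=com": {"cn": ["certadmins"]},
    "cn=observers,cn=Groups,dc=example,dc=com": {"cn": ["observers"]},
}

def parse_dn(dn):
    """Split a DN into normalized (key, value) pairs; ValueError if not DN-shaped."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"not a DN component: {rdn!r}")
        key, value = rdn.split("=", 1)
        pairs.append((key.strip().lower(), value.strip().lower()))
    return pairs

def escape_filter_value(value):
    """RFC 4515 escaping, so a looked-up username is matched literally."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def build_user_filter(username_attr, username):
    """Filter for the Username attribute lookup, e.g. (cn=alice)."""
    return f"({username_attr}={escape_filter_value(username)})"

def _matches(attrs, flt):
    """Evaluate one (attr=value) filter: '*' is a wildcard, \\XX a literal byte."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt!r}")
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), s)
    rx = ".*".join(re.escape(unescape(p)) for p in m.group(2).split("*"))
    return any(re.fullmatch(rx, v, re.IGNORECASE) for v in attrs.get(m.group(1).lower(), []))

def search(directory, base_dn, scope, flt):
    """Return the DNs selected by base DN, scope (base / one / sub) and filter."""
    base, hits = parse_dn(base_dn), []
    for dn, attrs in directory.items():
        parts = parse_dn(dn)
        in_scope = {"base": parts == base,           # only the base entry
                    "one": parts[1:] == base,        # direct children, not the base
                    "sub": parts[-len(base):] == base}[scope]  # base and all descendants
        if in_scope and _matches(attrs, flt):
            hits.append(dn)
    return sorted(hits)
```

Running `search(SAMPLE_DIRECTORY, "cn=Groups,dc=example,dc=com", "one", "(cn=cert*)")` returns the two cert* groups but not the Groups container itself, which only a Subtree search includes.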