Configuring LDAP authentication for the Console


This procedure describes how to configure the BMC Application Management Console to authenticate, or to authenticate and authorize, users against your LDAP server.

  • Authenticated users can log on to the Console, and are logged on with the Observer role. To implement authentication only, complete steps 1–4. 
  • Authenticated and authorized users are logged on to the Console with the permission mapped to their corresponding LDAP group. To implement authentication and authorization, complete steps 1–8. 

    During the configuration process for authentication and authorization, you can also enable automatic LDAP login. When enabled, the system creates the user account for the Console when the LDAP user logs on to the APM Console for the first time. To permit only specific LDAP users to log on to the Console, do not enable this option. Instead, you can create their accounts and let LDAP handle the authentication and authorization.
Recommendation

As a best practice, BMC recommends that you always configure at least one local user with the Security role. Having a local user with the Security role ensures that you can always access and configure the Console, regardless of the state of your LDAP server or any problems that you might encounter with your LDAP configuration.

To view a list of users, select System Access > Accounts. To add a local user from the Accounts page, select Add Account from the Action menu.

To perform this procedure, you must have Security-level, Administrator-level, or Access Manager-level access.

To configure LDAP authentication and authorization for the Console

  1. On the APM Console, select System Access > LDAP > Settings to access the LDAP Settings page.
  2. In the Actions menu, select Edit LDAP Settings.
  3. Under Directory Server, add information specific to your LDAP server:
    1. Provide the IP address or the DNS name of the LDAP server.
    2. Specify a port or leave the default value of 389.
    3. Specify authentication type, Simple (username & password) or Anonymous.
    4. If you selected simple authentication, complete the following steps; otherwise, proceed to step 3e:
      1. In the Search username (bind DN) box, enter the name of the user account permitted to search the LDAP directory within the defined search base. Use the DN format — for example, cn=Administrator,cn=Users,dc=domain,dc=com.
      2. In the Password box, enter the password for the account specified in the Search User Name (bind DN) box.
    5. In the Connection Security Level list, select the type of communication, Non-Secure or LDAPS (Secure LDAP, also known as LDAP over SSL).
    6. (Optional) If you selected LDAPS in the Connection security level list, select Allow SSL connection to LDAP server using self-signed certificate unless your organization requires an X.509 certificate (also known as an SSL certificate) purchased from a commercial Certificate Authority (CA).
    7. In the Connection timeout box, specify the length of time that the system waits before it declares an error on the connection.
    8. (Optional) Click Test Server.
       A message indicates whether the connection test succeeded or failed, and reports any errors.
  4. In the User Lookup for Authentication section, add information to enable the APM Console to look up users that are registered on the LDAP server:
    1. In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory. 

      Note

      If the Base DN contains leading or trailing spaces, or any of the following special characters, you must escape them appropriately for your LDAP implementation: , \ / # + < > " ' =. For example, if you use Microsoft Active Directory, and the Base DN contains an ampersand (&), enter \&.

    2. In the Filter box, enter the query string that will return the records that you want to see.
    3. In the Filter Scope list, select the starting point of a search and the depth from the base DN to which the search should occur:
      • Base searches only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
      • One Level searches all entries that are one level under the base DN (excluding the base DN).
      • Subtree searches all entries at all levels under and including the specified base DN.
    4. In the User Name Attribute box, enter a single LDAP user attribute that the system uses for the lookup.
  5. To enable user authorization for your LDAP users, proceed to the next step; otherwise, click Save, and skip to Step 9.
  6. In the Group Lookup for Authorization section, add information to enable the APM Console to look up groups that are registered on the LDAP server:
    1. Click Enable LDAP Authorization.
    2. In the Base DN box, enter the base distinguished name (DN) to indicate where you want to begin the search in the LDAP directory. 

      Note

      If the Base DN contains leading or trailing spaces, or any special characters, you must escape them appropriately for your LDAP implementation.

    3. In the Filter box, enter the query string that will return the records that you want to see.
    4. In the Filter Scope list, select the starting point of a search and the depth from the base DN to which the search should occur:
      • Base searches only the entry at the base DN, resulting in only that entry being returned (if it also meets the search filter criteria).
      • One Level searches all entries that are one level under the base DN (excluding the base DN).
      • Subtree searches all entries at all levels under and including the specified base DN.
    5. In the Group Name Attribute box, enter a single LDAP attribute of the group entry that the system uses for the lookup, for example cn. It can be any attribute configured on the LDAP server.
    6. In the Member Attribute box, enter the name of the member attribute that contains the list of users in the group.
  7. Click Save.
  8. On the LDAP Settings page, set LDAP Authentication to ON.
  9. (Optional) Enable the system to create accounts and automatically log on LDAP users:
    1. On the System Access tab, select Security Policies.
    2. In the Authentication section, click Allow Automatic Ldap Login.
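The user lookup (step 4) and group lookup (step 6) that the LDAP Settings page configures, as an added example in Python that is not BMC's code: it models the three Filter Scope values, the DN escaping described in the note, the lookup of a login name by the User Name Attribute, and the match of the resulting user DN against group Member Attribute values. The directory entries, group names, role mapping and setting values are constructed for the example; how the product composes the configured Filter with the User Name Attribute, and which role it assigns when authorization is enabled but no group maps, are assumptions of this example.

```python
# Added example, not BMC's code: an offline model of the user lookup (step 4) and
# group lookup (step 6). Directory, groups and role mapping are constructed.
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]  # attribute name -> values
Directory = Dict[str, Entry]  # DN -> entry
# Characters the page's note says to escape in a DN value; '&' is the extra
# Active Directory case from the note, applied when active_directory=True.
DN_SPECIAL = set(',\\/#+<>"\'=')

def escape_dn_value(value: str, active_directory: bool = False) -> str:
    """Backslash-escape a DN attribute value, including leading/trailing spaces."""
    specials = DN_SPECIAL | ({'&'} if active_directory else set())
    return ''.join('\\' + ch if ch in specials or (ch == ' ' and i in (0, len(value) - 1)) else ch
                   for i, ch in enumerate(value))

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter (e.g. a login name)."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas, normalised for case-insensitive comparison."""
    return [p.strip().lower() for p in re.split(r'(?<!\\),', dn)]

def in_scope(dn: str, base_dn: str, scope: str) -> bool:
    """Apply the Filter Scope setting: Base, One Level or Subtree."""
    parts, base = split_rdns(dn), split_rdns(base_dn)
    under = len(parts) >= len(base) and parts[-len(base):] == base
    return {'Base': parts == base, 'One Level': under and len(parts) == len(base) + 1,
            'Subtree': under}[scope]

def get_attr(entry: Entry, name: str) -> List[str]:
    """LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def _split_top(body: str) -> List[str]:
    """Split '(a=1)(b=2)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += 1 if ch == '(' else -1 if ch == ')' else 0
        if ch == '(' and depth == 1:
            start = i
        elif ch == ')' and depth == 0:
            parts.append(body[start:i + 1])
    return parts

def match_filter(entry: Entry, flt: str) -> bool:
    """Evaluate a subset of RFC 4515 filters: (a=v), (a=*) and &, | combinations."""
    body = flt.strip()[1:-1]
    if body[0] in '&|':
        results = [match_filter(entry, sub) for sub in _split_top(body[1:])]
        return all(results) if body[0] == '&' else any(results)
    attr, _, value = body.partition('=')
    values = [v.lower() for v in get_attr(entry, attr.strip())]
    literal = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)
    return bool(values) if value == '*' else literal.lower() in values

def search(directory: Directory, base_dn: str, flt: str, scope: str) -> List[str]:
    """DNs of the entries within scope of base_dn that satisfy flt."""
    return [dn for dn, e in directory.items()
            if in_scope(dn, base_dn, scope) and match_filter(e, flt)]

# Values as they would be entered on the LDAP Settings page (constructed).
USER_LOOKUP = dict(base_dn='cn=Users,dc=example,dc=com', filter='(objectClass=user)',
                   scope='Subtree', name_attr='sAMAccountName')
GROUP_LOOKUP = dict(base_dn='ou=Groups,dc=example,dc=com', filter='(objectClass=group)',
                    scope='One Level', name_attr='cn', member_attr='member')
ROLE_MAP = {'apm-admins': 'Administrator', 'apm-security': 'Security'}  # hypothetical mapping
DIRECTORY: Directory = {
    'cn=Users,dc=example,dc=com': {'objectClass': ['container']},
    'cn=alice,cn=Users,dc=example,dc=com': {'objectClass': ['user'], 'sAMAccountName': ['alice']},
    'ou=Groups,dc=example,dc=com': {'objectClass': ['organizationalUnit']},
    'cn=APM-Admins,ou=Groups,dc=example,dc=com': {'objectClass': ['group'], 'cn': ['APM-Admins'],
                                                 'member': ['cn=alice,cn=Users,dc=example,dc=com']},
}

def find_user_dn(directory: Directory, login: str) -> Optional[str]:
    """Step 4: AND the configured Filter with (User Name Attribute=login); the login is
    filter-escaped so it cannot alter the query, and exactly one match is required."""
    flt = '(&%s(%s=%s))' % (USER_LOOKUP['filter'], USER_LOOKUP['name_attr'],
                             escape_filter_value(login))
    hits = search(directory, USER_LOOKUP['base_dn'], flt, USER_LOOKUP['scope'])
    return hits[0] if len(hits) == 1 else None

def resolve_role(directory: Directory, login: str, authorization: bool) -> Optional[str]:
    """None for an unknown user; Observer with authentication only; with authorization the
    role of the first mapped group listing the user's DN, else Observer (assumed fallback)."""
    user_dn = find_user_dn(directory, login)
    if user_dn is None or not authorization:
        return None if user_dn is None else 'Observer'
    flt = '(&%s(%s=%s))' % (GROUP_LOOKUP['filter'], GROUP_LOOKUP['member_attr'],
                             escape_filter_value(user_dn))
    for group_dn in search(directory, GROUP_LOOKUP['base_dn'], flt, GROUP_LOOKUP['scope']):
        name = get_attr(directory[group_dn], GROUP_LOOKUP['name_attr'])[0].lower()
        if name in ROLE_MAP:
            return ROLE_MAP[name]
    return 'Observer'

if __name__ == '__main__':
    for login in ('alice', 'mallory', 'alice)(objectClass=*'):
        print('%-22s -> %s' % (login, resolve_role(DIRECTORY, login, authorization=True)))
```

Run as a script it resolves three logins; the last one shows why the login value is escaped before it is placed in the Filter: the metacharacters are neutralised, so the lookup simply finds no entry instead of the search being changed. Note that the connection and bind of step 3 are not modelled, and that with a Subtree scope the same user can also appear in groups below the group Base DN, which a One Level scope excludes.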

Result

When users who are authenticated on the Console access the Analyzer from the Console, they are authenticated and authorized with their Console user roles.

Where to go from here

To configure user authorization by associating groups of LDAP users to user roles on the Console, see Mapping-LDAP-groups-to-user-roles-in-the-Console.

Related topics

Using-LDAP-authentication-and-authorization

Configuring-LDAP-for-tenant-users
