Configuring LDAP authentication


You can configure authentication through an LDAP server. You can use LDAP only for authentication, or you can have the system assign a role to each user based on LDAP group membership:

  • If LDAP is used only for authentication, users are assigned the default role of Manager. After a user logs on once, the system maintains a record for that user. An Admin user can assign a different role to the user by modifying the user's role preference.
  • When configured for role assignments, a user who logs on through LDAP is assigned an appropriate role based on the user's group membership in the LDAP system. The role selection can be based on nested groups.

To configure LDAP authentication

  1. Click the System tab.
  2. From the left menu, select Settings.
  3. After the list of settings, click Login Config.
  4. From the Driver list, select LDAP.
  5. Click Set and Configure.
  6. Enter all of the following mandatory LDAP settings (credentials) into the Value fields to establish a connection:
    • The hostname of your LDAP server—Host name of the LDAP server which you will use (for example, ldaprlm.ddns.bmc.com).
    • Account DN to use for performing searches—DN of the user with the admin account. The system uses this account when it searches the existing users.
    • Password for the search account—Current password of the admin account.
    • Base DN for user account searches—Top level domain (for example, dc=nodomain).
    • Account Attribute—Attribute used for the account (for example, cn).
    • Group Membership DN—Filter, used while displaying the data in the LDAP Mode Configuration pop-up screen, for example:
      • ou=Groups,dc=nodomain—To have the list of groups displayed on the LDAP Mode Configuration pop-up screen;
      • cn=group1,ou=Groups,dc=nodomain—To have the list of users from the particular group displayed on the LDAP Mode Configuration pop-up screen.
    • Group Membership Attribute—If a particular group is selected, the group itself and all its members are displayed in the LDAP Mode Configuration pop-up screen (for example, member).
  7. Assign specific users and groups to the appropriate modes (roles):

    • Admin User
    • Standard User
    • Report Only User

    Starting with BMC VaraLogix Q Deployment Automation version 4.3.01.01, you can assign multiple users and groups to a specific mode, using the following steps.

    1. Click the Value field next to the mode to which you want to assign specific users or groups.
      The Manage <appropriate mode> DN dialog box appears. This dialog box lists the users and groups defined in the LDAP server's database (for which you entered credentials in step 6).
    2. From the list on the left select a user or group that you want to assign to a specific mode (role), and click Add Item(s).
      To select multiple users or groups at the same time, press the Ctrl or Shift key while selecting, and then click Add Item(s).

      If the list of users and groups is very long, use the Search field to find the relevant user or group.

      To remove users or groups from the list on the right, select the relevant users or groups and click Remove Item(s).

      Note

      Assigned users take priority over assigned groups.
      Specific users and groups may belong to all three modes (Admin, Standard, Report Only) at the same time, but Admin users have the highest priority.

  8. Click Apply and Test.
     The results of the configuration are presented in the Status section. Use this section to debug configuration issues.
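
To review who ends up in which mode before applying the mapping, the following added example (not part of the product or its documentation) expands nested groups through the member attribute and applies the priority note from step 7. The group names, user DNs, the ordering of Standard above Report Only, and the reading that a user's own assignment overrides any group assignment are assumptions; confirm the real behaviour in the Status section.

```python
# Constructed sample data (not from a real directory), using the page's dc=nodomain.
# Group DN -> values of its Group Membership Attribute ("member").
GROUPS = {
    "cn=rlm-admins,ou=Groups,dc=nodomain": ["cn=alice,dc=nodomain",
                                            "cn=ops,ou=Groups,dc=nodomain"],
    "cn=ops,ou=Groups,dc=nodomain": ["cn=bob,dc=nodomain",
                                     "cn=rlm-admins,ou=Groups,dc=nodomain"],  # cycle
    "cn=reporting,ou=Groups,dc=nodomain": ["cn=carol,dc=nodomain", "cn=bob,dc=nodomain"],
}
# DNs placed in each Manage <mode> DN dialog box (constructed).
ASSIGNMENTS = {
    "Admin": ["cn=rlm-admins,ou=Groups,dc=nodomain"],
    "Standard": ["cn=carol,dc=nodomain"],
    "Report Only": ["cn=reporting,ou=Groups,dc=nodomain", "CN=alice, DC=nodomain"],
}
# Assumption: Standard outranks Report Only; the page only says Admin is highest.
PRIORITY = ["Admin", "Standard", "Report Only"]

def norm(dn):
    """Naive DN normalisation: case and spacing only, no escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def expand(dn, groups, seen=None):
    """User DNs reachable from dn through nested groups; cycles are visited once."""
    seen = set() if seen is None else seen
    if dn in seen:
        return set()
    seen.add(dn)
    if dn not in groups:
        return {dn}  # not a group, so treat it as a user entry
    users = set()
    for member in groups[dn]:
        users |= expand(member, groups, seen)
    return users

def effective_roles(assignments, groups):
    """Map each user DN to the mode it would receive under the stated assumptions."""
    groups = {norm(g): [norm(m) for m in ms] for g, ms in groups.items()}
    direct, via_group = {}, {}
    for mode in reversed(PRIORITY):  # lowest first, so higher modes overwrite
        for dn in map(norm, assignments.get(mode, [])):
            if dn in groups:
                via_group.update({user: mode for user in expand(dn, groups)})
            else:
                direct[dn] = mode
    return {**via_group, **direct}  # a user's own assignment beats a group's
```

With the sample data, bob receives Admin only because the ops group is nested inside the group assigned to Admin, which is the kind of indirect grant to look for when role selection is based on nested groups.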

Related topics

Configuring-local-authentication
Configuring-MSAD-authentication

 
