LDAP/Active Directory authentication


The Lightweight Directory Access Protocol (LDAP) is a standard protocol used by many popular user repositories including Microsoft Active Directory, ACF2, and RACF. Selecting the LDAP/Active Directory option configures the Authentication Server to connect to an LDAP server to authenticate the user and (optionally) obtain group membership information.

Theory of operation

For each authentication request received, the Authentication Server performs the following steps:

  1. Obtain the list of LDAP servers.
  2. Connect to the LDAP server of the highest priority.
  3. Perform a search for the user.
  4. Extract group membership information.
  5. Reconnect to the user's entry using the user's credentials.
  6. If any step produces an error, repeat the process with the next LDAP server.
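The six steps above, as an added example that is not part of the product documentation or of the Authentication Server's own code: a Python sketch of the flow in which the server list comes from constructed DNS SRV records ordered by priority, the user name is escaped per RFC 2254 before it is substituted into the Search Filter, an empty password is rejected before the bind, and group names are derived from memberOf values using CN as the Group Entry Name Attribute. The `{user}` placeholder, the filter template, the StubDirectory class and every host name and directory entry are constructed assumptions, not product behaviour.

```python
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape the RFC 2254 special characters so input matches only literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def order_servers(srv_records):
    """Step 2: lowest priority number first (RFC 2782); higher weight breaks ties."""
    return sorted(srv_records, key=lambda r: (r["priority"], -r["weight"]))

def group_names_from_dns(member_of, name_attr="CN"):
    """Step 4: apply the Group Entry Name Attribute to the first RDN of each DN."""
    names = []
    for dn in member_of:
        attr, _, val = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == name_attr.lower():
            names.append(val.strip())
    return names

class StubDirectory:
    """Constructed stand-in for the LDAP servers; not a real LDAP client."""
    def __init__(self, entries_by_filter, down_hosts=()):
        self.entries, self.down = entries_by_filter, set(down_hosts)

    def search(self, host, search_filter):
        if host in self.down:
            raise ConnectionError(host)
        return self.entries.get(search_filter)  # matching entry or None

    def bind(self, host, dn, password):  # step 5: reconnect with the user's credentials
        return any(e["dn"] == dn and e["password"] == password for e in self.entries.values())

def authenticate(srv_records, template, username, password, directory):
    """Return the user's group names, or None when the request is rejected."""
    if not password:  # RFC 4513: an empty password turns the bind anonymous
        return None
    search_filter = template.replace("{user}", escape_filter_value(username))
    for server in order_servers(srv_records):
        try:
            entry = directory.search(server["target"], search_filter)  # step 3
        except ConnectionError:
            continue  # step 6: an error means try the next LDAP server
        if entry is None or not directory.bind(server["target"], entry["dn"], password):
            return None  # bad user name/password: reject, do not fail over
        return group_names_from_dns(entry["memberOf"])  # steps 4 and 5 succeeded
    return None  # every server produced an error
# Constructed sample input: two SRV records and an assumed filter template.
SRV_RECORDS = [{"priority": 10, "weight": 50, "target": "dc2.example.test"},
               {"priority": 0, "weight": 100, "target": "dc1.example.test"}]
FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName={user}))"
```

The DN split in group_names_from_dns is deliberately naive: an RDN value containing an escaped comma (RFC 4514) needs a real DN parser.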

To configure LDAP/Active Directory

On the Authentication Server page, navigate to Authentication Method > LDAP/Active Directory, and click Configure.
The LDAP Configuration page opens.

The following table describes the UI features on the LDAP Configuration page:

UI feature

Description

Use DNS SRV Record Lookup

Click the Use DNS SRV Record Lookup toggle button to locate LDAP servers or explicitly specify a set of servers in the configuration.
This option is disabled by default. For more information, see To use DNS SRV record lookup.

+ New Record

Click to configure a new server. For more information, see To use the New Configuration page.

Load from DNS SRV records

Click to display a page that administrators can use to enter DNS domain field information.
For more information, see To load from DNS SRV records.

Server URI

Displays a list of available servers.

Actions

Click the options button to perform the following actions:

  • Test: Test the functionality of the server.
  • Edit: Edit the server information.
  • Delete: Delete the server.

Advanced filter

Select the filters that help you to find servers.

To use DNS SRV record lookup

When you enable Use DNS SRV Record Lookup, the Authentication Server performs a DNS SRV record lookup against the DNS servers defined for the BMC AMI Console Management server. The configuration dialog box shows the common LDAP configuration parameters, which you can modify. If the Authentication Server is configured to perform a DNS SRV record lookup, these parameters must be the same for all servers.

The following table describes the UI features on the LDAP configuration page when Use DNS SRV Record Lookup is enabled:

UI feature

Description

Domain

(Required) Enter the domain name that you want to test.

Connect DN
Connect Password

(Required) The Connect DN (Distinguished Name) and Connect Password fields are displayed when credentials are required to perform the search.

Many LDAP servers are set up to require a well-known DN and password to perform a search to find a user's record. 

Base DN

The field defines the point at which searches begin.

Search Filter

This field specifies the records that are matched during the search phase. The filter string format is defined in RFC 2254:

http://www.ietf.org/rfc/rfc2254.txt

Alternatively, use the Search Filter dialog box to search for specific criteria starting at the Base DN. You can specify any of the following search criteria:

  • Text 
  • Message ID
  • Color
  • System 
  • Job ID
  • WTOR 
  • Time Range

You can also select the following options to refine the search criteria:

  • Ignore case: Matches text regardless of case
  • Backward: Searches for previous messages

Important

If you have specified search filter criteria and they are not found during authentication, the request is rejected with a bad user name/password status.

Conversely, if an entry matching the criteria is found, the authentication continues.

Group Attribute

This field is used when Resource Level Authorization is enabled.
It specifies the attribute of the user's record whose values are interpreted as the list of groups to which the user belongs. For an Active Directory implementation, this may be memberOf: in Active Directory, the memberOf attribute is an array of distinguished names referring to the groups to which the user belongs.

Group Entry Name Attribute

The Group Entry Name Attribute is used to extract the group's actual name when Resource Level Authorization is enabled and a group attribute is specified.

For an Active Directory implementation, this may be CN.

Test

Test the LDAP server information.

Enter a user name and a password, and click Test. The results of the LDAP authentication are displayed on the page.

To use the New Configuration page

You can create an LDAP connection on the New Configuration page.

The following table describes the UI features on the New Configuration page:

UI feature

Description

Server URI

(Required) Enter the URL of the server that you want to add.

Connect DN
Connect Password

(Required) The Connect DN (Distinguished Name) and Connect Password fields are provided when credentials are required to perform the search.

Many LDAP servers are set up to require a well-known DN and password to perform a search to find a user's record. 

Base DN

This field defines the point at which searches begin.

Search Filter

This field specifies the records that are matched during the search phase. The filter string format is defined in RFC 2254:
http://www.ietf.org/rfc/rfc2254.txt

Alternatively, use the Search Filter dialog box to search for specific criteria starting at the Base DN. You can specify any of the following search criteria:

  • Text 
  • Message ID
  • Color
  • System 
  • Job ID
  • WTOR 
  • Time Range

You can also select the following options to refine the search criteria:

  • Ignore case: Matches text regardless of case
  • Backward: Searches for previous messages

Important

If you have specified search filter criteria and they are not found during authentication, the request is rejected with a bad user name/password status.

Conversely, if an entry matching the criteria is found, the authentication continues.

Group attribute

This field is used when Resource Level Authorization is enabled.
It specifies the attribute of the user's record whose values are interpreted as the list of groups to which the user belongs. For an Active Directory implementation, this may be memberOf: in Active Directory, the memberOf attribute is an array of distinguished names referring to the groups to which the user belongs.

Group entry name attribute

This field is used to extract the group's actual name when Resource Level Authorization is enabled and a group attribute is specified.

For an Active Directory implementation, this can be CN.

Create
Save & Exit

Click Create to add a new configuration.

Click Save & Exit to save an existing configuration.

To load from DNS SRV records

  1. After you enter the information in the Domain field, click Show DNS Lookup Results.
    A DNS SRV query is issued and the results are listed in the DNS SRV lookup table.
  2. Under LDAP Fields, enter the required information.
  3. Click Add Selected Entries to populate the LDAP server list with the selected servers and the LDAP parameters provided earlier.

To discard the process, click Cancel.

 
