Creating LDAP group mapping


You can map LDAP groups to the groups in BMC Release Process Management. The advantage of LDAP group mapping is that, after the first login, LDAP users are automatically added to the mapped groups, and the corresponding group roles and permissions are assigned to them. Therefore, you do not have to add users to groups manually, although the option to add users manually is still available. If no LDAP mapping is set up, a user is automatically assigned to the default group after the first login.

In versions earlier than 5.0.03.003, LDAP group mapping is updated after the first login through the GUI. Starting from version 5.0.03.003, you can update the mapping by executing a rake task without logging in through the GUI. For more information, see To update LDAP group mappings using a rake task.

Manual group assignments have higher priority than the LDAP group mapping. If you assign a user to a group manually, the assignment is not cleared. Consider the following:

Example
  1. Ldapgroup1 is mapped to group1 that has role1.
  2. User1 from ldapgroup1 logs in.
  3. User1 is automatically added to group1 and inherits role1.
  4. User1 is manually added to group2 that has role2.
  5. User1 is manually removed from group1.
  6. User1 logs off.
  7. User1 logs in and is assigned to both group1 and group2 and inherits role1 and role2.

Note

 If a group is made inactive, a user is automatically removed from the group at login.
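The precedence rules above (mapped groups are re-added at every login, manual assignments survive, inactive groups are dropped) can be replayed with the following model. This is an added example, not BMC's code; the reconciliation logic, the data classes and all group, role and user names are constructed assumptions that follow the documented behaviour.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    roles: set
    ldap_group: str = ""      # LDAP group mapped to this group, "" if none
    active: bool = True

@dataclass
class User:
    name: str
    ldap_groups: set                            # groups reported by LDAP
    groups: set = field(default_factory=set)    # current RPM membership

def reconcile_on_login(user, groups):
    """Return (effective_groups, effective_roles) after a login.

    Rules modelled from the page (assumed, not BMC's implementation):
    - every active group mapped to one of the user's LDAP groups is added,
      even if an administrator removed the user from it manually;
    - memberships added manually are kept;
    - inactive groups are removed.
    """
    by_name = {g.name: g for g in groups}
    effective = {n for n in user.groups if n in by_name and by_name[n].active}
    effective |= {g.name for g in groups
                  if g.active and g.ldap_group and g.ldap_group in user.ldap_groups}
    user.groups = effective
    roles = set()
    for n in effective:
        roles |= by_name[n].roles
    return effective, roles

def walk_example():
    """Replay the seven-step example from the page with constructed names."""
    group1 = Group("group1", {"role1"}, ldap_group="ldapgroup1")
    group2 = Group("group2", {"role2"})
    user1 = User("user1", {"ldapgroup1"})
    groups = [group1, group2]
    reconcile_on_login(user1, groups)        # steps 2-3: group1, role1
    user1.groups.add("group2")               # step 4: manual add
    user1.groups.discard("group1")           # step 5: manual removal
    return reconcile_on_login(user1, groups) # step 7: group1 is re-added
```

Because manual assignments are never cleared by the mapping, an audit of effective roles has to look at the union of both sources, which is what the returned role set represents.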

To create an LDAP group mapping

  1. Make sure LDAP authentication is enabled.
  2. Navigate to System > Groups.
  3. Do one of the following:
    1. To map an LDAP group to an existing group, from the Actions column, click Edit.
    2. To map an LDAP group to a new group, create a group.
  4. In Search base:

    • If the field is empty, enter the path to the LDAP group base.

      Example: OU=SomeOrganizationUnit11, OU=SomeOrganizationUnit1, DC=example, DC=com.

      Note

      The Search base field is automatically populated with the value specified for LDAP Group Search Base when enabling LDAP authentication.

    • If the field is already populated, go to the next step.

    Note

    In 5.0.03.003 and earlier versions, to search for a group, the Search base field must contain the absolute path up to the folder level in which the group is created. Starting from version 5.0.03.004, in addition to the absolute path, you can provide a path only up to the domain or forest level. If the group being searched for is part of multiple domains or forests, multiple results are returned.

  5. In Search name, enter the name of the group, and then click Add.

    Example: CN=GroupCommonName111.

    The group appears in the LDAP Groups list.
    Repeat this step for all LDAP groups that you want to map.

    Note

    If you receive a system message that there are no matches, consider the following:

    • The specified group does not exist.
    • The LDAP server is down.
    • The wrong mapping format is used in the Search base or Search name box.
    • The group is already mapped.
  6. To remove a group from the LDAP Groups list, select the group, and then click Remove.
  7. Save your changes.

To update LDAP group mappings using a rake task

  1. Go to RLMHome/releases/yourCurrentVersion/RPM/portal.war/WEB-INF and set the environment variable by running the following command.

    ./RLMHome/bin/setenv.sh
  2. Run the following rake task.

    jruby -S rake user:update_ldap_assigned_groups RAILS_ENV=production
  3. Press Enter.
    After the rake task is executed successfully, the following sample message is displayed.

    Rake started...
    Following users are processed:
    1) admin
    3) rpmadmin

    elapsed_time: 0.22 mm.ss
    Detailed log is located at: C:/Program Files/BMC Software/RLM/releases/
    5.0.03.003/RPM/log/update_ldap_assigned_groups.log
