The LDAP Compliant Directory Configuration windows let you configure the LDAP settings for your CA Harvest SCM agent. The window uses the following fields.
Note: The product installation program records your responses to the following prompts in the LDAP-related settings in the product configuration files HServer.arg, HBroker.arg, and HAgent.arg.
LDAP Server Name
Defines one or more host names of the LDAP server to which your CA Harvest SCM computer connects, for example:
hostname1
You can optionally define the port number to use on each host, by entering the host name in the form hostname:port, for example:
hostname2:389
You can specify a list of host names separated by spaces. Each host may optionally be of the form hostname:port, for example:
hostname1:389 hostname2 hostname3:389
Important! If used, the :port number specified in the LDAP Server Name field overrides the value specified in the LDAP Port Number field.
Limits: 255 characters
If the host name field defines multiple host names, the product computer connects to the first available LDAP server in the list.
LDAP Port Number
Specifies the port number for the LDAP server. This port number is used if the LDAP port number is not specified in the host name field.
Default: If you are using SSL as the encryption mechanism, the default is 636; otherwise, the default is 389.
Minimum: 1 Maximum: 9999
Base Distinguished Name
Defines the base distinguished name (DN) used when searching in the LDAP server.
For example:
"ou=users,ou=north america,dc=abccorp,dc=com"
Enter the quotation marks (" ") literally as shown.
Default: None Limits: 255 characters
Install the Agent
Chapter 2: Installing on Windows 63
Search Filter
(Optional) Defines an RFC 2254-compliant search filter for locating a user (RFC 2254 has since been superseded by RFC 4515, which keeps the same filter syntax). For example, when a user attempts to log in to the product, this filter is used to search for the user in the LDAP server.
Default: (&(objectclass=person)(user-attribute-name=<placeholder>))
Note: The complete expression for the search filter used by your LDAP server may differ from the default value, depending on how your LDAP server has been configured. For details, see your system administrator.
(user-attribute-name=<placeholder>)
Specifies the LDAP User attribute name and its placeholder used in the search.
user-attribute-name
Defines your LDAP server's attribute name for user name. This value must be the same as the value specified for your LDAP server by the LDAP User Attribute name parameter, -ldapattrusrname=attribute name.
<placeholder>
Identifies a literal constant placeholder for user-attribute-name. Enter exactly the same value as user-attribute-name and enclose the value with angle brackets (< >), as shown in the following examples.
Examples
These examples use the default search filter.
If -ldapattrusrname=uid for your LDAP server, then the search filter is:
(&(objectclass=person)(uid=<uid>))
If -ldapattrusrname=cn for your LDAP server, then the search filter is:
(&(objectclass=person)(cn=<cn>))
If -ldapattrusrname=uname for your LDAP server, then the search filter is:
(&(objectclass=person)(uname=<uname>))
64 Implementation Guide
Examples: How the Search Filter is Used
The search filter is used to find a user name when it is required by any operation.
For example, consider (&(objectclass=person)(uid=<uid>)): When a user attempts to log in to the product, <uid> is replaced dynamically with the user's user name, and the LDAP directory is searched for this user.
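The substitution described above, as an added example that is not CA Harvest SCM's own code: the placeholder is replaced with the login name, and the login name is escaped per RFC 4515 (the successor of RFC 2254) before substitution, so that a crafted login name cannot change the structure of the filter. The page does not say whether the product escapes the name itself; the function and constant names below are this example's own, and the hostile login name is constructed.

```python
# Added example, not CA Harvest SCM's own code. It performs the placeholder
# substitution described on this page and escapes the login name per RFC 4515
# (the successor of RFC 2254) so that a crafted login name cannot change the
# structure of the filter. Whether the product escapes the name itself is not
# stated on this page; the escaping here is the behaviour you would want.

# RFC 4515 section 3: these characters must be written as backslash + two hex digits.
FILTER_SPECIALS = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in FILTER_SPECIALS:
            out.append(FILTER_SPECIALS[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are escaped byte by byte as UTF-8.
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def build_search_filter(template, attr, username, escape=True):
    """Replace the literal placeholder <attr> in template with username.

    attr is the -ldapattrusrname value (for example 'uid'); the template must
    contain <attr> exactly as the page requires. escape=False reproduces a
    naive substitution and exists only to show the difference.
    """
    placeholder = '<%s>' % attr
    if placeholder not in template:
        raise ValueError('filter %r does not contain the placeholder %s'
                         % (template, placeholder))
    value = escape_filter_value(username) if escape else username
    return template.replace(placeholder, value)


DEFAULT_FILTER = '(&(objectclass=person)(uid=<uid>))'

# Constructed hostile login name: with naive substitution it turns the filter
# into one that matches every person entry instead of a single user.
HOSTILE_NAME = '*)(|(uid=*))(uid=*'

if __name__ == '__main__':
    for name in ('amy33', 'john22'):
        print(build_search_filter(DEFAULT_FILTER, 'uid', name))
    print('naive:  ', build_search_filter(DEFAULT_FILTER, 'uid', HOSTILE_NAME, escape=False))
    print('escaped:', build_search_filter(DEFAULT_FILTER, 'uid', HOSTILE_NAME))
```

With the hostile name, naive substitution yields `(&(objectclass=person)(uid=*)(|(uid=*))(uid=*))`, a well-formed filter that matches every person; the escaped form keeps the whole name inside a single `uid=` assertion.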
These examples use the default search filter and use the setting -ldapattrusrname=uid:
When the user amy33 attempts to log on, the search filter used to locate this user is:
(&(objectclass=person)(uid=amy33))
When the user john22 attempts to log on, the search filter used to locate this user is:
(&(objectclass=person)(uid=john22))
LDAP Search Timeout
(Optional) Defines the number of seconds to wait for a search for a user in the LDAP directory to complete, for example when a user attempts to log in to the product.
Default: 60 Limits: 20 digits.
Username Attribute ID
Defines your LDAP server's LDAP user attribute name for a user's user name.
Limits: 255 alphanumeric characters
LDAP/SASL Security/Encryption Mechanism
Specifies the security mechanism to use for authenticating product users:
tls
Specifies Transport Layer Security, negotiated with StartTLS on the normal LDAP connection.
Specify tls only if your LDAP server supports StartTLS.
ssl
Specifies Secure Socket Layer, that is, LDAP over an SSL/TLS-protected connection (LDAPS), by default on port 636.
None
Specifies no security mechanism.
Important! If you specify None, the bind password, user credentials, and all other information exchanged between the product and the LDAP server are transmitted in clear text.
Default: None.
If you specify tls or ssl, complete the following fields; otherwise, skip them:
Trusted Certificate Filename
(Optional) Defines the complete path name of the TLS trusted certificate file.
This parameter specifies the PEM-format file containing certificates for the Certificate Authorities (CAs) that the LDAP client (the product remote agent or server) will trust. The certificate for the CA that signed the LDAP server certificate must be included in these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CAs from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.
You can also define the TLS trusted certificate file in the OpenLDAP configuration file (for example: on UNIX, in $HOME/.ldaprc file) using the following parameter:
TLS_CACERT filename
Limits: 255 alphanumeric characters
Client Certificate Filename
(Optional) Defines the complete path name of the TLS client certificate file.
You can also define this certificate file in the OpenLDAP configuration file (for example: on UNIX, in $HOME/.ldaprc file) using the following parameter:
TLS_CERT filename
Limits: 255 alphanumeric characters
Client Key Filename
(Optional) Defines the complete path name of the TLS private key associated with the client certificate file.
You can also define this key in the OpenLDAP configuration file (for example:
on UNIX, in the $HOME/.ldaprc file) using the following parameter:
TLS_KEY filename
Limits: 255 alphanumeric characters
Important! Private keys are sensitive data and are usually password-encrypted for protection. However, the current LDAP API implementation does not support encrypted keys, so the key must be stored unencrypted and the file containing it must be protected carefully (for example, readable only by the account under which the agent or server runs).
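A pre-flight check for the three TLS files described above, as an added example that is not CA Harvest SCM's own code: it confirms that the trusted certificate file holds at least one PEM CERTIFICATE block (the chain can be several, appended in any order), that the client certificate file holds exactly one, and that the client key is a PEM private key that is not password-encrypted. The checks work on PEM text so they run offline; the PEM blocks below are constructed placeholders with dummy bodies, not real certificates or keys, and the function names are this example's own.

```python
# Added example, not CA Harvest SCM's own code: pre-flight checks for the
# TLS_CACERT, TLS_CERT and TLS_KEY files. They inspect PEM text only, so no
# cryptography library is required. Sample PEM blocks are constructed
# placeholders (the body is base64 of the word "CONSTRUCTED"), not real keys.
import re

CERT_BLOCK = re.compile(r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', re.S)
KEY_BLOCK = re.compile(r'-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----')
# A password-protected PEM key announces itself in one of two ways:
# PKCS#8 uses a dedicated header, legacy PKCS#1/SEC1 keys use a Proc-Type line.
ENCRYPTED_MARKERS = ('-----BEGIN ENCRYPTED PRIVATE KEY-----', 'Proc-Type: 4,ENCRYPTED')


def count_certificates(pem_text):
    """Number of CERTIFICATE blocks in a PEM bundle (order is not significant)."""
    return len(CERT_BLOCK.findall(pem_text))


def key_is_encrypted(pem_text):
    """True if the PEM private key is password-protected."""
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)


def check_tls_files(ca_text, cert_text, key_text):
    """Return a list of problems; an empty list means the files look usable."""
    problems = []
    if count_certificates(ca_text) == 0:
        problems.append('TLS_CACERT: no CERTIFICATE block found; the signing CA chain is required')
    if count_certificates(cert_text) != 1:
        problems.append('TLS_CERT: expected exactly one client CERTIFICATE block')
    if not KEY_BLOCK.search(key_text):
        problems.append('TLS_KEY: no PRIVATE KEY block found')
    elif key_is_encrypted(key_text):
        problems.append('TLS_KEY: key is password-encrypted; the LDAP API requires an unencrypted key')
    return problems


def check_tls_paths(ca_path, cert_path, key_path):
    """Same check against files on disk (the paths entered in the fields above)."""
    with open(ca_path) as ca, open(cert_path) as cert, open(key_path) as key:
        return check_tls_files(ca.read(), cert.read(), key.read())


# Constructed samples: two chained CA certificates, one client certificate,
# one unencrypted PKCS#8 key and one legacy encrypted RSA key.
CA_BUNDLE = (
    '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
    '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
)
CLIENT_CERT = '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
PLAIN_KEY = '-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n'
ENCRYPTED_KEY = (
    '-----BEGIN RSA PRIVATE KEY-----\n'
    'Proc-Type: 4,ENCRYPTED\n'
    'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n'
    'Q09OU1RSVUNURUQ=\n'
    '-----END RSA PRIVATE KEY-----\n'
)

if __name__ == '__main__':
    print('usable:', check_tls_files(CA_BUNDLE, CLIENT_CERT, PLAIN_KEY))
    print('encrypted key:', check_tls_files(CA_BUNDLE, CLIENT_CERT, ENCRYPTED_KEY))
```

Run `check_tls_paths()` against the three file names before entering them in the installer; a non-empty list tells you which field will fail at connect time.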
LDAP Distinguished Name
Defines the distinguished name (DN) used for the initial bind to the LDAP server. For all authentication operations, only this initial DN is used to bind to the LDAP directory.
A sample entry is:
"cn=john22,ou=users,ou=north america,dc=abccorp,dc=com"
Enter the quotation marks (" ") literally as shown.
Default: None Limits: 255 characters
Password for LDAP Distinguished Name
Defines the password for the LDAP distinguished name. Do not enter spaces. If you do not specify a password, an empty password is used.
Limits: 255 alphanumeric characters
Your password is encrypted and is stored in the \CA_SCM_HOME\hagentauth.dfo file. This file name is specified in the following entry in the hagent.arg file:
ldapbindpwfile= hagentauth.dfo
You can optionally specify multiple base distinguished names to search for user names in the LDAP server. In the configuration file, the ldapbasedn parameter then takes the following form:
ldapbasedn="name1[;name2[;name3]…]"
How to Install the Agent on a Network
Defines one or more base distinguished names (DN) used when searching in the LDAP server.
To specify one base distinguished name, use the format shown in the following example:
ldapbasedn="ou=america,dc=abccorp,dc=com"
To specify two base distinguished names, use the format shown in the following example:
ldapbasedn="ou=america,dc=abccorp,dc=com;ou=europe,dc=abccorp,dc=com"
Important! When specifying multiple base distinguished names, separate them with a semicolon (;), as shown in the previous example.
Default: None Limits: 255 characters
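The LDAP Server Name and LDAP Port Number fields described earlier, and the ldapbasedn list described here, follow a small set of precedence and separator rules; the parser below is an added example, not CA Harvest SCM's own code, that applies them exactly as this page states them: a :port in the server list overrides the LDAP Port Number field, which overrides the mechanism default (636 for ssl, 389 otherwise); ports must lie in 1..9999; the field limit is 255 characters; and base DNs are separated by semicolons inside the quotation marks. The function names are this example's own.

```python
# Added example, not CA Harvest SCM's own code: parses the LDAP Server Name,
# LDAP Port Number and ldapbasedn values using the precedence and separator
# rules described on this page. Field names are the page's; function names
# are this example's own.

DEFAULT_PORT = {'ssl': 636, 'tls': 389, 'none': 389}   # from the LDAP Port Number defaults
FIELD_LIMIT = 255                                       # character limit of both fields
PORT_MIN, PORT_MAX = 1, 9999                            # Minimum/Maximum of LDAP Port Number


def parse_ldap_servers(server_field, port_field=None, mechanism='none'):
    """Return [(host, port), ...] in the order the product would try them.

    server_field: space-separated hosts, each optionally host:port.
    port_field:   the LDAP Port Number field, or None if left at the default.
    mechanism:    'tls', 'ssl' or 'none' (the security mechanism field).
    """
    if len(server_field) > FIELD_LIMIT:
        raise ValueError('LDAP Server Name exceeds %d characters' % FIELD_LIMIT)
    fallback = port_field if port_field is not None else DEFAULT_PORT[mechanism.lower()]
    servers = []
    for token in server_field.split():
        host, sep, port_text = token.partition(':')
        if not host:
            raise ValueError('empty host name in %r' % token)
        # A :port on the host overrides the LDAP Port Number field.
        port = int(port_text) if sep else fallback
        if not PORT_MIN <= port <= PORT_MAX:
            raise ValueError('port %d for %s outside %d..%d' % (port, host, PORT_MIN, PORT_MAX))
        servers.append((host, port))
    if not servers:
        raise ValueError('no LDAP server name given')
    return servers


def parse_base_dns(ldapbasedn_value):
    """Split ldapbasedn="name1[;name2[;name3]...]" into a list of base DNs.

    Accepts either the bare quoted value or the whole .arg line. A DN that
    itself contains a semicolon cannot be expressed with this separator.
    """
    value = ldapbasedn_value.strip()
    if value.startswith('ldapbasedn='):
        value = value[len('ldapbasedn='):]
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    if len(value) > FIELD_LIMIT:
        raise ValueError('base DN list exceeds %d characters' % FIELD_LIMIT)
    dns = [dn.strip() for dn in value.split(';') if dn.strip()]
    if not dns:
        raise ValueError('no base DN given')
    return dns


if __name__ == '__main__':
    # Values taken from the examples on this page.
    print(parse_ldap_servers('hostname1:389 hostname2 hostname3:389', mechanism='ssl'))
    print(parse_base_dns('ldapbasedn="ou=america,dc=abccorp,dc=com;ou=europe,dc=abccorp,dc=com"'))
```

For the server list on this page with ssl selected, hostname2 falls back to 636 while the two hosts that name a port keep 389, which is the override rule stated under LDAP Server Name.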