Chapter 10 Using an external LDAP data store
The following topics are provided:
- External LDAP server overview (page 82)
- Creating a new data store (page 82)
- Modifying an existing data store (page 85)
External LDAP server overview
This section describes the process and options available to a BMC Atrium SSO administrator who uses an external LDAP server to provide group and attribute values for authenticated users. Users and groups cannot be managed from the BMC Atrium SSO server because access to the LDAP server is read-only.
Configuring an external data store is primarily needed when access to group membership information is required. The LDAP authentication module can be used to retrieve user attributes without configuring an external data store. For more information, see “Using LDAP for authentication”.
An external LDAP server is used to augment the information available to BMC products. For more information about the configuration options available with the LDAP data store, see the OpenSSO documentation.
Creating a new data store
To use an external LDAP server as a data store, you either create a new data store or modify an existing data store to access the LDAP server.
To create a new data store
1 Navigate to the BmcRealm Data Stores tab:
Access Control > BmcRealm link > Data Stores tab
2 Click New.
3 Enter the name for the new data store.
4 Click the type of data store that you want to create.
- Active Directory, Active Directory Application Mode (ADAM), Generic LDAPv3, and Sun DS are equivalent LDAP data store types.
- The main difference between the data stores is the initial default data supplied for the data store configuration.
- An AR Server data store is not an LDAP type. For information on creating and configuring an AR Server data store, see “Using AR Server for authentication”.
5 Click Next.
a In the LDAPv3 Plug-in Supported Types and Operations field, remove the existing entries and add the following entries:
- user=read
- group=read
b In the LDAP Users Search Filter field, verify that the search filter is applicable for the users within the LDAP server.
c If the default class specified is not used by user entries in the server, then searches will fail.
d In the LDAP Groups Container Value field, verify that the value is correct.
e In the LDAP User Attributes field, add or remove attributes as needed.
f Verify that the attributes reflect attributes that can be used with the user entries in the LDAP server. Note that the following internal attributes are also available for mapping:
- Email: The user’s email address
- Phonenumber: The user’s phone number
- Address: The user’s mailing address
- Firstname: The first name of the user
- Lastname: The last name of the user
- Fullname: The full name of the user, usually including middle initial
g Remove attributes that are never used and those that are not needed for the mapping function.
9 Click Save.
LDAP server configuration parameters

Table 10-1: LDAP server configuration parameters

Parameter | Description
LDAP Server | Specifies the host and port for the LDAP server. The initial value supplied is for the internal LDAP server and should not be re-used. If the server is listening on the default port, the port value does not need to be supplied.
LDAP Bind DN | The login name (DN) that is used to connect to the LDAP server.
LDAP Bind Password | The combination of the LDAP Bind DN and password sets up an account to connect with the LDAP server.
LDAP Organization DN | The root of the LDAP tree. This DN is used as the starting point to perform searches for users and groups.
LDAP SSL | If you are using SSL with LDAP, verify that the BMC Atrium SSO public certificates are imported into the LDAP server’s truststore, and that the LDAP server’s public certificate is imported into the BMC Atrium SSO server’s truststore. For more information, see “Using CA certificates”.
LDAP Connection Pool Maximum Size | The connection pool attributes adjust the performance of BMC Atrium SSO and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.
LDAP Connection Pool Minimum Size | The connection pool attributes adjust the performance of BMC Atrium SSO and the load on the LDAP server. Before modifying the default values, BMC recommends that you complete performance timings to determine appropriate values.

LDAP user attributes

Table 10-2: LDAP user data attributes

Attribute | Description
Attribute Name of User Status | Contains the attribute used for identifying the status of the account.
User Status Active Value | Identifies the value of the attribute when the account is active.
User Status Inactive Value | Identifies the value of the attribute when the account is inactive.
LDAPv3 Plug-in Supported Types and Operations | Identifies the type of access that the data store provides to BMC Atrium SSO. This data store provides read-only access to BMC Atrium SSO. The entries must reflect read-only access.
LDAP Users Search Attribute | Specifies the attributes containing the user ID of the account that is being searched. Remove the attributes that are never used and attributes that are used for the mapping function.
LDAP Users Search Filter | Specifies the filter for user searches. If the specified default class is not used by user entries in the server, then searches fail.
LDAP Groups Container Naming Attribute | Defines the LDAP attribute used to distinguish the container holding the groups.
LDAP Groups Container Value | Specifies the value for the LDAP Groups Container Naming Attribute. If groups are not within a container (relative to the user), then these values should be blank.
LDAP group data attributes

Table 10-3: LDAP group data attributes

Attribute | Description
LDAP Groups Search Attribute | Contains the name of the attribute which holds the name of the group. This attribute value is used in searches for user groups.
LDAP Groups Search Filter | Be sure to validate that the LDAP Groups Search Filter is correct for the LDAP server. If the class specified is not applicable, update the filter with the correct objectclass name.
LDAP People Container Naming Attribute | Defines the LDAP attribute used to distinguish the container holding the people.
LDAP People Container Value | Specifies the value for that LDAP attribute. If people are not within a container (relative to the group), then these values should be blank.
LDAP Groups Attributes | Contains only attributes available with the LDAP server. Remove attributes that will never be part of a group entry.
Attribute Name for Group Membership | Specifies the attribute of the user which identifies the group to which the user belongs.
Attribute Name of Unique Member | The value of this field is used to map with the value from the Attribute Name of Unique Member field to form the user-group membership relationship.

Modifying an existing data store
To edit an already existing data store for the BmcRealm
1 Navigate to the Data Stores tab:
Access Control > BmcRealm link > Data Stores tab
2 Click the DSname link.
In this case, DSname is the name of the data store that you want to modify. After the link is selected, the configuration page for the data store is displayed.
3 Click Save.
NOTE
The BMC Atrium SSO server does not need to be rebooted after altering the configuration. After the alterations are committed, the changes take effect immediately.

Troubleshooting an external LDAP data store
Use the information in this section to help correct issues that might arise when configuring an external LDAP data store.
No users in User tab
If there are no users in the User tab:
1 Verify that the LDAP Users Search Filter field value is correct for the LDAP server. Specifically, the default filter must contain a class which is part of the LDAP structure.
2 If values were specified for the LDAP People Container Naming Attribute and LDAP People Container Value fields, remove those values (leave those fields blank).
No groups in Group tab
If there are no groups in the Group tab:
1 Check that the LDAP Groups Search Filter field value is correct (the class specified in the filter is used in the LDAP server).
2 Verify that the LDAP Groups Container Naming Attribute and LDAP Groups Container Value information are both correct. Alternatively, try blank values (no characters).
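The search-filter and container checks in sub-steps a to d above, the LDAP Users Search Filter and People Container rows of Tables 10-2 and 10-3, and the two troubleshooting lists just given all reduce to two questions: where does the user search start, and does the filter’s objectclass actually appear on the entries? The following Python example, added here and not BMC or OpenSSO code, simulates both offline against a constructed sample directory; the DNs, attribute values and filters are assumptions, not values from the product.

```python
# Offline simulation of the "No users in User tab" checks: build the search base
# from the LDAP Organization DN plus the People Container Naming Attribute/Value,
# then apply the LDAP Users Search Filter (equality, presence, '&', '|', '!').

# Constructed sample directory: users sit directly under the org DN and carry
# objectClass 'person' (not 'inetOrgPerson'); one group lives under ou=Groups.
SAMPLE_ENTRIES = {
    "uid=alice,dc=example,dc=com": {"uid": ["alice"], "objectclass": ["top", "person"]},
    "uid=bob,dc=example,dc=com": {"uid": ["bob"], "objectclass": ["top", "person"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {"cn": ["admins"], "objectclass": ["groupOfUniqueNames"]},
}

def search_base(org_dn, container_attr="", container_value=""):
    """Blank container fields mean the search starts at the Organization DN."""
    if container_attr and container_value:
        return f"{container_attr}={container_value},{org_dn}"
    return org_dn

def _split_terms(body):
    """Split '(a=1)(b=2)' into its top-level parenthesised terms."""
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms.append(body[start:i + 1])
    return terms

def matches(filt, attrs):
    """Evaluate an RFC 4515-style filter; names and values compare case-insensitively."""
    body = filt.strip()[1:-1]
    if body[0] == "&":
        return all(matches(t, attrs) for t in _split_terms(body[1:]))
    if body[0] == "|":
        return any(matches(t, attrs) for t in _split_terms(body[1:]))
    if body[0] == "!":
        return not matches(_split_terms(body[1:])[0], attrs)
    name, value = body.split("=", 1)
    values = [v.lower() for v in attrs.get(name.strip().lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def find_users(entries, org_dn, user_filter, container_attr="", container_value=""):
    """Return the DNs the data store would list on the User tab."""
    base = search_base(org_dn, container_attr, container_value).lower()
    return [dn for dn, attrs in entries.items() if matches(user_filter, attrs)
            and (dn.lower() == base or dn.lower().endswith("," + base))]
```

With the sample data, `(objectclass=inetOrgPerson)` returns no users (wrong class, troubleshooting step 1), `(objectclass=person)` with People Container `ou`/`People` returns no users (wrong container, step 2), and `(objectclass=person)` with blank container fields returns both users.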