Chapter 5 Using LDAP for authentication

The following topics are provided:
• Setting up LDAP to use for authentication (page 46)
• Configuring the LDAP module (page 46)
Setting up LDAP to use for authentication
BMC Atrium SSO provides support for using external Lightweight Directory Access Protocol (LDAP) servers for authentication.
To set up LDAP to use for authentication
1 Configure the LDAP module.
2 If you enabled SSL Access to LDAP Server on the LDAP configuration page, import the certificates and restart the Tomcat server before enabling LDAP authentication. See “Using CA certificates” for more information.
3 Enable LDAP authentication.
Configuring the LDAP module
The configuration and use of the LDAP module is described for a single BMC Atrium SSO server. By default, a single LDAP module is created and configured as part of the LDAP chain. The LDAP module must be configured for the enterprise environment.
To configure the LDAP module
1 Navigate to the Authentication tab:
  Access Control > BmcRealm link > Authentication
2 Click the Module Instances link.
3 Click the LDAP link.
4 Enter your LDAP configuration parameters and click Save.
LDAP configuration parameters
LDAP configuration parameters are entered on the LDAP Realm Attributes page. The LDAP page has the following options:
• Save to save your modifications.
• Reset to remove your modifications and stay on the LDAP page.
• Back to Authentication to navigate back to the Authentication tab.
Chapter 5 Using LDAP for authentication 47 Configuring the LDAP module
Table 5-1: LDAP module parameters

Primary LDAP Server (Required)
  Enter the host's Fully Qualified Domain Name (FQDN) for the primary LDAP server.
  If the LDAP server is not listening on the default port (389), suffix the host name value with a colon (:) and the port number that the LDAP server is using: <host name value (FQDN)>:<port>

Secondary LDAP Server
  The secondary LDAP server is only used when the primary server is not available. It is not used in parallel or when a user fails to authenticate with the primary server.
  If the secondary server is not listening on the default LDAP port, suffix the host name with a colon (:) and the port that is being used: <host name value (FQDN)>:<port>
  The amount of time that the server uses the secondary server before attempting to re-connect with the primary server can be configured (see LDAP Server Check Interval).

DN to Start User Search
  Enter the starting locations within the LDAP directory for performing user searches. For each starting point, enter the login name (DN).
  The search DNs should be as specific as possible for performance reasons. The depth of the search that is performed can be configured (see Search Scope). If an OBJECT search is specified, then the DN should be the DN of the node containing the users.

DN for Root User Bind (Required)
  The DN is the login name that is used to connect to the LDAP server. A root user must have privileges to perform searches on the primary and secondary LDAP servers.
  Enter the DN for the root user, the password, and the password confirmation.

Attributes Used to Retrieve User Profile
  Attributes can be specified to retrieve user profiles.

Attributes Used to Search for a User to be Authenticated (Required)
  Attributes are used to identify the DN to be used for authentication within the LDAP servers. The attributes specified are used to search for the DN of the user to be authenticated.
  Enter an attribute that identifies user names in the LDAP servers. The default attribute is uid, but if a different value is used (such as givenname), then update this value to the environment-specific attribute.
  More than one attribute can be used to uniquely identify a user. For example, along with a unique user ID, the user's phone number or e-mail address could also be used. In this way, users could authenticate with their phone numbers or e-mail addresses instead of relying solely upon a user ID.

User Search Filter
  The attribute-value pairs further refine the user search for authentication. This field can be left blank (default).

Search Scope (Required)
  The Search Scope determines the level at which the LDAP directory is searched for users to authenticate. A search scope level must be selected.
  • OBJECT searches the contents of the nodes specified in the search list.
  • ONELEVEL searches the specified nodes and one level below.
  • SUBTREE searches the specified nodes and all sub-levels (default).

SSL Access to LDAP Server
  Enable the SSL Access to LDAP Server field to use SSL to connect to the LDAP servers.
  In addition, before communications can be established, the certificates for the LDAP servers (primary and secondary) must be loaded into the JVM truststore and the BMC Atrium SSO Tomcat truststore.
  If client authentication is required, the BMC Atrium SSO server's certificate might need to be imported into the LDAP server's truststore. For more information on the default truststore location, see Locating the keystore and truststores (page 38).
  If you are using CA signed certificates for all servers, then the root certificate, and any intermediate signer certificates, can be used to complete the trust relationships instead of the servers' certificates.
  Note: BMC recommends that the certificates be configured before enabling LDAP authentication. See "Using CA certificates" for more information.

Return User DN To DataStore
  If the external LDAP server uses the same structure as the internal data store, enable Return User DN To DataStore. This condition is atypical, so this option is normally not checked.

LDAP Server Check Interval
  When the primary LDAP server is unavailable, authentication is switched to the secondary LDAP server. The interval specifies the delay before the primary LDAP server is re-checked for availability.
  Enter the number of minutes before the primary LDAP status is re-checked. The default is 15 minutes.
  Note: If the interval value is too low, performance issues occur because BMC Atrium SSO continuously (and unsuccessfully) tries to reconnect.

User Creation Attribute
  User creation attributes allow attributes from the external LDAP servers to be provided as attributes from the internal data store. By defining the mappings, user account data (such as telephone numbers or e-mail addresses) can be provided to BMC products.
  The attribute mapping is created with an internal attribute, a vertical bar (|), and then the external attribute.
  The following internal attributes are available for mapping:
  • Email: The user's e-mail address
  • Phonenumber: The user's phone number
  • Address: The user's mailing address
  • Firstname: The first name of the user
  • Lastname: The last name of the user
  • Fullname: The full name of the user, usually including middle initial

Authentication Level
  BMC Atrium SSO does not employ authentication levels.
  Note: Do not change the Authentication Level (the default is 0) for the LDAP module.

Enabling LDAP authentication

After the LDAP module is configured, specify that the LDAP module is to be used for authentication. This task involves specifying LDAP Chain as the organizational choice for authentication.

NOTE
Configure only the BmcRealm to use external LDAP servers.

IMPORTANT
If you enabled SSL Access to LDAP Server on the LDAP module configuration page, import the certificates and restart the Tomcat server. See "Using CA certificates" for more information.

To configure LDAP realm authentication
1 On the Authentication tab for the BmcRealm, click All Core Settings.
  A new page is displayed. At the top of this new page is a series of radio buttons. The buttons are used to select how the user profile is handled when a user is authenticated.
2 In the User Profile field, click either Dynamic or Ignored.
  • Dynamic specifies that a local SSO user profile is created after a successful authentication, if it does not already exist.
  • Dynamic with User Alias specifies that a local SSO user profile and user alias are created for each successful authentication.
  • Ignored specifies that no local SSO user profile is created or required for authentication.
  • Required specifies that a local SSO user profile with the same user ID is required for authentication to be successful.
3 Click Save.
4 Click Back to Authentication.
5 On the BmcRealm Authentication page, select LDAP Chain from the Organization Authentication Configuration drop-down menu.
6 On the BmcRealm Authentication page, select LDAP Chain from the Administrator Authentication Configuration drop-down menu.
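The following script is an added example, not part of the BMC documentation or the product's own code. It models how the values entered in Table 5-1 (server host:port, root bind DN, search base DN, search attributes, user search filter, search scope, check interval, and the internal|external attribute mappings) combine into the LDAP bind and user search the module has to perform, and renders the equivalent ldapsearch command so an administrator can confirm the root bind DN can actually find a test user before saving the form. All server names, DNs and attribute values are constructed sample data; the RFC 4515 filter escaping is standard LDAP practice applied here to the login value, and the page does not say how the product itself builds its filter, so the exact filter shape (OR of the search attributes ANDed with the user search filter) is an assumption.

```python
"""Offline check of LDAP module settings (added example, not BMC code)."""

DEFAULT_PORT = 389       # plain LDAP default, as Table 5-1 states
DEFAULT_SSL_PORT = 636   # assumed LDAPS default when SSL access is enabled

# Table 5-1 scope names mapped to the OpenLDAP ldapsearch -s values
SCOPES = {"OBJECT": "base", "ONELEVEL": "one", "SUBTREE": "sub"}

# Internal attributes Table 5-1 lists for the User Creation Attribute field
INTERNAL_ATTRS = {"Email", "Phonenumber", "Address", "Firstname", "Lastname", "Fullname"}

SAMPLE_CONFIG = {  # constructed sample values, not a real environment
    "primary": "ldap1.example.com",
    "secondary": "ldap2.example.com:10389",
    "ssl": False,
    "bind_dn": "cn=sso-bind,ou=service,dc=example,dc=com",
    "search_base": "ou=people,dc=example,dc=com",
    "search_attrs": ["uid", "mail"],
    "user_filter": "objectClass=inetOrgPerson",
    "scope": "SUBTREE",
    "check_interval": 15,
}


def parse_server(value, use_ssl=False):
    """Split '<host>:<port>' into (host, port); apply the default port if none is given.
    Bare IPv6 literals are not handled (the table documents FQDNs only)."""
    host, sep, port = value.strip().rpartition(":")
    if not sep:
        return value.strip(), (DEFAULT_SSL_PORT if use_ssl else DEFAULT_PORT)
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in {value!r}")
    return host, int(port)


def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_user_filter(login, search_attrs, extra_filter=""):
    """Filter for the user lookup: any configured search attribute equals the login,
    ANDed with the optional User Search Filter (assumed to be a plain LDAP filter)."""
    if not search_attrs:
        raise ValueError("at least one search attribute is required")
    login = escape_filter_value(login)
    clauses = "".join(f"({attr}={login})" for attr in search_attrs)
    user_part = clauses if len(search_attrs) == 1 else f"(|{clauses})"
    extra = extra_filter.strip()
    if not extra:
        return user_part
    if not extra.startswith("("):
        extra = f"({extra})"
    return f"(&{user_part}{extra})"


def parse_attribute_mappings(lines):
    """Parse 'Internal|external' lines from the User Creation Attribute field."""
    mappings = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.count("|") != 1:
            raise ValueError(f"mapping {line!r} must be 'internal|external'")
        internal, external = (part.strip() for part in line.split("|"))
        if internal not in INTERNAL_ATTRS:
            raise ValueError(f"unknown internal attribute {internal!r}")
        mappings[internal] = external
    return mappings


def validate(config):
    """Warnings for settings Table 5-1 calls out: a too-low check interval and a
    secondary server that is really the primary (no failover)."""
    warnings = []
    if config["check_interval"] < 15:
        warnings.append("check interval below the 15 minute default; failed reconnects may hurt performance")
    if config.get("secondary") and parse_server(config["secondary"], config["ssl"]) == \
            parse_server(config["primary"], config["ssl"]):
        warnings.append("secondary server is identical to the primary; failover is ineffective")
    return warnings


def ldapsearch_command(config, login):
    """Render the ldapsearch call that reproduces the module's user lookup
    using the root bind DN (-W prompts for its password)."""
    host, port = parse_server(config["primary"], config["ssl"])
    scheme = "ldaps" if config["ssl"] else "ldap"
    filt = build_user_filter(login, config["search_attrs"], config.get("user_filter", ""))
    return (f"ldapsearch -H {scheme}://{host}:{port} -D '{config['bind_dn']}' -W "
            f"-b '{config['search_base']}' -s {SCOPES[config['scope']]} '{filt}' dn")


if __name__ == "__main__":
    for warning in validate(SAMPLE_CONFIG):
        print("WARNING:", warning)
    print(parse_attribute_mappings(["Email|mail", "Phonenumber|telephoneNumber"]))
    print(ldapsearch_command(SAMPLE_CONFIG, "alice"))
```

Run the printed ldapsearch command from the BMC Atrium SSO host: if it returns exactly one DN for a known user, the bind DN, search base, attributes and scope are consistent before you save them in the module; if the root user cannot bind or sees no entries, the failure is in the directory permissions or the DN values, not in the SSO configuration.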