Authenticating users with LDAP
Use the User authentication settings page to manage user authentication.
Before you begin
About this task
An LDAP realm identifies users and groups and defines rules how to search users and groups. When unknown users attempt to log on, an external LDAP server authenticates them by using the realm parameters that you configure. To configure an LDAP authentication realm, you identify the URL of the LDAP server, and define valid searches.
To create an LDAP realm, complete the following steps:
Procedure
- From the HCL™ Accelerate dashboard page, click .
- Click Configure LDAP.
- On the LDAP page, in the Name field, enter a name for the realm configuration. The value is an arbitrary label that does not affect the other settings.
- In the LDAP URL field, enter the URL of the LDAP server that you use for authentication. Separate multiple servers with commas. For example: ldap://ldap_server.my_domain.com:389,ldap://ldap_server.my_domain2.com:389
- Specify whether anonymous searches are allowed by completing one of the following options:
  - If the LDAP server allows anonymous searches, select Search Anonymously.
  - For authenticated searches, clear the Search Anonymously check box, and then enter the Bind DN and Bind credentials. HCL™ Accelerate uses these fields to authenticate users when it connects to the LDAP server. For example: cn=velocity,ou=applications,dc=mydomain,dc=com
- Optional: In the Scope when searching LDAP users area, specify a search scope by selecting one of the following options:
  - Subtree. Select this option when user entries are direct children of the Search base.
  - One level. Select this option if all user entries are direct grandchildren of the Search base.
  - Base. Select this option if user entries are two or more levels below the Search base.
  The scope is relative to the Search base entered in the next step. It is a good practice to make the scope as narrow as possible.
- In the Search base field, enter the user search base. This is the starting directory for the search, such as ou=employees,dc=mydomain,dc=com.
- In the Search filter field, enter the search filter. This is the LDAP filter expression that is used when searching for user entries. The user name replaces the {{username}} variable in the search pattern, for example, uid={{username}}. If the value is not part of the DN pattern, enclose the value in parentheses, for example, (mail={{username}}). For more information, see the help for your LDAP server and look for information about creating user search filters.
- Optional: In the Bind property field, enter a search expression. This is the name of the LDAP attribute that contains the Bind DN specified earlier. The default value is dn.
- Optional: In the Name attribute field, enter the LDAP user name attribute. This is the name of the LDAP attribute that contains the user's full name. Examples are cn and displayName.
- In the Email attribute field, enter the user email address attribute. This is the name of the LDAP attribute that contains the user's email address. For example: mail.
- In the Role definition area, specify a role by completing the following options:
  - In the Group search base field, enter the directory that is used for group searches. For example: ou=employees,dc=mydomain,dc=com
  - In the Group name attribute field, enter the name of the attribute that contains the users' group names in the directory entries that are returned by the group search. If this attribute is not specified, no group search runs. For example: cn.
  - Select the Search group subtree check box to search subtrees (if any). If it is not selected, the search is limited to the Group search base.
- Click Save.
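As an added example (not HCL Accelerate code), the following Python shows how a realm's Search filter template such as uid={{username}} or (mail={{username}}) is rendered for a login name, escaping the name according to RFC 4515 so that filter metacharacters in it are matched literally rather than altering the search; the function names and the wrapping of bare attr=value templates are assumptions for illustration.

```python
# Added example: render a realm's user Search filter for a login name.
# Not HCL Accelerate code; function names and behaviour are assumptions.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value so they are compared literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute {{username}} in the realm's filter template.

    The user name is escaped first; a template written as a bare
    "attr={{username}}" is wrapped in parentheses so the result is one
    complete LDAP filter, while "(mail={{username}})" is used as written.
    """
    if "{{username}}" not in template:
        raise ValueError("filter template must contain {{username}}")
    rendered = template.replace("{{username}}", escape_filter_value(username))
    if not rendered.startswith("("):
        rendered = f"({rendered})"
    return rendered


if __name__ == "__main__":
    # Constructed sample inputs: two realm templates and two login names.
    print(build_user_filter("uid={{username}}", "jdoe"))
    print(build_user_filter("(mail={{username}})", "smith (contractor)"))
```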
Results
The first time an unknown user attempts to log on, the LDAP authentication realms are searched in an attempt to identify the user. If the user is found, a corresponding user ID is created in HCL™ Accelerate. In addition, if the user is a member of an LDAP group, that group is imported too.
When new users log on to the server with their LDAP credentials, they are listed on the Users page. In most cases, do not manage these users' passwords or remove them from the list: if an active user is removed, they can still log on to the server while their LDAP credentials are valid.