Configure the LDAP Session Provider
1. In the left pane of LifeCycle Manager, locate the LDAPSessionProvider application within the grid where you installed it.
2. Right-click the LDAPSessionProvider application and select Configure Session Provider.
   If this is the first time that you are configuring the session provider, the Server Connection window appears. If you have entered configuration information previously, the LDAP Session Provider Editor page appears in the right pane of LifeCycle Manager. This page has several tabs where you configure different aspects of the session provider.
3. On the Server Connection window or Connection tab, enter the following:
   - Primary Server: The host name of the primary LDAP server.
   - Port: The port the LDAP service is listening on. Unless your environment is unusual, leave it undefined and the correct default (389 or 636) is used.
   - Encryption method: Select "Use StartTLS extension", "Use SSL Encryption (ldaps://)", or "No encryption". The default is "Use StartTLS extension".
     The "Use StartTLS extension" and "Use SSL Encryption (ldaps://)" methods allow the password to be sent securely. Both use the SSL/TLS protocol to secure the transmission. The main difference is that ldaps:// encrypts the entire conversation, while StartTLS only encrypts the transmission of sensitive data (such as the password). This means that StartTLS is much faster and less demanding of resources. For those reasons, it is the default setting for a new connection.
     The certificates needed for successful communication are saved automatically by the configuration editor.
     Click Validate to check whether the configuration editor can connect to the LDAP server. Depending on the encryption method you selected, you may need to respond to a Certificate Trust dialog box.
     This dialog box is displayed at different points depending on whether you are configuring StartTLS or LDAPS. When a StartTLS connection is used, the Certificate Trust dialog box is displayed when you click Validate in the Connection window or tab (step 3). When LDAPS is used, the Certificate Trust dialog box is displayed when you click Validate in the Authentication & Search Base window or tab (step 4). You have to select "Always trust this certificate" for the LDAP Session Provider to be able to connect to the LDAP server.
   - Secondary servers: Optionally, you can add secondary servers for fail-over purposes. For more information, see Add a secondary server.
   Click Next on the Server Connection window or click Save on the LDAP Session Provider Editor page.
4. On the Authentication & Search Base window or tab, enter the following:
   - Username: The user name or DN to bind with. This is the user that connects to the LDAP server and searches for the users being validated. It must be a fully qualified name in the form "cn=User,ou=Users,dc=corp,dc=example,dc=com"; in an Active Directory environment, "User@corp.example.com" also works.
   - Password: The password to bind with.
     Click Validate to confirm that the user name and password are correct.
   - Search base: LDAP location to be added to the connection URL in searches, for example, dc=corp,dc=example,dc=com. You can click Lookup to list all possible bases.
   Click Next on the Authentication & Search Base window or click Save on the LDAP Session Provider Editor page.
5. On the User Element Mapping window or tab, configure the user element mapping. Two configuration modes are available. Simple Search offers a basic configuration that is sufficient in most cases. Advanced Search lets you supply a complete user search filter. Most of the configuration elements are common to both modes.
   Enter the following:
   - Base Locations: Base locations in the LDAP tree where the users are found, relative to the search base (for example, "ou=Users"). Multiple base locations can be added if you have users located in more than one part of the LDAP tree. Click Add on the right and browse to the preferred part of the LDAP tree. Select a Base DN location from the list and click Remove to delete it from the list.
   - User Scope: Select Sub-tree or leave the check box clear. If Sub-tree is selected, the search covers the Base DN and everything below it, rather than just the base locations. In most cases, Sub-tree should be selected. The User Scope setting is identical for all configured base locations.
   - User ID Attribute: LDAP attribute containing the user ID. Default value: cn. The default is used if no value is entered. The User ID Attribute setting is identical for all configured base locations.
   - Simple Search: For the simple search, only the object class the users belong to needs to be configured.
     - Object Class: LDAP class for user objects. Default value: user. The default is used if no value is entered. The Object Class setting is identical for all configured base locations.
   - Advanced Search: With an advanced search, the complete user search filter can be supplied. When switching from simple to advanced, a proposed example filter is provided based on the values in Object Class and User ID Attribute.
     - Filter: A user search filter can be entered in the text field that is enabled when Advanced Search is selected. If a filter is entered, the Object Class property is no longer used and that field is disabled. Enter %USER% in the filter where the name of the user who is logging in, or the user name being searched for, should be substituted. A typical filter looks like this:
       (&(objectClass=user)(sAMAccountName=%USER%))
       The Filter setting is identical for all configured base locations.
   - Strip domain: If this option is selected, the domain information in the provided user names is removed before the login is made. Do not select this option in configurations where the domain information must be kept for login.
   Click Validate to confirm that a search can return a list of users. The validation tests each of the base locations provided above. If no base location is provided, the relative search base is used for validation. The validation shows an example result for each base location.
   Click Next on the User Element Mapping window or click Save on the LDAP Session Provider Editor page.
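The Filter and Strip domain settings above both act on the name a user types at login before it is placed into the search filter. The following is an added example, not code from LifeCycle Manager or its session provider, showing what that substitution looks like when the login name is escaped according to RFC 4515 and, optionally, stripped of its DOMAIN\ or @domain decoration first. The page does not say how the product itself performs the substitution; the template, the function names and the sample logins (including the one containing filter metacharacters) are constructed for this example. A raw substitution is included purely for contrast: it shows why the value must be escaped before a filter built from user input is sent to the directory.

```python
# Added example (not LifeCycle Manager code): building the user search filter
# from a %USER% template with RFC 4515 escaping and optional domain stripping.

# Characters that carry meaning inside an LDAP search filter (RFC 4515, section 3).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed template in the same form as the page's typical filter.
TEMPLATE = "(&(objectClass=user)(sAMAccountName=%USER%))"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_domain(login: str) -> str:
    """Remove DOMAIN\\user or user@domain decoration, as the Strip domain option does."""
    if "\\" in login:
        login = login.rsplit("\\", 1)[1]
    if "@" in login:
        login = login.split("@", 1)[0]
    return login


def build_user_filter(template: str, login: str, strip: bool = False) -> str:
    """Substitute the login name for %USER%, escaping it first."""
    name = strip_domain(login) if strip else login
    return template.replace("%USER%", escape_filter_value(name))


def build_user_filter_unescaped(template: str, login: str) -> str:
    """Raw substitution, shown only to contrast with the escaped version."""
    return template.replace("%USER%", login)


if __name__ == "__main__":
    # Constructed sample logins, the last one containing filter metacharacters.
    for login in ("alice", "CORP\\alice", "alice@corp.example.com", "*)(objectClass=*"):
        print(f"{login!r:28} -> {build_user_filter(TEMPLATE, login, strip=True)}")
```

With Strip domain off, `CORP\alice` is escaped to `CORP\5calice` and matched literally, which is what you want when the directory really stores the backslash; with it on, only `alice` is searched for. The metacharacter login becomes `\2a\29\28objectClass=\2a` after escaping and matches no real account, whereas the unescaped variant turns the filter into `(&(objectClass=user)(sAMAccountName=*)(objectClass=*))`, which is why a validation run against the Filter setting should include names with `*`, `(`, `)` and `\` in them.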
6. On the Group Element Mapping window or tab, enter the following:
   - Base Locations: Base location in the LDAP tree where the groups are found, relative to the search base (for example, "ou=Groups"). For performance reasons, it is best to specify the most specific Base DN possible, because the search must find and map all groups under the Base DN in order to determine which groups a user is a member of. Note that the LDAP session provider can only find groups that users are direct members of. You therefore cannot use groups within groups.
     You can add multiple Base DNs if you have groups located in more than one part of the LDAP tree. Click Add on the right and browse to the preferred part of the LDAP tree. Select a Base DN from the list and click Remove to delete it from the list.
   - Object Class: LDAP class for group objects. Default value: group. The default is used if no value is entered. The Object Class setting is identical for all configured base locations.
   - Group Member Attribute: LDAP attribute containing group id. Default value: member. The default is used if no value is entered. The Group Member Attribute setting is identical for all configured base locations.
   - Group Scope: Select Subtree or leave the check box clear. The default is to leave the check box clear. If Subtree is selected, the search covers the Base DN and everything below it, rather than just the Base DN. In most cases, Subtree should be selected. The Group Scope setting is identical for all configured base locations.
   - Search nested groups: Check this box if the user role membership resolver should expand nested groups, that is, groups of which a user is an implicit member because the user belongs to a group contained in that group.
   Click Validate to confirm that a search can return groups. The validation tests each of the group mapping base locations provided above. If no base location is provided, the relative search base is used for validation. The validation shows the result for each base location.
7. Click Next on the Group Element Mapping window.
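The Base Locations, Group Scope and Search nested groups settings above decide which groups the resolver examines and whether membership is followed through intermediate groups. The following is an added example, not LifeCycle Manager's own resolver, that models those three settings over a small in-memory directory constructed for the purpose: every group DN, member list, user DN and base DN in it is made up. It shows why the page recommends the most specific Base DN (every group in scope is inspected for each lookup), what the Subtree check box changes, and how a nested lookup has to guard against groups that list each other as members.

```python
# Added example (not LifeCycle Manager's resolver): resolving a user's groups over a
# constructed in-memory directory, honouring the Base DN, Subtree and
# "Search nested groups" settings described above.
from collections import deque

# Constructed sample: group DN -> values of its "member" attribute (member DNs).
GROUPS = {
    "cn=all-staff,ou=Groups,dc=corp,dc=example,dc=com": [
        "cn=engineering,ou=Groups,dc=corp,dc=example,dc=com",
        "cn=bob,ou=Users,dc=corp,dc=example,dc=com",
    ],
    "cn=engineering,ou=Groups,dc=corp,dc=example,dc=com": [
        "cn=alice,ou=Users,dc=corp,dc=example,dc=com",
        "cn=platform,ou=Groups,dc=corp,dc=example,dc=com",
    ],
    "cn=platform,ou=Groups,dc=corp,dc=example,dc=com": [
        "cn=alice,ou=Users,dc=corp,dc=example,dc=com",
        # Constructed cycle: platform lists engineering while engineering lists platform.
        "cn=engineering,ou=Groups,dc=corp,dc=example,dc=com",
    ],
    "cn=admins,ou=Admin,dc=corp,dc=example,dc=com": [
        "cn=alice,ou=Users,dc=corp,dc=example,dc=com",
    ],
}

ALICE = "cn=alice,ou=Users,dc=corp,dc=example,dc=com"
BOB = "cn=bob,ou=Users,dc=corp,dc=example,dc=com"


def in_scope(dn: str, base_dn: str, subtree: bool) -> bool:
    """Is dn inside the search scope? Subtree: any depth below base_dn; otherwise
    only direct children. DN comparison is case-insensitive. The sample DNs contain
    no escaped commas, so splitting on ',' is sufficient for this example."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if subtree:
        return dn.endswith("," + base_dn)
    parts = dn.split(",", 1)
    return len(parts) == 2 and parts[1] == base_dn


def direct_groups(member_dn: str, base_dn: str, subtree: bool) -> list[str]:
    """Groups under base_dn whose member attribute lists member_dn, i.e. what a
    search like (&(objectClass=group)(member=<dn>)) would return. Every group in
    scope is examined, which is why a narrow Base DN keeps lookups cheap."""
    wanted = member_dn.lower()
    return sorted(
        group for group, members in GROUPS.items()
        if in_scope(group, base_dn, subtree)
        and any(m.lower() == wanted for m in members)
    )


def resolve_groups(user_dn: str, base_dn: str, subtree: bool = True,
                   nested: bool = False) -> list[str]:
    """Direct groups of user_dn; with nested=True, also the groups those groups
    belong to, transitively. The visited set stops cycles from looping forever."""
    found = direct_groups(user_dn, base_dn, subtree)
    if not nested:
        return found
    seen = set(found)
    queue = deque(found)
    while queue:
        group = queue.popleft()
        for parent in direct_groups(group, base_dn, subtree):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sorted(seen)


if __name__ == "__main__":
    base = "ou=Groups,dc=corp,dc=example,dc=com"
    print("direct:", resolve_groups(ALICE, base))
    print("nested:", resolve_groups(ALICE, base, nested=True))
```

With the base set to `ou=Groups,...` the `admins` group under `ou=Admin` is never seen, so a role mapped to it would not apply; widening the base to `dc=corp,...` with Subtree on finds it, at the cost of scanning every group in the directory. With Subtree off and the base at `dc=corp,...`, no groups are found at all, because none of them are direct children of the base. The nested lookup returns `all-staff` for alice even though she is only a member of it through `engineering`, and terminates despite the `engineering`/`platform` cycle.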
8. On the User Display Name window, provide the attributes to be used as the user display name.
   - Display-name attributes: A space-separated list of LDAP attributes used to determine the user display name.
   Click Finish on the User Display Name window and then click Save on the LDAP Session Provider Editor page.
9. After you have configured the LDAP session provider, you can set up role mapping for securing users.