Create an LDAP Authentication Server
If you are authenticating with LDAP over SSL, you must first import the LDAP server's certificate into the application server.
To create a new LDAP authentication server, complete the following steps.
Some fields on the page are already populated with recommended settings.
- On the toolbar, click Access > Authentication Servers.
- Click Create and then select LDAP.
General Properties
- In the Name box, type a unique name that identifies this authentication server.
- The Enabled check box is selected by default. This means that the server will be active.
- In the Host box, type either an IP address or a DNS name. Note: if you enter a DNS name, the system uses the DNS name rather than the IP address.
- In the Port box, type the port on which the remote server is listening. The default port for LDAP is 389 and for LDAP over SSL is 636.
- Select an Encryption type from the list.
- None
- TLS/SSL
- TLS/SSL Without Certificate Verification
- StartTLS
- StartTLS Without Certificate Verification
- In the Server Retries box, type the number of attempts that will be made to contact the remote server. The default is 3.
- In the Server Timeout (seconds) box, type the number of seconds to wait for a response from the remote server. The default is set to 10 seconds.
LDAP
General Schema Settings
- In the Base Distinguished Name box, type the root of the directory tree from which to perform user and group searches. This value will be appended to the User Search Base and Group Search Base fields. If this field is empty, the full Base DN should be specified in User Search Base and Group Search Base.
- In the Bind Distinguished Name box, type the administrative account that has permission to perform searches on the remote authentication server. If not specified, the LDAP server must allow anonymous binding.
- In the Bind Password box, type the administrative account password.
- In the Re-enter Bind Password box, type the administrative account password again.
User Schema Settings
- In the User Search Base box, type the location in the directory tree from which user searches are performed. If the Base Distinguished Name is empty, this entry should be the full directory path; otherwise, this is a relative path and is prepended to the Base Distinguished Name.
- In the User Search Filter box, type the LDAP search query to be used for finding the authenticating user. The authenticating user name will be substituted for the placeholder string "{0}".
- In the First Name Attribute box, type the name of the LDAP attribute that holds the user's first name. When a user is found in LDAP, the attribute with this name is used to obtain the first name, which is then used to populate the SecMgr database; if set to an empty string, the corresponding user field is not populated in the SecMgr database.
- In the Last Name Attribute box, type the name of the LDAP attribute that holds the user's last name. When a user is found in LDAP, the attribute with this name is used to obtain the last name, which is then used to populate the SecMgr database; if set to an empty string, the corresponding user field is not populated in the SecMgr database.
- In the Email Attribute box, type the name of the LDAP attribute that holds the user's email address. When a user is found in LDAP, the attribute with this name is used to obtain the email address, which is then used to populate the SecMgr database; if set to an empty string, the corresponding user field is not populated in the SecMgr database.
Group Schema Settings
- In the Group Search Base box, type the location in the directory tree from which group searches are performed. If the Base Distinguished Name is empty, this entry should be the full directory path; otherwise, this is a relative path and is prepended to the Base Distinguished Name.
- In the Group Search Filter box, type the LDAP search query to be used for finding user groups. The returned user groups can then be mapped to Security Manager groups on the User Group administration screen. Additionally, if the Group Members Attribute is set, this filter is used to obtain the authenticating user's potential groups.
- Select the Search Subtree check box if you want the search to descend through the entire subtree below the search base rather than only its immediate level. If there are a large number of groups and/or a deep hierarchy, subtree searches may not perform as efficiently as a single-level search.
Group Membership Settings
- The Group Members Attribute box is an optional attribute on the groups returned via the Group Search Filter that indicates the members of the group. It is recommended that, when possible, the User Membership Attribute be used instead for better performance.
- The User Membership Attribute box is an optional attribute on the user entry that indicates the group membership of the authenticating user. Not all LDAP servers support this, but when they do, it is recommended to use it rather than the Group Members Attribute for better performance.
- Click Test to verify that the LDAP server has been set up correctly.
- Click Save.
- You can now add a User Group Mapping.
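The following worked example, added here and not part of the product's own code, shows how the User Schema and Group Membership fields above fit together: how a relative User Search Base or Group Search Base is combined with the Base Distinguished Name, how the "{0}" placeholder in the User Search Filter is replaced with the login name (escaped per RFC 4515 so that characters such as "*" or ")" in the typed name cannot change the meaning of the query), how Search Subtree changes what a search finds, and the difference between resolving groups through the User Membership Attribute versus the Group Members Attribute. The form values, the in-memory directory standing in for the LDAP server, and the minimal filter evaluator are all constructed for illustration; the attribute names (uid, member, memberOf) are common choices, not values the page prescribes.

```python
import re

# --- Values an administrator would type into the form (constructed) ---------
CONFIG = {
    "base_dn": "dc=example,dc=com",
    "user_search_base": "ou=people",           # relative: Base DN is appended
    "user_search_filter": "(&(objectClass=person)(uid={0}))",
    "group_search_base": "ou=groups",
    "group_search_filter": "(objectClass=groupOfNames)",
    "search_subtree": True,
    "group_members_attribute": "member",       # attribute on the group entry
    "user_membership_attribute": "memberOf",   # attribute on the user entry
}

# --- A tiny in-memory directory standing in for the LDAP server (constructed)
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=contractors,ou=people,dc=example,dc=com"   # one level deeper
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"
DEVS = "cn=devs,ou=groups,dc=example,dc=com"
DIRECTORY = {  # attribute names are stored lower-cased
    ALICE: {"objectclass": ["person"], "uid": ["alice"], "memberof": [ADMINS, DEVS]},
    BOB: {"objectclass": ["person"], "uid": ["bob"], "memberof": [DEVS]},
    ADMINS: {"objectclass": ["groupOfNames"], "member": [ALICE]},
    DEVS: {"objectclass": ["groupOfNames"], "member": [ALICE, BOB]},
}

# RFC 4515 escaping for a value substituted into a filter. The login name
# replaces "{0}" in the User Search Filter, so it must be escaped; otherwise a
# typed name containing "*" or ")" would alter the query itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def effective_base(base_dn: str, search_base: str) -> str:
    """Base DN is appended to the User/Group Search Base; either may be empty."""
    return ",".join(p for p in (search_base.strip(), base_dn.strip()) if p)


def build_user_filter(template: str, username: str) -> str:
    return template.replace("{0}", escape_filter_value(username))


def _unescape(s: str) -> str:
    """Turn RFC 4515 hex escapes (\\2a etc.) back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _split_top(s: str) -> list:
    """Split '(a=b)(c=d)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry: dict, flt: str) -> bool:
    """Minimal filter evaluator: equality with '*' wildcards plus '&' / '|'."""
    inner = flt.strip()[1:-1]
    if inner[0] in "&|":
        results = [matches(entry, sub) for sub in _split_top(inner[1:])]
        return all(results) if inner[0] == "&" else any(results)
    attr, _, pattern = inner.partition("=")
    # Bare '*' is a wildcard; escaped '\2a' is a literal asterisk.
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in entry.get(attr.lower(), []))


def search(directory: dict, base: str, flt: str, subtree: bool) -> list:
    """Return DNs under `base` matching `flt`; one-level scope unless subtree."""
    hits = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        if not subtree and "," in dn[:-len(base) - 1]:
            continue   # not a direct child of the base, so out of scope
        if matches(attrs, flt):
            hits.append(dn)
    return hits


def find_user(directory: dict, cfg: dict, username: str):
    """Locate the authenticating user; zero or several matches means failure."""
    base = effective_base(cfg["base_dn"], cfg["user_search_base"])
    flt = build_user_filter(cfg["user_search_filter"], username)
    hits = search(directory, base, flt, cfg["search_subtree"])
    return hits[0] if len(hits) == 1 else None


def groups_for(directory: dict, cfg: dict, user_dn: str) -> list:
    """Resolve groups via the user entry (preferred) or via the group entries."""
    if cfg.get("user_membership_attribute"):
        # One read of the user's own entry, no group search needed.
        return sorted(directory[user_dn].get(cfg["user_membership_attribute"].lower(), []))
    # Otherwise run the Group Search Filter and keep groups listing this user.
    base = effective_base(cfg["base_dn"], cfg["group_search_base"])
    flt = "(&%s(%s=%s))" % (cfg["group_search_filter"],
                            cfg["group_members_attribute"], escape_filter_value(user_dn))
    return sorted(search(directory, base, flt, cfg["search_subtree"]))


if __name__ == "__main__":
    dn = find_user(DIRECTORY, CONFIG, "alice")
    print(dn, groups_for(DIRECTORY, CONFIG, dn))
```

Running the script resolves alice to her DN and lists both of her groups. With Search Subtree cleared, a user one level below the User Search Base (bob in the constructed data) is no longer found, which is the usual reason a Test succeeds for some accounts but not others. Because the login name is escaped before substitution, typing "*" as the user name matches no entry, whereas the unescaped filter "(uid=*)" would match every user under the search base.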