Configuring LDAP authentication

You can configure LDAP authentication at initial setup, or from the Settings area of the browser interface as follows:

  • While in the setup wizard, at Step 2: Specify or Discover Devices to Monitor, click LDAP Setup (located at the bottom right of the wizard panel).
  • From the interface, select ADVANCED > LDAP and click Add.

The first panel (Add LDAP Servers) of the LDAP Configuration wizard appears.

Figure 30. LDAP Configuration Wizard (Add LDAP Servers)
  1. Enter information and make selections:
    • Host- Enter the host name or IP address of an Active Directory global catalog server (for Active Directory authentication) or the host name or IP address of an LDAP server (for Other LDAP server types).
    • Port- Optionally, change the server port number. By default, the port number is 389.
    • SSL- Select if using SSL. When you select this option, the default port number adjusts to 636.
    • Skip cert verification?- If you are using a self-signed certificate, select this check box to skip its verification. Requires OpenLDAP 2.4 or higher.
  2. To add another LDAP server, click Add Server. To remove a server from the list, click Remove.
  3. In the Manager Credentials area, provide the following information:
    • Server Type- Select a server type (Active Directory or Other LDAP).
    • Manager DN- Enter the distinguished name of a user in the domain administrators group. For example, a DN under the users base DN:
      cn=admin,cn=users,dc=example,dc=com
    • Manager Password- Enter the password for the Manager DN.
  4. To ensure that your setup is valid, click Validate.
  5. Click Next. The second panel (Configure LDAP Plugin) of the LDAP Configuration wizard appears.
    Figure 31. LDAP Configuration Wizard (Configure LDAP Plugin)
  6. Provide the following information:
    • Login Name Attribute- Select the LDAP record attribute used as the user name.
    • Users Base DN- Enter the user's base distinguished name. For example, if your domain is ad.example.com, then your user's base DN might be:
      dc=Users,dc=example,dc=com
    • Groups Base DN- Enter the DN for the branch of your LDAP database that contains group records. These group records are of the LDAP class "groupOfUniqueNames," and the entry CN attribute constitutes the group name.
    • User Filter- Specify a free-form LDAP filter expression to be added to the default user search filter. The default user search filter and this additional search filter are combined as an AND expression. Records must satisfy both filters to be found using the various user searches. Any value specified in this field must follow correct LDAP search filter syntax.
    • Group Filter- Specify a free-form LDAP filter expression to be added to the default group search filter. The default group search filter and this additional search filter are combined as an AND expression. Records must satisfy both filters to be found using the various group searches. Any value specified in this field must follow correct LDAP search filter syntax.
    • Default User Roles- Specify one or more roles (by multi-selecting from the drop-down list) to be given to all users authenticated from your LDAP tree. Zope expects all users - anonymous as well as authenticated - to have the role Anonymous.
  7. Click Next. The third panel (Map LDAP Groups to Local Groups) of the LDAP Configuration wizard appears.
    Figure 32. LDAP Configuration Wizard (Map LDAP Groups to Local Groups)
  8. Provide the following information:
    • Map LDAP Groups to Roles?- Select this option if you want to control user roles within the Resource Manager Web interface by using Active Directory groups, instead of controlling the roles directly from within the system.

      If you choose to use this option, add the following groups to LDAP:

      • Resource Manager Managers
      • Resource Manager Users
    • Group- Select the LDAP group to map to a Resource Manager role.
    • Role- Select the Resource Manager role to which the LDAP group is mapped.
  9. To map another group, click Add Group Mapping. To remove a mapped group, click Remove.
  10. Click Finish.
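The User Filter and Group Filter fields above are free-form text that the product combines with its own default filters as an AND expression, and the login name a user types ends up inside the same filter. The added example below (not Resource Manager's own code, and not the product's actual filter logic) shows what that combination looks like, why a login name must be escaped before it is placed in a filter, a cheap syntax sanity check for the free-form fields, and how groupOfUniqueNames records are mapped to roles as in step 8. The default filters, the login attribute, the role names and the sample directory entries are all assumptions constructed for the example.

```python
# Added example, not Resource Manager's own code. Default filters, attribute names,
# role names and sample directory data below are assumptions made for illustration.
from typing import Dict, Iterable, List, Set

# Assumed default search filters (the product's real defaults are not documented here).
DEFAULT_USER_FILTER = "(objectClass=person)"
DEFAULT_GROUP_FILTER = "(objectClass=groupOfUniqueNames)"

# RFC 4515 escape table for characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally instead of being parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_balanced_filter(expr: str) -> bool:
    """Sanity check for free-form filter text: parenthesised and balanced.

    This is not a full RFC 4515 parser; it only catches the common typos
    (missing or extra parentheses) before the text is sent to the server.
    """
    expr = expr.strip()
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def and_filters(*filters: str) -> str:
    """Combine filters into one AND expression; blank entries (an empty field) add nothing."""
    parts = [f.strip() for f in filters if f and f.strip()]
    if not parts:
        raise ValueError("at least one filter is required")
    for part in parts:
        if not is_balanced_filter(part):
            raise ValueError(f"invalid LDAP filter syntax: {part!r}")
    if len(parts) == 1:
        return parts[0]
    return "(&" + "".join(parts) + ")"


def build_user_search(login_attr: str, login_name: str, user_filter: str = "") -> str:
    """Login lookup: default user filter AND the free-form User Filter AND an exact match
    on the Login Name Attribute, with the typed name escaped so it cannot alter the filter."""
    exact = f"({login_attr}={escape_filter_value(login_name)})"
    return and_filters(DEFAULT_USER_FILTER, user_filter, exact)


def build_group_search(group_filter: str = "") -> str:
    """Group lookup: default group filter AND the free-form Group Filter."""
    return and_filters(DEFAULT_GROUP_FILTER, group_filter)


def _norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: case-insensitive, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def roles_for_user(user_dn: str, groups: Iterable[Dict], group_role_map: Dict[str, str],
                   default_roles: Iterable[str]) -> Set[str]:
    """Roles = Default User Roles + Anonymous (Zope gives it to everyone) + every role whose
    mapped groupOfUniqueNames entry lists the user's DN as a uniqueMember."""
    roles = set(default_roles) | {"Anonymous"}
    target = _norm_dn(user_dn)
    for group in groups:
        members = {_norm_dn(m) for m in group.get("uniqueMember", [])}
        if target in members and group["cn"] in group_role_map:
            roles.add(group_role_map[group["cn"]])
    return roles


# Constructed sample directory data: two groupOfUniqueNames entries and a mapping to
# placeholder role names (the product's real role names are not used here).
SAMPLE_GROUPS: List[Dict] = [
    {"cn": "Resource Manager Managers",
     "uniqueMember": ["cn=jdoe,cn=users,dc=example,dc=com"]},
    {"cn": "Resource Manager Users",
     "uniqueMember": ["CN=jdoe, CN=users, DC=example, DC=com",
                      "cn=asmith,cn=users,dc=example,dc=com"]},
]
SAMPLE_GROUP_ROLE_MAP = {"Resource Manager Managers": "Manager",
                         "Resource Manager Users": "User"}

if __name__ == "__main__":
    print(build_user_search("sAMAccountName", "jdoe", "(memberOf=cn=ops,dc=example,dc=com)"))
    print(build_user_search("uid", "*)(uid=*"))  # escaped, so still one exact match
    print(sorted(roles_for_user("cn=jdoe,cn=users,dc=example,dc=com",
                                SAMPLE_GROUPS, SAMPLE_GROUP_ROLE_MAP, ["Authenticated"])))
```

The second print shows the point of escaping: a login name containing `*`, `(` or `)` is turned into literal text, so the combined filter still matches only the one attribute value rather than being reshaped by the input. The DN normalisation in `roles_for_user` is deliberately simple; a real comparison would follow RFC 4517 DN matching rules.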

After setup, you can edit your LDAP configuration settings from the Settings, Configuration Options, and Mappings tabs.

The Search tab allows you to locate user records on your LDAP server. Select from the list of search parameters, optionally enter a search term, and then click Search. Search results appear in the lower portion of the page.

Figure 33. LDAP Configuration - Search