
...

You can set up Universal Controller to use LDAP authentication for:

Credentials for Running Tasks Authentication

To use LDAP authentication for Universal Controller user credentials:

UNIX

If you want the credentials for Universal Agent to go through LDAP authentication, the UNIX machine on which the Agents reside requires PAM. The Agents must be configured to use PAM, and PAM must be configured to use LDAP.
 
The UNIX systems that support PAM authentication are AIX, HP-UX, Linux, and Solaris. Refer to Security of Universal Agent Components to see which Agent Server components can use PAM authentication on these systems.
 
Set up your PAM configuration to use the PAM LDAP module. Depending on your LDAP version, some other configuration steps may be required. Once PAM is configured, tasks specifying credentials will authenticate over LDAP transparently.

Windows

While no set-up steps are required to specifically enable Domain/Active Directory credential authentication, the target system does need to belong to a Domain or Active Directory Forest. When you specify credentials for a task, use DOMAIN\user as the user name.

User Login Authentication

Step 1

From the Administration navigation pane, select Configuration > LDAP Settings. The LDAP Settings page displays.
 

Step 2

Enter / select your LDAP Settings, using the field descriptions below as a guide.

  • Required fields display an asterisk ( * ) after the field name.
  • Default values for fields, if available, display automatically.

Step 3

Click the button.

For information on how to access additional details - such as Metadata and complete database Details - for LDAP Settings (or any type of record), see Records.
 

Note

In order to log in to the Controller using LDAP, you must set the LDAP Synchronization Enabled Universal Controller System property (Administration > Configuration > Properties in the Controller user interface) to true.

...

Field Name

Description

Connection

This section contains information on the LDAP connection.

URL

URL of the LDAP connection. For example:

  • ldap://ldap.stonebranch.com:389/
  • ldaps://192.202.185.90:636/

To use SSL/TLS encryption (ldaps://), you will have to configure the Universal Controller truststore with an X.509 CA certificate in either of these formats:

  • DER-encoded binary
  • Base64-encoded

Note

You can also specify a space-separated list of URLs. Universal Controller will attempt to use each URL in turn until a successful connection is created.

For example, ldap://ldap1.stonebranch.com:389/ ldap://ldap2.stonebranch.com:389/


Bind DN or User

Distinguished Name (DN) or User ID used for initial access to the LDAP server.

Bind Password

Password associated with the Bind DN or User.

Use for Authentication

If enabled, indicates that LDAP will be used for password authentication.

Allow Local Login

If the LDAP Synchronization Enabled Universal Controller system property is false, or if it is true but the Use for Authentication field is not enabled, an administrator must explicitly specify Allow Local Login to allow local account login for users that were provisioned through LDAP synchronization.
 
This option is intended only to provide temporary access while an LDAP directory is unavailable.
 
An administrator will need to update the local account password for any LDAP-synchronized user who requires temporary local account login, as the provisioned password would be unknown.

Search

This section contains search information.

Base DN

Starting point for searching the directory. For example: dc=stonebranch,dc=com. If you do not specify a Base DN, the search starts at the root of the directory tree.

User Id Attribute

LDAP attribute for the specified User ID.
 
Options:

  • sAMAccountName
  • cn
  • uid
  • Other...

User Filter

Search filter for users.
 
If you do not specify a User Filter, the server uses (&(objectClass=user)(objectCategory=person)).

User Target OU List

Single- or multi-level target OUs (Organizational Units) within the Base DN directory to filter for user records.
 
For example, OU=Employees or OU=Employees,OU=Users.
 
If you do not specify one or more OUs, the entire sub-tree from the Base DN will be searched.

Group Filter

Search filter for groups.
 
If you do not specify a Group Filter, the server uses (&(objectClass=group)(objectCategory=group)).

Group Target OU List

Single- or multi-level target OUs within the Base DN directory to filter for group records.
 
For example, OU=Universal Controller or OU=Universal Controller,OU=Groups.
 
If you do not specify one or more OUs, the entire sub-tree from the Base DN will be searched.

Advanced

This section contains advanced information.

Connection Timeout (Seconds)

Timeout for connecting to the LDAP server.

Read Timeout (Seconds)

Timeout for reading from the LDAP server.

User Membership Attribute

LDAP attribute for the groups in which a user is a member. If you do not specify a User Membership Attribute, the LDAP server uses memberOf (see the uc.ldap.users.synchronize_indirect Universal Controller start-up property).

Group Member Attribute

LDAP attribute for the members of a group. If you do not specify a Group Member Attribute, the LDAP server uses member (see the uc.ldap.groups.update_members Universal Controller start-up property).

Login Method

Login method(s) that an LDAP-provisioned user can authenticate with by default. The default is applied only at user creation time.

You can use the Ctrl key to select multiple methods.

Only one of Standard or Standard / Authenticator App (TOTP) can be selected, not both.
 
Options:

  • Standard
  • Single Sign-On
  • Standard / Authenticator App (TOTP)

Buttons

This section identifies the buttons displayed above and below the LDAP Settings that let you perform various actions.

Update


Test Connection

After saving the LDAP Settings to the database, click Test Connection to run a connection test.

Refresh

Refreshes any dynamic data displayed in the LDAP Settings.

Tabs

This section identifies the tabs across the top of the LDAP Settings page that provide access to additional information about the LDAP Settings.

Mappings

List of User and Group columns mapped to LDAP attributes that enables you to customize how the User/Group records get populated from LDAP.

...

You specify the User and Group Target OUs relative to the Base DN. In this case, the Base DN would be OU=Corporate,DC=stonebranch,DC=com.
 

For the User Target OU List LDAP Settings field, you would have the following entries:

OU=NorthAmerica,OU=CorporateUsers

OU=Students


For the Group Target OU List LDAP Settings field, you would have the following entries:

...
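To make the relationship between the Base DN, the Target OU lists, the User Id Attribute and the User Filter concrete, here is an added example (not Stonebranch code) that derives the effective search bases and lookup filter from those settings, escapes the user ID so it cannot alter the filter, and splits a space-separated URL list while flagging which entries use ldaps://. The function and constant names are assumptions of this example.

```python
# Added example: derives effective LDAP search parameters from the
# LDAP Settings fields described above. Not part of Universal Controller.
from urllib.parse import urlparse

# Default applied when no User Filter is specified (from the field description).
DEFAULT_USER_FILTER = "(&(objectClass=user)(objectCategory=person))"


def search_bases(base_dn, target_ous):
    """Target OUs are given relative to the Base DN; each becomes its own
    search base. An empty list means the whole sub-tree under the Base DN."""
    if not target_ous:
        return [base_dn]
    return [f"{ou},{base_dn}" if base_dn else ou for ou in target_ous]


def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied ID must not be able to inject
    extra filter terms (e.g. '*' or ')(' sequences)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def user_lookup_filter(user_id, id_attr="sAMAccountName", user_filter=None):
    """Combine the configured (or default) User Filter with an equality
    match on the User Id Attribute for one login attempt."""
    return f"(&{user_filter or DEFAULT_USER_FILTER}({id_attr}={escape_filter_value(user_id)}))"


def parse_url_list(urls):
    """Space-separated URL list, tried in order. Returns (url, uses_tls) pairs;
    a False entry means the bind password would travel in clear text."""
    out = []
    for url in urls.split():
        scheme = urlparse(url).scheme
        if scheme not in ("ldap", "ldaps"):
            raise ValueError(f"unsupported scheme in {url!r}")
        out.append((url, scheme == "ldaps"))
    return out


if __name__ == "__main__":
    # Constructed values taken from the worked example on this page.
    base = "OU=Corporate,DC=stonebranch,DC=com"
    for sb in search_bases(base, ["OU=NorthAmerica,OU=CorporateUsers", "OU=Students"]):
        print("search base:", sb)
    print("filter:", user_lookup_filter("jdoe"))
    print("urls:", parse_url_list("ldap://ldap1.stonebranch.com:389/ ldaps://192.202.185.90:636/"))
```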

For each User and Group record in the Controller that represents a synchronized LDAP User or Group, the Source column on the Users list or Groups List, respectively, contains the Distinguished Name of that User or Group in LDAP. (For Users and Groups created locally in the Controller, the Source column is blank.)

...

Note

By default, the Source column is not shown on either list. For instructions on how to add the Source column, see Selecting Columns / Column Locations for a List.

LDAP Server Operations

...

Additionally, the Controller provides two Server Operations that let you force an LDAP refresh:

...

Once LDAP configuration has been completed, you can utilize the LDAP Refresh server operation to verify your configuration.

...

1. Do not explicitly specify a value for the Group search filter.

2. Do not specify any target Group OUs (organizational units).

3. Ensure that the Universal Controller Start-up Properties file (uc.properties) contains the following property configuration: uc.ldap.groups.filter_indirect=true
 
(If uc.ldap.groups.filter_indirect=true, any Groups synchronized indirectly - that is, through a User's memberOf attribute - will honor the Group Filter and Group Target OU List.)

...

It requires setting up a truststore (keystore) and setting the following properties in the Universal Controller Start-up Properties (uc.properties) file:

...

When these configurations have been made, use ldaps:// for the URL prefix in the LDAP Settings Field Descriptions.