Versions Compared

Version Old Version 1 New Version Current
Changes made by

Stonebranch

Alec Berger

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Panel
Table of Contents
maxlevel2

...

UNIX

If you want the credentials for Universal Agent to go through LDAP authentication, the UNIX machine on which the Agents reside require PAM. The Agents must be configured to use PAM, and PAM must be configured to use LDAP.
 
The UNIX systems that support PAM authentication are AIX, HP-UX, Linux, and Solaris. Refer to Security of Universal Agent Components to see which Agent Server components can use PAM authentication on these systems.
 
Set up your PAM configuration to use the PAM LDAP module. Depending on your LDAP version, some other configuration steps may be required. Once PAM is configured, tasks specifying credentials will authenticate over LDAP transparently.

Windows

While no set-up steps are required to specifically enable Domain/Active Directory credential authentication, the target system does need to belong to a Domain or Active Directory Forest. When you specify credentials for a task, use DOMAIN\user as the user name.

...

Field Name

Description

Connection

This section contains information on the LDAP connection.

URL

URL of the LDAP connection. For example:

  • ldap://ldap.stonebranch.com:389/
  • ldaps://192.202.185.90:636/

To use SSL/TLS encryption (ldaps://), you will have to configure the Universal Controller truststore with an X.509 CA certificate in either of these formats:

  • DER-encoded binary
  • Base64-encoded
Note

You can also specify a space-separated list of URLs. Universal Controller will attempt to use each URL in turn until a successful connection is created.

For example, ldap://ldap1.stonebranch.com:389/ ldap://ldap2.stonebranch.com:389/


Anchor
Bind DN or User
Bind DN or User
Bind DN or User

Distinguished Name (DN) or User ID used for initial access to the LDAP server.

Bind Password

Password associated with the Bind ND or User.

Anchor
Use for Authentication
Use for Authentication
Use for Authentication

If enabled, indicates that LDAP will be used for password authentication.

Allow Local Login

If the LDAP Synchronization Enabled Universal Controller system property is false, or if it is true but the Use for Authentication field is not enabled, an administrator must explicitly specify Allow Local Login to allow local account login for users that were provisioned through LDAP synchronization.
 
This option is intended only to provide temporary access while an LDAP directory is unavailable.
 
An administrator will need to update the local account password for any LDAP-synchronized user who requires temporary local account login, as the provisioned password would be unknown.

Search

This section contains search information.

Anchor
Base DN
Base DN
Base DN

Starting point for searching the directory. For example: dc=stonebranch,dc=com. If you do not specify a Base DN, the search starts as the root of the directory tree.

User Id Attribute

LDAP attribute for the specified User ID.
 
Options:

  • sAMAccountName
  • cn
  • uid
  • Other...

User Filter

Search filter for users.
 
If you do not specify a User Filter, the server uses (&(objectClass=user)(objectCategory=person)).

Anchor
User Target OU List
User Target OU List

User Target OU List

Single- or multi-level target OU's (Organizational Units) within the Base DN directory to filter for user records.
 
For example, OU=Employees or OU=Employees,OU=Users.
 
If you do not specify one or more OU's, the entire sub-tree from the Base DN will be searched.

Group Filter

Search filter for groups.
 
If you do not specify a Group Filter, the server uses (&(objectClass=group)(objectCategory=group)).

Anchor
Group Target OU List
Group Target OU List

Group Target OU List

Single- or multi-level target OU's within the Base DN directory to filter for group records.
 
For example, OU=Universal Controller or OU=Universal Controller,OU=Groups.
 
If you do not specify one or more OU's, the entire sub-tree from the Base DN will be searched.

Advanced

This section contains advanced information.

Connection Timeout (Seconds)

Timeout for connecting to the LDAP server.

Read Timeout (Seconds)

Timeout for reading from the LDAP server.

User Membership Attribute

LDAP attribute for the groups in which a user is a member. If you do not specify a User Membership Attribute, the LDAP server uses memberOf (see the uc.ldap.users.synchronize_indirect Universal Controller start-up property.

Group Member Attribute

LDAP attribute for the members of a group. If you do not specify a Group Member Attribute, the LDAP server uses member (see the uc.ldap.groups.update_members Universal Controller start-up property.

Login Method

Login method(s) that an LDAP-provisioned user can authenticate with by default. The default is applied only at user creation time.

You can use the Ctrl key to select multiple methods.

Only one of Standard or Standard / Authenticator App (TOTP) can be selected, not both.
 
Options:

  • Standard
  • Single Sign-On
  • Standard / Authenticator App (TOTP)

Buttons

This section identifies the buttons displayed above and below the LDAP Settings that let you perform various actions.

Update

Include Page
IL:Update button
IL:Update button

Anchor
Test Connection
Test Connection
Test Connection

After saving the LDAP Settings to the database, click Test Connection to run a connection test.

Refresh

Refreshes any dynamic data displayed in the LDAP Settings.

Tabs

This section identifies the tabs across the top of the LDAP Settings page that provide access to additional information about the LDAP Settings.

Mappings

List of User and Group columns mapped to LDAP attributes that enables you to customize how the User/Group records get populated from LDAP.

...

It requires setting up a truststore (keystore) and setting the following properties in the Universal Controller Start-up Properties (uc.properties) file:

You must make sure that the LDAP server's certificate exists in the truststore that is referenced by these two properties.

...