When configuring search filter parameters for Lightweight
Directory Access Protocol (LDAP) servers, always perform authentication
tests to confirm that your search filters are successful. All search
filters must be working properly to ensure a successful integration
with your LDAP server.
Before you begin
You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.
Note: When Single-Sign-On is enabled, LDAP settings cannot be tested or changed.
Procedure
- Click (or if in 2.3.3.3).
- Click Test LDAP Authentication Settings.
- Test the external (LDAP) user name search filter. In the LDAP user name field, type the name of an existing external user, for example user1, and click Test LDAP query. If the query is successful, a check mark displays beside the Test LDAP query button. If the query is not successful, an error message displays.
- Test the external (LDAP) group name search filter. In the LDAP group name field, type the name of an existing external group, for example g1-10, and click Test LDAP query. If the query is successful, a check mark displays beside the Test LDAP query button. If the query is not successful, an error message displays.
- Test the LDAP membership (user name) to make sure that the query syntax is correct and that LDAP user group role inheritance works properly.
  - In the LDAP membership (user name) field, type the name of an existing user who is a member of an external (LDAP) group, for example user1, and click Test LDAP query. If the query syntax for the search filter is correct, a check mark displays beside the Test LDAP query button. Note that the check mark only indicates that the syntax is correct; it does not confirm that the directory returned a matching entry.
  - Test that the membership search works properly. First, register an external (LDAP) group with Cloud Pak System Software. Then, attempt to log in to the system with a user name that belongs to that group but has not yet been registered with the system. If the login is successful and that user is added automatically to the system as an external user, the membership search filter works properly.
- If one or more authentication tests are not successful, run the following commands to find out a typical user or group name to use as a valid parameter in your search filter:
  ldapsearch -x -h <ldap hostname> -p <ldap port> -D "<bind DN>" -w "<bind password>" -b "<base users DN>" "uid=user1"
  ldapsearch -x -h <ldap hostname> -p <ldap port> -D "<bind DN>" -w "<bind password>" -b "<base groups DN>" "uid=user1"
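The three test fields above each drive a search filter into which the typed name is substituted, and the check mark reports only that the resulting filter parses. The following added example (not Cloud Pak System Software's own code) shows what that distinction means in practice: it renders the user, group and membership filters from templates, escapes the typed value per RFC 4515 so a name containing parentheses or an asterisk cannot change the filter's structure, and runs an offline syntax check that mirrors the check mark. The templates and attribute names (uid, cn, memberUid, posixGroup) are assumptions for a typical OpenLDAP layout; user1 and g1-10 are the sample names from the procedure.

```python
"""Render and syntax-check the LDAP search filters behind 'Test LDAP query'.

Added example, not the product's own code. Filter templates and attribute
names are assumptions; only the sample names come from the procedure.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value so that a typed name cannot alter the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed templates; {user} and {group} are filled in from the test fields.
USER_FILTER = "(uid={user})"
GROUP_FILTER = "(&(objectClass=posixGroup)(cn={group}))"
MEMBERSHIP_FILTER = "(&(objectClass=posixGroup)(memberUid={user}))"

# Subset of RFC 4515: item = attribute, comparison operator, value.
_ITEM_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(=|~=|>=|<=)[^()]*$")


class FilterSyntaxError(ValueError):
    """Raised when a filter string does not parse."""


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe insertion into a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, **params: str) -> str:
    """Substitute {name} placeholders in a template with escaped values."""
    return template.format(**{k: escape_filter_value(v) for k, v in params.items()})


def _parse_filter(text: str, pos: int) -> int:
    """Parse one parenthesised filter starting at pos; return index after ')'."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterSyntaxError("unexpected end of filter")
    if text[pos] in "&|":                      # and / or: one or more sub-filters
        pos += 1
        count = 0
        while pos < len(text) and text[pos] == "(":
            pos = _parse_filter(text, pos)
            count += 1
        if count == 0:
            raise FilterSyntaxError(f"empty and/or at offset {pos}")
    elif text[pos] == "!":                     # not: exactly one sub-filter
        pos = _parse_filter(text, pos + 1)
    else:                                      # simple item, e.g. uid=user1
        end = text.find(")", pos)              # a literal ')' in a value is escaped as \29
        if end == -1:
            raise FilterSyntaxError("unterminated filter item")
        if not _ITEM_RE.match(text[pos:end]):
            raise FilterSyntaxError(f"malformed item {text[pos:end]!r}")
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {pos}")
    return pos + 1


def syntax_ok(filter_text: str) -> bool:
    """Return True if the whole string is one well-formed filter.

    Like the check mark in the procedure, this says nothing about whether
    the directory holds a matching entry; only a real search can tell that.
    """
    try:
        return _parse_filter(filter_text, 0) == len(filter_text)
    except FilterSyntaxError:
        return False


def build_test_filters(user: str, group: str) -> dict:
    """Render the three filters the test fields drive, with their syntax verdict."""
    rendered = {
        "user": render_filter(USER_FILTER, user=user),
        "group": render_filter(GROUP_FILTER, group=group),
        "membership": render_filter(MEMBERSHIP_FILTER, user=user),
    }
    return {name: (f, syntax_ok(f)) for name, f in rendered.items()}


if __name__ == "__main__":
    for name, (f, ok) in build_test_filters("user1", "g1-10").items():
        print(f"{name:<10} {'OK ' if ok else 'BAD'} {f}")
```

A filter that passes syntax_ok but matches nothing, for instance because the base DN points at the wrong subtree or the attribute name differs from what the directory uses, is exactly the case the ldapsearch commands in the last step are meant to uncover: the search must be run against the server to find a name that actually resolves.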
What to do next
To troubleshoot LDAP connection issues, see the instructions at Troubleshooting LDAP connection issues.