When configuring search filter parameters for Lightweight
Directory Access Protocol (LDAP) servers, always perform authentication
tests to confirm that your search filters are successful. All search
filters must be working properly to ensure a successful integration
with your LDAP server.
Before you begin
You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.
Procedure
- Click .
- Click Test LDAP authentication settings.
- Test the LDAP user name search filter. In the LDAP user name field, type the name of an existing LDAP user, for example user1. Next, click Test LDAP query. If the query is successful, a check mark displays beside the Test LDAP authentication settings button. If the query is not successful, an error message displays.
- Test the LDAP group name search filter. In the LDAP group name field, type the name of an existing LDAP group, for example g1-10. Next, click Test LDAP query. If the query is successful, a check mark displays beside the Test LDAP authentication settings button. If the query is not successful, an error message displays.
- Test the LDAP membership (user name) to make sure that the query syntax is correct and that LDAP user group role inheritance works properly.
  - In the LDAP membership(user name) field, type the name of an existing user who is a member of an LDAP group, for example user1. Then, click Test LDAP query. If the query syntax for the search filter is correct, a check mark displays beside the LDAP membership(user name) button. Note that the check mark only indicates that the syntax is correct.
  - Next, test that the membership search works properly. First, register an LDAP group with Cloud Pak System. Then, attempt to log in to the system with a user name that belongs to that group but has not yet registered with the system. If the login is successful and that user is added automatically to the system as an LDAP user, the membership search filter works properly.
- If one or more authentication tests are not successful,
run the following commands to find out a typical user or group name
to use as a valid parameter in your search filter:
ldapsearch -x -h <ldap hostname> -p <ldap port> -D "<bind DN>" -w "<bind password>" -b "<base users DN>" "uid=user1"
ldapsearch -x -h <ldap hostname> -p <ldap port> -D "<bind DN>" -w "<bind password>" -b "<base groups DN>" "uid=user1"
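A hardened variant of the lookups above, as an added example that is not part of the product documentation: it assumes the OpenLDAP client tools, keeps the bind password off the command line, protects the simple bind with TLS, and escapes the name before it is placed in the filter. The function names and the LDAP_URI, LDAP_BIND_DN and LDAP_PW_FILE variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not product code. Source this file, export the three
# variables below, then call for example:
#   ldap_lookup "<base users DN>" user1
#
#   LDAP_URI      ldap://<ldap hostname>:<ldap port> or ldaps://...
#   LDAP_BIND_DN  <bind DN>
#   LDAP_PW_FILE  file holding the bind password (mode 0600). ldapsearch -y
#                 uses the complete file contents, so no trailing newline.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# The backslash is replaced first so that the escapes added afterwards
# are not escaped a second time.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the filter used on this page (uid=<name>) from an arbitrary name.
uid_filter() {
    printf '(uid=%s)' "$(ldap_escape "$1")"
}

# Look up <name> ($2) under <base DN> ($1) and print only the matching DNs.
ldap_lookup() {
    lookup_base=$1
    lookup_name=$2
    # ldaps:// is already TLS; for ldap:// require StartTLS (-ZZ) so the
    # simple bind (-x) never crosses the network in cleartext.
    case "$LDAP_URI" in
        ldaps://*) lookup_tls= ;;
        *)         lookup_tls=-ZZ ;;
    esac
    # -y reads the password from a file, so it does not appear in the
    # process list or shell history the way -w "<bind password>" does.
    # $lookup_tls is intentionally unquoted: it expands to nothing when empty.
    ldapsearch -x $lookup_tls -H "$LDAP_URI" -D "$LDAP_BIND_DN" \
        -y "$LDAP_PW_FILE" -b "$lookup_base" -LLL \
        "$(uid_filter "$lookup_name")" dn
}
```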
What to do next
To troubleshoot LDAP connection issues, see the instructions at Troubleshooting LDAP connection issues.