Use the User authentication settings page to manage user
authentication.
You must have the URL of the external LDAP server that you intend to use to authenticate users.
This task requires that you are a Measure administrator.
An LDAP realm identifies users and groups and defines the rules for how to search for them. When
unknown users attempt to log on, an external LDAP server authenticates them by using the realm
parameters that you configure. To configure an LDAP authentication realm, you identify the URL of
the LDAP server and define valid searches.
To create an LDAP realm, complete the following steps:
-
From the Measure dashboard page, click .
-
Click Configure LDAP .
-
On the LDAP page, in the Name field, enter a name for
the realm configuration.
The value is an arbitrary label that does not affect the other settings.
-
In the LDAP URL field, enter the URL of the LDAP server that you use for
authentication.
Separate multiple servers by commas.
For example,
ldap://ldap_server.my_domain.com:389,ldap://ldap_server.my_domain2.com:389.
A plain ldap:// URL on port 389 sends the bind credentials, and the passwords of users who log on, in clear text unless the connection is upgraded with StartTLS. Where your LDAP server supports it, use an ldaps:// URL.
-
Specify whether anonymous searches are allowed by completing one of the following
options:
- If the LDAP server allows anonymous searches, select Search
Anonymously.
- For authenticated searches, clear the Search Anonymously check box,
and then enter the Bind DN and Bind credentials.
Velocity uses these credentials to bind to the LDAP server before it searches for users; they are not the credentials of the user who is logging on. Use a dedicated, read-only service account, for example,
cn=velocity,ou=applications,dc=mydomain,dc=com.
- Optional:
In the Scope when searching LDAP users area, specify a search scope by
selecting one of the following options:
- Subtree. Select this option to search the Search base and every entry
below it, at any depth.
- One level. Select this option if all user entries are direct children of
the Search base.
- Base. Select this option to match only the Search base entry itself, and
nothing below it.
The scope is relative to the Search base selected in the next step. It
is a good practice to make the scope as narrow as possible.
-
In the Search base field, enter the user search base.
This is the starting directory for the search, such as
ou=employees,dc=mydomain,dc=com.
-
In the Search filter field, enter the search filter.
This is the LDAP filter expression that is used when searching for user entries. The user name
replaces the {{username}} variable in the search pattern, for example,
uid={{username}}.
If the value is not part of the DN pattern, enclose the expression in parentheses, for example,
(mail={{username}}). Filter on an attribute that is unique per user, such as uid or mail, so that a
user name matches at most one entry. For more information, see the help information for your LDAP
server and look for information about creating user search filters.
- Optional:
In the Bind property field, enter an attribute name.
This is the name of the LDAP attribute on the user entry whose value is the DN that is used to
bind as that user when the user's password is verified. The default value is dn.
- Optional:
In the Name attribute field, enter the attribute that holds the user name.
This is the name of the LDAP attribute that contains the user's full name. Examples are
cn and displayName.
-
In the Email attribute field, enter the attribute that holds the user's email address.
This is the name of the LDAP attribute that contains the user's email address. For example,
mail.
-
In the Role definition area, specify a role by completing one of the
following options:
-
Select Role in LDAP reference their members if you want to find group
membership by searching roles, and then define the Group search filter.
Note: The Group search filter is the LDAP filter expression that is used when
you search for group entries. The user name replaces the {username} variable in the search
pattern and the full user distinguished name (DN) replaces the {dn} variable, for example,
(&(uniqueMember={dn})(cn=BSO*)).
-
Select User roles are defined as an attribute on that user if you want
to find group membership by using this attribute, and then define the Group DN
Attribute and User Group Attribute fields.
The Group DN Attribute is the name of the LDAP attribute on group
entries, whose value is the group's distinguished name. For example, dn. The
User Group Attribute is the name of the LDAP attribute on user entries, whose
value is the distinguished name of a group of which the user is a member. For example,
memberOf.
-
In the Group search base field, enter the directory that is used for
group searches.
For example, ou=employees,dc=mydomain,dc=com.
-
In the Group name attribute field, enter the name of the attribute that
contains the group name in the directory entries that are returned by the group
search. For example, cn.
If this attribute is not specified, no group search runs.
-
Select the Search group subtree check box to search the subtrees, if any, below the
Group search base. If the check box is not selected, the search is limited to the Group search base.
-
Click Save.
-
Click Import users to verify the
LDAP configuration settings. For a valid
LDAP configuration, the user import status is
successful. For an invalid LDAP configuration, the user
import fails with an error message.
The first time an unknown user attempts to log on, the LDAP authentication realms are searched in an
attempt to identify the user. If the user is found, a corresponding user ID is
created in Measure. If the user is a member of an LDAP group, that group is
imported too.
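The following script is an added illustration of how the settings above combine on a first login; it is not Measure or Velocity code, and the product's own substitution and search logic is not published. It models a realm (the REALM values, the DIRECTORY entries and the function names are all constructed for this example) and shows three things a practitioner should check: the scope semantics, the effect of RFC 4515 escaping on the {{username}} substitution (with escaping, a user name of * matches nobody; without it, (uid=*) matches every user), and the group lookup with {dn}. Two details are assumptions: that the product escapes the substituted values, and that an unselected Search group subtree means one level below the Group search base.

```python
"""Model of how the realm settings combine during a login (added illustration, not product code).
Assumptions: {{username}} and {username}/{dn} are replaced with RFC 4515-escaped values, and
only equality assertions and AND are implemented (enough for the filters shown on the page).
"""
import re

# Constructed sample entries, not real data. Attribute names are matched case-insensitively.
DIRECTORY = {
    "uid=alice,ou=employees,dc=mydomain,dc=com": {
        "uid": "alice", "cn": "Alice Example", "mail": "alice@mydomain.com"},
    "uid=bob,ou=contractors,ou=employees,dc=mydomain,dc=com": {
        "uid": "bob", "cn": "Bob Example", "mail": "bob@mydomain.com"},
    "cn=BSO-Admins,ou=groups,dc=mydomain,dc=com": {
        "cn": "BSO-Admins", "uniqueMember": ["uid=alice,ou=employees,dc=mydomain,dc=com"]},
    "cn=BSO-Users,ou=groups,dc=mydomain,dc=com": {
        "cn": "BSO-Users", "uniqueMember": ["uid=alice,ou=employees,dc=mydomain,dc=com",
                                            "uid=bob,ou=contractors,ou=employees,dc=mydomain,dc=com"]},
    "cn=Finance,ou=groups,dc=mydomain,dc=com": {
        "cn": "Finance", "uniqueMember": ["uid=bob,ou=contractors,ou=employees,dc=mydomain,dc=com"]},
}

# The realm as it would be filled in on the LDAP page (hypothetical values).
REALM = {
    "search_base": "ou=employees,dc=mydomain,dc=com",
    "scope": "one",  # "base", "one" or "sub"
    "search_filter": "(uid={{username}})",
    "group_search_base": "ou=groups,dc=mydomain,dc=com",
    "search_group_subtree": False,
    "group_search_filter": "(&(uniqueMember={dn})(cn=BSO*))",
}

def in_scope(dn, base, scope):
    """RFC 4511 scope: base = the base entry only, one = its direct children, sub = any depth."""
    d = [c.strip().lower() for c in dn.split(",")]   # naive split; sample DNs have no escaped commas
    b = [c.strip().lower() for c in base.split(",")]
    if d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": depth >= 0}[scope]

def escape_filter_value(value):
    """RFC 4515 escaping: *, (, ), backslash and NUL become \\xx so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_user_filter(template, username):
    return template.replace("{{username}}", escape_filter_value(username))

def render_group_filter(template, username, user_dn):
    return (template.replace("{username}", escape_filter_value(username))
                    .replace("{dn}", escape_filter_value(user_dn)))

def _parse(s, i=0):
    """Parse '(attr=pattern)' or '(&(...)(...))' into a tree; returns (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] == "&":
        children, i = [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unterminated AND at offset %d" % i)
        return ("&", children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated assertion")
    attr, sep, pattern = s[i:end].partition("=")
    if not sep:
        raise ValueError("only equality assertions are supported")
    return ("=", attr.strip().lower(), pattern), end + 1

def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(child, entry) for child in node[1])
    _, attr, pattern = node
    # Unescape \xx inside each literal piece; '*' between pieces stays a wildcard.
    unescape = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    regex = ".*".join(re.escape(unescape(piece)) for piece in pattern.split("*"))
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

def search(directory, base, scope, ldap_filter):
    """Return the sorted DNs under base (per scope) whose entry satisfies the filter."""
    node, end = _parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    return sorted(dn for dn, entry in directory.items()
                  if in_scope(dn, base, scope)
                  and _matches(node, {k.lower(): v for k, v in entry.items()}))

def locate_user(directory, realm, username):
    """First login of an unknown user: find exactly one entry, then its groups; None if absent/ambiguous."""
    hits = search(directory, realm["search_base"], realm["scope"],
                  render_user_filter(realm["search_filter"], username))
    if len(hits) != 1:
        return None
    user_dn = hits[0]
    # Assumption: an unselected "Search group subtree" means one level below the group base.
    group_scope = "sub" if realm["search_group_subtree"] else "one"
    groups = search(directory, realm["group_search_base"], group_scope,
                    render_group_filter(realm["group_search_filter"], username, user_dn))
    return user_dn, [directory[g]["cn"] for g in groups]
```

Calling locate_user(DIRECTORY, REALM, "alice") returns her DN with the groups BSO-Admins and BSO-Users, and Finance is excluded by the (cn=BSO*) term. The same call for "bob" returns None because the one-level scope does not reach ou=contractors; changing the scope to "sub" finds him. With a user name of "*", the escaped filter (uid=\2a) matches nobody, whereas the unescaped (uid=*) matches every user, which is why the substitution must escape.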
When new users log on to the server with their LDAP credentials, they are listed on the
Users page. In most cases, do not manage user passwords or remove users from
the list. If an active user is removed, they are still able to log on to the server while their LDAP
credentials are valid, because the LDAP server decides whether the logon succeeds. To revoke access,
disable or remove the account on the LDAP server.