Configuring UMS to connect with LDAP

Learn how to change the UMS configuration file so that UMS connects to your LDAP identity provider.

Before you begin

  1. Prepare the LDAP identity provider service. To learn more about how to set up LDAP for IBM RPA, see Installing and configuring LDAP.
  2. Prepare your IBM RPA server environment. To use this service, you must create the UMS database.
  3. You must have installed the IBM RPA server. See Install the server for details.

Procedure

  1. On Windows Explorer, go to the C:\ProgramData\IBM Robotic Process Automation\servers\umsServer\configDropins\overrides directory.
  2. Open the openLDAPFedrated.xml file.
  3. Change the following attributes to match your custom LDAP user registry:
    • host
      Enter the hostname or IP address of your LDAP server. The hostname is the Fully Qualified Domain Name (FQDN) of the LDAP server.

    • baseDN
      Enter the base distinguished name (DN) of your LDAP server. The base DN is the root entry under which your organization's LDAP entries are defined; every search base below must sit under it.

    • bindDN
      Enter the DN of the manager user that you created to administer the LDAP server. For example, cn=Manager,dc=rpa,dc=ibm,dc=com.

    • bindPassword
      Enter the password that you created for the Manager user.

    • <searchBase></searchBase>
      In the searchBase tags, insert the DN of the subtree of your LDAP server that holds each entity type. For example, for PersonAccount, you must specify the container in which the users are located.

      In this case, if the users belong to an organizationalUnit called rpausers, you must enter the domain name that points to this organizationalUnit, such as ou=rpausers,dc=rpa,dc=ibm,dc=com.

      All the users in the server must inherit from the inetOrgPerson object class, and they must have the displayName, uid, and userPassword attributes.
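The following script is an added pre-flight check for the edited file; it is not part of IBM RPA or of Liberty. It parses an ldapRegistry fragment with the Python standard library, extracts the attributes the procedure above tells you to change, and reports the mistakes that otherwise appear only at server start or at first login: a searchBase that does not sit under baseDN (a search rooted at baseDN never reaches it), a PersonAccount entity type that is not based on inetOrgPerson, a missing displayName mapping, and a bindPassword kept in clear text instead of the {xor} or {aes} form produced by Liberty's securityUtility encode command. The embedded sample configuration, its host name and its values are constructed for the example; the DN handling splits on unescaped commas only.

```python
"""Pre-flight check for a Liberty ldapRegistry fragment such as openLDAPFedrated.xml.

Added example, not IBM RPA or Liberty code. Parses the fragment, pulls out the
attributes the procedure edits, and returns a list of findings.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the OpenLDAP sample; host and values are made up.
# It deliberately contains two defects: a clear-text bindPassword and a Group
# searchBase that is outside baseDN.
SAMPLE_CONFIG = """<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <ldapRegistry id="customId" ldapType="Custom"
      host="ldap.example.test" port="389" ignoreCase="true"
      baseDN="dc=rpa,dc=ibm,dc=com"
      bindDN="cn=admin,dc=rpa,dc=ibm,dc=com"
      bindPassword="rpaadmin">
    <ldapEntityType name="PersonAccount">
      <objectClass>inetOrgPerson</objectClass>
      <searchBase>ou=rpausers, dc=rpa, dc=ibm, dc=com</searchBase>
    </ldapEntityType>
    <ldapEntityType name="Group">
      <objectClass>groupOfUniqueNames</objectClass>
      <searchBase>DC=other,DC=intra</searchBase>
    </ldapEntityType>
    <attributeConfiguration>
      <attribute name="displayName" propertyName="cn" syntax="String" entityType="PersonAccount"/>
    </attributeConfiguration>
  </ldapRegistry>
</server>"""


def dn_components(dn):
    """Split a DN into lower-cased RDNs with surrounding whitespace removed.
    Splits on every comma, so escaped commas (\\,) inside an RDN are not handled."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def dn_is_under(child, parent):
    """True when `child` is `parent` itself or an entry beneath it in the tree."""
    c, p = dn_components(child), dn_components(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def check_registry(xml_text):
    """Return a list of findings (strings); an empty list means the fragment passed."""
    findings = []
    reg = ET.fromstring(xml_text).find("ldapRegistry")
    if reg is None:
        return ["no <ldapRegistry> element found"]

    for attr in ("host", "baseDN", "bindDN", "bindPassword"):
        if not reg.get(attr):
            findings.append(f"{attr} is not set")
    base_dn = reg.get("baseDN", "")

    # Liberty accepts a bindPassword encoded as {xor}... or {aes}... by
    # `securityUtility encode`; any other value is the clear-text secret on disk.
    pw = reg.get("bindPassword", "")
    if pw and not pw.startswith(("{xor}", "{aes}")):
        findings.append("bindPassword is stored in clear text; encode it with securityUtility")

    person = None
    for ent in reg.findall("ldapEntityType"):
        name = ent.get("name", "?")
        for sb in ent.findall("searchBase"):
            text = (sb.text or "").strip()
            if base_dn and not dn_is_under(text, base_dn):
                findings.append(f"{name} searchBase '{text}' is not under baseDN '{base_dn}'")
        if name == "PersonAccount":
            person = ent

    if person is None:
        findings.append("no PersonAccount ldapEntityType defined")
    elif reg.get("ldapType") != "Microsoft Active Directory":
        # The Active Directory sample uses the AD 'user' class; for other
        # registries the users must inherit from inetOrgPerson.
        classes = [(oc.text or "").strip() for oc in person.findall("objectClass")]
        if "inetOrgPerson" not in classes:
            findings.append("PersonAccount objectClass must be inetOrgPerson")

    mapped = [a.get("name") for a in reg.findall("attributeConfiguration/attribute")
              if a.get("entityType") == "PersonAccount"]
    if "displayName" not in mapped:
        findings.append("no displayName attribute mapping for PersonAccount")
    return findings


if __name__ == "__main__":
    for line in check_registry(SAMPLE_CONFIG) or ["no findings"]:
        print("-", line)
```

Run it against the real file by replacing SAMPLE_CONFIG with the contents of openLDAPFedrated.xml; the search-base check is the one that most often explains an empty user list after the import step.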

The following sample configuration files show the settings for each supported LDAP server type:

OpenLDAP

<server>

    <featureManager>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- bindPassword can hold a value produced by securityUtility encode instead of clear text -->
    <ldapRegistry id="customId" ldapType="Custom"
        host="rpa.ibm.com" port="389" ignoreCase="true"
        baseDN="dc=rpa,dc=ibm,dc=com"
        bindDN="cn=admin,dc=rpa,dc=ibm,dc=com"
        bindPassword="rpaadmin" >

        <loginProperty name="mail" />
        <loginProperty name="uid" />

        <groupProperties>
            <memberAttribute name="uniqueMember" objectClass="groupOfUniqueNames" scope="all" />
        </groupProperties>

        <ldapEntityType name="PersonAccount">
            <objectClass>inetOrgPerson</objectClass>
            <searchBase>ou=rpausers,dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>

        <ldapEntityType name="Group">
            <objectClass>organizationalGroup</objectClass>
            <searchBase>ou=rpagroups,dc=rpa,dc=ibm,dc=com</searchBase>
        </ldapEntityType>

        <attributeConfiguration>
            <!-- attribute name="userPassword" propertyName="password" entityType="PersonAccount" defaultValue="xyz123"/ -->
            <!-- attribute name="mail" propertyName="mail" syntax="String" entityType="PersonAccount" / -->
            <attribute name="displayName" propertyName="cn" syntax="String" entityType="PersonAccount" />
        </attributeConfiguration>

    </ldapRegistry>

</server>

Active Directory

<server>

    <featureManager>
        <feature>ldapRegistry-3.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <ldapRegistry id="customId" realm="SampleLdapADRealm"
        host="rpa.ibm.com" port="389" ignoreCase="true"
        baseDN="dc=rpa,dc=ibm,dc=com"
        bindDN="cn=Manager,dc=rpa,dc=ibm,dc=com"
        bindPassword="rpapassw0rd"
        ldapType="Microsoft Active Directory">

        <activedFilters
            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
            userIdMap="user:sAMAccountName"
            groupIdMap="*:cn"
            groupMemberIdMap="memberOf:member" >
        </activedFilters>

        <!-- groupProperties, ldapEntityType and attributeConfiguration are child elements of ldapRegistry -->
        <groupProperties>
            <memberAttribute name="uniqueMember" objectClass="groupOfUniqueNames" scope="all" />
        </groupProperties>

        <ldapEntityType name="PersonAccount">
            <objectClass>user</objectClass>
            <searchBase>DC=ibmrpa,DC=intra</searchBase>
        </ldapEntityType>

        <ldapEntityType name="Group">
            <objectClass>group</objectClass>
            <searchBase>DC=ibmrpa,DC=intra</searchBase>
        </ldapEntityType>

        <attributeConfiguration>
            <attribute name="displayName" propertyName="cn" syntax="String" entityType="PersonAccount" />
        </attributeConfiguration>

    </ldapRegistry>

</server>

What to do next

After the configuration, you are ready to import your LDAP users. For more information, see Managing LDAP users.