Configuring LDAP Servers

Configure LDAP authentication servers for your Fortify Software Security Center server to use from the Configuration section of the ADMINISTRATION view.

Important! Before you configure the properties on the LDAP page, you must prepare for LDAP authentication as described in LDAP User Authentication.

Note: Fortify recommends that you maintain a couple of local administrator accounts in case you encounter problems with your LDAP server at some point.

To configure one or more LDAP server connections for Fortify Software Security Center:

  1. On the Fortify header, click ADMINISTRATION.

  2. In the left panel, select Configuration, and then select LDAP Servers.
  3. On the Integration with LDAP servers page, click NEW.

    The CREATE NEW LDAP CONFIGURATION dialog box opens.

  4. Configure the attributes described in the following table.

    Field

    Description

    BASIC SERVER PROPERTIES

    Enable this LDAP Integration

    Select this check box to make this LDAP server available for Fortify Software Security Center to use.

    Server Name

    Important! If you configure multiple LDAP servers, you must make sure that you specify a unique server name for each.

    Type a unique name for this server.

    Server URL (ldap://<host>:<port>)

    Type the LDAP authentication server URL.

    If you use unsecured LDAP, enter the URL in the following format:

    ldap://<hostname>:<port>

    If you use secured LDAPS, enter the URL in the following format:

    ldaps://<hostname>:<port>

    LDAPS ensures that only encrypted user credentials are transmitted.

    Base DN

    Important! If you configure more than one LDAP server for Fortify Software Security Center, then you must set a unique Base DN for each of them.

    Type the Base Distinguished Name (DN) for LDAP directory structure searches.

    For example, the Base DN for companyName.com is dc=companyName,dc=com.

    All DN values are case-sensitive, must not contain extra spaces, and must exactly match LDAP server entries.

    If you specify no value, Fortify Software Security Center searches from the root of the LDAP object tree. With multiple LDAP servers, the Base DN must be unique for each; if the Base DN for one server is empty, it cannot be empty for any other LDAP server.

    Bind User DN

    Type the full distinguished name (DN) of the account Fortify Software Security Center uses to connect to the authentication server.

    The general format for an account specifier is: cn=<accountName>, ou=users,dc=<domainName>,dc=com

    where <accountName> represents the minimum-privilege, read-only authentication server account you created for exclusive use by Fortify Software Security Center.

    Caution! For security reasons, never use a real user account name in a production environment.

    If you use Active Directory, specify the domain name and username in the following format:

    <domain_name>\<username>

    Bind User Password

    Type the password for the Bind User DN account.

    Show Password

    Select this check box to show entered passwords.

    Relative Search DNs (1 per line)

    (Optional) Type the Relative Distinguished Name (RDN). An RDN defines the starting point from the Base DN for LDAP directory searches. Fortify recommends that you search from the base DN. However, if your LDAP directory is so large that searching for Fortify Software Security Center users takes too long, use an RDN to limit the number of LDAP entries searched. You can also use an RDN to hide some part of the LDAP tree from Fortify Software Security Center for security reasons.

    For example, to search recursively through all entries under a given path within the base DN for companyName.com, specify one of the following:

    cn=users

    or

    cn=users,ou=divisionName

    Ignore Partial Result Exception

    To avoid search failures when search results include more records than the LDAP server can return, leave this check box selected.

    Note that this flag can also mask an LDAP server misconfiguration. For example, if the LDAP server limits the number of query results to 500 but there are actually 600 results, then with this flag enabled Fortify Software Security Center silently returns only 500 records.

    Because most people use Microsoft Active Directory, the remaining LDAP attributes on the page are configured to work with the default Active Directory configuration. However, if your LDAP server is set up differently, you can change these attribute values.

    BASE SCHEMA

    Object class attribute

    Type the class of the object. For example, if this is set to objectClass, Fortify Software Security Center looks at the objectClass attribute to determine the entity type to search. The default value is objectClass.

    Organizational unit class

    Type the object class that defines an LDAP object as an organizational unit. The default value is container.

    User class

    Type the object class that identifies an LDAP object type as a user. The default value is organizationalPerson.

    Organizational unit name attribute

    Type the group attribute that specifies the organizational unit name. The default value is cn.

    Group class

    Type the object class that identifies an LDAP object type as a group. The default value is group.

    Distinguished name (DN) attribute

    Type the value that determines the attribute Fortify Software Security Center looks at to find the distinguished name of the entity. The default value is distinguishedName.

    USER LOOKUP SCHEMA

    User first name attribute

    Type the user object attribute that specifies a user’s first name.

    The default value is givenName.

    User lastname attribute

    Type the user object attribute that specifies a user’s last name.

    The default value is sn.

    Group name attribute

    Type the group attribute that specifies the group name.

    The default value is cn.

    User username attribute

    Type the user object attribute that specifies a username. The default value is sAMAccountName.

    User password attribute

    Type the user object attribute that specifies a user’s password. The default value is userPassword.

    Group member attribute

    Type the group attribute that defines the members of the group. The default value is member.

    User email attribute

    Type the user object attribute that specifies a user’s email address. The default value is mail.

    User memberOf attribute

    Type the name of an LDAP attribute that includes the LDAP group names for LDAP users.

    USER PHOTO

    User photo enabled

    Select this check box to enable the retrieval of user photos from the LDAP server.

    User thumbnail photo attribute

    Type the user object attribute that holds the user's thumbnail photo (the ThumbnailPhoto attribute for Active Directory).

    User thumbnail mime default attribute

    Thumbnail mime default attribute

    ADVANCED INTEGRATION PROPERTIES

    Cache LDAP User Data

    Note: Fortify recommends that you leave LDAP user caching enabled. With caching, changes made to user information directly in the LDAP server may take up to an hour to appear in Fortify Software Security Center, but such data are seldom changed directly in the LDAP server. Without the cache, a slow connection between Fortify Software Security Center and the LDAP server, or a large LDAP directory with slow searches, could degrade Fortify Software Security Center performance.

    Select this check box to enable LDAP user data caching in Fortify Software Security Center.

    You can refresh the LDAP cache manually from the ADMINISTRATION view in Fortify Software Security Center. For instructions, see Refreshing LDAP Entities Manually.

    Cache: Max threads per cache

    Type the maximum number of threads dedicated for each update process (user action). Each time a user clicks Update, a new update process starts.

    The default value is 4.

    Cache: Max object lifetime (ms, "-1" to turn off)

    If you want objects in the cache refreshed more frequently than the default refresh time (typically 1 hour), type the maximum amount of time (in milliseconds) that an object can be in the cache before it is refreshed with new information from the LDAP server.

    The default value is -1.

    Cache: Initial thread pool size

    Type the initial number of available cache update threads. This value is used to configure the thread pool for the task executor, which updates the LDAP cache in several threads simultaneously.

    The default value is 4.

    Cache: Max thread pool size

    Type the maximum number of threads that can be made available if the initial thread pool size is not adequate for the update process. The default value is 12.

    Enable paging in LDAP search queries

    Select this check box to enable paging in LDAP search queries.

    Note: Not all LDAP servers support paging. Check to make sure that your LDAP server supports this feature.

    Page size of LDAP search request results

    If your LDAP server limits the size of the search results by a certain number of objects and Enable paging in LDAP search queries is selected, type a value that is less than or equal to your LDAP server limit. The default value is 999.
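    The interaction between a server-side size limit, the Ignore Partial Result Exception flag and the paging settings described above, as an added example that is not Fortify code: FakeDirectory stands in for an LDAP server that enforces a size limit and supports the simple paged results control (RFC 2696), and fetch_all emulates a user search under the three settings. The 600 entries and the 500-entry limit are constructed to match the figures used on this page; the assumption that a page larger than the server limit is cut off the same way an unpaged search is, is this example's own.

```python
"""Server size limits, paging and the Ignore Partial Result Exception flag.

Added example, not Fortify code. FakeDirectory stands in for an LDAP server
with a server-side size limit and simple paged results support (RFC 2696).
"""


class SizeLimitExceeded(Exception):
    """Stand-in for the LDAP sizeLimitExceeded result; carries the partial result."""

    def __init__(self, partial):
        super().__init__(f"size limit exceeded after {len(partial)} entries")
        self.partial = partial


class FakeDirectory:
    def __init__(self, entries, size_limit):
        self.entries = list(entries)
        self.size_limit = size_limit

    def search(self, page_size=None, cookie=0):
        """Return (entries, next_cookie); next_cookie is None once the result set is complete.

        Without paging (or with a page larger than the limit, an assumption of
        this model) the server sends at most size_limit entries and then
        reports sizeLimitExceeded.
        """
        if page_size is None or page_size > self.size_limit:
            window = self.entries[cookie:]
            if len(window) > self.size_limit:
                raise SizeLimitExceeded(window[: self.size_limit])
            return window, None
        page = self.entries[cookie:cookie + page_size]
        end = cookie + page_size
        return page, end if end < len(self.entries) else None


def fetch_all(directory, paging=False, page_size=999, ignore_partial_result=True):
    """Emulate an SSC user/group search under the three page settings.

    Returns (entries, truncated). truncated is True when the server cut the
    result off and the Ignore Partial Result Exception flag let the search
    'succeed' with fewer records than exist.
    """
    results, cookie = [], 0
    try:
        while True:
            page, cookie = directory.search(page_size if paging else None, cookie)
            results.extend(page)
            if cookie is None:
                return results, False
    except SizeLimitExceeded as exc:
        if not ignore_partial_result:
            raise
        results.extend(exc.partial)
        return results, True


# Constructed directory: 600 users behind a server limit of 500 results.
DIRECTORY = FakeDirectory(
    [f"uid=user{i},ou=people,dc=example,dc=com" for i in range(600)], size_limit=500
)

if __name__ == "__main__":
    entries, truncated = fetch_all(DIRECTORY)  # defaults: no paging, flag on
    print(len(entries), truncated)             # silently incomplete
    entries, truncated = fetch_all(DIRECTORY, paging=True, page_size=250)
    print(len(entries), truncated)             # complete
```

    With the flag set and no paging the search returns 500 of 600 users and reports success; clearing the flag surfaces the error instead; enabling paging with a page size at or below the server limit retrieves all 600, while the default page size of 999 is above this server's limit and is cut off like an unpaged search.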

    LDAP referrals processing strategy

    Note: If referrals are not used on your LDAP server, see About the LDAP Server Referrals Feature.

    If you have only one LDAP server, Fortify recommends that you select ignore so that LDAP works faster. If you have a multi-domain LDAP configuration and you use LDAP referrals, select follow. The default value is ignore.

    LDAP Authenticator type

    From this list, select one of the following LDAP authentication types to use:

    • BIND_AUTHENTICATOR—Authentication directly to the LDAP server ("bind" authentication).
    • PASSWORD_COMPARISON_AUTHENTICATOR—The password the user supplies is compared to the one stored in the repository.

    For more information about LDAP authentication types, see http://docs.spring.io/spring-security/site/docs/3.1.x/reference/ldap.html.

    LDAP Password Encoder type

    Select a value from this list only if the LDAP authentication method is password comparison.

    You must select the encoder type that the LDAP server uses. Fortify Software Security Center compares encoded passwords. If, for example, the LDAP server uses LDAP_SHA_PASSWORD_ENCODER to encode passwords, but you select MD4_PASSWORD_ENCODER, password comparisons will fail.
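    Why the encoder type must match what the directory stores, as an added example that is not Fortify or Spring Security code: it implements the RFC 2307 {SHA} and {SSHA} userPassword forms and a comparison routine that, like a password-comparison authenticator configured with a single encoder, accepts only stored values in that encoder's scheme. The passwords and the fixed salt used in the checks are constructed for the demonstration; the scheme names are the RFC 2307 prefixes, not the SSC list entries.

```python
"""Password-comparison authentication and the LDAP Password Encoder setting.

Added example, not Fortify or Spring Security code. Implements the RFC 2307
{SHA} and {SSHA} userPassword forms and a scheme-checked comparison.
"""
import base64
import hashlib
import hmac
import os


def encode_sha(password):
    """{SHA}: base64 of the unsalted SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password, salt=None):
    """{SSHA}: base64 of SHA-1(password + salt) with the salt appended."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def password_matches(stored, candidate, configured_encoder):
    """Compare candidate against a stored userPassword value.

    configured_encoder is the scheme the authenticator was told the directory
    uses ("SHA" or "SSHA" here). A stored value in any other scheme is not a
    match, which is the failure mode the page describes when the selected
    Password Encoder type differs from what the LDAP server uses.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False  # no scheme prefix: not an encoded value this comparer handles
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme != configured_encoder.upper():
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    if scheme == "SHA":
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    return False


if __name__ == "__main__":
    stored = encode_ssha("correct horse battery")  # constructed sample password
    print(password_matches(stored, "correct horse battery", "SSHA"))  # True
    print(password_matches(stored, "correct horse battery", "SHA"))   # False: wrong encoder
```

    The last call fails even though the password is right, because the comparer was configured for the wrong scheme. With BIND_AUTHENTICATOR this setting does not apply: the LDAP server checks the password during the bind, so no encoder has to be matched on the Fortify side.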

    Enable Nested LDAP Groups

    Note: Use nested LDAP groups only if you absolutely must. Enabling nested LDAP groups forces Fortify Software Security Center to perform extra tree traversals during authentication. Fortify strongly recommends that you clear this check box if you do not plan to use nested groups.

    Select this check box to enable nested group support for LDAP in Fortify Software Security Center (wherein a given group member might itself be a group).
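    What the extra tree traversals for nested groups amount to, as an added example that is not Fortify code: a constructed directory snippet in which group membership forms a chain (and a cycle), a memberOf lookup over it, and a resolver that either stops at a user's direct groups or follows the chain upward. The lookup counter makes the cost of nested resolution visible, and the visited set is what keeps a membership cycle from looping forever. The group and user DNs are constructed.

```python
"""Flat versus nested group resolution. Added example, not Fortify code."""

# Constructed directory snippet: group DN -> DNs listed in its "member" attribute.
# sec-leads is a member of ssc-admins, appsec is a member of sec-leads, and
# ssc-admins is (by mistake) a member of appsec, which forms a cycle.
GROUP_MEMBERS = {
    "cn=ssc-admins,ou=groups,dc=example,dc=com": [
        "cn=sec-leads,ou=groups,dc=example,dc=com",
    ],
    "cn=sec-leads,ou=groups,dc=example,dc=com": [
        "cn=appsec,ou=groups,dc=example,dc=com",
        "cn=alice,ou=users,dc=example,dc=com",
    ],
    "cn=appsec,ou=groups,dc=example,dc=com": [
        "cn=bob,ou=users,dc=example,dc=com",
        "cn=ssc-admins,ou=groups,dc=example,dc=com",
    ],
    "cn=developers,ou=groups,dc=example,dc=com": [
        "cn=bob,ou=users,dc=example,dc=com",
    ],
}

BOB = "cn=bob,ou=users,dc=example,dc=com"
ALICE = "cn=alice,ou=users,dc=example,dc=com"


def member_of(dn):
    """Groups that list dn directly: what the memberOf attribute of dn would hold."""
    return sorted(group for group, members in GROUP_MEMBERS.items() if dn in members)


def resolve_groups(user_dn, nested):
    """Return (set of group DNs the user belongs to, number of memberOf lookups).

    nested=False stops at the user's direct groups (one lookup). nested=True
    follows each group's own memberOf upward; the visited set both prevents
    repeated work and terminates the walk when memberships form a cycle.
    """
    lookups = 1
    direct = member_of(user_dn)
    groups = set(direct)
    if not nested:
        return groups, lookups
    todo = list(direct)
    while todo:
        group = todo.pop()
        lookups += 1
        for parent in member_of(group):
            if parent not in groups:
                groups.add(parent)
                todo.append(parent)
    return groups, lookups


if __name__ == "__main__":
    for user in (BOB, ALICE):
        for nested in (False, True):
            groups, lookups = resolve_groups(user, nested)
            print(user.split(",")[0], "nested" if nested else "flat", len(groups), "groups,", lookups, "lookups")
```

    For bob the flat lookup costs one query and yields two groups; the nested walk costs five queries and yields four, including ssc-admins inherited through two levels. Every authentication pays that multiplied cost when the check box is selected, which is why the page says to clear it unless nested groups are actually in use.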

    Interval between LDAP server validation attempts (ms)

    Type the number of milliseconds to wait after an LDAP server validation attempt before the next validation attempt.

    The default value is 5000.

    Time to wait LDAP validation (ms)

    Type the length of time (in milliseconds) that Fortify Software Security Center is to wait for a response after sending a request to the LDAP server to update the cache. If a response is not received at the end of the designated time, the update is not performed. The request is sent again at the frequency determined by the value set for the Interval between LDAP server validation attempts field.

    The default value is 5000.

    Base SID of Active Directory objects

    Specify the base security identifier (SID) of LDAP directory objects.

    Object SID (objectSid) attribute

    Type the name of the attribute that contains the LDAP entity's objectSid (Object Security Identifier).

    This attribute is used to search for users based on their object security IDs. It is required if you use Active Directory and more than one LDAP server.

    SSL Trust Check

    Select this check box to verify that the certificate presented by the LDAP server was issued by a trusted authority.

    Hostname Validation

    Select this check box to ensure that the LDAP server hostname matches the hostname the certificate was issued for.

  5. To check the validity of the configuration, click VALIDATE CONNECTION.

  6. To check the validity of and save the configuration, click SAVE.
  7. To configure another LDAP server, repeat steps 3 through 6.

    Important! If you configure multiple LDAP servers, you must make sure that you specify a unique server name and a unique BASE DN for each.

    Although Fortify supports the use of multiple LDAP servers, it does not support the use of multiple LDAP servers behind a load balancer.
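    A pre-flight check over a set of LDAP server configurations, as an added example that is not Fortify code: it encodes the rules stated for the Server URL, Base DN, Relative Search DNs, SSL Trust Check and Hostname Validation fields and the uniqueness requirement restated in step 7 (unique Server Name and Base DN per server, an empty Base DN allowed for at most one server, ldap:// or ldaps:// scheme, DN values without stray whitespace, and the full search base formed by prefixing a Relative Search DN to the Base DN). The dictionary keys are this example's own names for the page's fields, the default ports are the standard LDAP ports, and the two sample configurations are constructed; treating a cleartext ldap:// URL and disabled certificate checks as warnings is the example's own policy.

```python
"""Pre-flight checks for a set of Fortify SSC LDAP server configurations.

Added example, not Fortify code. The dict keys are this example's names for
the fields on the LDAP Servers page.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # assumption: standard LDAP/LDAPS ports


def parse_server_url(url):
    """Return (scheme, host, port) for a Server URL, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme {parts.scheme!r} is not ldap or ldaps")
    if not parts.hostname:
        raise ValueError("no hostname")
    port = parts.port  # raises ValueError if the port is not numeric
    return parts.scheme, parts.hostname, DEFAULT_PORTS[parts.scheme] if port is None else port


def search_bases(base_dn, relative_dns):
    """Full search bases: each Relative Search DN prefixed to the Base DN."""
    base_dn = base_dn.strip()
    rdns = [r.strip() for r in relative_dns if r.strip()]
    if not rdns:
        return [base_dn]
    return [f"{r},{base_dn}" if base_dn else r for r in rdns]


def validate_configs(configs):
    """Return a list of (level, message) findings; an empty list means the set passes."""
    findings = []
    names, bases = set(), {}
    for cfg in configs:
        name = cfg["server_name"]
        tag = f"server {name!r}"

        if name in names:
            findings.append(("ERROR", f"{tag}: Server Name is not unique"))
        names.add(name)

        # DN values must match directory entries exactly, so stray whitespace is an error.
        for field in ("base_dn", "bind_user_dn"):
            value = cfg.get(field, "")
            if value != value.strip():
                findings.append(("ERROR", f"{tag}: {field} has leading or trailing whitespace"))

        base = cfg.get("base_dn", "").strip()
        if base in bases:
            what = "empty Base DN" if base == "" else f"Base DN {base!r}"
            findings.append(("ERROR", f"{tag}: {what} is already used by {bases[base]!r}"))
        else:
            bases[base] = name

        try:
            scheme, _host, _port = parse_server_url(cfg["server_url"])
        except ValueError as exc:
            findings.append(("ERROR", f"{tag}: bad Server URL ({exc})"))
            continue
        if scheme == "ldap":
            findings.append(("WARN", f"{tag}: ldap:// sends bind credentials unencrypted; use ldaps://"))
        else:
            if not cfg.get("ssl_trust_check"):
                findings.append(("WARN", f"{tag}: SSL Trust Check is off; the server certificate is not verified"))
            if not cfg.get("hostname_validation"):
                findings.append(("WARN", f"{tag}: Hostname Validation is off; a certificate for another host is accepted"))
    return findings


# Constructed sample: a sound LDAPS configuration and a second one that
# duplicates its name and Base DN, uses cleartext LDAP and has a padded bind DN.
SAMPLE_CONFIGS = [
    {
        "server_name": "corp-ad",
        "server_url": "ldaps://ldap.example.com:636",
        "base_dn": "dc=example,dc=com",
        "bind_user_dn": "cn=svc-ssc,ou=users,dc=example,dc=com",
        "relative_search_dns": ["cn=users", "cn=users,ou=divisionName"],
        "ssl_trust_check": True,
        "hostname_validation": True,
    },
    {
        "server_name": "corp-ad",
        "server_url": "ldap://ldap2.example.com:389",
        "base_dn": "dc=example,dc=com",
        "bind_user_dn": " cn=svc-ssc,ou=users,dc=example,dc=com",
        "relative_search_dns": [],
        "ssl_trust_check": False,
        "hostname_validation": False,
    },
]

if __name__ == "__main__":
    for level, message in validate_configs(SAMPLE_CONFIGS):
        print(level, message)
    print(search_bases(SAMPLE_CONFIGS[0]["base_dn"], SAMPLE_CONFIGS[0]["relative_search_dns"]))
```

    Run against the sample, the first configuration passes and the second produces three errors (duplicate name, duplicate Base DN, padded bind DN) and one warning for the cleartext URL; the search bases printed for the first configuration are the two Relative Search DNs joined onto the Base DN, which is the path the server is actually asked to search.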

See Also

Importing an LDAP Server Configuration

LDAP User Authentication

Registering LDAP Entities

About Managing LDAP User Roles

Editing an LDAP Server Configuration

Deleting an LDAP Server Configuration