Configuring LDAP servers

The following procedure describes how to configure an LDAP authentication server for use with Application Security.

Before you configure the properties on the LDAP page, you must prepare for LDAP authentication as described in LDAP user authentication. That section includes requirements and recommendations for configuring multiple LDAP servers.

OpenText recommends that you maintain a couple of local administrator accounts in case you encounter problems with your LDAP server at some point.

To configure an LDAP server connection for Application Security:

  1. On the header, select Administration.

  2. On the navigation pane, expand Configuration, and then select LDAP Servers.
  3. On the LDAP servers page, click NEW.

  4. In the CREATE NEW LDAP CONFIGURATION dialog box, configure the settings described in the following table.

    Field

    Description

    BASIC SERVER PROPERTIES

    Enable this LDAP configuration

    Select this check box to make this LDAP server available for Application Security to use.

    Server name

    Type a unique name for this server.

    If you configure multiple LDAP servers, ensure that you specify a unique server name for each.

    Server URL

    Type the LDAP authentication server URL.

    If you use unsecured LDAP, type the URL in the following format:

    ldap://<hostname>:<port>

    If you specify an ldap:// protocol, and either the SSL trust check or the Hostname validation check box is selected, StartTLS is used to connect to the LDAP server. Otherwise, an unencrypted connection is used.

    If you use secured LDAPS, type the URL in the following format:

    ldaps://<hostname>:<port>

    LDAPS ensures that user credentials are transmitted only over an encrypted connection.

    Base DN

    Type the base distinguished name (DN) for LDAP directory structure searches.

    If you configure more than one LDAP server for Application Security, then you must set a unique base DN for each of them.

    For example, the base DN for companyName.com is dc=companyName,dc=com.

    All DN values are case-sensitive, must not contain extra spaces, and must exactly match LDAP server entries.

    If you specify no value, Application Security searches from the root of the LDAP object tree. With multiple LDAP servers, the base DN must be unique for each. If the base DN for one server is empty, it cannot be empty for another LDAP server.

    Bind user DN

    Type the full distinguished name (DN) of the account Application Security uses to connect to the authentication server. Use a dedicated LDAP service account for the bind account. Do not use this account as a standard user account to log in to Application Security.

    This account must be a minimum-privilege, read-only authentication server account that you created for exclusive use by Application Security.

    For security reasons, never use a real user account name in a production environment.

    If you use Active Directory, specify the domain name and username in the following format:

    <domain_name>\<username>

    Bind user password

    Type the password for the bind user DN account.

    Show password

    Select this check box to show entered passwords.

    Relative search DNs (1 per line)

    (Optional) Type the relative distinguished name (RDN). An RDN defines the starting point from the base DN for LDAP directory searches. OpenText recommends that you search from the base DN. However, if your LDAP directory is so large that searching for Application Security users takes too long, use an RDN to limit the number of LDAP entries searched. You can also use an RDN to hide some part of the LDAP tree from Application Security for security reasons.

    For example, to search the users subtree under the base DN for companyName.com, and recursively all entries beneath it, specify one of the following:

    cn=users

    or

    cn=users,ou=divisionName

    Ignore partial result exception

    To avoid search failures when search results include more records than the LDAP server can return, leave this check box selected.

    Note that this setting can also mask an LDAP server misconfiguration. For example, if the LDAP server limits the number of query results to 500, but there are 600 actual results, with this setting enabled, Application Security silently returns only 500 records.

    LDAP server type

    From this list, select the type of LDAP server you are connecting to Application Security (either ACTIVE_DIRECTORY or OTHER).

    SECURITY

    SSL trust check

    If the domain controller is enabled for SSL, leave this check box selected to verify that the certificate presented by the LDAP server was issued by a trusted authority. If the domain controller is not configured for SSL, clear this check box.

    Hostname validation

    If the domain controller is enabled for SSL, leave this check box selected to ensure that the LDAP server hostname matches the hostname for which the certificate was issued. If the domain controller is not configured for SSL, clear this check box.

    Enable user status mapping

    (Microsoft Active Directory only) Select this check box to enable Application Security to retrieve status information for users on this LDAP server. The information enhances authentication checks during token-based and SSO-based authentication schemes.

    BASE SCHEMA

    Object class attribute

    Type the name of the attribute that holds an entry's object class. For example, if this is set to objectClass, Application Security looks at the objectClass attribute to determine the entity type to search. The default value is objectClass.

    Organizational unit class

    Type the object class that defines an LDAP object as an organizational unit. The default value is container.

    User class

    Type the object class that identifies an LDAP object type as a user. The default value is organizationalPerson.

    Organizational unit name attribute

    Type the group attribute that specifies the organizational unit name. The default value is cn.

    Group class

    Type the object class that identifies an LDAP object type as a group. The default value is group.

    Distinguished name (DN) attribute

    Type the name of the attribute Application Security reads to find the distinguished name of an entity. The default value is distinguishedName.

    USER LOOKUP SCHEMA

    User firstname attribute

    Type the user object attribute that specifies a user’s first name. The default value is givenName.

    User lastname attribute

    Type the user object attribute that specifies a user’s last name. The default value is sn.

    Group name attribute

    Type the group attribute that specifies the group name. The default value is cn.

    User username attribute

    Type the user object attribute that specifies a username. The default value is sAMAccountName.

    User password attribute

    Type the user object attribute that specifies a user’s password. The default value is userPassword.

    Group member attribute

    Type the group attribute that defines the members of the group. The default value is member.

    User email attribute

    Type the user object attribute that specifies a user’s email address. The default value is mail.

    User memberOf attribute

    Type the name of an LDAP attribute that includes the LDAP group names for LDAP users.

    USER PHOTO

    User photo enabled

    Select this check box to enable the retrieval of user photos from the LDAP server.

    User thumbnail photo attribute

    Type the user object attribute that holds the user's thumbnail photo (the thumbnailPhoto attribute for Active Directory).

    User thumbnail MIME default attribute

    Type the attribute that supplies the default MIME type for thumbnail photos.

    ADVANCED INTEGRATION PROPERTIES

    Cache LDAP user data

    Select this check box to enable LDAP user data caching in Application Security.

    You can refresh the LDAP cache manually from the Administration view in Application Security. For instructions, see Refreshing LDAP entities manually.

    OpenText recommends that you leave LDAP user caching enabled. Application Security periodically updates the LDAP cache automatically.

    Cache: Max threads per cache

    Type the maximum number of threads dedicated to each update process (user action). Each time a user clicks Update, a new update process starts. The default value is 4.

    Cache: Initial thread pool size

    Type the initial number of available cache update threads. This value configures the thread pool for the task executor, which updates the LDAP cache in several threads simultaneously. The default value is 4.

    Cache: Max thread pool size

    Type the maximum number of threads that can be made available if the initial thread pool size is not adequate for the update process. The default value is 12.

    Enable paging in LDAP search queries

    Select this check box to enable paging in LDAP search queries.

    Not all LDAP servers support paging. Ensure that your LDAP server supports this feature.

    Page size of LDAP search request results

    If your LDAP server limits the size of the search results by a certain number of objects and Enable paging in LDAP search queries is selected, type a value that is less than or equal to your LDAP server limit. The default value is 999.

    LDAP referrals processing strategy

    If you have only one LDAP server, OpenText recommends that you select ignore so that LDAP works faster. If you have a multi-domain LDAP configuration and you use LDAP referrals, select follow. The default value is ignore.

    If referrals are not used on your LDAP server, see About the LDAP server referrals feature.

    LDAP authenticator type

    From this list, select one of the following LDAP authentication types to use:

    • BIND_AUTHENTICATOR — Authentication directly to the LDAP server ("bind" authentication).
    • PASSWORD_COMPARISON_AUTHENTICATOR — The password the user supplies is compared to the one stored in the repository.

    For more information about LDAP authentication types, go to https://spring.io/projects/spring-security.

    LDAP password encoder type

    Select a value from this list only if the LDAP authentication method is password comparison.

    You must select the encoder type that the LDAP server uses. Application Security compares encoded passwords. If, for example, the LDAP server uses LDAP_SHA_PASSWORD_ENCODER to encode passwords, but you select MD4_PASSWORD_ENCODER, password comparisons will fail.

    Enable nested LDAP groups

    Select this check box to enable nested group support for LDAP in Application Security (wherein a given group member might itself be a group).

    Use nested LDAP groups only if absolutely required. Enabling nested LDAP groups forces Application Security to perform extra tree traversals during authentication. OpenText strongly recommends that you clear this check box if you do not plan to use nested groups.

    Interval between LDAP server validation attempts (ms)

    Type the number of milliseconds the LDAP server waits after a validation attempt before next attempting a validation. The default value is 5000.

    Time to wait LDAP validation (ms)

    Type the length of time (in milliseconds) that Application Security waits for a response after sending a request to the LDAP server to update the cache. If a response is not received at the end of the designated time, the update is not performed. The request is sent again at the frequency determined by the value set for the Interval between LDAP server validation attempts field. The default value is 5000.

    Base SID of Active Directory objects

    (Microsoft Active Directory only) Specify the base security identifier (SID) of LDAP directory objects.

    Object SID (objectSid) attribute

    (Microsoft Active Directory only) Type the name of the attribute that contains the LDAP entity's objectSid (Object Security Identifier).

    This attribute is used to search for users based on their object security IDs. It is required if you use Active Directory and more than one LDAP server.

  5. To check the validity of the configuration, click VALIDATE CONNECTION.

  6. To check the validity of and save the configuration, click SAVE.
  7. To configure another LDAP server, repeat steps 3 through 6.

    If you configure multiple LDAP servers, ensure that you specify a unique server name and a unique Base DN for each.

    Although OpenText supports the use of multiple LDAP servers, it does not support the use of multiple LDAP servers behind a load balancer, unless those servers are identical.
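The following checker applies the rules this procedure states (unique server names and base DNs, the empty-base-DN restriction, the StartTLS/LDAPS transport rule for the Server URL, and how relative search DNs extend the base DN) to a set of server entries. It is an added example in Python, not code from Application Security; the server names and hostnames it uses are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class LdapServer:
    """One entry from the LDAP Servers page (hostnames used here are constructed)."""
    name: str
    url: str
    base_dn: str = ""
    ssl_trust_check: bool = True
    hostname_validation: bool = True
    relative_search_dns: list = field(default_factory=list)


def transport_mode(s: LdapServer) -> str:
    """Effective wire protection, following the Server URL rules in the table."""
    scheme = urlsplit(s.url).scheme.lower()
    if scheme == "ldaps":
        return "ldaps"
    if scheme == "ldap":
        # ldap:// is upgraded to StartTLS only when a certificate check is enabled
        return "starttls" if (s.ssl_trust_check or s.hostname_validation) else "plaintext"
    raise ValueError(f"{s.name}: unsupported URL scheme {scheme!r}")


def search_bases(s: LdapServer) -> list:
    """Full search bases: each relative search DN is prefixed onto the base DN."""
    if not s.relative_search_dns:
        return [s.base_dn]
    return [f"{rdn},{s.base_dn}" if s.base_dn else rdn for rdn in s.relative_search_dns]


def validate(servers: list) -> list:
    """Return the problems found; an empty list means the set of servers is consistent."""
    problems, names, base_dns = [], set(), set()
    for s in servers:
        if s.name in names:
            problems.append(f"duplicate server name {s.name!r}")
        names.add(s.name)
        if s.base_dn != s.base_dn.strip() or ", " in s.base_dn:
            problems.append(f"{s.name}: base DN contains extra spaces")
        # exact (case-sensitive) comparison; an empty base DN may appear only once
        if len(servers) > 1 and s.base_dn in base_dns:
            problems.append(f"{s.name}: base DN {s.base_dn!r} is not unique")
        base_dns.add(s.base_dn)
        try:
            if transport_mode(s) == "plaintext":
                problems.append(f"{s.name}: bind credentials would be sent unencrypted")
        except ValueError as err:
            problems.append(str(err))
    return problems
```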
