Adding and Removing Directories
You can add an Active Directory or one that exposes generic LDAP. The procedure is the same. To work with Directories, from the main toolbar, expand the Management drop down list, and then select Directories to open the Directory Explorer.
Add a directory
The Add Directory wizard, consisting of three pages, walks you the steps necessary to connect successfully to a directory. After you complete the first page, Connection Configuration, you can skip the other pages if you do not need to modify the schema and domain configuration pages.
- In the Directory Explorer perspective toolbar, click . The Add Directory Wizard Connection Configuration Page displays.
- From the Directory Type drop down list, select which directory type you want to connect to.
- Provide the necessary information to connect to the directory:
- Name: The name of the directory you are connecting to
- Address: The directory address (for example, microfocus.com)
- Port: The port number to use for LDAP authentication requests. By default, this is set to port 389. If you are connecting using SSL, the default secure port is 636. You must enter the port that your network is using.
- Base DN: The distinguished name (DN) of the node in the directory where you want the connection rooted. All children nodes of this node are included when searching for user and groups to add to authorization profiles. A typical base DN might look like: DC=attachmate,DC=com. DC is an abbreviation for domain components.
- User name The name of the user to use when making connections to this directory
- Password: The password to use for the user named above
Select Secure Connection to connect to the directory service using SSL. If you are not using SSL, skip to step 5.
- Click Add Certificate to browse for the certificate associated with the directory. Obtain this certificate from the directory administrator.
A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key. Like a driver's license, a passport, or other commonly used personal IDs, a certificate provides generally recognized proof of a person's identity. Public-key cryptography uses certificates to address the problem of impersonation.
- Click Certificate Info to see basic certificate information for the certificate that you added for this directory. This option is enabled when a certificate is added.
- Click Test Connection to verify the connection is successful. If, for some reason, the connection is not successful, it is easier to make the necessary changes before you click OK.
- Click Next to enter schema and domain information, or accept the default values on those panels and click Finish.
You need to supply the schema information that will be used to look up entries on the new directory. If you are using Active Directory, the default values are in place and most likely will not have to be modified. If you are connecting to a generic LDAP directory, you may need to edit the schema values.
- User attribute: Specifies the name of the attribute that is used to determine if a directory entry represents a user. See the documentation for your LDAP server if you are unsure what to enter here.
- User value: Specifies the value that the user attribute must have in order for a directory entry to be considered a user.
- Group attribute: Specifies the name of the attribute that will be used to determine if a directory entry represents a group.
- Group value: Specifies the value that the group attribute must have in order for a directory entry to be considered a group.
- Member attribute: Specifies the name of the attribute indicating which users are members of a group.
- MemberOf attribute: Specifies the name of the attribute indicating what groups a user is a member of.
- Entry Name attribute: Specifies the name of the attribute which indicates an entry's name. For example, a user might use the login bobsm, but the entry name will read Bob Smith. The entry name is displayed in the user search dialog box, but the user login is added to authorization profiles.
- Login attribute: Specifies the attribute that indicates a user's login.
You can enter a list of values in both the User and Group Value properties fields. You must separate each value by a comma. Additionally, a value can be preceded by the ‘!’ character to indicate that the attribute cannot have this value. For example: if the value is "user,!computer" then the attribute must have the value user and cannot have the value computer.
You can optimize the directory performance by limiting the range of the search.
Remove User Domain: Ignore whatever domain information is provided by the user.
For example, if a user supplies
micro focus\bobsmthe domain
micro focuswill be removed and only the string bobsm will be sent to the directory for authentication. This property can be used to allow users to enter what they are used to entering while supplying the directory with what it expects for authentication.
Default Authentication Domain: Add the name of the domain to be used when authenticating users.
For example, if during authentication a directory is looking for the domain\user_name and the domain is constant, then you can simplify the process for your users by requiring them to enter only their user name. If you set domain1 as the default authentication domain, then domain1 will be added to the user name; domain1\user_name. If you specify a Default Authentication Domain and the Remove User Domain is enabled, then any domain that the user specifies is replaced by the default.
Domain Mappings: If you have multiple directories you can map a domain to a specific directory. This increases directory performance by only trying to authenticate against a directory which matches the domain supplied by a user and not trying all directories in the processing order.
Remove a directory
To remove a directory, select the directory from the Directory Explorer and click on the Directory Explorer toolbar.