Authenticating users with LDAP

Use the User authentication settings page to manage user authentication.

You must have the URL of the external LDAP server that you intend to use to authenticate users. This task requires that you are an HCL™ Accelerate administrator.

An LDAP realm identifies users and groups and defines the rules for how users and groups are searched for. When unknown users attempt to log on, an external LDAP server authenticates them by using the realm parameters that you configure. To configure an LDAP authentication realm, you identify the URL of the LDAP server and define valid searches.

To create an LDAP realm, complete the following steps:

  1. From the HCL Accelerate dashboard page, click Settings > User authentication.

  2. Click Configure LDAP.

  3. On the LDAP page, in the Name field, enter a name for the realm configuration.

    The value is an arbitrary label that does not affect the other settings.

  4. In the LDAP URL field, enter the URL of the LDAP server that you use for authentication.

    Separate multiple servers by commas.

    For example, ldap://ldap_server.my_domain.com:389,ldap://ldap_server.my_domain2.com:389.

  5. Specify whether anonymous searches are allowed by completing one of the following options:

    • If the LDAP server allows anonymous searches, select Search Anonymously.
    • For authenticated searches, clear the Search Anonymously check box, and then enter the Bind DN and Bind credentials. HCL Accelerate uses these credentials when it connects to the LDAP server to search for users. For example, cn=velocity,ou=applications,dc=mydomain,dc=com.

    In the Scope when searching LDAP users area, specify a search scope by selecting one of the following options. The scope is relative to the Search base that you enter in the next step. It is a good practice to make the scope as narrow as possible.

    • Subtree. Select this option when user entries are direct children of the Search base.
    • One level. Select this option if all user entries are direct grandchildren of the Search base.
    • Base. Select this option if user entries are two or more levels below the Search base.
  6. In the Search base field, enter the user search base.

    The starting directory for the search, such as ou=employees,dc=mydomain,dc=com.

  7. In the Search filter field, enter the search filter.

    The LDAP filter expression that is used when searching for user entries. The user name replaces the {username} variable in the search pattern, for example, uid={username}.

    If the value is not part of the DN pattern, enclose the value in parentheses, for example, (mail={username}). For more information, see the help for your LDAP server and look for information about creating user search filters.

  8. In the Bind property field, enter the name of the LDAP attribute that contains the Bind DN specified earlier.

    The default value is dn.

  9. In the Name attribute field, enter the name of the LDAP attribute that holds the user's name.

    This is the name of the LDAP attribute that contains the user's full name. Examples are cn and displayName.

  10. In the Email attribute field, enter the name of the LDAP attribute that holds the user's email address.

    This is the name of the LDAP attribute that contains the user's email address. For example, mail.

  11. In the Group search base field, enter the directory that is used for group searches.

    For example, ou=employees,dc=mydomain,dc=com.

  12. In the Group name attribute field, enter the name of the attribute that contains the group name in the directory entries that are returned by the group search. For example, cn.

    If this attribute is not specified, no group search runs.

  13. Select or clear the Search group subtree check box to specify whether subdirectories are included in the group search.

  14. In the Role definition area, specify a role by completing one of the following options:

    1. Select Role in LDAP reference their members if you want to find group membership by searching roles, and then define the Group search filter.

      For example, (&(uniqueMember={dn})(cn=BSO*)).

      In the search pattern, the user name replaces the {username} variable and the user's full distinguished name replaces the {dn} variable.

    2. Select User roles are defined as an attribute on that user if you want to find group membership by using this attribute, and then define the Group DN Attribute and User Group Attribute fields.

      The Group DN Attribute is the name of the LDAP attribute on group entries, whose value is the group's distinguished name. For example, dn. The User Group Attribute is the name of the LDAP attribute on user entries, whose value is the distinguished name of a group of which the user is a member. For example, memberOf.

  15. Click Save.

The first time an unknown user attempts to log on, the LDAP authentication realms are searched to identify the user. If the user is found, a corresponding user ID is created in HCL Accelerate. In addition, any LDAP group that the user belongs to is imported as well.

When new users log on to the server with their LDAP credentials, they are listed on the Users page. In most cases, do not manage user passwords or remove users from the list: if you remove an active user, that user can still log on to the server for as long as their LDAP credentials are valid.
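As an added example that is not part of the HCL Accelerate documentation or product code, the following Python script models the lookups a realm performs once the fields above are filled in: it substitutes {username} and {dn} into the search filters with RFC 4515 escaping so that a user-supplied name cannot rewrite the filter, applies the search base and scope (using the standard LDAP scope semantics: base is the search base entry itself, one level is its direct children, subtree is everything beneath it), and resolves groups with both role-definition modes. The in-memory directory, the realm values, the `find_user` and `groups_by_*` helpers, and the small filter parser are all constructed for this example; a real deployment sends these searches to the LDAP server at the configured URL instead.

```python
"""Offline model of the user and group lookups an LDAP realm performs; a small
in-memory dictionary (constructed sample data) stands in for the LDAP server."""
import re

# RFC 4515 escaping: a value substituted into a filter must not be able to
# change the filter's structure (for example a user name of "*" or "x)(uid=y").
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(pattern, username, dn=None):
    """Fill in {username} (and {dn}) with escaped values; wrapping a bare
    'attr=value' pattern in parentheses is an assumption of this example."""
    rendered = pattern.replace("{username}", escape_filter_value(username))
    if dn is not None:
        rendered = rendered.replace("{dn}", escape_filter_value(dn))
    return rendered if rendered.startswith("(") else "(" + rendered + ")"

def _parse(filt, pos):
    """Parse the component at filt[pos] == '('; return (node, index after its
    closing ')'). Supports '&' sets and equality with '*' wildcards."""
    pos += 1
    if filt[pos] == "&":
        pos, kids = pos + 1, []
        while filt[pos] == "(":
            kid, pos = _parse(filt, pos)
            kids.append(kid)
        return ("&", kids), pos + 1
    end = filt.index(")", pos)
    attr, _, value = filt[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def _matches(node, attrs):
    if node[0] == "&":
        return all(_matches(k, attrs) for k in node[1])
    _, attr, value = node
    # '*' is a wildcard; \xx escapes are literal characters, so an escaped "*"
    # produced by escape_filter_value matches only a literal asterisk.
    pieces = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                               lambda m: chr(int(m.group(1), 16)), p))
              for p in value.split("*")]
    rx = re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)
    return any(rx.match(v) for v in attrs.get(attr, []))

def _levels_below(base, dn):
    """Number of RDNs by which dn sits below base, or None if outside base."""
    b = [p.strip().lower() for p in base.split(",")]
    d = [p.strip().lower() for p in dn.split(",")]
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)

# Standard LDAP scope semantics: base = the base entry itself,
# onelevel = its direct children, subtree = everything beneath it.
_SCOPES = {"base": lambda n: n == 0, "onelevel": lambda n: n == 1,
           "subtree": lambda n: True}

def search(directory, base, scope, filt):
    node, _ = _parse(filt, 0)
    return [dn for dn, attrs in directory.items()
            if (lvl := _levels_below(base, dn)) is not None
            and _SCOPES[scope](lvl) and _matches(node, dict(attrs, dn=[dn]))]

ALICE = "uid=alice,ou=employees,dc=mydomain,dc=com"
BOB = "uid=bob,ou=contractors,ou=employees,dc=mydomain,dc=com"
DIRECTORY = {  # constructed sample entries; attribute names are lower-cased
    ALICE: {"uid": ["alice"], "cn": ["Alice Adams"], "mail": ["alice@mydomain.com"],
            "memberof": ["cn=BSO-admins,ou=groups,dc=mydomain,dc=com"]},
    BOB: {"uid": ["bob"], "cn": ["Bob Brown"], "mail": ["bob@mydomain.com"]},
    "cn=BSO-admins,ou=groups,dc=mydomain,dc=com": {"cn": ["BSO-admins"], "uniquemember": [ALICE]},
    "cn=developers,ou=groups,dc=mydomain,dc=com": {"cn": ["developers"], "uniquemember": [ALICE, BOB]},
}
REALM = {  # values as they would be typed into the form fields described above
    "search_base": "ou=employees,dc=mydomain,dc=com", "scope": "subtree",
    "search_filter": "uid={username}", "name_attribute": "cn", "email_attribute": "mail",
    "group_search_base": "ou=groups,dc=mydomain,dc=com", "group_name_attribute": "cn",
    "group_search_filter": "(&(uniqueMember={dn})(cn=BSO*))", "user_group_attribute": "memberOf",
}

def find_user(directory, realm, username):
    """Locate exactly one user entry under the search base and read the name and
    email attributes; None if the user is missing or the filter is ambiguous."""
    filt = render_filter(realm["search_filter"], username)
    hits = search(directory, realm["search_base"], realm["scope"], filt)
    if len(hits) != 1:
        return None
    attrs = directory[hits[0]]
    return {"dn": hits[0], "name": attrs[realm["name_attribute"]][0],
            "email": attrs[realm["email_attribute"]][0]}

def groups_by_role_search(directory, realm, username, user_dn):
    """Role definition option 1: groups whose entries reference the user."""
    filt = render_filter(realm["group_search_filter"], username, dn=user_dn)
    hits = search(directory, realm["group_search_base"], "subtree", filt)
    return sorted(directory[g][realm["group_name_attribute"].lower()][0] for g in hits)

def groups_by_user_attribute(directory, realm, user_dn):
    """Role definition option 2: group DNs listed on the user's own entry."""
    return sorted(directory[user_dn].get(realm["user_group_attribute"].lower(), []))
```

Calling `find_user(DIRECTORY, REALM, "alice")` returns Alice's entry and `groups_by_role_search` then yields only BSO-admins, because the group filter requires both a uniqueMember reference and a cn starting with BSO. With the realm scope changed to onelevel, Bob (two levels below the search base) is no longer found, which is why the scope and search base must match where user entries actually sit. A user name such as `*` is escaped to `\2a` and matches nothing, whereas unescaped substitution would match every entry and make the login ambiguous; `find_user` also refuses any search that returns more than one entry.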
