Configuring GridServer for LDAP Authentication or Authorization
After Manager installation, when the GridServer Administration Tool is accessed for the first time, you are prompted to create a root user account. This root user account is usable regardless of whether LDAP or the internal database is used for authentication.
To configure LDAP for authentication or authorization, first complete the task below to configure the connection, and then complete the tasks for configuring authentication, authorization, or both.
Configure the Connection
Procedure

1. Log in to the GridServer Administration Tool using the root user account on a Manager containing the primary Director.
2. Go to Admin > User Admin > Authentication.
3. Select LDAP from the Authentication Mode list.
4. In the Provider URL(s) box, enter a pipe-delimited list of URLs of your LDAP servers. The first URL is the primary server and the rest are failover servers. For example, ldap://host1:389|ldaps://host2:636.
5. If your server does not allow anonymous search, enter values in the Connection DN and Connection Password boxes. Example values are cn=admin,dc=company,dc=com and mysecret (stored in encrypted form).
6. Optionally, use the JNDI Environment Variables box to enter a comma-delimited list of name=value environment variables to use when connecting to your LDAP server. For example, com.sun.jndi.ldap.connect.timeout=500. A list of environment variables can be found in Oracle's JNDI LDAP documentation.
7. Optionally, use Resolve IP Address to control whether the host's IP address is resolved. It is false by default; when set to true, a failure to connect to the host is logged with the host's IP address instead of its hostname. This is useful for diagnosing problem servers when using DNS load balancing.
8. To test that the values you have provided result in a working connection, click the Test Connection button. A Test Results popup window displays whether the test script was able to connect. If it was not, go back to step 4 and confirm your values.
Configure Authentication
Procedure

1. Configure a user lookup method:
   - For the User DN Format, specify the parameterized DN to be used to locate the user, for instance, user={0},ou=usernames,dc=company,dc=com.
   - For the full user search, specify the User Search Base, such as ou=usernames,dc=company,dc=com, and the parameterized User Search String Format, such as (&(objectclass=user)(sAMAccountName={0})). This searches from the base for any entries that are of class user and have an attribute called sAMAccountName that matches the user name. User Search Subtree optionally widens the scope of the user search to include subtrees. Set this to false when possible to improve search performance and reduce latency.
2. If you are using comparison mode, enter the name of the password attribute on the user entry in the User Password Attribute field, and select the appropriate digest method in Password Digest. In most cases Auto Detect is appropriate.
3. Optionally, enter attributes to retrieve other fields from your user search. These include the User First Name Attribute, User Last Name Attribute, and User Email Attribute boxes.
Configure Authorization
Procedure

1. Configure a group lookup method:
   - If the groups are assigned as attributes of the user entry, enter that attribute name in the User Group Attribute box, for example, memberOf.
   - If a separate search is required to get the group information, you must configure the following items:
     - In the Group Search Format box, enter the pattern used to match user names to group entries. For example, (memberUid={0}) returns all groups that have a memberUid attribute that matches the user name.
     - In the Group Search Attribute box, enter the attribute that provides the name of the group in the group entry. For example, cn.
     - In the Group Search Base box, enter the base of the group search. For example, ou=groups,dc=company,dc=com.

To map an LDAP group to a Role, go to the Admin > User Admin > Role Admin page, edit the Role, and set the Group entry to the name of the group. Note that the group name is often in CN format, especially when using group search with a cn attribute. For example, if the cn attribute for the group you want to assign to the Configure role is CN=Administrators,CN=Builtin,DC=na,DC=tibco,DC=com, edit the Configure role and specify the group as that entire name, not just Administrators.
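As an added example (not GridServer's own code), the following Python shows how a client consumes the settings described above: it splits the pipe-delimited Provider URL(s) value into primary and failover servers, fills the {0} parameter of a User Search String Format or Group Search Format with RFC 4515 escaping so the user name cannot change the filter's structure, and performs a comparison-mode password check that auto-detects the digest from the {SCHEME} prefix of the stored password attribute. The function names, the {SHA}/{SSHA} handling and the encode_password fixture helper are assumptions for illustration, not GridServer settings or behaviour.

```python
import base64
import binascii
import hashlib
import hmac
import re

# RFC 4515 escapes for a value spliced into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def parse_provider_urls(setting: str) -> tuple[str, list[str]]:
    """Split the pipe-delimited Provider URL(s) value into (primary, failovers)."""
    urls = [u.strip() for u in setting.split("|") if u.strip()]
    if not urls:
        raise ValueError("at least one provider URL is required")
    for u in urls:
        if not re.fullmatch(r"ldaps?://[^\s/|]+(:\d+)?", u):
            raise ValueError(f"not an ldap:// or ldaps:// URL: {u}")
    return urls[0], urls[1:]

def escape_filter_value(value: str) -> str:
    """Escape the {0} parameter so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(fmt: str, username: str) -> str:
    """Fill a User Search String Format or Group Search Format with a user name."""
    return fmt.replace("{0}", escape_filter_value(username))

def encode_password(password: str, scheme: str = "SSHA", salt: bytes = b"") -> str:
    """Build an RFC 2307 style {SHA}/{SSHA} userPassword value (assumed test fixture helper)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    tail = salt if scheme == "SSHA" else b""
    return "{%s}%s" % (scheme, base64.b64encode(digest + tail).decode())

def verify_password_attribute(stored: str, supplied: str) -> bool:
    """Comparison-mode check: detect the digest from the {SCHEME} prefix of the stored
    value (cleartext, {SHA} or {SSHA}), compare in constant time, fail closed otherwise."""
    m = re.fullmatch(r"\{(\w+)\}(.*)", stored, re.S)
    if not m:  # no scheme prefix: the attribute holds the cleartext password
        return hmac.compare_digest(stored.encode(), supplied.encode())
    scheme = m.group(1).upper()
    if scheme not in ("SHA", "SSHA"):
        return False  # unsupported scheme: refuse rather than guess
    try:
        payload = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        return False
    salt = payload[20:] if scheme == "SSHA" else b""  # a SHA-1 digest is 20 bytes
    expected = hashlib.sha1(supplied.encode() + salt).digest()
    return hmac.compare_digest(payload[:20], expected)
```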