Edit Server LDAP Authentication Realm

If you select an LDAP authentication realm, Administrator reads user and group information from an LDAP directory rather than storing it itself. You are prompted for the bind user and password, the context factory used for name resolution, and the server URLs. You can also specify the user search configuration and optional group information.

Field Description
Bind DN Name Distinguished name of the account Administrator uses to connect (bind) to the LDAP server for user and group lookups. This account only needs read and search access to the user and group subtrees; it does not have to be a directory superuser.

Default: uid=Manager,ou=people,dc=example,dc=com.

Password Password of the Bind DN account.

Default: None.

Context Factory JNDI factory class that provides the starting point for resolving names within the LDAP server.

Default: com.sun.jndi.ldap.LdapCtxFactory

Machine Name Port List Comma-separated list of host:port pairs for the LDAP servers. To achieve fault tolerance, specify more than one server so that lookups can continue if one server is unavailable. For example, server1.example.com:686, server2.example.com:1686. The standard ports are 389 for LDAP and 636 for LDAP over SSL.

Default: machinename:389, where machinename is the machine on which TIBCO Configuration Tool is being executed.

Fetch DN Retrieves the base DN (distinguished name) from the LDAP server.
User Search Configuration
User Search Base DN (optional) Base distinguished name from which the search starts.

Default: ou=people,ou=na,dc=example,dc=org

User Search Expression (optional) Filter used to find the user's entry. {0} is replaced by the user name entered at login, so the expression must contain {0}; for example, (cn={0}). Any valid LDAP filter can be used, such as (&(cn={0})(objectClass=account)). Because the login name is substituted into the filter, treat it as untrusted input: confirm that filter metacharacters in the login name (such as *, (, ) and \) are escaped before the search is issued, so that a crafted name cannot widen the search, and choose a filter that matches exactly one entry.

Default: (&(uid={0})(objectclass=person)).
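The following is an added example, not TIBCO code, showing how a login name should be substituted into the User Search Expression above: the RFC 4515 escaping that keeps the name inside the uid= assertion, and the filter a naive string substitution would send instead. The template and the {0} placeholder are the page's; the login names are constructed for the example.

```python
# Added example (not TIBCO code): substitute a login name into the User
# Search Expression with RFC 4515 escaping, and show what happens without it.
# Template and placeholder syntax follow the page's default expression.

DEFAULT_USER_SEARCH = "(&(uid={0})(objectclass=person))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 s.3).

    The metacharacters * ( ) \\ and NUL, plus any non-ASCII byte, become
    a backslash followed by the two hex digits of the UTF-8 byte.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_user_filter(template: str, username: str, escape: bool = True) -> str:
    """Return the filter that would be sent to the server for this login name.

    escape=False reproduces a naive string substitution, for comparison only.
    """
    if "{0}" not in template:
        raise ValueError("user search expression must contain {0}")
    value = escape_filter_value(username) if escape else username
    return template.replace("{0}", value)


# Constructed login names: an ordinary user and one carrying filter
# metacharacters. Only the escaped form keeps the second one inside the
# uid= assertion instead of rewriting the structure of the filter.
ORDINARY_LOGIN = "alice"
CRAFTED_LOGIN = "*)(uid=*"

if __name__ == "__main__":
    for login in (ORDINARY_LOGIN, CRAFTED_LOGIN):
        print("escaped:  ", build_user_filter(DEFAULT_USER_SEARCH, login))
        print("unescaped:", build_user_filter(DEFAULT_USER_SEARCH, login, escape=False))
```

With escaping, the crafted name becomes a literal uid value that matches nothing; without it, the substituted filter contains (uid=*) and matches every person entry under the search base.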

User Attribute with User Name (optional) Name of the attribute in the user object that contains the user's name.

Default: uid.

Search Timeout (ms) Time, in milliseconds, to wait for a response from the LDAP server. A value of less than 90 seconds produces a warning message.

Default: 30000.

Follow Referrals Select to follow LDAP referrals, which let the server redirect a request to another server when the requested information is held elsewhere. A followed referral connects, using the same bind credentials, to a server that may not be in Machine Name Port List, so enable this only when those servers are trusted and reachable with the same transport protection as the listed ones.

Ask your LDAP administrator whether LDAP referrals are used in your domain.

Group Information
Group Indication (optional) Specifies how a user's group memberships are found. Administrator uses group information to authorize what an authenticated user may do in the system. Options:
  • Group has users - The group entry lists the users that belong to it. When selected, the Group Attribute with User Names field is enabled.
  • User has groups - The user entry lists the groups to which the user belongs. When selected, the User Attribute with Group Names field is enabled.

Default: Group has users.

Group Search Base DN (optional) Base distinguished name from which the search for the group starts.

Default: ou=groups,ou=na,dc=example,dc=org.

Group Search Expression (optional) Filter matched against candidate group entries to find a group; {0} is replaced by the group name.

Default: cn={0}.

Group Attribute with User Names (optional) Name of the attribute in the group object containing its users.

Example: uniqueMember (OpenLDAP) or member (Active Directory).

Default: uniqueMember.

Group Attribute with Group Name (optional) Name of the attribute in the group object that contains the name of the group.

Example: cn (OpenLDAP) or sAMAccountName (Active Directory).

Default: cn.

Group Attribute Subgroup Names (optional) Name of the attribute in the group object that contains its subgroups.

Example: uniqueMember (OpenLDAP) or member (Active Directory). In both directories the same attribute holds user and subgroup members, so nested groups are resolved by following it recursively.

Default: uniqueMember.

User Attribute with Group Names Name of the attribute in the user object that lists the groups to which the user belongs. Used when Group Indication is User has groups.

Example: memberOf (Active Directory).

Default: None.

Group Search Scope Subtree When searching for groups, select to search the entire subtree below the Group Search Base DN; otherwise only the entries one level below the base DN are searched.

Default: Selected.
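As an added example (not TIBCO code), the following resolves a user's groups the way the two Group Indication modes and the Group Search Scope Subtree setting describe, over a small constructed in-memory directory that uses the page's OpenLDAP-style attribute names and default base DNs. DN handling is simplified to suffix matching, which is enough for these sample DNs; the directory, users and groups are constructed for the example.

```python
# Added example (not TIBCO code): 'Group has users' versus 'User has groups'
# resolution, nested groups via the subgroup attribute, and subtree versus
# one-level group search scope, over a constructed in-memory directory.

BASE_PEOPLE = "ou=people,ou=na,dc=example,dc=org"
BASE_GROUPS = "ou=groups,ou=na,dc=example,dc=org"
ALICE = f"uid=alice,{BASE_PEOPLE}"
BOB = f"uid=bob,{BASE_PEOPLE}"
DEV = f"cn=dev,{BASE_GROUPS}"
OPS = f"cn=ops,{BASE_GROUPS}"
ENGINEERING = f"cn=engineering,{BASE_GROUPS}"
OLD_DEV = f"cn=old-dev,ou=archive,{BASE_GROUPS}"   # one level deeper than the base

# Constructed sample directory: DN -> attributes (OpenLDAP attribute names).
DIRECTORY = {
    ALICE: {"uid": ["alice"], "memberOf": [DEV]},
    BOB: {"uid": ["bob"], "memberOf": [OPS]},
    DEV: {"cn": ["dev"], "uniqueMember": [ALICE]},
    OPS: {"cn": ["ops"], "uniqueMember": [BOB]},
    ENGINEERING: {"cn": ["engineering"], "uniqueMember": [DEV, OPS]},  # subgroups
    OLD_DEV: {"cn": ["old-dev"], "uniqueMember": [ALICE]},
}


def in_scope(dn: str, base: str, subtree: bool) -> bool:
    """True if dn lies under base: anywhere below it (subtree) or exactly one level."""
    suffix = "," + base
    if not dn.endswith(suffix):
        return False
    return subtree or "," not in dn[: -len(suffix)]


def resolve_group_has_users(directory, user_dn, base, *, member_attr="uniqueMember",
                            subgroup_attr="uniqueMember", name_attr="cn", subtree=True):
    """'Group has users': find groups whose member attribute names the user, then
    walk upward through groups whose subgroup attribute names those groups."""
    candidates = [dn for dn in directory if in_scope(dn, base, subtree)]
    found, pending = set(), [user_dn]
    while pending:
        target = pending.pop()
        attr = member_attr if target == user_dn else subgroup_attr
        for gdn in candidates:
            if target in directory[gdn].get(attr, []) and gdn not in found:
                found.add(gdn)          # the visited set also breaks membership cycles
                pending.append(gdn)
    return sorted(directory[g][name_attr][0] for g in found)


def resolve_user_has_groups(directory, user_dn, *, user_group_attr="memberOf", name_attr="cn"):
    """'User has groups': read the group list from the user entry. Nested
    membership appears only if the directory maintains it in that attribute."""
    groups = directory[user_dn].get(user_group_attr, [])
    return sorted(directory[g][name_attr][0] for g in groups)


if __name__ == "__main__":
    print(resolve_group_has_users(DIRECTORY, ALICE, BASE_GROUPS))
    print(resolve_group_has_users(DIRECTORY, ALICE, BASE_GROUPS, subtree=False))
    print(resolve_user_has_groups(DIRECTORY, ALICE))
```

For Alice, the subtree search returns dev, engineering (through dev as a subgroup) and old-dev; clearing the subtree scope drops old-dev because it sits in a nested OU, and the User has groups mode returns only dev, since that is all her memberOf attribute holds.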

LDAP Realm
User Search Scope Subtree Select to have the search include the entire subtree starting at the base DN. Otherwise, search only the nodes one level below the base DN.

Default: Selected.

Security Authentication

Authentication mechanism used for the bind, as understood by the LDAP provider: none (anonymous bind), simple (bind DN and password), or the name of a Simple Authentication and Security Layer (SASL) mechanism such as DIGEST-MD5. Which SASL mechanisms are accepted depends on the server. With simple, the password is sent in cleartext unless LDAP Server is SSL Enabled is selected.

Default: simple.

LDAP Authentication
User DN Template (optional) Template from which the DN used to bind to the LDAP server as the authenticating user is generated. {0} is replaced by the user name; because the bind requires the full DN, the template must always contain {0}.

Default: uid={0},ou=people,ou=na,dc=org.

User Attributes Extra (optional) Optional list of user attributes to retrieve from the LDAP directory during authentication.

Default: Empty (no additional attributes will be retrieved for the user).

LDAP Server is SSL Enabled Select to connect to the LDAP server over SSL. When selected, the SSL Keystore Configuration fields are enabled. Without SSL, a simple bind sends the Bind DN password, and the password of every user who logs in, across the network unencrypted, so leave this cleared only where cleartext LDAP traffic is acceptable.

Default: Cleared.
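The following added example (not TIBCO code) checks a realm configuration for the combinations of Security Authentication, SSL, referrals and server list that this page's fields control, and shows the JNDI environment those fields correspond to. It assumes the realm hands the values to com.sun.jndi.ldap.LdapCtxFactory, the Context Factory default, so the java.naming.* property names are JNDI's; the dictionary keys, the sample bind DN and the two configurations are this example's own and are not a TIBCO configuration format.

```python
# Added example (not TIBCO code): lint a realm configuration for settings that
# expose credentials, and map the page's fields onto JNDI environment
# properties. Assumption: the realm drives com.sun.jndi.ldap.LdapCtxFactory.
# The dictionary keys and sample values below are constructed for the example.


def jndi_environment(cfg: dict) -> dict:
    """Translate the page's fields into the JNDI environment they imply."""
    scheme = "ldaps" if cfg["ssl_enabled"] else "ldap"
    servers = [hp.strip() for hp in cfg["machine_name_port_list"].split(",")]
    env = {
        "java.naming.factory.initial": cfg["context_factory"],
        # JNDI accepts several space-separated URLs and tries them in turn
        "java.naming.provider.url": " ".join(f"{scheme}://{hp}" for hp in servers),
        "java.naming.security.authentication": cfg["security_authentication"],
        "java.naming.referral": "follow" if cfg["follow_referrals"] else "ignore",
        "com.sun.jndi.ldap.read.timeout": str(cfg["search_timeout_ms"]),
    }
    if cfg["security_authentication"] != "none":
        env["java.naming.security.principal"] = cfg["bind_dn"]
        env["java.naming.security.credentials"] = cfg["password"]
    if cfg["ssl_enabled"]:
        env["java.naming.security.protocol"] = "ssl"
    return env


def lint_realm(cfg: dict) -> list:
    """Return the findings a reviewer would raise; empty when none apply."""
    findings = []
    auth = cfg["security_authentication"].lower()
    if auth == "none":
        findings.append("Security Authentication 'none' binds anonymously; "
                        "user and group lookups run without credentials")
    if auth == "simple" and not cfg["ssl_enabled"]:
        findings.append("simple bind without SSL sends the Bind DN password and "
                        "every user's login password in cleartext")
    if cfg["follow_referrals"]:
        findings.append("Follow Referrals can connect, with the same bind credentials, "
                        "to servers outside Machine Name Port List; confirm they are trusted")
    if len(cfg["machine_name_port_list"].split(",")) < 2:
        findings.append("only one server in Machine Name Port List: no fault tolerance")
    return findings


# Constructed configurations: the weak one keeps the page's defaults for
# authentication and SSL on a single server with referrals enabled.
WEAK_REALM = {
    "context_factory": "com.sun.jndi.ldap.LdapCtxFactory",
    "machine_name_port_list": "ldap1.example.com:389",
    "bind_dn": "uid=svc-admin,ou=people,dc=example,dc=com",  # sample read-only account
    "password": "example-only",
    "security_authentication": "simple",
    "follow_referrals": True,
    "ssl_enabled": False,
    "search_timeout_ms": 30000,
}
HARDENED_REALM = dict(
    WEAK_REALM,
    machine_name_port_list="ldap1.example.com:636, ldap2.example.com:636",
    follow_referrals=False,
    ssl_enabled=True,
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_REALM), ("hardened", HARDENED_REALM)):
        print(name, lint_realm(cfg) or "no findings")
        print(jndi_environment(cfg)["java.naming.provider.url"])
```

The hardened configuration changes only three fields: SSL on, referrals off and a second server. A simple bind is still used, but over SSL the passwords are no longer exposed on the wire; switching to a SASL mechanism is only worthwhile if the server supports it and the keystore is already configured to validate the server certificate.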