Defining the Primary Source Using an LDAP Group

Each LDAP container must contain a primary LDAP source. If you are using an LDAP group source in the LDAP container definition, a group DN is used to identify the directory entry that is the group. When a group DN is specified, a member attribute is also specified, which holds the collection of member identifiers (DNs). This provides the list of candidate resources.

Procedure

  1. Open the Organization Browser (see Access to the Organization Browser), then select LDAP Containers.

    If any LDAP containers had previously been defined, they are shown in the left pane of the dialog, and the details of the selected container are shown in the right pane:

    The first time you display the Organization Browser, there will not be any containers listed.

    Note: After you’ve defined a container, you can edit it by selecting the container in the list, then clicking the Edit link in the lower-right part of the dialog. You can generally follow the same steps in this procedure to edit an existing LDAP container.

    However, if the existing LDAP container contains resources, the LDAP sources for that container are fixed; you cannot delete or change the primary or secondary LDAP sources, nor add additional secondary LDAP sources.

    Also note that if an LDAP source defined in an LDAP container is currently offline, you cannot edit the container until the LDAP source is back online.

  2. Click the Add a new LDAP container button.
  3. On the Add a new LDAP Container dialog, enter a name and description for the new container.
  4. If desired, you can now specify organization relationships for the new container (note that this is applicable only if there are multiple organizations in your organization model).

    If the container has a relationship with an organization, resources in the container will be able to see that organization in the Organization Browser, as well as organizations that do not have an explicit relationship with a container. Resources can be mapped to positions in organizations that the user can see in the Organization Browser.

    For more information about organization relationships, see Container Organization Relationships.

    If you are not specifying organization relationships for this container, proceed to Step 5. (You can specify organization relationships for this container at a later time.)

    To specify organization relationships:

    1. Click the Edit button to the right of the Organization field.
    2. On the Define relationships to containers dialog, select the appropriate boxes for the organizations to which you want the new container to have a relationship.

      Selecting a box causes the Relate this container to the following organizations option to automatically be selected.

      Selecting the Do not relate this container to specific organizations option causes all check boxes to become unchecked.

    3. Click Save.

      The organization(s) you specified are now shown in the Organization field.

  5. Click the Add Group LDAP Source link, which displays the Add new LDAP Group Source dialog.
    The Add new LDAP Group Source dialog is used to select the primary LDAP source from which resources will be obtained, as well as to provide the DN that identifies the LDAP directory containing the group.
    Note: If you create multiple LDAP containers that use the same primary LDAP source, then create a resource in one container, that resource will not appear in any other container. Once created, a resource only appears in the container in which it is created.
  6. In the Alias field, select the LDAP source from which you want to obtain resources.

    The names in the Alias list are user-readable names that an administrator has assigned to each of the LDAP Servers available in the enterprise.

  7. Optional: In the Base DN field, enter the branch of the LDAP directory structure (for example, an organizational unit) to which you want to limit the search.

    This makes the search more efficient if the LDAP directory contains a large number of branches.

    You can also leave the Base DN field blank.

  8. In the Group DN Query field, enter the filter that identifies the objectClass of the LDAP directory entries that are group entries.
    This field defaults to "(objectClass=group)". To change the value, select the box to the left of the field. Note that the value must be enclosed in parentheses.

    For information about objectClasses, see LDAP Group Sources.

  9. Using the Search Scope options, specify how deep in the LDAP directory structure the search is performed, as follows:
    • ONE LEVEL - Only the elements directly within the Base-DN level are searched.
    • SUBTREE - Elements directly within, and below, the Base-DN level are searched.
  10. In the Group DN field, enter the DN of the LDAP directory entry that holds the group entries.
    For example, if the LDAP directory entry shown in the following illustration identifies the group, the group DN is "ou=CSR,ou=groups,o=insuranceServices":

    You can either manually type in the group DN if you know it, or you can click the Fetch Group DN button, then click the arrow button to the right of the field and select one of the DNs listed. The Fetch Group DN button causes the Organization Browser to retrieve all of the group DNs whose objectClass matches the one specified in the Group DN Query field.

  11. In the Member Attribute field, enter the attribute within the LDAP group entry that holds the collection of DNs that identifies the candidate resources.
    For example, if the DN specified in the Group DN field contains the following attributes, where the roleoccupant attribute contains the DNs of the group members, you would specify "roleoccupant" as the member attribute:

    You can either manually type in the member attribute name if you know it, or you can click the Fetch button to the left of the field, then use the selection list to the right of the field to select one of the attributes listed. The Fetch button causes the Organization Browser to retrieve all of the attributes from the DN specified in the Group DN field.

  12. In the Resource Attribute(s) field, enter one or more LDAP attributes by which you want the resources to be displayed in the list of candidate resources.
    Note: You may need to click the Get Sample Values button (which is covered in Step 13) to see the names of the available attributes.

    The resource attribute name is significant for a couple of reasons:

    • These are the names by which the user must log in to the BPM application.
    • These are the names by which the resources will be listed when mapping resources to groups and/or positions in the organization model. That is, they must be names that the user doing the mapping can use to uniquely identify the resources. For example, you probably wouldn’t want to use only “sn” (surname), as that may not be unique among all of the resources.

      The default resource attribute is “cn”, which typically contains a full name. But depending on the data in the LDAP source, there may be more suitable attributes for this use.

      You can specify multiple attributes in the Resource Attribute(s) field. For instance, you could enter “givenname  sn” to display the resource’s first name and last name (again, depending on what is stored in those attributes on the chosen LDAP source).

      Once you save the LDAP Container you will be able to view the list of resources for the container. For the LDAP entities you see in that list that have not yet been “created”, the resource name will be constructed based on the Resource Attribute(s).

      When a resource is created (either using the Create function or by mapping the user to a group or position), you are given the opportunity to edit the constructed resource name.

      It is possible to change the Resource Attribute(s) setting for the container, but that will not affect the resource name of resources that have already been created. It will, however, change the name that is constructed for the remaining LDAP entries that have not yet been created. For instance, using the example shown above, if you change the value in the Resource Attribute(s) field to “cn” (which contains "Mr" or "Mrs" with the resource's full name), the Resource Names now appear as shown below in the list of candidate resources.

      Notice that the resources that had been previously created (those that have the ) are shown with the resource names they had when they were created; the resources that have not been created yet (those that have the icon) are shown with the new resource names.

  13. Click the Get Sample Values button.
    A list of the group members' DNs is returned and displayed.
  14. Click Save to save the primary LDAP source you have defined, then click Save again to save the LDAP container definition.
    The newly created LDAP container now appears in the Container Name list.
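    The following added example (not part of this documentation or the product) models what Steps 7 through 13 ask the Organization Browser to do, against a small constructed in-memory directory: find group entries below the Base DN that match the Group DN Query at ONE LEVEL or SUBTREE scope, read the Member Attribute of the chosen group, build each candidate resource name from the space-separated Resource Attribute(s), and check that the resulting names are unique, since they double as login names. All DNs, attribute values and function names are constructed for illustration.

```python
from collections import Counter
# Constructed sample directory (not real data): DN -> attributes; LDAP values are multi-valued.
DIRECTORY = {
    "ou=groups,o=insuranceServices": {"objectClass": ["organizationalUnit"]},
    "ou=CSR,ou=groups,o=insuranceServices": {
        "objectClass": ["group"],
        "roleoccupant": ["cn=Clint Hill,o=insuranceServices",
                         "cn=Wendy Smith,o=insuranceServices",
                         "cn=Chris Hill,o=insuranceServices"],
    },
    "ou=Claims,ou=nested,ou=groups,o=insuranceServices": {"objectClass": ["group"]},
    "cn=Clint Hill,o=insuranceServices": {"cn": ["Clint Hill"], "givenname": ["Clint"], "sn": ["Hill"]},
    "cn=Wendy Smith,o=insuranceServices": {"cn": ["Wendy Smith"], "givenname": ["Wendy"], "sn": ["Smith"]},
    "cn=Chris Hill,o=insuranceServices": {"cn": ["Chris Hill"], "givenname": ["Chris"], "sn": ["Hill"]},
}

def _get(entry, attr):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]

def _rdns(dn):
    return [c.strip().lower() for c in dn.split(",")]

def fetch_group_dns(base_dn, scope, group_query="(objectClass=group)"):
    """Mirror 'Fetch Group DN': entries below base_dn whose objectClass matches the query."""
    attr, value = group_query.strip("()").split("=", 1)
    base, found = _rdns(base_dn), []
    for dn, entry in DIRECTORY.items():
        parts = _rdns(dn)
        depth = len(parts) - len(base)
        if depth < 1 or parts[-len(base):] != base:
            continue  # outside (or equal to) the base DN
        if scope == "ONE LEVEL" and depth != 1:
            continue  # SUBTREE accepts any depth below the base
        if value.lower() in (v.lower() for v in _get(entry, attr)):
            found.append(dn)
    return found

def candidate_resources(group_dn, member_attr, resource_attrs):
    """Mirror 'Get Sample Values': read the member attribute, then build each resource name."""
    names = {}
    for member_dn in _get(DIRECTORY[group_dn], member_attr):
        entry = DIRECTORY.get(member_dn, {})
        names[member_dn] = " ".join(v for a in resource_attrs.split() for v in _get(entry, a))
    return names

def duplicate_names(names):
    """Resource names double as login names: return any that are not unique."""
    return sorted(n for n, c in Counter(names.values()).items() if c > 1)
```

    Running `duplicate_names(candidate_resources("ou=CSR,ou=groups,o=insuranceServices", "roleoccupant", "sn"))` shows why "sn" alone is a poor choice for the Resource Attribute(s): two members share the surname Hill, whereas "givenname sn" yields unique names.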
  15. Select the new container to see its definition details in the right pane.
    For example:

  16. You can now do one of the following: