Adding LDAP user groups - BlueCat Integrity - 26.1.0

Address Manager Administration Guide


Address Manager LDAP groups allow users from Lightweight Directory Access Protocol (LDAP) systems, such as Microsoft Active Directory or OpenLDAP, to log in to Address Manager. Use LDAP groups when you already have users defined in another system and you don't want to re-create and maintain those users in Address Manager.

When users from an LDAP group log in to Address Manager, they're automatically added to the Users list. Unlike standard Address Manager users, you don't need to create the user in Address Manager before the user can log in. Any users you add to the LDAP group on your LDAP server can log in to Address Manager.

You can assign access rights to the LDAP group, and you can also assign access rights to individual LDAP users. When a user belongs to several LDAP groups with differing access rights, or holds access rights of their own in addition to those inherited from the LDAP group, the user receives the most permissive of those access rights.

Note: You can't assign LDAP users to a standard Address Manager user group.
Note: You can't edit an LDAP group after you create it. To make a change to an LDAP group, delete the group and then re-create it.

To create LDAP groups, set up one or more LDAP authenticators. For information on adding authenticators, refer to Adding external authenticators.

To add an LDAP Group:

  1. Select the Settings tab in the sidebar.
  2. Under User management, select Users and groups.
  3. Select the User groups tab.
  4. Select New > LDAP group.
  5. Under General, set the following parameters:
    • Authenticator—select the previously configured LDAP authenticator.
    • Search base—displays the search base distinguished name defined for the LDAP authenticator.
    • Object class—select the type of LDAP object to search for users. Selecting an option here changes the default setting in the Name filter field. These options are defined when you add authenticators to Address Manager.
      • group sets the Name filter as cn (common name).
      • organizationalUnit sets the Name filter as ou (organizational unit).
      • container sets the Name filter as cn (common name).
      • domain sets the Name filter as dc (domain component).
    • Name filter query—enter a string to search for and match LDAP objects. The string isn't case sensitive, and you can use the * (asterisk) wildcard. If you don't use a wildcard, Address Manager tries to find an exact match for your string.
    Note: Examples of Name filter matching:
    • The string Addr* finds the LDAP common name Address Manager Users.
    • The string addr* also finds the LDAP common name Address Manager Users. The Name filter isn't case sensitive.
    • The string *Users* finds the LDAP common names Address Manager Users, DHCP Users, and Domain Users. The * wildcard can be used multiple times in the Name filter.
    • The string Address Manager doesn't find the LDAP common name Address Manager Users. When there's no wildcard, LDAP common names must be an exact match for the Name filter.
  6. Select Search matching LDAP groups. The LDAP group field presents a list of LDAP groups matching your object class and name filter settings. Select an LDAP group from the drop-down list. If the group you're looking for doesn't appear in the list, modify your object class and name filter settings and select Search matching LDAP groups again to update the list.
  7. On the Access rights tab, select Assign administrator privilege to grant administrative privileges to the users in the LDAP group.
  8. On the Change control tab, enter change control comments if required.
  9. Select Create or Create and add another.
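The Name filter rules from step 5, worked through as an added example that is not BlueCat's code: it builds the LDAP search filter equivalent to each Object class and Name filter pair (assuming the objectClass/attribute pairing the step lists; the page doesn't say how Address Manager itself forms its query) and applies the case-insensitive wildcard matching to the three example common names. The RFC 4515 escaping of parentheses and backslashes in the filter value is my addition, not something the page describes.

```python
import re

# Object class -> attribute the Name filter is applied to, as listed in step 5.
NAME_ATTRIBUTE = {
    "group": "cn",
    "organizationalUnit": "ou",
    "container": "cn",
    "domain": "dc",
}

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
# '*' is deliberately left alone: it is the wildcard the Name filter supports.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can't alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(object_class: str, name_filter: str) -> str:
    """Return the LDAP filter equivalent to an Object class / Name filter pair (assumed form)."""
    attr = NAME_ATTRIBUTE[object_class]
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"({attr}={escape_filter_value(name_filter)}))")


def name_filter_matches(name_filter: str, candidate: str) -> bool:
    """Matching rules from step 5: case-insensitive, '*' matches any run of
    characters and may appear more than once, no '*' means an exact match."""
    pattern = re.escape(name_filter).replace(r"\*", ".*")
    return re.fullmatch(pattern, candidate, flags=re.IGNORECASE) is not None


def matching_groups(name_filter: str, candidates):
    """Return the candidate common names the Name filter would select."""
    return [c for c in candidates if name_filter_matches(name_filter, c)]


# Constructed sample: the common names used in the step 5 examples.
SAMPLE_CNS = ["Address Manager Users", "DHCP Users", "Domain Users"]

if __name__ == "__main__":
    for nf in ["Addr*", "addr*", "*Users*", "Address Manager"]:
        print(build_search_filter("group", nf), "->", matching_groups(nf, SAMPLE_CNS))
```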