Adding LDAP user groups - BlueCat Integrity - 9.4.0

Address Manager Administration Guide


Address Manager LDAP Groups allow users from Lightweight Directory Access Protocol (LDAP) systems, such as Microsoft Active Directory or OpenLDAP, to log in to Address Manager. Use LDAP Groups when you already have users defined in another system and you don't want to re-create and maintain those users in Address Manager.

When users from an LDAP group log in to Address Manager, they're automatically added to the Users list, and the LDAP User column indicates that the users are LDAP users. Unlike standard Address Manager users, you don't need to create the user in Address Manager before the user can log in. Any users you add to the LDAP group on your LDAP server can log in to Address Manager.

You can assign access rights to the LDAP group, and you can assign access rights to individual LDAP users. If you have several LDAP groups with differing access rights, and a user belongs to multiple groups, or if you apply access rights to a user in addition to those that the user inherits from the LDAP group, the user receives the most permissive access rights.

Note: You can't assign LDAP users to a standard Address Manager user group.

To create LDAP groups, set up one or more LDAP authenticators. For information on adding authenticators, refer to Adding external authenticators.

Note: You can't edit an LDAP Group after you create it. To make a change to an LDAP group, delete the group and then re-create it.

To add an LDAP Group:

  1. Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
  2. Under User Management, click Users and Groups.
  3. Click the Groups tab.
  4. Under Groups, click New, and then select LDAP Group.
  5. Under LDAP Group, define the following parameters:
    • LDAP Server—select an LDAP authenticator from the drop-down list.
    • Search Base—displays the search base distinguished name defined for the LDAP authenticator.
    • Object Class—select the type of LDAP object to search for users. Selecting an option here changes the default setting in the Name Filter field. These options are defined when you add authenticators to Address Manager.
    • Name Filter—select a name filter option from the drop-down list. A default value appears here depending on the object you selected in the Object Class field:
      • group sets the Name Filter as cn (common name).
      • organizationalUnit sets the Name Filter as ou (organizational unit).
      • container sets the Name Filter as cn (common name).
      • domain sets the Name Filter as dc (domain component).
    In the Name Filter text field, type a string to search for and match LDAP objects. The string isn't case sensitive, and you can use the * (asterisk) wildcard. If you don't use a wildcard, Address Manager tries to find an exact match for your string.
    Note: Examples of Name Filter matching:
    • The string Addr* finds the LDAP common name Address Manager Users.
    • The string addr* also finds the LDAP common name Address Manager Users. The Name Filter isn't case sensitive.
    • The string *Users* finds the LDAP common names Address Manager Users, DHCP Users, and Domain Users. The * wildcard can be used multiple times in the Name Filter.
    • The string Address Manager doesn't find the LDAP common name Address Manager Users. When there's no wildcard, LDAP common names must be an exact match for the Name Filter.
  6. Click Refresh. The LDAP Group field presents a list of LDAP groups matching your Object Class and Name Filter settings.
    • LDAP Group—select an LDAP group from the drop-down list. If the group you're looking for doesn't appear in the list, modify your Object Class and Name Filter settings and click Refresh to update the list.
  7. Under Change Control, add comments, if required.
  8. Click Add or Update.
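Because an LDAP Group can't be edited once created, it helps to predict which LDAP objects a Name Filter will match before you click Refresh. The Python below is an added illustration, not BlueCat's code and not a description of the query Address Manager actually sends: `name_filter_matches` models the Name Filter rules documented in step 5 (case-insensitive, `*` as a wildcard that may appear more than once, exact match when there's no wildcard), and `to_ldap_filter` shows what an equivalent RFC 4515 search filter would look like, with the characters that are special in a filter escaped so that a name such as `Ops (EU)` can't break or alter the query. The filter shape, the `objectClass` conjunction and the attribute names are assumptions for the illustration.

```python
import re

def name_filter_matches(name_filter: str, candidate: str) -> bool:
    """Apply the documented Name Filter rules to one LDAP value (e.g. a cn).

    Rules modelled from the page: matching is case-insensitive, '*' is a
    wildcard and may be used more than once, and a filter with no wildcard
    must match the whole value exactly.
    """
    if "*" not in name_filter:
        return name_filter.casefold() == candidate.casefold()
    # Escape each literal segment, then join them with '.*' for every '*'.
    pattern = ".*".join(re.escape(part) for part in name_filter.split("*"))
    return re.fullmatch(pattern, candidate, flags=re.IGNORECASE) is not None

def matching_names(name_filter: str, candidates: list[str]) -> list[str]:
    """Return the candidate values the Name Filter would select, in order."""
    return [c for c in candidates if name_filter_matches(name_filter, c)]

# RFC 4515 escapes for characters that are special inside a filter assertion.
# '*' is deliberately left alone because the Name Filter treats it as a wildcard.
_RFC4515_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def to_ldap_filter(object_class: str, attribute: str, name_filter: str) -> str:
    """Illustrative LDAP search filter combining Object Class and Name Filter.

    Assumption: Address Manager's real query may differ; this only shows the
    RFC 4515 form and the escaping a safe implementation needs.
    """
    escaped = "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in name_filter)
    return f"(&(objectClass={object_class})({attribute}={escaped}))"

if __name__ == "__main__":
    # Constructed sample of common names, including the ones used on the page.
    names = ["Address Manager Users", "DHCP Users", "Domain Users", "Admins"]
    for nf in ("Addr*", "addr*", "*Users*", "Address Manager"):
        print(f"{nf!r:20} -> {matching_names(nf, names)}")
    print(to_ldap_filter("group", "cn", "Ops (EU)*"))
```

Note that the regex is only a model of the product's matching; on the directory side, `cn` uses the `caseIgnoreMatch` equality rule (RFC 4519), which is why a filter like `addr*` also matches `Address Manager Users` in a real search.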