To edit properties of a created LDAP domain:
- Select
- Select the domain to edit. Properties are shown in the LDAP domain properties panel.
- Edit the values for any of the fields, and then click Save. The following fields are required:
  - Name
  - Host
  - Bind User Account
  - Protocol
  - Display Name
  - Distinguished Name
  - Mail Name
  - Unique Identifier
- If you want this domain to be the default, click Make Default.
- Name
- Required. Name for the LDAP domain within Build Forge. If there is at least one LDAP domain configured, the Build Forge login form lists them by this name.
- Admin DN
- Account to use to provide search access to the LDAP server database. If your server allows an anonymous bind for searching the database, leave this field blank. Some LDAP servers require an administrative bind to search the database. This setting allows you to specify the DN of the administrator account, as shown in the following example.
  cn=Administrator,cn=users,dc=example,dc=com
  Specify the password for the Admin DN account in the Password and Verify Password fields.
- Map Access Groups
- Determines whether to map group information from the LDAP server to access groups in the Management Console. The default is No. Each access group in Build Forge must have its LDAP Group DNs property set to the correct group name in LDAP.
  - If No, then LDAP groups are not mapped to Build Forge access groups. You can assign users to access groups in Build Forge after they have logged in at least once. Using this option implies that you manage access groups for users within Build Forge. Default access groups are applied when the user first logs in and has a user name created in Build Forge.
  - If Yes, Build Forge refreshes group membership information from the LDAP server for a user every time the user logs in to Build Forge. Any changes to access group membership made for the user within Build Forge since the last login are overwritten. Using this option implies that you manage all group memberships in LDAP. The LDAP group memberships are automatically mapped (added or removed) to access groups in Build Forge. Group properties are used as follows to determine group membership for a user:
    1. If Group Name is not blank, query for the value of the keyword specified. Use the values returned as the groups for the user.
    2. If Group Name is blank or its query does not return a value, then use Groups Search Base and Groups Unique Identifier to query for LDAP groups that the user belongs to.
    3. If no group information is returned in (1) and (2), the user is allowed to log in and is assigned membership in the access groups that are specified as default access groups for new users.
- Host
- Required. Host name and port of the LDAP server. Examples:
  ldapserver.mycompanyname.com
  ldap.mycompany.com:9000
- Password
- Password for the Admin DN account. Required if Admin DN is specified.
- Verified
- Repeat entry of the Admin DN password.
- Bind User Account
- Required. Determines whether Build Forge attempts to validate user credentials against LDAP at login time. The default is Yes.
  - If Yes, Build Forge checks the user name and password supplied at login with the LDAP server.
  - If No, Build Forge accepts the user name without validation. This setting is used when an external password validation is implemented for Build Forge, such as Single Sign-on (SSO).
- Protocol
- Required. Identifies the protocol Build Forge uses to read data from and write data to the directory service for the purpose of authenticating Build Forge users. The default is LDAP. Enter LDAPS if you use LDAP over SSL (LDAPS). Additional setup is required for this option. See Enabling secure LDAP (LDAPS).
- Display Name
- Required. Enter the keyname that specifies the full name of the user.
- Distinguished Name
- Required. Enter the keyname that specifies the Distinguished Name for a user account.
- Mail Name
- Required. Enter the keyname that specifies an email address for the user.
- Group Name
- Enter the keyname in the LDAP schema that holds the list of groups the user is a member of. Used only when Map Access Groups is Yes or Authorized Group DN is used.
- Authorized Group DN
- Distinguished Name of an LDAP group. If set, then only members of the specified group are allowed to log in. If blank, then any valid LDAP user can log in to the console.
- Write Access Group DN
- Determines whether the user has normal or read-only access. Values may be one of the following:
  - blank - for new logins, the user type is set to Normal. Existing users keep their assigned user type (Normal, Read-only, or API). The type is set in .
  - * (asterisk) - all logins are given user type Normal.
  - LDAP group name - if the user belongs to the group, then the user's type is set to Normal. If the user does not belong to the group, then the user's type is set to Read-only.
  - Other - use any other value to force all users to be Read-only. Example: RO.
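As an added illustration (not Build Forge's own code), the following Python function applies the Authorized Group DN and Write Access Group DN rules above to a single login. The group names and the `existing_type` argument are constructed assumptions about how a caller would supply the user's resolved LDAP groups and the stored user type.

```python
from typing import List, Optional, Tuple

def evaluate_login(user_groups: List[str], authorized_group_dn: str,
                   write_access_group_dn: str,
                   existing_type: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Return (allowed, user_type) for one login attempt.

    user_groups:   groups resolved for the user from LDAP (assumed caller input).
    existing_type: type already stored for a returning user, None for a new login.
    """
    # Authorized Group DN: when set, only members of that group may log in at all.
    if authorized_group_dn and authorized_group_dn not in user_groups:
        return False, None
    # Write Access Group DN then decides between Normal and Read-only.
    if write_access_group_dn == "":
        # blank: new logins become Normal; returning users keep their stored type.
        return True, existing_type or "Normal"
    if write_access_group_dn == "*":
        # asterisk: every login is Normal, regardless of stored type.
        return True, "Normal"
    if write_access_group_dn in user_groups:
        # an LDAP group the user belongs to: Normal.
        return True, "Normal"
    # A group the user is not in, or any other value such as "RO": Read-only.
    return True, "Read-only"
```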
- Search Base
- Required. Search string used to query LDAP records for users. Example:
  cn=users,dc=buildforge,dc=com
- Unique Identifier
- Required. Identifies the field in the LDAP database to compare with the user name a user enters at login. Use a % character for the login name entered by the user. Example:
  (sAMAccountName=%)
- Groups Search Base
- Requires Groups Unique Identifier. Used only when Map Access Groups is Yes or Authorized Group DN is used. Search string used to query LDAP records for group data. Needed if your LDAP database stores group membership in a database that is separate from the database used to store user records. Example:
  cn=groups,dc=buildforge,dc=com
- Groups Unique Identifier
- Requires Groups Search Base. Used only when Map Access Groups is Yes or Authorized Group DN is used. Identifies the field in the LDAP user database to use to obtain group membership information. The filter can use any of the data fields for a user account as a key into the groups table. Use the %fieldname% syntax to identify the field. The following example works if your groups table uses the sAMAccountname field as a key for users.
  sAMAccountName=%sAMAccountname%
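The following Python is an added example, not Build Forge's own implementation: it expands the Unique Identifier and Groups Unique Identifier templates described above, escapes each substituted value per RFC 4515 so that a typed login name cannot change the structure of the filter, and runs the three-step group lookup described under Map Access Groups against a constructed in-memory directory. Attribute-name matching for `%fieldname%` is assumed to be case-insensitive, as LDAP attribute names are; the directory contents are constructed sample data.

```python
import re

# RFC 4515 escaping for the characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def attr(entry: dict, name: str) -> list:
    """Case-insensitive attribute lookup (assumption: matches LDAP behaviour)."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def user_filter(unique_identifier: str, login_name: str) -> str:
    """'%' in the Unique Identifier stands for the login name the user typed."""
    return unique_identifier.replace("%", escape_filter_value(login_name))

def group_filter(groups_unique_identifier: str, user: dict) -> str:
    """Each '%fieldname%' token is replaced by that attribute of the user entry."""
    return re.sub(r"%([^%]+)%", lambda m: escape_filter_value(attr(user, m.group(1))[0]),
                  groups_unique_identifier)

def matches(entry: dict, flt: str) -> bool:
    """Evaluate one 'attr=value' equality filter by literal comparison."""
    name, _, value = flt.strip("()").partition("=")
    return value in attr(entry, name)

def resolve_groups(user: dict, group_name: str, groups_search_base: str,
                   groups_unique_identifier: str, directory: dict, default_groups: list) -> list:
    # (1) Group Name names a user attribute that already lists the groups.
    if group_name and attr(user, group_name):
        return attr(user, group_name)
    # (2) Otherwise search the groups subtree with the expanded filter.
    if groups_search_base and groups_unique_identifier:
        flt = group_filter(groups_unique_identifier, user)
        hits = [e["dn"][0] for e in directory.get(groups_search_base, []) if matches(e, flt)]
        if hits:
            return hits
    # (3) No group data: the user still logs in, with the default access groups.
    return list(default_groups)

# Constructed sample directory: a groups subtree keyed by sAMAccountName, as the
# Groups Unique Identifier example above assumes.
GROUPS_BASE = "cn=groups,dc=buildforge,dc=com"
DIRECTORY = {GROUPS_BASE: [
    {"dn": ["cn=Developers," + GROUPS_BASE], "sAMAccountName": ["jdoe", "asmith"]},
    {"dn": ["cn=Release," + GROUPS_BASE], "sAMAccountName": ["asmith"]},
]}
JDOE = {"dn": ["cn=jdoe,cn=users,dc=buildforge,dc=com"], "sAMAccountName": ["jdoe"]}
```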