Creating an LDAP authorization realm

An LDAP authorization realm uses an external LDAP server for authorization.

Procedure

  1. Click Settings > Authorization (Groups) > Create Authorization Realm to open the Create Authorization Realm dialog.
  2. Enter a name in the Name field.
  3. Ensure that LDAP or Active Directory is selected in the Type list.
  4. Select a search type to use when you import groups. If you select "Roles in LDAP reference their members; look up group membership by searching for roles", specify the following parameters:
    Table 1. LDAP properties

    Group Search Base
        Directory that is used for group searches, such as ou=employees,dc=mydomain,dc=com.
    Group Search Filter
        LDAP filter expression that is used when you search for user entries. The user name replaces the {1} variable in the search pattern and the full user distinguished name (DN) replaces the {0} variable, for example, member={0}.
    Group Name
        The name of the entry that contains the user's group names in the directory entries that are returned by the group search. If this entry is not specified, no group search runs. For example, enter cn.
    Search Group Subtree
        If selected, subtrees (if any) are searched. If not selected, the search is limited to the group search base and its immediate child nodes.

    The values in the Group Search Base and Search Group Subtree fields define the scope of the search. Within the scope, groups that match the user-entered group search filter are searched. The value in the Group Name field specifies the LDAP attribute that contains the group name.

    If you select "User roles are defined as an attribute on that user; look up group membership using this attribute", specify the name of the attribute that contains role names in the user directory entry in the User Group Attribute field. If user groups are defined in LDAP as an attribute of the user, the Group Attribute configuration must be used.
    Note: The first time an unknown user attempts to log on, LDAP authorization realms are searched in an attempt to identify the user. If the user is found, a corresponding user ID is created in IBM® UrbanCode Deploy. In addition, if the user is part of an LDAP group, that group is imported as well.
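The following is an added example, not code from IBM UrbanCode Deploy or its documentation. It builds the group search that the Group Search Base, Group Search Filter, Group Name and Search Group Subtree settings describe, escapes the values substituted for {0} and {1} so a user name cannot change the filter's meaning, and replays the search against a constructed directory sample; the function names and sample entries are assumptions.

```python
# Added example (not the product's code): applies the Table 1 settings to a
# constructed directory sample. {0}/{1} placeholders are from the documentation;
# function names, the simplified DN handling and the sample data are assumed.

# Constructed sample directory: (entry DN, attributes) pairs as a server would return.
SAMPLE_DIRECTORY = [
    ("cn=deployers,ou=employees,dc=mydomain,dc=com",
     {"cn": ["deployers"], "member": ["uid=alice,ou=people,dc=mydomain,dc=com"]}),
    ("cn=admins,ou=it,ou=employees,dc=mydomain,dc=com",
     {"cn": ["admins"], "member": ["uid=alice,ou=people,dc=mydomain,dc=com"]}),
    ("cn=auditors,ou=employees,dc=mydomain,dc=com",
     {"cn": ["auditors"], "member": ["uid=bob,ou=people,dc=mydomain,dc=com"]}),
]

def escape_filter_value(value):
    """Escape a substituted value per RFC 4515 so it cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(filter_template, user_dn, username):
    """Replace {0} with the full user DN and {1} with the user name, both escaped."""
    return (filter_template.replace("{0}", escape_filter_value(user_dn))
                           .replace("{1}", escape_filter_value(username)))

def in_scope(entry_dn, search_base, search_subtree):
    """Subtree: anything below the base. Otherwise: the base's immediate children only.
    Simplified DN handling; escaped commas inside RDNs are not considered."""
    suffix = "," + search_base.lower()
    if not entry_dn.lower().endswith(suffix):
        return False
    relative = entry_dn[: -len(suffix)]
    return search_subtree or relative.count(",") == 0

def matches(attrs, ldap_filter):
    """Evaluate the one filter shape the documentation uses as its example: attr=value."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    return value in attrs.get(attr, [])

def find_groups(directory, base, filter_template, group_name_attr, subtree, user_dn, username):
    """Return the group names the realm would import for this user."""
    if not group_name_attr:
        return []  # per the documentation: without a Group Name attribute no group search runs
    ldap_filter = build_filter(filter_template, user_dn, username)
    return [name for dn, attrs in directory
            if in_scope(dn, base, subtree) and matches(attrs, ldap_filter)
            for name in attrs.get(group_name_attr, [])]
```

Clearing Search Group Subtree drops groups such as cn=admins,ou=it,... that sit below an intermediate OU, which is the usual cause of "user logs in but gets no groups" reports.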
