LDAP parameters are set in the LDAP configuration file:
univiewer_server\<nodename>\data\ldap.xml
This file must be edited manually to set the connection parameters of the LDAP server. Changes are taken into account only when UVMS restarts. The file is not modified by a UVMS upgrade.
Several LDAP directories can be used to verify authentication: create one <instance name> section per LDAP directory in ldap.xml.
All the file fields are described below:
BaseDN
This parameter is deprecated.
clearCredential
Specifies whether securityCredential is stored in clear or in encrypted form. By default, passwords are not encrypted.
A password encryption utility (uniencoder) is provided in the kit in order to store the securityCredential password in an encrypted format inside the ldap.xml file:
This command takes the source password as an argument and displays the encrypted password in standard output.
If clearCredential is set to "NO" (YES by default), paste the encrypted password into the securityCredential field in ldap.xml.
Even if the password is encrypted in the ldap.xml file, UVMS sends it to the directory server in clear by default. To secure this communication, refer to the section "Password Communication between UVMS and the Directory Server".
The value YES allows UVMS to use a connection cache (the standard use, by default). Refer to the section "LDAP Failover mode" for more information.
YES (by default) or NO
followReferral
If LDAP slave servers are declared, YES enables UVMS to look for information on the slave servers when it is not found on the master server.
NO (by default) ignores the slave servers.
groupsAttributeId
Synchronization mode only.
Attribute used to create the group. It must be unique. For instance: CN.
groupsListSearchFilter
Synchronization mode only.
Filter applied to find all first level groups (for instance, all groups starting with AUTOMIC):
groupsSearchBase
Synchronization mode only.
Distinguished Name of the tree structure that contains all the first-level groups. For instance: ou=groups,dc=automic,dc=com
groupsSearchDepth
Synchronization mode only.
Search depth.
host
Hostname of the LDAP directory server
localhost (by default)
instance name
Mandatory. An instance defines a set of parameters for one directory server. When several instances are defined, authentication is tested against the first instance, then against the second if it failed against the first, then against the third if it failed against the second, and so on.
memberAttribute
Synchronization mode only.
Attribute linking groups and users. For instance: member.
memberAttributeOf
Synchronization mode only.
Attribute linking groups and users when the LDAP server supports this type of request. For instance: memberOf. For improved performance, prefer this attribute over memberAttribute (see useMemberOfAttribute). If this attribute is not to be used, leave the field empty. Note that the sample files below name this element memberOfAttribute.
nestedGroups
Synchronization mode only.
Supports nested groups (YES) or not (NO, by default).
Whether or not nested groups are activated has a direct impact on the import of groups into UVMS.
For example, with the following definition:
  Group A
    Group A1
      User1
    Group A2
      User2
  Group B
    User3
If nested groups are deactivated, importing groups A and B into UVMS results in:
  Group A
    No user
  Group B
    User3
If nested groups are activated, importing groups A and B into UVMS results in:
  Group A
    User1
    User2
  Group B
    User3
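The two import results above, reproduced by an added Python illustration (this is not UVMS code): the group tree, group names and user names are the constructed ones from the example, and the resolver also guards against membership cycles, which the example does not cover.

```python
# Added illustration (not UVMS code): how the nestedGroups setting changes
# which users an imported group ends up with, using the tree above.

# Constructed directory model: group -> direct members (users or sub-groups).
DIRECTORY = {
    "Group A": ["Group A1", "Group A2"],
    "Group A1": ["User1"],
    "Group A2": ["User2"],
    "Group B": ["User3"],
}


def resolve_users(group, directory, nested_groups):
    """Return the set of users imported for `group`.

    nested_groups=False mirrors nestedGroups=NO: only direct user members
    count and sub-groups are skipped. nested_groups=True mirrors
    nestedGroups=YES: sub-groups are expanded recursively. The `seen` set
    stops membership cycles (G1 contains G2 contains G1) from looping forever.
    """
    users = set()
    seen = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in directory.get(current, []):
            if member in directory:          # the member is itself a group
                if nested_groups:
                    stack.append(member)
            else:                            # the member is a user entry
                users.add(member)
    return users


def import_groups(groups, directory, nested_groups):
    """Import several first-level groups, as UVMS does for groups A and B."""
    return {g: resolve_users(g, directory, nested_groups) for g in groups}


if __name__ == "__main__":
    for flag in (False, True):
        print("nestedGroups =", "YES" if flag else "NO")
        for name, users in import_groups(["Group A", "Group B"], DIRECTORY, flag).items():
            print(" ", name, "->", sorted(users) or "No user")
```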
nestedGroupsListSearchFilter
Synchronization mode only.
Filter applied to find all nested groups. For instance:
nestedGroupsSearchBase
Synchronization mode only.
Distinguished Name of the tree structure containing all the first-level groups. For instance: ou=groups,dc=automic,dc=com
nestedGroupsSearchDepth
Synchronization mode only.
Search depth for all nested groups.
port
Mandatory. Port number of the LDAP directory server. For example, 389 or 636.
securityAuthentication
Type of authentication: simple (by default).
The DIGEST-MD5 value can be entered to support SASL. Refer to the section "SASL Configuration".
securityCredential
Mandatory. Password of the user defined in securityPrincipal.
All information needed must be placed between the CDATA brackets. For example, to define the local user password:
<securityCredential><![CDATA[Ld@p$Unv]]></securityCredential>
If there is nothing to add, the <![CDATA[...]]> part should be removed.
securityPrincipal
Service user account (in DN format) used by UVMS to search for users in the LDAP directory. This entry must have search rights on the directory subtree where users are located. Examples:
securityProtocol
The only security protocol accepted is "plain".
SSL
YES turns on the ldaps protocol. Refer to the section "SSL Configuration" for more information.
YES or NO (by default)
useMemberOfAttribute
Synchronization mode only.
Indicates whether UVMS may use the memberAttributeOf field (YES) or not (NO, by default), that is, whether the LDAP server supports memberOf requests.
usersAttributeId
Synchronization mode only.
Attribute used to create a user. It must be unique. For instance: CN.
usersListSearchFilter
Synchronization mode only.
Filter applied to find all users. For instance: objectclass=Person
usersSearchBase
Mandatory. Distinguished Name of the sub-tree entry containing all the user entries. For example: ou=users,dc=automic,dc=com
For performance reasons, this value is only used during connection (authentication). During group synchronization, every user matching usersListSearchFilter is created in UVMS even if it does not match usersSearchBase or usersSearchDepth. Those accounts will not be able to connect to UVMS.
usersSearchDepth
Scope of the search.
For performance reasons, this value is only used during connection (authentication). During group synchronization, every user matching usersListSearchFilter is created in UVMS even if it does not match usersSearchBase or usersSearchDepth. Those accounts will not be able to connect to UVMS.
usersSearchFilter
Mandatory. Filter applied to find the user from his/her login.
For example:
The !login! variable is automatically replaced by UVMS with the login provided by the connecting user.
All information needed must be placed between the CDATA brackets. For example, to change the user search filter:
<usersSearchFilter><![CDATA[(&(objectClass=Person)(uid=!login!))]]></usersSearchFilter>
If there is nothing to add, the <![CDATA[...]]> part should be removed.
Wildcards, where usable, can only be entered at the end of the string, for instance: "automic*". Special characters need to be represented with a different syntax. For example:
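As an added illustration (not UVMS code), the following Python shows how the !login! placeholder of the usersSearchFilter template above is substituted, and how the special characters defined by RFC 4515 are escaped in the substituted value so that the login is matched literally rather than being read as filter syntax. The template is the one from the example above; the sample logins are constructed.

```python
# Added illustration (not UVMS code): substitution of !login! into the
# usersSearchFilter template, with RFC 4515 escaping of the login value.

# Characters with a special meaning inside an LDAP filter value; RFC 4515
# writes them as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a value so an LDAP filter matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template, login):
    """Replace !login! in the usersSearchFilter template with the escaped login.

    The template itself is trusted configuration and may legitimately carry a
    trailing wildcard (CN=AUTOMIC*); only the login coming from the user is
    escaped, so a login of 'j*' matches an account literally named 'j*'
    instead of every account starting with 'j'.
    """
    if "!login!" not in template:
        raise ValueError("usersSearchFilter template lacks the !login! placeholder")
    return template.replace("!login!", escape_filter_value(login))


if __name__ == "__main__":
    tmpl = "(&(objectClass=Person)(uid=!login!))"   # template from the example above
    for login in ("jdoe", "j*", "(test)"):           # constructed logins
        print(login, "->", build_user_filter(tmpl, login))
```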
Example of a generic LDAP configuration file (Open LDAP for instance)
<?xml version="1.0" encoding="UTF-8"?>
<ldap version="1.0">
  <instance name="LDAP Repository">
    <!-- general configuration -->
    <host></host>
    <port>389</port>
    <SSL>NO</SSL>
    <memberAttribute>member</memberAttribute>
    <memberOfAttribute>memberOf</memberOfAttribute>
    <useMemberOfAttribute>NO</useMemberOfAttribute>
    <followReferral>NO</followReferral>
    <!-- security -->
    <securityPrincipal></securityPrincipal>
    <clearCredential>YES</clearCredential>
    <securityCredential><![CDATA[]]></securityCredential>
    <securityProtocol>plain</securityProtocol>
    <securityAuthentication>simple</securityAuthentication>
    <!-- users -->
    <usersSearchBase>ou=users,dc=yourdomain,dc=com</usersSearchBase>
    <usersAttributeId>CN</usersAttributeId>
    <usersListSearchFilter><![CDATA[objectClass=person]]></usersListSearchFilter>
    <usersSearchFilter><![CDATA[(&(objectClass=person)(cn=!login!))]]></usersSearchFilter>
    <usersSearchDepth>SUBTREE_SCOPE</usersSearchDepth>
    <!-- groups -->
    <groupsSearchBase>ou=groups,dc=yourdomain,dc=com</groupsSearchBase>
    <groupsAttributeId>CN</groupsAttributeId>
    <groupsListSearchFilter><![CDATA[(&(objectClass=groupOfNames)(CN=AUTOMIC*))]]></groupsListSearchFilter>
    <groupsSearchDepth>SUBTREE_SCOPE</groupsSearchDepth>
    <!-- nested groups -->
    <nestedGroups>NO</nestedGroups>
    <nestedGroupsSearchBase>ou=groups,dc=yourdomain,dc=com</nestedGroupsSearchBase>
    <nestedGroupsListSearchFilter><![CDATA[objectClass=groupOfNames]]></nestedGroupsListSearchFilter>
    <nestedGroupsSearchDepth>SUBTREE_SCOPE</nestedGroupsSearchDepth>
  </instance>
</ldap>
Example of an LDAP configuration file for Active Directory
<?xml version="1.0" encoding="UTF-8"?>
<ldap version="1.0">
  <instance name="Active Directory">
    <!-- general configuration -->
    <host></host>
    <port>389</port>
    <SSL>NO</SSL>
    <memberAttribute>member</memberAttribute>
    <memberOfAttribute>memberOf</memberOfAttribute>
    <useMemberOfAttribute>YES</useMemberOfAttribute>
    <followReferral>NO</followReferral>
    <!-- security -->
    <securityPrincipal></securityPrincipal>
    <clearCredential>YES</clearCredential>
    <securityCredential><![CDATA[]]></securityCredential>
    <securityProtocol>plain</securityProtocol>
    <securityAuthentication>simple</securityAuthentication>
    <!-- users -->
    <usersSearchBase>ou=users,dc=yourdomain,dc=com</usersSearchBase>
    <usersAttributeId>userPrincipalName</usersAttributeId>
    <usersListSearchFilter><![CDATA[objectClass=person]]></usersListSearchFilter>
    <usersSearchFilter><![CDATA[(&(objectClass=person)(userPrincipalName=!login!))]]></usersSearchFilter>
    <usersSearchDepth>SUBTREE_SCOPE</usersSearchDepth>
    <!-- groups -->
    <groupsSearchBase>ou=groups,dc=yourdomain,dc=com</groupsSearchBase>
    <groupsAttributeId>CN</groupsAttributeId>
    <groupsListSearchFilter><![CDATA[(&(objectClass=group)(CN=AUTOMIC*))]]></groupsListSearchFilter>
    <groupsSearchDepth>SUBTREE_SCOPE</groupsSearchDepth>
    <!-- nested groups -->
    <nestedGroups>NO</nestedGroups>
    <nestedGroupsSearchBase>ou=groups,dc=yourdomain,dc=com</nestedGroupsSearchBase>
    <nestedGroupsListSearchFilter><![CDATA[objectClass=group]]></nestedGroupsListSearchFilter>
    <nestedGroupsSearchDepth>SUBTREE_SCOPE</nestedGroupsSearchDepth>
  </instance>
</ldap>
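An added example, not part of UVMS or of the sample files: a small Python lint for ldap.xml that applies the mandatory fields and the defaults given in the reference above (clearCredential YES, SSL NO, nestedGroups NO, securityProtocol plain) and flags the two settings that leave the service-account password in clear. The embedded file is the generic sample with a constructed host, principal and password filled in; element names are those of the sample files.

```python
# Added example, not part of UVMS: a lint for ldap.xml that checks the mandatory
# fields from the reference above and flags settings that leave the bind password in clear.
import xml.etree.ElementTree as ET
from functools import partial

MANDATORY = ("port", "securityCredential", "usersSearchBase", "usersSearchFilter")

# Constructed sample: the generic file above with host, principal and password filled in.
SAMPLE_LDAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ldap version="1.0">
  <instance name="LDAP Repository">
    <host>ldap.example.internal</host><port>389</port><SSL>NO</SSL>
    <securityPrincipal>cn=uvms,ou=services,dc=example,dc=com</securityPrincipal>
    <clearCredential>YES</clearCredential>
    <securityCredential><![CDATA[Ld@p$Unv]]></securityCredential>
    <securityProtocol>plain</securityProtocol>
    <usersSearchBase>ou=users,dc=example,dc=com</usersSearchBase>
    <usersSearchFilter><![CDATA[(&(objectClass=person)(cn=!login!))]]></usersSearchFilter>
    <nestedGroups>YES</nestedGroups>
  </instance>
</ldap>"""


def text(inst, tag, default=""):
    """Stripped text of a child element; ElementTree unwraps CDATA for us."""
    el = inst.find(tag)
    return (el.text or "").strip() if el is not None else default


def lint_ldap_xml(xml_text):
    """Return (instance, level, message) findings for every <instance>."""
    findings = []
    for inst in ET.fromstring(xml_text).findall("instance"):
        name = inst.get("name") or "<unnamed>"
        t = partial(text, inst)
        checks = [
            (not inst.get("name"), "ERROR", "instance name is mandatory"),
            *[(not t(tag), "ERROR", f"{tag} is mandatory and empty") for tag in MANDATORY],
            (not t("port").isdigit(), "ERROR", "port must be numeric (e.g. 389 or 636)"),
            ("!login!" not in t("usersSearchFilter"), "ERROR", "usersSearchFilter lacks !login!"),
            (t("securityProtocol", "plain") != "plain", "ERROR", "securityProtocol must be 'plain'"),
            # Defaults per the reference: clearCredential=YES, SSL=NO, nestedGroups=NO.
            (t("clearCredential", "YES").upper() == "YES" and bool(t("securityCredential")),
             "WARN", "securityCredential stored in clear; run uniencoder and set clearCredential=NO"),
            (t("SSL", "NO").upper() != "YES", "WARN", "SSL=NO: the bind password is sent in clear"),
            (t("nestedGroups", "NO").upper() == "YES" and not t("nestedGroupsSearchBase"),
             "WARN", "nestedGroups=YES but nestedGroupsSearchBase is empty"),
        ]
        findings += [(name, level, msg) for bad, level, msg in checks if bad]
    return findings
```

Run lint_ldap_xml on the contents of univiewer_server\<nodename>\data\ldap.xml before restarting UVMS; the sample above yields three warnings and no errors.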
As of version 6.10.41, documentation updates are posted on the Broadcom Techdocs Portal. Look for Dollar Universe.