Use the User authentication settings page to manage user
authentication.
Before you begin
You must have the URL of the external LDAP server against which you intend to authenticate users.
This task requires that you are an UrbanCode Velocity administrator.
About this task
An LDAP realm identifies users and groups and defines the rules for how to search for them. When
an unknown user attempts to log on, the external LDAP server authenticates that user by using the realm
parameters that you configure. To configure an LDAP authentication realm, you specify the URL of
the LDAP server and define the user and group searches.
To create an LDAP realm, complete the following steps:
Procedure
- From the UrbanCode™ Velocity dashboard, open the User authentication settings page.
- Click Configure LDAP .
- On the LDAP page, in the Name field, enter a name for
the realm configuration. The value is an arbitrary label that does not affect the other settings.
- In the LDAP URL field, enter the URL of the LDAP server that you use for
authentication. Separate multiple servers with commas. For example,
ldap://ldap_server.my_domain.com:389,ldap://ldap_server.my_domain2.com:389.
A plain ldap:// URL on port 389 sends the bind credentials and search results in cleartext unless the server upgrades the connection with StartTLS; where the server supports it, prefer an ldaps:// URL (typically port 636) so that the connection is encrypted.
- Specify whether anonymous searches are allowed by completing one of the following
options:
- If the LDAP server allows anonymous searches, select Search
Anonymously.
- For authenticated searches, clear the Search Anonymously check box,
and then enter the Bind DN and Bind credentials.
UrbanCode Velocity binds to the LDAP server with these credentials when it searches for user and group entries. Use a dedicated service account with read-only access to the subtrees that the searches cover, for example,
cn=velocity,ou=applications,dc=mydomain,dc=com.
- Optional: In the Scope when searching LDAP users area, specify a search scope by
selecting one of the following options:
- Subtree. Select this option if user entries can be two or more levels
below the Search base. The search covers the Search base and every entry beneath it, at any depth.
- One level. Select this option if all user entries are direct
children of the Search base.
- Base. Select this option to search only the single entry named by the
Search base itself.
The scope is relative to the Search base that you enter in the next step. It
is a good practice to make the scope as narrow as possible, so that the search cannot match entries outside the intended part of the directory.
- In the Search base field, enter the user search base, which is the entry at which the user search starts, such as
ou=employees,dc=mydomain,dc=com.
- In the Search filter field, enter the LDAP filter expression that is used when searching for user entries. The user name
that is entered at logon replaces the {username} variable in the filter, for example,
uid={username}. If the value is not part of the DN pattern, enclose the expression in parentheses, for example,
(mail={username}). Choose an attribute that is unique for each user, so that one logon name cannot match more than one entry. For more information, see the help information for your LDAP
server and look for information about creating user search filters.
- Optional: In the Bind property field, enter the name of the LDAP attribute on the returned user entry that holds the distinguished name
that is used for the bind. The default value is dn.
- Optional: In the Name attribute field, enter the name of the LDAP attribute that contains the user's full name, for example,
cn or displayName.
- In the Email attribute field, enter the name of the LDAP attribute that contains the user's email address, for example,
mail.
- In the Group search base field, enter the entry at which group
searches start. For example, ou=employees,dc=mydomain,dc=com.
- In the Group name attribute field, enter the name of the attribute that
holds the group's name in the entries that are returned by the group
search, for example, cn. If this attribute is not specified, no group search runs.
- Select the Search group subtree check box to include entries below the
Group search base at any depth in the group search.
- In the Role definition area, specify how group membership is determined by completing one of the
following options:
- Select Role in LDAP reference their members if group entries list their
members, and then define the Group search filter. For example, (&(uniqueMember={dn})(cn=BSO*)). The user name replaces the {username} variable in the filter and the
full distinguished name of the user entry replaces the {dn} variable.
- Select User roles are defined as an attribute on that user if user entries list the groups
that they belong to, and then define the Group DN
Attribute and User Group Attribute fields. The Group DN Attribute is the name of the LDAP attribute on group
entries whose value is the group's distinguished name, for example, dn. The
User Group Attribute is the name of the LDAP attribute on user entries whose
value is the distinguished name of a group that the user is a member of, for example,
memberOf.
- Click Save.
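The following script is an added example and is not UrbanCode Velocity code. It models how the realm settings from the procedure above turn into LDAP searches: the user and group filter templates with their {username} and {dn} variables, and the Base, One level and Subtree scope choice. The escaping of substituted values per RFC 4515 and the wrapping of a template that lacks enclosing parentheses are this example's own choices, not a description of what the product does; the directory names (jdoe, ou=contractors) are constructed for the demonstration.

```python
"""Added example (not UrbanCode Velocity code): models how LDAP realm settings
become searches. Substituted values are escaped per RFC 4515, so a logon name
such as  *)(uid=*  cannot widen the user search beyond one entry. Scope handling
is a simplified model of the RFC 4511 base / one-level / subtree scopes."""
import re
from dataclasses import dataclass

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is placed inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, **values: str) -> str:
    """Replace {username}, {dn}, ... in a template with escaped values.

    Wildcards written in the template itself (cn=BSO*) are kept, because they
    belong to the administrator; only substituted values are escaped. A
    template without enclosing parentheses (uid={username}) is wrapped, which
    is this example's reading of the 'enclose in parentheses' note (assumption).
    """
    def substitute(match: re.Match) -> str:
        return escape_filter_value(values[match.group(1)])  # KeyError if missing

    rendered = re.sub(r"\{(\w+)\}", substitute, template)
    return rendered if rendered.startswith("(") else f"({rendered})"


def _rdns(dn: str) -> list:
    # Simplified DN split: ignores escaped commas inside attribute values.
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, search_base: str, scope: str) -> bool:
    """Whether entry_dn is returned by a search of search_base at the given scope.

    scope is 'base' (the base entry only), 'one' (direct children only) or
    'sub' (the base and everything beneath it), as defined in RFC 4511.
    """
    entry, base = _rdns(entry_dn), _rdns(search_base)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under the search base at all
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


@dataclass
class LdapRealm:
    """The subset of realm settings that shape the user and group searches."""
    search_base: str
    scope: str
    search_filter: str
    group_search_base: str
    group_search_filter: str

    def user_filter(self, username: str) -> str:
        return render_filter(self.search_filter, username=username)

    def group_filter(self, username: str, dn: str) -> str:
        return render_filter(self.group_search_filter, username=username, dn=dn)


# Constructed settings mirroring the examples given in the procedure.
REALM = LdapRealm(
    search_base="ou=employees,dc=mydomain,dc=com",
    scope="one",
    search_filter="uid={username}",
    group_search_base="ou=employees,dc=mydomain,dc=com",
    group_search_filter="(&(uniqueMember={dn})(cn=BSO*))",
)

if __name__ == "__main__":
    print(REALM.user_filter("jdoe"))
    print(REALM.user_filter("*)(uid=*"))  # special characters are escaped
    print(REALM.group_filter("jdoe", "uid=jdoe,ou=employees,dc=mydomain,dc=com"))
    # A user one level deeper than the search base is outside a one-level scope.
    print(in_scope("uid=jdoe,ou=contractors,ou=employees,dc=mydomain,dc=com",
                   REALM.search_base, REALM.scope))
```

The point of the `in_scope` check is the practical one behind "make the scope as narrow as possible": with a One level scope an entry placed in a sub-OU such as ou=contractors is simply not found, whereas Subtree would return it, so the scope and the Search base together decide which part of the directory can ever produce a logon.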
Results
The first time an unknown user attempts to log on, the LDAP authentication realms are searched in an
attempt to identify the user. If the user is found and authenticated, a corresponding user ID is created in UrbanCode Velocity, and any LDAP group that the user belongs to is imported too.
Users who log on to the server with their LDAP credentials are listed on the
Users page. In most cases, do not manage their passwords or remove them from
the list: removing an active user from UrbanCode Velocity does not prevent that user from logging on again while their LDAP
credentials remain valid. To revoke access, disable or remove the account in the LDAP directory.