Configuring the Lightweight Directory Access Protocol (LDAP) settings

Configuring the Lightweight Directory Access Protocol (LDAP) security for Rational® Test Control Panel works the same way as for Active Directory, except that the LDAP configuration involves setting a few additional properties.
Editing the security.config file

The security.config file is found in the security folder in the Rational Test Control Panel workspace.
- On Windows systems, the folder is typically at C:\IBM\RTCP-Workspace\security.
- On Unix-like systems, the folder is typically at /var/rtcp/security.
Keep in mind the following guidelines while editing the security.config file:
- If the backslash character "\" needs to be used in any property value, escape it with another backslash character: "\\". For example, if the value is C:\XYZ, specify it as C:\\XYZ.
- Optional: If any of the characters "=", ":", "#", or "!" is used in a property value, escape it with a backslash.
- Set the credentialsStore property to LDAP.
| Name in the IBM Installation Manager GUI | Name in the security.config file | Description |
|---|---|---|
| user filter | userFilter | User filter. The {0} placeholder is replaced with the user name of the user that you are trying to authenticate. This filter is used to locate users within the LDAP server. |
| user group filter | userGroupFilter | User group filter. The {0} placeholder is replaced with the Distinguished Name (DN) of the user that you are trying to authenticate. This filter returns the groups of which the user is a member. |
| group filter | parentGroupFilter | Group filter. Used for recursive retrieval of the parent groups of the user's groups. This property differs from its Active Directory equivalent and has a different property name. |
| group id attribute | groupIdentifier | Group identification attribute. This value is used to obtain the group's name when mapping groups to roles. Do not use Distinguished Names (DNs) or partially qualified names. |
| url | url | The address of the LDAP server. |
| admin user | adminuser | An LDAP user with group query permissions. The user name should be a Distinguished Name (DN). |
| group search base | searchBase | The location where directory group searches should begin. For example, dc=mycompany,dc=local. |
| user search base | userSearchBase | The location where directory user searches should begin. Leave this property blank if it is the same as the group search base. |
Note: For users to be able to log in, the following conditions must be met:
- The user's LDAP entry must exist within the user search base; that is, the user's LDAP Distinguished Name must end with the user search base.
- The user must either be in an LDAP group that has been assigned the user role, or be in an LDAP group that has been assigned the admin role.
Sample: security.config file with Lightweight Directory Access Protocol settings

```properties
#RTCP security configuration
#Fri Jan 16 14:41:04 GMT 2015
allGroupsFilter=(objectClass\=groupOfUniqueNames)
url=ldap\://localhost\:11589
searchBase=dc\=example,dc\=com
groupMappings=admingroup\=admin,admingroup\=user,usergroup\=user,
adminuser=Cn\=root
parentGroupFilter=(objectClass\=groupOfUniqueNames)
adminpassword=\#com.ghc.1\!c310E357A2EB7262116255340CB26A
credentialsStore=LDAP
groupIdentifier=cn
userGroupFilter=(&(objectClass\=groupOfUniqueNames)(uniqueMember\={0}))
userFilter=(&(objectClass\=person)(cn\={0}))
userSearchBase=dc\=example,dc\=com
```
Note: The searchBase parameter is used for group searches.
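The following added example (not part of the product or this page's own code) reads a security.config excerpt using the escaping rules described above, fills the {0} placeholders of userFilter and userGroupFilter with RFC 4515 filter escaping so that user-supplied names cannot alter the filter structure, and checks the login condition that a user's DN must end with userSearchBase. The config text, user names and DNs are constructed sample values.

```python
import re

# Constructed excerpt modelled on the sample security.config on this page
# (raw string, so the "\=" and "\:" escapes stay exactly as written on disk).
SAMPLE_CONFIG = r"""#RTCP security configuration
credentialsStore=LDAP
url=ldap\://localhost\:11589
searchBase=dc\=example,dc\=com
adminuser=Cn\=root
groupIdentifier=cn
userGroupFilter=(&(objectClass\=groupOfUniqueNames)(uniqueMember\={0}))
userFilter=(&(objectClass\=person)(cn\={0}))
userSearchBase=dc\=example,dc\=com
"""

def _split_key_value(line):
    """Split on the first '=' or ':' that is not backslash-escaped."""
    escaped = False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in "=:":
            return line[:i].strip(), line[i + 1:].strip()
    return line.strip(), ""

def parse_security_config(text):
    """Parse security.config: a backslash escapes the next character, so a
    doubled backslash yields one, and escaped '=', ':', '#', '!' become literal."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # comment lines
            continue
        key, value = _split_key_value(line)
        props[key] = re.sub(r"\\(.)", r"\1", value)
    return props

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def render_filter(template, value):
    """Fill the {0} placeholder of userFilter / userGroupFilter with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))

def dn_within_base(dn, base):
    """Login condition from the page: the user's DN must end with userSearchBase.
    Simplified normalisation (case folding and spaces after commas only)."""
    norm = lambda s: re.sub(r",\s*", ",", s.strip()).lower()
    return norm(dn).endswith("," + norm(base))

if __name__ == "__main__":
    cfg = parse_security_config(SAMPLE_CONFIG)
    print(render_filter(cfg["userFilter"], "alice"))
```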