Thursday, August 16, 2012

Quality Center LDAP Authentication


An important distinction should be made when working with LDAP: there are two phases. The first is the import. In this phase you need an LDAP account that has the privileges to import users; an LDAP ‘admin’ account is the most suitable.

The second phase is the actual use of the imported account by the QC user. In this phase the user does not make use of the "importer" LDAP account. QC delegates the user's DN ('Distinguished Name', a unique user identifier) as imported earlier to the LDAP server, and grants or denies access according to the LDAP reply.

The user's password is not stored in QC; it is managed by the LDAP server. When a user's password is changed in the directory, QC does not need to know about it.

Importing users from LDAP:

  1. Obtain the URL of your LDAP server and enter it in ‘Authentication Settings -> Directory Provider URL’. The URL convention is ldap://myserver:port. You can use this convention in the following combinations:

'<Server name>'
'ldap://<server name>'
'ldap://<server name>:<custom port>'

· Check with your LDAP administrator whether secure LDAP is used. In that case you may need to use ‘ldaps’ when creating the connection (‘ldaps://<server name>’).
· The default ports for LDAP are 389 (regular) and 636 (secure).
· This check verifies only the connection URL, not access rights.

  2. Once you have successfully established a connection you can continue to import users. Open the ‘LDAP Import Settings’ dialog.
  3. ‘Directory Provider URL’ will be similar to what you used previously in ‘Authentication Settings’.
  4. Depending on your site policy you can choose the ‘Anonymous’ account, if it was set up with sufficient privileges to import users, or you must obtain a user account that was given the appropriate grants. Note that on sites using security it is unlikely that ‘Anonymous’ will have sufficient grants.
  5. If ‘Anonymous’ is not used, a ‘Simple -> Authentication Principal’ account is to be used. LDAP identifies any object (a 'user' object in our case) in the tree by the path of nodes from the object's own node up to the root node. This unique string combination is called a DN (distinguished name). For example, consider the screenshot below of an LDAP tree that starts with a domain called 'CSOIL'.


  6. In this example the ‘Administrator’ node has a DN made of the nodes read from the leaf back to the root:

'CN=Administrator, CN=Users, DC=CSOIL'

· The above DN is a partial path only; in a real example it will have more root elements.
· You will need to ask your LDAP admin for the DN to authenticate with.


  7. To understand more about LDAP terminology, the table below lists common LDAP abbreviations and terms that usually concern an object of type 'user':

LDAP term: Explanation (with example)

CN: Common Name. CN is the combination of first name and last name; the attribute is made up of givenName joined to SN (surname). For example: CN=Yariv Gadish
DN: Distinguished Name. The DN is simply the most important LDAP attribute. For example: CN=Yariv Gadish,OU=CSO,DC=CO,DC=IL
OU: Organizational Unit. For example: OU=CSO
DC: Domain Component. For example: DC=IL
SN: The last name or surname. For example: SN=Gadish
sAMAccountName: The NT 4.0 logon name. For example: sAMAccountName=gadishy
userPrincipalName: Often abbreviated to UPN; looks like an email address. For example: userPrincipalName=yariga@mercury.com
givenName: First name (also called Christian name).
name: Name. The same as CN. For example: name=Yariv Gadish


  8. After completing the first dialog of ‘LDAP Import Settings’, the next screen will ask you for more details.
  9. ‘Directory base’: here you can choose whether to import from the root of the LDAP tree or from a sub node.
  10. Another way to filter objects is to use the ‘Base Filter’. Here you can specify classes that fit certain objects only. You can use logical ‘OR’ (‘|’) and/or ‘AND’ (‘&’) to create a condition made of several sub conditions.

For example, search for users that are defined as class ‘user’ or class ‘person’:

(|(objectClass=user)(objectClass=person))

Another example: search for a single user:

(&(|(objectClass=user)(objectClass=person))(CN=Yariv))

Note that:
· The logical operator joining the conditions is placed at the start of the statement.
· A user entity might be defined with several different objectClass values.
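As an added example (not code from the post or from Quality Center), the following Python simulation shows what the ‘Directory base’ and ‘Base Filter’ settings select together: it splits a DN into its nodes, checks whether an entry sits under the chosen base, and evaluates filters written in the prefix notation shown above against a small constructed in-memory directory. The directory entries and DNs are made up for the illustration; real LDAP servers also support wildcards and other operators that this toy evaluator does not.

```python
# Constructed sample directory (not real data): entries keyed by DN, attribute names as in the table above.
DIRECTORY = {
    "CN=Administrator,CN=Users,DC=CSOIL": {"objectClass": ["top", "person", "user"], "CN": "Administrator"},
    "CN=Yariv Gadish,OU=CSO,DC=CO,DC=IL": {"objectClass": ["top", "person", "user"], "CN": "Yariv Gadish", "sAMAccountName": "gadishy"},
    "CN=Yariv,OU=CSO,DC=CO,DC=IL": {"objectClass": ["top", "person"], "CN": "Yariv"},
    "CN=Build Server,OU=Servers,DC=CO,DC=IL": {"objectClass": ["top", "computer"], "CN": "Build Server"},
}

def split_dn(dn):
    """Split a DN into its RDNs, leaf first (tolerates the ', ' spacing used in the post)."""
    return [p.strip() for p in dn.split(",")] if dn else []

def under_base(dn, base):
    """True if dn is at or below the 'Directory base' (an empty base means import from the tree root)."""
    d = [p.lower() for p in split_dn(dn)]
    b = [p.lower() for p in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def parse_filter(text):
    """Parse a Base Filter such as (&(|(a=b)(c=d))(e=f)); the operator comes first, as the post notes."""
    def node(i):
        assert text[i] == "(", "expected '(' at offset %d" % i
        i += 1
        if text[i] in "&|!":                      # compound node: operator followed by sub-filters
            op, kids, i = text[i], [], i + 1
            while text[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            assert text[i] == ")", "unterminated compound filter"
            return (op, kids), i + 1
        end = text.index(")", i)                  # simple equality node: attr=value
        attr, _, val = text[i:end].partition("=")
        return ("=", attr.strip(), val.strip()), end + 1
    tree, i = node(0)
    assert i == len(text), "trailing text after filter"
    return tree

def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    op = node[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    values = {k.lower(): v for k, v in entry.items()}.get(node[1].lower(), [])
    values = [values] if isinstance(values, str) else values
    return any(v.lower() == node[2].lower() for v in values)

def ldap_import(base, filter_text):
    """DNs the import would return for a Directory base plus Base Filter (simulation, not QC's own logic)."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, e in DIRECTORY.items() if under_base(dn, base) and matches(tree, e))
```

Running the page's second filter shows that equality is exact: (CN=Yariv) selects 'CN=Yariv' but not 'CN=Yariv Gadish'.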



  11. Next you have two possible buttons, ‘Set Default for Active Directory’ and ‘Set Default for LDAP’. Pressing one of these buttons sets the field mappings between the LDAP user and the imported QC user. As the names of the buttons imply, these set the mappings to the default standards used in either category. Note that ‘Active Directory’ means the Microsoft implementation of LDAP.
  12. If your user objects do not use the default attribute names, you need to click the ‘Advanced’ button.
  13. In the ‘Advanced -> Field Mapping’ dialog you can specify the naming conventions used on your LDAP server.


