An important distinction should be made when working with LDAP: there are two phases. The first is the import. In this phase you need an LDAP account that has the privileges to import users; an LDAP 'admin' account is, of course, the most suitable.
The second phase is the actual usage of the imported account by the QC user. In this phase the user does not use the "importer" LDAP account. QC passes the user's DN ('Distinguished Name', a unique user identifier), as imported earlier, to the LDAP server and grants or denies access according to the LDAP reply.
The user's password is not stored in QC; it is managed by the LDAP server. When a user's password is modified on the LDAP side, QC does not need to know about it.
Importing users from LDAP:
- Obtain the URL of your LDAP server and enter it in ‘Authentication Settings->Directory Provider URL’. The URL convention is ldap://myserver:port. You can use this convention in the following combinations:
'<Server name>'
'ldap://<server name>'
'ldap://<server name>:<custom port>'
· Check with your LDAP administrator whether secure LDAP is used. In this case you might need to use ‘ldaps’ when creating the connection (‘ldaps://<server name>’).
· The default ports for LDAP are 389 (regular) and 636 (secure).
· This check verifies only the connection URL, not access rights.
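The three accepted URL forms above, plus the ‘ldaps’ variant, can be normalised into one scheme/host/port triple before they are entered in the dialog. The following Python is an added example written for this page, not QC code; it only parses the URL and fills in the default ports 389 and 636, and, like the dialog's own check, it says nothing about access rights. A bare server name is assumed to mean plain ‘ldap’.

```python
from urllib.parse import urlsplit

# Default ports as stated on this page: 389 for ldap, 636 for ldaps.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalize_ldap_url(value):
    """Accept '<server>', 'ldap://<server>', 'ldap://<server>:<port>' or
    'ldaps://<server>[:<port>]' and return (scheme, host, port) with the
    default port filled in.  Any other scheme is rejected."""
    value = value.strip()
    if "://" not in value:
        # Bare server name (first accepted form): assumed to be plain ldap.
        value = "ldap://" + value
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("missing server name in %r" % value)
    # parts.port is None when no explicit port was given; urlsplit itself
    # raises ValueError for a non-numeric or out-of-range port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def provider_url(value):
    """Canonical 'scheme://host:port' string for the Directory Provider URL."""
    scheme, host, port = normalize_ldap_url(value)
    return "%s://%s:%d" % (scheme, host, port)


if __name__ == "__main__":
    for sample in ("myserver", "ldap://myserver", "ldap://myserver:10389", "ldaps://myserver"):
        print(sample, "->", provider_url(sample))
```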
- Once you have successfully established a connection you can continue with importing users. Open the ‘LDAP Import Settings’ dialog.
- ‘Directory Provider URL’ will be similar to what you used previously in ‘Authentication Settings’.
- Depending on your site policy you can choose the ‘Anonymous’ account, if it was set up with sufficient privileges to import users, or you must obtain a user account that was given the appropriate grants. Note that in sites using security it is not likely that ‘Anonymous’ will have sufficient grants.
- If ‘Anonymous’ is not used then a ‘Simple->Authentication Principle’ account is to be used. LDAP identifies any object (a 'user' object in our case) in the tree as a path made of the nodes from the current node up to the root node. This unique string is called a DN (distinguished name). For example, consider the screen shot below of an LDAP tree that starts with a domain called 'CSOIL'.
- In this example the ‘Administrator’ node is a DN combined of the nodes going from end to start:
'CN=Administrator, CN=Users, DC=CSOIL'
· The above DN is a partial path only. In a real example it will have more root elements.
· You will need to ask your LDAP admin for the DN to authenticate with.
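To make the "path from the object up to the root" idea concrete, here is an added Python example (not QC code, and not from the original page) that splits a DN into its components, lists them leaf-to-root as the page describes, and derives the DN of the containing node. It handles the whitespace around commas seen in the page's own example and backslash-escaped commas inside a value; the sample DNs are the page's, used as constructed input.

```python
def split_dn(dn):
    """Split a DN into (attribute, value) pairs in the order written,
    i.e. leaf object first, root last.  A backslash escapes the next
    character, so 'CN=Gadish\\, Yariv' stays one component."""
    components, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
    components.append("".join(current))

    pairs = []
    for rdn in components:
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def leaf_to_root(dn):
    """The nodes 'going from end to start', as the page puts it."""
    return ["%s=%s" % (a, v) for a, v in split_dn(dn)]


def parent_dn(dn):
    """DN of the container one level above the object (empty at the root)."""
    return ",".join("%s=%s" % (a, v) for a, v in split_dn(dn)[1:])


if __name__ == "__main__":
    example = "CN=Administrator, CN=Users, DC=CSOIL"   # DN from the page
    print("leaf to root:", leaf_to_root(example))
    print("parent:      ", parent_dn(example))
```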
- To understand more about LDAP terminology, the table below lists common LDAP abbreviations and terms that usually concern an object of type 'user':
| LDAP term | Explanation |
|---|---|
| CN | Common Name. CN is the combination of first name and last name; the attribute is made up from givenName joined to SN (surname). For example: CN=Yariv Gadish |
| DN | Distinguished Name. DN is simply the most important LDAP attribute. For example: CN=Yariv Gadish,OU=CSO,DC=CO,DC=IL |
| OU | Organizational Unit. For example: OU=CSO |
| DC | Domain Component. For example: DC=IL |
| SN | Surname, i.e. the last name. For example: SN=Gadish |
| sAMAccountName | The NT 4.0 logon name. For example: sAMAccountName=gadishy |
| userPrincipalName | Often abbreviated to UPN; looks like an email address. For example: userPrincipalName=yariga@mercury.com |
| givenName | First name, also called Christian name. |
| name | Name. The same as CN. For example: name=Yariv Gadish |
- After completing the first dialog of ‘LDAP Import Settings’ the next screen will ask you for more details.
- ‘Directory base’. Here you choose whether to import from the root of the LDAP tree or from a sub node.
- Another way to filter objects is to use the ‘Base Filter’. Here you can specify classes that will fit certain objects only. You can use logical ‘OR’ (‘|’) and/or ‘AND’ (‘&’) to create a condition made of several sub conditions.
For example, search for users that are defined with class ‘user’ or class ‘person’:
(|(objectClass=user)(objectClass=person))
Another example, search for a single user:
(&(|(objectClass=user)(objectClass=person))(CN=Yariv))
Note that:
· The logical operator joining the conditions is at the start of the statement (prefix notation), not between them.
· A user entity might be defined with several objectClass values, which is why the ‘OR’ form above is useful.
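The prefix notation and the "several objectClass values" point are easier to see when a filter is actually evaluated. The following Python is an added example for this page, not QC's implementation of the Base Filter: it parses filters in the (&...), (|...), (!...) and (attr=value) forms used above and runs them over a small, constructed set of directory entries (the DNs and attribute values are invented for illustration). Attribute names and values compare case-insensitively; the equality is exact, so (CN=Yariv) only matches an entry whose CN is exactly "Yariv".

```python
def parse_filter(text):
    """Parse an LDAP filter in prefix notation into a nested tuple tree:
    ('&', [..]) / ('|', [..]) / ('!', [one]) / ('=', attr, value)."""

    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at position %d" % i)
        i += 1
        if i >= len(text):
            raise ValueError("unterminated filter")
        op = text[i]
        if op in "&|!":
            # The operator comes first; its sub-filters follow in parentheses.
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i:i + 1] != ")":
                raise ValueError("expected ')' at position %d" % i)
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, children), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep:
            raise ValueError("only attr=value comparisons are supported")
        return ("=", attr.strip(), value.strip()), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes
    (a dict of attribute name -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    lowered = {k.lower(): v for k, v in attrs.items()}
    actual = lowered.get(attr.lower(), [])
    if value == "*":                      # presence test
        return bool(actual)
    return any(v.lower() == value.lower() for v in actual)


# Constructed sample entries (not from any real directory).  Note the first
# two carry several objectClass values, as the page points out users may.
ENTRIES = [
    ("CN=Yariv Gadish,OU=CSO,DC=CO,DC=IL",
     {"objectClass": ["top", "person", "user"], "CN": ["Yariv Gadish"],
      "sAMAccountName": ["gadishy"]}),
    ("CN=Build Service,OU=CSO,DC=CO,DC=IL",
     {"objectClass": ["top", "person"], "CN": ["Build Service"]}),
    ("CN=Printers,OU=CSO,DC=CO,DC=IL",
     {"objectClass": ["top", "container"], "CN": ["Printers"]}),
]


def search(filter_text, entries=ENTRIES):
    """Return the DNs of the entries the filter selects."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in entries if matches(node, attrs)]


if __name__ == "__main__":
    for f in ("(|(objectClass=user)(objectClass=person))",
              "(&(|(objectClass=user)(objectClass=person))(CN=Yariv Gadish))"):
        print(f, "->", search(f))
```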
- Next you have two possible buttons, ‘Set Default for Active Directory’ and ‘Set Default for LDAP’. Pressing one of these buttons sets the field mappings between the LDAP user and the imported QC user. As the names of the buttons imply, these set the mappings to the default standards used in either category. Note that ‘Active Directory’ means the Microsoft implementation of LDAP.
- If you do not use the default names for your user objects, you need to click the ‘advanced’ button.
- In the ‘advanced->Field Mapping’ dialog you can specify the naming conventions as used on your LDAP server.