An important distinction should be made when working with LDAP: there are two phases.

The first is the import. In this phase you need an LDAP account that has the privileges to import users. Of course, an ‘admin’ account of the LDAP is the most suitable.

The second phase is the actual usage of the imported account by the QC user. In this phase the user does not use the "importer" LDAP account. QC passes the user's DN ('Distinguished Name', a unique user identifier), as imported before, to the LDAP and grants or denies access according to the LDAP reply.

The user's password is not stored in QC; it is managed by the LDAP. When a user's password is modified on the site, QC does not need to know about it.
Importing users from LDAP:
- Obtain the URL of your LDAP server and enter it in ‘Authentication Settings->Directory Provider URL’. The URL convention is ldap://myserver:port. You can use this convention in the following combinations:
'<Server name>'
'ldap://<server name>'
'ldap://<server name>:<custom port>'
· Check with your LDAP administrator whether secure LDAP is used. In this case you might need to use ‘ldaps’ when creating the connection (‘ldaps://<server name>’).
· The default ports for LDAP are 389 (regular) and 636 (secure).
· This check verifies only the connection URL, not access rights.
- Once you have successfully established a connection you can continue to import users. Open the ‘LDAP Import Settings’ dialog.
- ‘Directory Provider URL’ will be similar to what you used previously in ‘Authentication Settings’.
- Depending on your site policy you can use the ‘Anonymous’ account, if it has been given sufficient privileges to import users, or you must obtain a user account that was given appropriate grants. Note that in sites that use security it is unlikely that ‘Anonymous’ will have sufficient grants.
- If ‘Anonymous’ is not used then a ‘Simple->Authentication Principle’ account is to be used. LDAP identifies any object (a 'user' object in our case) in the tree by the path of nodes from the object's own node up to the root node. This unique string is called a DN (distinguished name). For example, consider the screenshot below of an LDAP tree that starts with a domain called 'CSOIL'.
- In this example the ‘Administrator’ node is a DN made of the nodes going from end to start:
'CN=Administrator, CN=Users, DC=CSOIL'
· The above DN is a partial path only. In a real example it will have more root elements.
· You will need to ask your LDAP admin for the DN to authenticate with.
- In order to understand more about LDAP terminology, the table below lists common LDAP abbreviations and terms that usually concern an object of type 'user':

| LDAP term | Explanation |
| --- | --- |
| CN | Common Name. CN is the combination of first name and last name; the attribute is made up from givenName joined to SN (surname). For example: CN=Yariv Gadish |
| DN | Distinguished Name. The DN is simply the most important LDAP attribute: it uniquely identifies the object by its full path in the tree. For example: CN=Yariv Gadish,OU=CSO,DC=CO,DC=IL |
| OU | Organizational Unit. For example: OU=CSO |
| DC | Domain Component. For example: DC=IL |
| SN | SN is the last name or surname. For example: SN=Gadish |
| sAMAccountName | sAMAccountName is the NT 4.0 logon name. For example: sAMAccountName=gadishy |
| userPrincipalName | Often abbreviated to UPN; it looks like an email address. For example: userPrincipalName=yariga@mercury.com |
| givenName | First name (also called Christian name). |
| name | Name. The same as CN. For example: name=Yariv Gadish |
- After completing the first dialog of ‘LDAP Import Settings’, the next screen will ask you for more details.
- ‘Directory base’: here you can choose whether to import from the root of the LDAP tree or from a sub-node.
- Another way to filter objects is to use the ‘Base Filter’. Here you can specify classes that fit certain objects only. You can use logical ‘OR’ (‘|’) and/or ‘AND’ (‘&’) to create a condition made of several sub-conditions.
For example, search for users that are defined as class ‘user’ or class ‘person’:
(|(objectClass=user)(objectClass=person))
Another example, search for a single user:
(&(|(objectClass=user)(objectClass=person))(CN=Yariv))
Note that:
· The logical operator joining the conditions is at the start of the statement.
· A user entity might be defined with several objectClass values.
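To see how the prefix-notation filters above select entries, here is an added example (not code from the original post or from QC): a small parser and evaluator for the ‘Base Filter’ syntax run against constructed directory entries, including a user object that carries several objectClass values and a group that must be excluded. It handles only the equality comparisons and the ‘&’/‘|’ operators the post uses; attribute names and values are constructed.

```python
import re

# Constructed sample entries (not from a real directory): attribute -> list of values.
ENTRIES = [
    {"dn": ["CN=Yariv,CN=Users,DC=CSOIL"], "CN": ["Yariv"],
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"dn": ["CN=Administrator,CN=Users,DC=CSOIL"], "CN": ["Administrator"],
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"dn": ["CN=Contact Smith,OU=CSO,DC=CSOIL"], "CN": ["Contact Smith"],
     "objectClass": ["top", "person"]},  # person but not user
    {"dn": ["CN=QC Users,CN=Users,DC=CSOIL"], "CN": ["QC Users"],
     "objectClass": ["top", "group"]},  # neither class: must be excluded
]

def parse_filter(text):
    """Parse e.g. (&(|(objectClass=user)(objectClass=person))(CN=Yariv)) into nested nodes."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node

def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' near %r" % s[:20])
    s = s[1:]
    if s[:1] in ("&", "|"):  # the operator comes first, then its operands
        op, s, children = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not children or not s.startswith(")"):
            raise ValueError("malformed %r group" % op)
        return (op, children), s[1:]
    m = re.match(r"([A-Za-z][\w-]*)=([^()]*)\)", s)  # simple equality only
    if not m:
        raise ValueError("bad comparison near %r" % s[:20])
    return ("=", m.group(1), m.group(2)), s[m.end():]

def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively, as LDAP does."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    lowered = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    return value.lower() in lowered.get(attr.lower(), [])

def search(filter_text, entries=ENTRIES):
    """Return the DNs of the entries an import with this Base Filter would pick up."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(node, e)]
```

Running the post's two filters through `search` shows the OR filter picking up the contact object (class person only) while the AND filter narrows the result to the single CN.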
- Next you have two possible buttons, ‘Set Default for Active Directory’ and ‘Set Default for LDAP’. Pressing one of these buttons sets the field mappings between the LDAP user and the imported QC user. As the button names imply, these set the mappings to the default standards used in either category. Note that ‘Active Directory’ means the Microsoft implementation of LDAP.
- If your user objects do not use the default attribute names, you need to click the ‘advanced’ button.
- In the ‘advanced->Field Mapping’ dialog you can specify the naming conventions used on your LDAP server.