Administrators can connect the Manager to an external LDAP
server to access users and user groups stored in external
directories. This enables administrators to integrate the
Manager further with their IT platform.
The user directory can reside either in the internal database
or at an external LDAP server. The group directory
can also reside either in the internal database or an external
LDAP server.
The LDAP functionality can be used to look up users
and their attributes, along with the groups they belong to.
The directory server is accessed in read-only mode: users
and administrators cannot change attributes that originate
from an external LDAP server. Furthermore, the "admin"
user is always stored locally on the Manager and is never
read from an external LDAP server.
User authentication to an external LDAP server is
done via LDAP Simple Bind, which sends the password in clear text.
We recommend enabling SSL so that the bind, and the password
it carries, is protected on the wire.
Before using this functionality, basic LDAP knowledge
is required, as well as knowledge of the internal structure of the LDAP
(or Active Directory) directory to be used.
The following examples may not match your installation,
as most LDAP structures are modified to meet specific
needs. Be sure to have a clear description of your LDAP
location and structure before proceeding.
To add an LDAP server, log in with administrator
privileges and click the Administration
link. Then select the Users page and
open the External Directory Settings
page.
From here, fill out the properties of the LDAP
server you wish to use for authentication. This step must
be repeated for every LDAP server you wish to use (for example,
one for users and one for groups).
Here are some details:

| Field | Description |
|---|---|
| Host | The IP address or host name of your LDAP server. |
| Port | The port the server listens on. If SSL is used, the default port is 636; otherwise port 389 is usually used. |
| SSL | Check this box if the LDAP server uses SSL to protect the data it communicates. The Manager will require the SSL certificate used by the LDAP server in order to communicate properly. |
| Base DN | (Distinguished Name) The root from which directory lookups take place. No spaces are allowed next to the commas or the '=' symbols, and entries are case sensitive. Active Directory example: "DC=ad,DC=lulea,DC=marratech,DC=com" |
| User DN | The DN the Manager uses to authenticate (bind) to the LDAP server. |
| Append base DN | Automatically appends the Base DN entered above to the User DN, so only the relative part needs to be typed. |
| Password | The password for the User DN used by the Manager to authenticate to the LDAP server. |
Click the Add LDAP server button to
continue. The Manager must then be restarted.
Before continuing, you may test, modify
or delete the server you have added. The Test
function verifies the parameters entered
when adding an LDAP server: it connects to
the specified host and port and attempts an LDAP
bind, either anonymous or with the supplied credentials.
User Directory
You can now select whether the user directory is the
"Internal" Manager database or the "External"
LDAP server you added in the previous steps.
| Field | Description |
|---|---|
| User Sub Context | If the same LDAP server was defined for users and groups (i.e. the Base DN is a higher level in the hierarchy), specify the sub context that leads to the user level. |

Match user entries using

| Field | Description |
|---|---|
| User Object Class | The object class of the user entries to be searched for; it reflects the schema your LDAP server uses for the data you will be accessing. |
| Custom search filter | Instead of using a user object class to find your user objects, you may use a custom filter. Use the syntax specified in RFC 2254. This can be used to restrict which users are given Manager access. |
| User login attribute | The login attribute for the users in your LDAP structure. |
| User name attribute | The name attribute for the users in your LDAP structure. |
| User nickname attribute | The nickname (given name) attribute for the users in your LDAP structure. |
| User mail attribute | The e-mail attribute for the users in your LDAP structure. |
| User phone attribute | The phone number attribute for the users in your LDAP structure. |
| User location attribute | The location (city or country, for example) attribute for the users in your LDAP structure. |
If you are not certain if your LDAP structure contains
the previous attributes, simply leave the default value.
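The custom search filter, and the escaping a filter value needs, as an added example that is not part of the original documentation or of the Manager's own code. It builds the user lookup filter the settings above describe (the object class, or a custom filter, AND-ed with an equality test on the login attribute), escapes the login as RFC 2254 section 4 requires, and evaluates filters against a small constructed directory so the effect of an unescaped wildcard in the login can be seen next to the escaped form. The attribute names (uid, mail, objectClass), the object classes and every DN are assumed values, not settings from any real installation.

```python
import re

# RFC 2254 section 4: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value (a typed login name, for example) before it is placed in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login, login_attr="uid", object_class="inetOrgPerson", custom_filter=None):
    """Build the filter that finds one user: the object class (default) or a custom filter,
    AND-ed with an equality assertion on the login attribute. The login is always escaped."""
    scope = custom_filter if custom_filter else f"(objectClass={escape_filter_value(object_class)})"
    return f"(&{scope}({login_attr}={escape_filter_value(login)}))"


def _unescape(value):
    """Turn \\xx escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(text, pos=0):
    """Parse one parenthesised component starting at pos; return (node, position after it).
    Supports &, |, ! and equality assertions, which is all the examples here need."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unterminated assertion")
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError(f"unsupported assertion {text[pos:end]!r}")
    return ("=", attr, value), end + 1


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence test: any value at all
        return bool(values)
    # An unescaped '*' is a wildcard; escaped bytes are literal. Comparison is case
    # sensitive, as the page says directory entries are.
    pattern = ".*".join(re.escape(_unescape(part)) for part in value.split("*"))
    return any(re.fullmatch(pattern, v) for v in values)


def search(entries, filter_str):
    """Return the DNs of the entries matching filter_str."""
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in entries if _matches(node, e)]


# Constructed sample directory; the names and DNs are not from any real installation.
SAMPLE_USERS = [
    {"dn": "uid=alice,ou=people,DC=example,DC=com", "objectClass": ["inetOrgPerson"],
     "uid": ["alice"], "mail": ["alice@example.com"]},
    {"dn": "uid=bob,ou=people,DC=example,DC=com", "objectClass": ["inetOrgPerson"],
     "uid": ["bob"], "mail": ["bob@partner.example"]},
    {"dn": "cn=backup,ou=services,DC=example,DC=com", "objectClass": ["applicationProcess"],
     "cn": ["backup"]},
]

if __name__ == "__main__":
    print(search(SAMPLE_USERS, user_search_filter("alice")))
    # A bare '*' as the login would match every user if it reached the filter unescaped...
    print(search(SAMPLE_USERS, "(&(objectClass=inetOrgPerson)(uid=*))"))
    # ...but the builder escapes it to \2a, so it matches nobody.
    print(search(SAMPLE_USERS, user_search_filter("*")))
    # A custom filter that limits Manager access to users with a company mailbox.
    print(search(SAMPLE_USERS, user_search_filter("bob", custom_filter="(mail=*@example.com)")))
```

The custom filter replaces only the object-class part of the lookup; the login test is still added and still escaped, which is what keeps a custom filter from widening the set of entries a typed login can match.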
Group Directory
If you wish to specify an external directory for
the groups to be used in the Manager, select External.
If you want to specify the groups yourself manually and
store them in the Manager, choose Internal.
| Field | Description |
|---|---|
| LDAP server | Choose the LDAP server you have previously defined for group directory access. |
| Group sub context | If you have defined one generic LDAP server for both users and groups, enter the Group sub context to specify how to reach the group directory from the main structure. |

Match group entries using

| Field | Description |
|---|---|
| Group object class | The object class of the group entries to be searched for; it reflects the schema your LDAP server uses for the data you will be accessing. |
| Custom search filter | Instead of using a group object class to find your group objects, you may use a custom filter. Use the syntax specified in RFC 2254. This can be used to restrict which groups are made available in the Manager. |
| Group ID attribute | The group ID attribute in your LDAP structure. |
| Group description attribute | The group description attribute in your LDAP structure. |
| Group member attribute | The attribute storing the members of a group in your LDAP structure. Each value is assumed to be the DN of a user (the member), specifically a user that can be found in the user directory. |

Once completed, press Apply
and restart the Marratech Manager.
If successful, you will now
see what users and groups have access to the Manager
in the user and groups listings. Remember that the "admin"
user is always controlled and modified internally by
the Manager and not accessible via LDAP.
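How the Base DN, the user and group sub contexts and the group member attribute fit together, as an added example that is not part of the original documentation or of the Manager's own code. It builds user DNs from the login attribute, the user sub context and the Base DN, checks the DN spacing rule the page states, shows what "Append base DN" does to the bind DN, and resolves a user's groups by exact match of the member attribute against the user directory. That exact match is why a member value that differs only in case, or that points outside the user directory, grants nothing. The Base DN, sub contexts, attribute names and every entry are constructed values.

```python
# Constructed example values; replace them with your own Base DN and sub contexts.
BASE_DN = "DC=example,DC=com"
USER_SUB_CONTEXT = "ou=people"     # the "User Sub Context" setting
GROUP_SUB_CONTEXT = "ou=groups"    # the "Group sub context" setting


def check_dn_format(dn):
    """Report the formatting mistake the page warns about: a space next to a ',' or '='."""
    problems = []
    for i, ch in enumerate(dn):
        before = i > 0 and dn[i - 1] == " "
        after = i + 1 < len(dn) and dn[i + 1] == " "
        if ch in ",=" and (before or after):
            problems.append(f"space next to '{ch}' at offset {i}")
    return problems


def append_base_dn(relative_dn, base_dn=BASE_DN):
    """What the 'Append base DN' option does to the User DN used for the bind."""
    return f"{relative_dn},{base_dn}"


def user_dn(login, login_attr="uid"):
    """DN of a user entry: login attribute, then the user sub context, then the Base DN."""
    return f"{login_attr}={login},{USER_SUB_CONTEXT},{BASE_DN}"


# Constructed user directory: the DNs a user lookup can return.
SAMPLE_USER_DNS = {user_dn("alice"), user_dn("bob")}

# Constructed group entries; the member attribute holds user DNs.
SAMPLE_GROUPS = [
    {"dn": f"cn=moderators,{GROUP_SUB_CONTEXT},{BASE_DN}", "cn": ["moderators"],
     "description": ["Meeting moderators"], "member": [user_dn("alice")]},
    {"dn": f"cn=staff,{GROUP_SUB_CONTEXT},{BASE_DN}", "cn": ["staff"],
     "description": ["All staff"], "member": [user_dn("alice"), user_dn("bob")]},
    {"dn": f"cn=legacy,{GROUP_SUB_CONTEXT},{BASE_DN}", "cn": ["legacy"],
     "description": ["Imported group"],
     # Neither value resolves: one differs from bob's DN only in case (entries are
     # case sensitive), the other points outside the user directory.
     "member": ["UID=Bob,OU=People,DC=example,DC=com",
                f"cn=backup,ou=services,{BASE_DN}"]},
]


def groups_for_user(login, groups=SAMPLE_GROUPS, member_attr="member", id_attr="cn"):
    """Group IDs whose member attribute contains this user's DN exactly."""
    dn = user_dn(login)
    if dn not in SAMPLE_USER_DNS:
        return []          # not a user in the user directory: nothing to resolve
    return sorted(g[id_attr][0] for g in groups if dn in g.get(member_attr, []))


def dangling_members(groups=SAMPLE_GROUPS, member_attr="member"):
    """Member values that name no user in the user directory. They never grant access,
    so they are the first thing to check when a user is missing from an expected group."""
    return sorted(m for g in groups for m in g.get(member_attr, []) if m not in SAMPLE_USER_DNS)


if __name__ == "__main__":
    print(check_dn_format("DC=ad, DC=lulea,DC=marratech,DC=com"))
    print(append_base_dn("CN=managersvc,OU=services"))
    print(groups_for_user("alice"), groups_for_user("bob"), groups_for_user("carol"))
    print(dangling_members())
```

Running `dangling_members()` against an export of the real group entries is a quick way to find members that the Manager will silently ignore because their DN does not match a user the user directory settings can return.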