Creating an LDAP connection

To let your users authenticate in the orchestrator web interface using credentials stored on a remote LDAP server, you must create an LDAP connection. The following LDAP servers are supported:

• OpenLDAP with Simple authentication and Simple SSL authentication.
• Microsoft Active Directory with Kerberos authentication and Kerberos SSL authentication.

The orchestrator cannot make changes on a connected LDAP server.

To configure a connection between the orchestrator and a remote LDAP server:

1. In the menu, go to the Users section.

   The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

2. Select the LDAP connection tab.

   A table of LDAP connections is displayed.

3. In the upper part of the page, click + LDAP.
4. In the displayed settings area, in the Name field, enter the name of the LDAP connection.
5. In the Domain field, enter the FQDN of the domain in which the LDAP server is located.
6. In the Domain alias field, enter the domain alias (usually the NETBIOS name). The alias is used along with the FQDN of the domain when creating and authenticating users. For example, if the FQDN of the domain is 'example.com' and the alias is 'example', users can enter the following values when authenticating:
   • admin@example.com
   • admin@example
   • example.com\admin
   • example\admin
7. In the LDAP host field, enter the host name of the LDAP server. The following host name formats are supported:
   • ldap://<host name>:<port number> for a standard LDAP server. The default port is 389.
   • ldaps://<host name>:<port number> for a LDAP server with SSL authentication. The default port is 636.

   For example, if you enter ldap://example.com:100, the host name of the LDAP server is 'example.com' and the port number is 100.

8. In the Base DN field, enter the base distinguished name to be used by the orchestrator as the starting point for searching user accounts in the LDAP server directory. The following base distinguished name formats are supported:
   • OU=<value>,OU=<value> for authentication in OpenLDAP. A base distinguished name consists of one or more OU attributes that represent the structure of organizational units in the directory of the LDAP server. For example, if you enter OU=OU_example1,OU=OU_example2, the starting point for searching user accounts is organizational unit OU_example2, which is nested in OU_example1.
   • DC=<value>,DC=<value> for authentication in Microsoft Active Directory. The base distinguished name consists of two DC attributes that represent the domain components of the LDAP server. For example, if you enter DC=example,DC=com, the starting point for searching user accounts is the 'example.com' domain.
9. In the Search attribute drop-down list, select the attribute that the orchestrator must use to search for user accounts in the LDAP server directory:
   • uid (OpenLDAP) – the uid (user ID) for searching in OpenLDAP. This is the default setting.
   • sAMAccountName (Active Directory) – pre-Windows 2000 logon name for searching in Microsoft Active Directory.
10. In the Bind DN field, enter the distinguished name for authenticating the orchestrator on the LDAP server. The following distinguished name formats are supported:
    • UID=<value>,OU=<value> for authentication in OpenLDAP. A distinguished name consists of one UID attribute and one or more OU attributes. The UID attribute stands for the user ID, while the OU attributes represent the structure of organizational units in the LDAP server directory that contains the user. For example, if you enter UID=user_example,OU=OU_example, user user_example from organizational unit OU_example is used for authenticating the orchestrator on the LDAP server.
    • CN=<value>,OU=<value>,DC=<value>,DC=<value> for authentication in Microsoft Active Directory. A distinguished name consists of one CN attribute, one or more OU attributes, and two DC attributes. The CN attribute stands for the common name of the user, while the OU attributes represent the structure of organizational units in the LDAP server directory that contains the user. The final two DC attributes represent the components of the domain in which the user is located. For example, if you enter CN=user_example,OU=OU_example,DC=example,DC=com, user user_example in organizational unit OU_example in the example.com domain is used for authenticating the orchestrator on the LDAP server.
11. In the Bind password field, enter the password for authenticating the orchestrator on the LDAP server.
12. To check if the LDAP server is available, click Test authentication.
13. Click Create.

The LDAP connection is created and displayed in the table. The LDAP server can now be used when creating users or user groups.

Page top