10.5.5. LDAP

Tip

To access an LDAP or Active Directory server, it is necessary to set numerous configuration parameters first. When in doubt, please consult your system administrator about the values to enter here.

The “LDAP” Tab

Figure 10.29. The LDAP Tab


Parameters required to contact the LDAP server:

Server Address

The URI under which the LDAP server resides (e.g. ldap.acme.com).

Server Port

The port on which the LDAP server is located (typically 389 for unencrypted connections or 686 for LDAPS).

Secure (LDAPS)

If this option is enabled, the connection uses the encrypted LDAPS protocol (LDAP over TLS) instead of plain LDAP.

Bind DN

The Distinguished Name of the user account that will log on to the server and execute the bind operation.

Bind Credentials

The password credential of the user account that will log on to the server and execute the bind operation.

Follow Referrals

If this option is enabled, searching a directory automatically follows any referrals the server might return. When disabled, referrals are ignored and no other servers are contacted during the search.

Parameters needed to locate a user account:

User Context DN

The distinguished name of the path under which user accounts will be searched (e.g. ou=Users,dc=verit,dc=de).

User Object Classes

A comma separated list of the LDAP object classes a user account must match to be included in the search (e.g. person,posixAccount).

Enable naive DN Matching Mode

If this option is enabled, the DN returned by the user search is used directly to authenticate the user. If this option is disabled, the following two parameters (User DN Prefix and User DN Suffix) are used in conjunction with the User Name Attribute to build the DN to authenticate with.

User DN Prefix

The prefix of the distinguished name used to locate user accounts (e.g. uid=).

User DN Suffix

The suffix of the distinguished name used to locate the user account (e.g. ,ou=Users,dc=acme,dc=com). When locating user accounts, the prefix, the account id and the suffix are concatenated to form the distinguished name of the user account.

Parameters describing the attributes of a user account:

User Search Attribute

The LDAP username attribute which corresponds to the Klaros-Testmanagement account name (e.g. uid).

User Name Attribute

The LDAP attribute which will be used in the DN bind action which authenticates the user (if naive DN Matching mode is deactivated). In a simple scenario this will match the User Search Attribute.

If your LDAP server setup does not allow you to bind a user with the specified User Search Attribute, specify the corresponding attribute here (e.g. cn) and use it in conjunction with a matching User DN Prefix and User DN Suffix.

User Password Attribute

The LDAP password attribute which corresponds to the Klaros-Testmanagement account password (e.g. userPassword).

Full Name Attribute

The LDAP attribute containing the full name of the user (e.g. cn). If specified, this will automatically be transferred into the Klaros-Testmanagement database upon the first successful login.

Email Attribute

The LDAP attribute containing the email address of the user account (e.g. mail). If specified, this will automatically be transferred into the Klaros-Testmanagement database upon the first successful login.

Enabled Attribute

If specified, this LDAP boolean attribute defines whether a user is allowed to log in. Not all directory servers provide such an attribute.
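The following added example (not part of the manual or of Klaros-Testmanagement itself) models how the parameters above combine: the User Object Classes and User Search Attribute form the search filter, and the bind DN is either the DN returned by the search (naive DN matching) or User DN Prefix + value of the User Name Attribute + User DN Suffix. The configuration values and the `LdapConfig` type are assumptions; the escaping follows RFC 4515 (filters) and RFC 4514 (DNs) so that an account name typed on the login screen cannot alter the filter or the DN.

```python
from dataclasses import dataclass

# Constructed configuration mirroring the fields of the LDAP tab; the
# values are assumptions for illustration, not a real deployment.
@dataclass
class LdapConfig:
    user_object_classes: str = "person,posixAccount"
    user_search_attribute: str = "uid"
    user_name_attribute: str = "uid"
    user_dn_prefix: str = "uid="
    user_dn_suffix: str = ",ou=Users,dc=acme,dc=com"
    naive_dn_matching: bool = False

# RFC 4515: characters that would change the structure of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value so an account name cannot rewrite the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def build_user_search_filter(cfg: LdapConfig, account_name: str) -> str:
    """Filter for the user lookup: every configured object class AND the search attribute."""
    classes = [c.strip() for c in cfg.user_object_classes.split(",") if c.strip()]
    parts = [f"(objectClass={c})" for c in classes]
    parts.append(f"({cfg.user_search_attribute}={escape_filter_value(account_name)})")
    return "(&" + "".join(parts) + ")"

def build_bind_dn(cfg: LdapConfig, account_name: str, found_dn: str = "",
                  found_entry=None) -> str:
    """DN used for the authenticating bind, in naive or prefix/suffix mode."""
    if cfg.naive_dn_matching:
        if not found_dn:
            raise ValueError("naive DN matching needs the DN returned by the search")
        return found_dn
    # Prefix/suffix mode: the user name attribute's value from the found entry
    # (or the account name itself when it is the same attribute) goes between them.
    value = account_name
    if found_entry and cfg.user_name_attribute in found_entry:
        value = found_entry[cfg.user_name_attribute]
    return cfg.user_dn_prefix + escape_dn_value(value) + cfg.user_dn_suffix
```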

If the Set as default checkmark is activated, the login screen will default to LDAP authentication for all users. It is still possible for existing users to authenticate against the Klaros-Testmanagement user database if selected in the login screen.

Use the Disable automatic user registration option to prevent the automatic creation of a user in Klaros-Testmanagement upon the first successful login.

Upon the first successful login a matching password hash is created in the local user database so that users can also authenticate themselves against the local user database with their LDAP password. If the Disable Password Synchronization checkmark is activated, this synchronization will not be performed and users will only be able to log in locally when an administrator assigns them a local password interactively.

Clicking the Test LDAP access button tests whether the parameters entered on this page are correct. The test process is divided into two phases:

In the first phase, an attempt is made to log on to the server and a search for all available users is performed. If this is successful, a dialog is displayed listing the users found in the LDAP directory.

In the second phase, a username and password can be entered to test the LDAP login of a user. The result of the login attempt is logged in the log panel.

The “LDAP Authentication” Dialog

Figure 10.30. The LDAP Authentication Dialog