Atrium SSO LDAP configuration - BMC Communities

The Atrium SSO system provides support for utilizing external LDAP (or Active Directory)
servers for authentication. The features available for an external LDAP authentication are:
- Primary and secondary server for failover
- Multiple search nodes
- Search depth configuration
- Multiple user attributes for identification
By default, a single LDAP module has been created and configured as part of the LDAP Chain.
The configuration and use of this module is defined below for a single Atrium SSO server.
Configuring the LDAP module
Begin utilizing the LDAP module by first configuring the module for the enterprise environment.
Log into the administrator's console, and browse through the console to the LDAP module by
following the path:
Access Control -> BmcRealm -> Authentication -> Module Instances section -> LDAP link
On the LDAP Module page, enter the FQDN (Fully Qualified Domain Name) of the primary
LDAP server host into the New Value field. If the LDAP server is not listening on the default
port (389), append a colon (":") and the port number the LDAP server is using to the host name.
Once the value is entered, press the Add button. Do not enter a server name along with the host
information, as this feature is not available in the default configuration.
If a secondary, redundant LDAP server is available, enter its information into the New Value
field in the Secondary LDAP Server section. As with the primary server, if the secondary
server is not listening on the default LDAP port, suffix the host name with ":" and the port that is
used.
This secondary server will be utilized if contact with the primary server is lost. The amount of
time that the server will continue to use the secondary server before attempting to reconnect
to the primary server can be configured below (see the LDAP Server Check Interval). Note that
the secondary LDAP server is only used when the primary server is not available; it is not used
in parallel, nor is it tried when a user fails to authenticate against the primary server.
After entering the LDAP server host information, the root locations within the LDAP directory
for performing user searches need to be provided. For each starting point, enter the DN into the
New Value field below the DN to Start User Search table. Press the Add button to save the DN
into the search table.
The search DNs should be as specific as possible for performance reasons. The depth of the
search that is performed can be configured below. If Object search is specified, then the DN
entered should be the DN of the node containing the users.
Next, enter the DN of a root user that has sufficient privileges to perform searches on the
primary and secondary LDAP servers specified into the DN for Root User Bind field.
Place this user's password into the Password for Root User Bind field, and once again into the
second Password for Root User Bind field, to validate the data entry.
In the Attribute Used to Retrieve User Profile field, place the attribute used to identify user
names in the LDAP servers. The default is "uid," but if a different value is used (such as
"givenname") then update this value to the one specific to the environment.
With Atrium SSO, it is possible to allow more than one attribute to be used to uniquely identify a
user. For example, along with a unique user id, the user's phone number or email address could
also be used. For each attribute to be used, enter this value into the New Value field of the
Attributes Used to Search for a User to be Authenticated table and press the Add button.
In the User Search Filter field, place attribute-value pairs that further refine the search
performed when looking for users to authenticate. This field can be left blank (the default).
The Search Scope radio buttons determine the depth that the LDAP directory will be searched
when looking for users to authenticate. The OBJECT selection will limit the search to the
contents of the nodes specified in the search list, ONELEVEL will search the nodes specified
and one level below, and SUBTREE will search the nodes specified and all levels below.
The values of the external attributes are set in the internal attributes only when the User
Profile attribute (in the Core Authentication module) is set to Dynamically Created and the user
does not exist in the local Directory Server instance.
To use SSL when contacting the LDAP servers, check the SSL Access to LDAP Server option.
Before communications can be established, the certificates of the LDAP servers (primary and
secondary) must be loaded into the JVM trust store and the Atrium SSO Tomcat trust store. The
default trust stores are at <Install>/tomcat/conf/cacerts and <Install>/jdk/jre/lib/security/cacerts,
with keystore password "changeit".
Also, the Atrium SSO server's certificate may need to be imported into the LDAP servers' trust
store if client authentication is required. If signed certificates are used for all servers, then the
root certificate may be used to complete the trust relationships instead of the individual server
certificates.
After importing the new certificates, the Atrium SSO server must be restarted before the changes
will take effect. It is recommended that the certificates be configured before enabling the LDAP
authentication to prevent errors.
Return User DN To DataStore should only be checked if the external LDAP server utilizes the
same structure as the internal data store. This condition is atypical so this option should normally
be unchecked.
The LDAP Server Check Interval specifies the number of minutes of delay before the primary
LDAP server's status is re-checked once authentication has switched to the secondary LDAP
server. Do not specify too low a value, as that may cause performance issues while the Atrium
SSO server spends time in unsuccessful reconnection attempts.
The User Creation Attribute List allows attributes from the external LDAP servers to be
provided as attributes from the internal data store. By defining the mappings, user account data
(such as telephone numbers or email addresses) can be provided to BMC Software products.
To create a mapping, enter the internal attribute, then the vertical bar ('|'), followed by the
external attribute. Pressing Add will place the mapping into the list.
Do not change the Authentication Level for the LDAP Module, leaving it at the default value of
0, as Atrium SSO does not employ authentication levels.
Press the Save button to commit the changes to the LDAP Module.
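The settings above (the DN search roots, the Search Scope, the attributes used to identify a user, the User Search Filter, and the internal|external mappings of the User Creation Attribute List) can be exercised against a small in-memory directory to see how they interact. The following Python is an added example written for this page, not Atrium SSO code: the directory, the filter syntax it accepts and every function name are assumptions, and the three scopes follow the standard LDAP definitions (OBJECT matches only the base entry, ONELEVEL only its immediate children, SUBTREE the base and everything beneath it).

```python
"""Added example (not Atrium SSO code): an in-memory model of the LDAP module's
user lookup. The directory, filter syntax and function names are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]   # lowercase attribute name -> values

# Constructed sample directory: DN -> entry. Alice and Dave deliberately share a
# telephone number to show why an identification attribute must be unique.
DIRECTORY: Dict[str, Entry] = {
    "ou=people,dc=example,dc=com": {"objectclass": ["organizationalUnit"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "mail": ["alice@example.com"],
        "telephonenumber": ["+1 555 0100"], "employeetype": ["staff"]},
    "uid=dave,ou=people,dc=example,dc=com": {
        "uid": ["dave"], "mail": ["dave@example.com"],
        "telephonenumber": ["+1 555 0100"], "employeetype": ["staff"]},
    "ou=contractors,ou=people,dc=example,dc=com": {"objectclass": ["organizationalUnit"]},
    "uid=bob,ou=contractors,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "mail": ["bob@example.com"], "employeetype": ["contractor"]},
    "uid=carol,ou=service,dc=example,dc=com": {"uid": ["carol"], "employeetype": ["staff"]},
}

_PAIR = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")   # one "(attr=value)" term


def _parent(dn: str) -> str:
    """DN of the entry one level above dn ('' for a root entry)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def in_scope(base: str, dn: str, scope: str) -> bool:
    """Standard LDAP scope test: is dn inside the search rooted at base?"""
    base, dn = base.lower(), dn.lower()
    if scope == "OBJECT":
        return dn == base                          # the base entry only
    if scope == "ONELEVEL":
        return _parent(dn) == base                 # immediate children only
    if scope == "SUBTREE":
        return dn == base or dn.endswith("," + base)   # base and all descendants
    raise ValueError(f"unknown scope {scope!r}")


def parse_filter(text: str) -> List[Tuple[str, str]]:
    """Parse a User Search Filter into attr=value pairs that must all hold.
    Only an AND of equality terms is modelled, e.g. '(&(employeetype=staff)(x=y))'
    or '(employeetype=staff)'; an empty filter (the default) imposes nothing."""
    text = text.strip()
    if not text:
        return []
    if "(|" in text or "(!" in text:
        raise ValueError("only AND filters of attr=value pairs are modelled")
    pairs = _PAIR.findall(text)
    if not pairs:
        raise ValueError(f"unparseable filter: {text!r}")
    return [(attr.lower(), value) for attr, value in pairs]


def find_user(directory: Dict[str, Entry], search_bases: List[str], scope: str,
              identifier: str, search_attrs: List[str],
              user_filter: str = "") -> Optional[Tuple[str, Entry]]:
    """Locate the single entry whose identifier appears in any search attribute.
    Returns (dn, entry) or None; raises LookupError when more than one entry
    matches, since the module then cannot tell which account is authenticating."""
    pairs = parse_filter(user_filter)
    attrs = [a.lower() for a in search_attrs]
    hits = []
    for dn, entry in directory.items():
        if not any(in_scope(base, dn, scope) for base in search_bases):
            continue                                   # outside every search root
        if not all(value in entry.get(attr, []) for attr, value in pairs):
            continue                                   # excluded by the filter
        if any(identifier in entry.get(attr, []) for attr in attrs):
            hits.append((dn, entry))
    if not hits:
        return None
    if len(hits) > 1:
        raise LookupError(f"{identifier!r} is ambiguous: {[dn for dn, _ in hits]}")
    return hits[0]


def parse_mappings(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse User Creation Attribute List lines of the form 'internal|external'."""
    mappings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.count("|") != 1:
            raise ValueError(f"mapping must contain exactly one '|': {line!r}")
        internal, external = (part.strip() for part in line.split("|"))
        if not internal or not external:
            raise ValueError(f"both sides of the mapping are required: {line!r}")
        mappings.append((internal, external.lower()))
    return mappings


def build_profile(entry: Entry, mappings: List[Tuple[str, str]]) -> Entry:
    """Copy mapped external attributes into internal profile attributes;
    a mapping whose external attribute the entry lacks is skipped."""
    return {internal: entry[external] for internal, external in mappings if external in entry}


if __name__ == "__main__":
    bases = ["ou=people,dc=example,dc=com"]
    print(find_user(DIRECTORY, bases, "ONELEVEL", "bob", ["uid"]))   # None: bob is two levels down
    dn, entry = find_user(DIRECTORY, bases, "SUBTREE", "bob@example.com", ["uid", "mail"])
    print(dn, build_profile(entry, parse_mappings(["mail|mail", "phone|telephoneNumber"])))
```

Three behaviours are worth noting when run: with ONELEVEL the user in the contractors sub-OU is never found, which is why the scope and the search roots must be chosen together; an identifier shared by two entries (here the telephone number) makes the lookup fail rather than pick one, which is why every attribute listed under Attributes Used to Search for a User must be unique in the directory; and a User Search Filter such as (employeetype=staff) silently excludes accounts that do not match, so a user who "cannot log in" may simply be filtered out.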
Configuring the Realm Authentication
After the LDAP module has been configured, the final step is to specify that the LDAP module
is to be used for authentication with the BMC realm. This task simply involves specifying the
LDAP Chain as the organizational choice for authentication.
Important: Be sure to change only the "BmcRealm" to utilize external LDAP servers.
Begin by selecting the Core... button on the Authentication tab for the BmcRealm. Selecting
this button will open a new page. At the top of this new page are a series of radio buttons which
are used to select how the User Profile is handled when a user is authenticated. In order to use
the LDAP Module, the User Profile option must be specified as either Dynamic or Ignored.
Press the Save button to commit the changes to the User Profile attributes. On the "BmcRealm"
Authentication page, select the LDAP Chain from the Organization Authentication
Configuration drop-down menu. The LDAP Module will begin to be used after the Save button
has been pressed to commit this last change.