Setting up a client to use the LDAP server

Complete the following steps to set up a management module to use the LDAP server:

  1. Log in to the management module on which you want to set up the client. For more information, see Starting the management-module Web interface.
  2. In the navigation pane, click MM Control → Network Protocols. Scroll down to the Lightweight Directory Access Protocol (LDAP) Client section. A page similar to the one in the following illustration is displayed.
  3. Configure the LDAP client, using the following information:
    1. Select Use DNS to find LDAP Servers or Use Pre-Configured LDAP Servers (default). The management module contains a Version 2.0 LDAP Client that you can configure to provide user authentication through one or more LDAP servers. The LDAP servers that are used for authentication can be discovered dynamically or manually preconfigured.
    2. If you are using DNS to find LDAP servers, configure the following settings; then, go to step 3.d. When you are discovering LDAP servers dynamically, the mechanisms that are described by RFC2782 are applied to find the servers through a process called DNS SRV.
      Domain Source
      The DNS SRV request that is sent to the DNS server must specify a domain name. The LDAP client determines where to get this domain name according to the option that is selected:

      Extract search domain from login id: The LDAP client uses the domain name in the login ID. For example, if the login ID is joesmith@mycompany.com, the domain name is mycompany.com. If the domain name cannot be extracted from the login ID, the DNS SRV process fails, causing a user authentication failure.

      Use only configured search domain below: The LDAP client uses the domain name that is set in the Search Domain field.

      Try login id first, then configured value: The LDAP client first attempts to extract the domain name from the login ID. If this succeeds, this domain name is used in the DNS SRV request. If there is no domain name in the login ID, the LDAP client uses the domain name that is set in the Search Domain field as the domain name in the DNS SRV request. If neither of these items is configured, user authentication fails.

      Search Domain
      This optional parameter is used only when a configured search domain is being used as a domain source. This parameter might be used as the domain name in the DNS SRV request, depending on how the Domain Source parameter is configured.
      Service Name
      A DNS SRV request that is sent to a DNS server must also specify a service name. If this field is not set, the DNS SRV request uses a default value of ldap. Each DNS SRV request must also specify a protocol name; this value is set to tcp and is not configurable.
    3. If you are using preconfigured LDAP servers, configure the LDAP Server Host Name or IP Address fields; then, go to step 3.d. The port number for each server is optional. If the field is left blank, the default value of 389 is used for nonsecured LDAP connections. For secured connections, the default is 636. You must configure at least one LDAP server.
    4. Configure the following items for all LDAP server types:
      Root DN
      This is the distinguished name for the root entry of the directory tree on the LDAP server (for example, dc=companyABC,dc=com).
      Group Filter
      The Group Filter field is used for group authentication. It specifies the groups that the management module belongs to. If the Group Filter field is left blank, group authentication is disabled. If group authentication is enabled, it is performed after user authentication. Specifically, an attempt is made to match at least one group in the list to a group that the user belongs to. If there is no match, the user fails authentication and is denied access. If there is at least one match, group authentication passes. All comparisons that are made during authentication are case sensitive.

      The group filter is limited to 511 characters and can contain multiple group names. A colon (:) is used to delimit group names. Leading spaces and trailing spaces are ignored; all other spaces are treated as part of the group name. The asterisk (*) is not treated as a wildcard character, because wildcard matching has been removed for security. A group name can be specified as a full distinguished name or by using only its common name (cn) portion. For example, a group with the distinguished name cn=adminGroup,dc=mycompany,dc=com can be specified by using that full distinguished name or by using adminGroup. You must also configure additional authentication attributes as described in Configuring the LDAP search attributes.

      Binding Method
      For initial binds to the LDAP server during user authentication, select one of the following options:

      Anonymous authentication: A bind attempt is made without a client distinguished name or password. If the bind is successful, a search is requested to find an entry on the LDAP server for the user who is attempting to log in. If an entry is found, a second bind is attempted, this time with the distinguished name and password of the user. If this succeeds, the user has passed the user authentication phase. Group authentication is then attempted, if it is enabled.

      w/ Configured Credentials: A bind attempt is made, using the configured client distinguished name and password. If the initial bind is successful, a search is performed to find an entry on the LDAP server that belongs to the user who is logging in. If necessary, a second bind is attempted, this time with the distinguished name that is retrieved from the user LDAP record and the password that was entered during the login process. If this fails, the user is denied access. When using a binding method of configured credentials, you must configure the credentials as described in Configuring the LDAP client authentication.

      w/ Login Credentials: A bind attempt is made, using the credentials that were supplied during the login process. If the initial bind is successful, a search is performed to find an entry on the LDAP server that belongs to the user who is logging in.

      Depending on the LDAP configuration that you have set, click the options to set the distinguished names and passwords that are used for client authentication and the LDAP client search attributes. Each of these options is described in the following sections.
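The following Python model walks through the login sequence that the settings above control: building the DNS SRV query name from the Domain Source and Service Name settings (step 3.b), the initial bind chosen by the Binding Method, the user search and second bind, and finally the colon-delimited, case-sensitive Group Filter check (step 3.d). It is an added example, not code from the original documentation or from the management module; it runs against a small in-memory stand-in for the LDAP server rather than a real directory, and every class, function, field and option name in it is an assumption chosen for illustration.

```python
"""Model of the management-module LDAP client login sequence described above.

Added example: not code from the original documentation or the product. It
simulates the sequence against an in-memory directory; all names below are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


# Step 3.b: DNS SRV discovery. The query name uses the RFC 2782 layout
# _<service>._<protocol>.<domain>; the protocol is fixed to tcp.
def srv_query_name(domain_source: str, login_id: str,
                   search_domain: str = "", service_name: str = "") -> str:
    """domain_source is 'login', 'configured' or 'login_then_configured'."""
    domain = None
    if domain_source in ("login", "login_then_configured"):
        user, at, dom = login_id.partition("@")
        domain = dom.strip() if at and user and dom.strip() else None
    if domain is None and domain_source in ("configured", "login_then_configured"):
        domain = search_domain.strip() or None
    if domain is None:
        # No domain available: the SRV request cannot be built, so login fails.
        raise ValueError("no search domain for DNS SRV request")
    return f"_{service_name.strip() or 'ldap'}._tcp.{domain}"


# Step 3.d: group filter. Colon-delimited, at most 511 characters, outer
# whitespace trimmed, comparisons case sensitive, '*' is an ordinary character.
def parse_group_filter(text: str) -> List[str]:
    if len(text) > 511:
        raise ValueError("group filter exceeds 511 characters")
    return [part.strip() for part in text.split(":") if part.strip()]


def group_matches(entry: str, group_dn: str) -> bool:
    """A filter entry matches on the full DN or on the cn value alone."""
    if entry == group_dn:
        return True
    attr, eq, value = group_dn.split(",", 1)[0].partition("=")
    return bool(eq) and attr.strip() == "cn" and entry == value.strip()


# Constructed stand-in for the LDAP server: a few entries kept in memory.
@dataclass
class LdapEntry:
    dn: str
    login_id: str
    password: str
    groups: List[str] = field(default_factory=list)


class FakeDirectory:
    def __init__(self, entries: List[LdapEntry], allow_anonymous: bool):
        self.entries = entries
        self.allow_anonymous = allow_anonymous

    def bind(self, name: Optional[str], password: Optional[str]) -> bool:
        """Anonymous bind when name is None; otherwise name is a DN or login ID."""
        if name is None:
            return self.allow_anonymous
        return any(e.password == password for e in self.entries
                   if name in (e.dn, e.login_id))

    def find_user(self, login_id: str) -> Optional[LdapEntry]:
        uid = login_id.partition("@")[0]
        return next((e for e in self.entries
                     if e.login_id.partition("@")[0] == uid), None)


@dataclass
class LdapClientConfig:
    binding_method: str          # 'anonymous', 'configured' or 'login'
    group_filter: str = ""       # blank disables group authentication
    client_dn: str = ""          # credentials used only by 'configured'
    client_password: str = ""


def authenticate(cfg: LdapClientConfig, server: FakeDirectory,
                 login_id: str, password: str) -> bool:
    # Initial bind, chosen by the configured binding method.
    if cfg.binding_method == "anonymous":
        ok = server.bind(None, None)
    elif cfg.binding_method == "configured":
        ok = server.bind(cfg.client_dn, cfg.client_password)
    elif cfg.binding_method == "login":
        ok = server.bind(login_id, password)
    else:
        raise ValueError(f"unknown binding method {cfg.binding_method!r}")
    if not ok:
        return False
    # Search for the user's entry; the first two methods then rebind as the user.
    entry = server.find_user(login_id)
    if entry is None:
        return False
    if cfg.binding_method != "login" and not server.bind(entry.dn, password):
        return False
    # Group authentication runs only after user authentication, only if a filter is set.
    wanted = parse_group_filter(cfg.group_filter)
    if not wanted:
        return True
    return any(group_matches(w, g) for w in wanted for g in entry.groups)


# Constructed sample directory and client configuration for running offline.
DIRECTORY = FakeDirectory([
    LdapEntry("uid=joesmith,dc=mycompany,dc=com", "joesmith@mycompany.com", "s3cret",
              ["cn=adminGroup,dc=mycompany,dc=com"]),
    LdapEntry("uid=mmclient,dc=mycompany,dc=com", "mmclient@mycompany.com", "bindpw"),
], allow_anonymous=False)
CONFIGURED = LdapClientConfig("configured", "adminGroup",
                              "uid=mmclient,dc=mycompany,dc=com", "bindpw")
```

Two behaviours worth noting from the model: with the sample directory refusing anonymous binds, the Anonymous authentication method fails every login even for a valid user and password, which is why the w/ Configured Credentials method needs a dedicated bind account; and a group filter of admingroup or admin* never matches cn=adminGroup, because comparisons are case sensitive and the asterisk is a literal character.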