4.1 Configuring LDAP Directory Profile

Self Service Password Reset allows you to configure multiple LDAP directory profiles, depending on your environment. The Configuration Guide process defined the default profile for your environment. You can change the information for the default profile or create new profiles. If you are configuring Self Service Password Reset manually, you must create an LDAP directory profile.

Each LDAP profile defines a unique LDAP data environment that depends on the directory type and configuration. Each profile can define multiple redundant servers, which must all share the same directory data. For more information on creating an additional profile, see Configuring Profiles. The following steps explain how to edit or create the default profile.

Before configuring the default LDAP profile or creating a new profile, you must export the corresponding LDAP server certificates. The profile configuration requires that you import the LDAP server certificates. For more information, see Exporting LDAP Certificates in the Self Service Password Reset 4.1 Installation Guide.

To configure LDAP profiles:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. To define the connection to the LDAP directory:

    1. Click LDAP > LDAP Directories > default > Connection.

    2. Use the following information:

      LDAP URLs

      Specify the URLs of LDAP servers.

      The system uses these servers for failover in the order in which they appear in this list. If the first server is unavailable, the system uses the next available server in the list. Self Service Password Reset periodically rechecks unavailable servers to see whether they have become available again.

      For secure SSL, use the ldaps://servername:636 format. For plain-text servers, use the ldap://servername:389 format (not recommended). When using secure connections, the Java virtual machine (JVM) must trust the directory server, which it does in either of these scenarios:

      • It has a valid commercial certificate.

      • You have manually added the public key certificate from the tree to the Java keystore.

      IMPORTANT:

      • Do not use a non-secure connection for anything but the most basic testing; many LDAP servers reject password operations on non-secure connections.

      • Do not use a load-balancing device for LDAP high availability; instead, use the built-in LDAP server fail-over functionality.

      • Do not use a DNS round-robin address.

      • Avoid using the network address; use the proper fully-qualified domain name of the server.
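      The following added example (not code from Self Service Password Reset) checks a failover list of LDAP URLs against the guidance above before it is pasted into the LDAP URLs setting: it flags plain-text ldap://, a host given as a network address instead of a fully-qualified domain name, a missing explicit port, and duplicate entries. The sample list and the check functions are this example's own construction.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Added example, not Self Service Password Reset code: checks a failover list
# of LDAP URLs against the guidance for the LDAP URLs setting (ldaps:// with an
# explicit port, a fully-qualified host name rather than a network address,
# and an ordered list without duplicates).


@dataclass
class UrlCheck:
    url: str
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_ldap_url(url: str) -> UrlCheck:
    """Return the problems found in one LDAP URL (none means it is acceptable)."""
    result = UrlCheck(url)
    parts = urlsplit(url)

    if parts.scheme == "ldap":
        result.problems.append("plain-text ldap:// connection; use ldaps://")
    elif parts.scheme != "ldaps":
        result.problems.append(f"unsupported scheme {parts.scheme!r}")

    host = parts.hostname
    if not host:
        result.problems.append("missing host name")
    else:
        try:
            ip_address(host)
            result.problems.append(
                "host is a network address; use the fully-qualified domain name")
        except ValueError:
            if "." not in host:
                result.problems.append("host name is not fully qualified")

    try:
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        port = -1
    if port is None:
        result.problems.append("missing explicit port (for example :636)")
    elif port == -1:
        result.problems.append("port is not numeric")
    return result


def check_failover_list(urls: list) -> list:
    """Check every URL and flag duplicates; the list order is the failover order."""
    results = [check_ldap_url(u) for u in urls]
    seen = set()
    for r in results:
        key = r.url.lower()
        if key in seen:
            r.problems.append("duplicate entry in the failover list")
        seen.add(key)
    return results


if __name__ == "__main__":
    sample = [  # constructed sample list
        "ldaps://ldap1.example.com:636",
        "ldap://192.0.2.10:389",
        "ldaps://ldap1.example.com:636",
    ]
    for r in check_failover_list(sample):
        print(r.url, "OK" if r.ok else "; ".join(r.problems))
```

      Run it against the list you intend to configure; every entry should report OK, and the first entry is the server that receives connections until it becomes unavailable.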

      LDAP Certificates

      Import the LDAP server certificates to create a secure connection between Self Service Password Reset and the LDAP directory. After you have imported the certificates, this setting displays their details. Click Import From Server to import the certificates from the server. Self Service Password Reset stores these certificates in the configuration file and uses them to validate the identity of the LDAP server.

      LDAP Proxy User

      Configure an LDAP proxy user using the LDAP distinguished name format. For example, cn=admin,o=example or cn=administrator,cn=users,dc=subdomain,dc=domain,dc=net.

      Self Service Password Reset accesses the LDAP directory as this proxy user. The user must have the following rights:

      • Browse users and manage password attributes of the user object

      • Create object rights in the new user container (if enabled)

      LDAP Proxy Password

      Set the password for the LDAP proxy user.

      LDAP Contextless Login Roots

      Specify the base context to search for user names during authentication and other operations. This is the top level LDAP container where your users exist.

      You can add multiple contexts. Self Service Password Reset searches each context in turn until it finds a single match. Because the contexts are searched serially, do not add a large number of contexts, or search performance suffers.

      LDAP Test User

      Specify an LDAP test user account that Self Service Password Reset uses to validate the health of the LDAP server. Create a new test user account with the same privileges and policies as any other users in the system.

      Using a test user account improves the ability to detect configuration or health issues and alert you to them. The test user is used to test the following:

      • Authentication

      • Read password policy

      • Set password

      • Set challenge-responses

      • Load challenge-responses

      This is an important setting. You can configure an LDAP Test User at any time.

      Auto Add GUID Value

      Select this option to create a unique GUID value and assign it to any user who attempts to authenticate without a GUID value. The system writes this value to the attribute named in the LDAP GUID Attribute setting.

      LDAP Profile Enabled

      Select Enabled to enable this profile. When you deselect this option, the system disables the profile but keeps its configuration details. This is helpful when you want to stop using a profile without removing its settings, so that you can re-enable it later.

    3. Click Test LDAP Profile to verify that Self Service Password Reset can read user data from this LDAP profile.

  5. To configure the login setup:

    1. Click LDAP > LDAP Directories > default > Login Setup.

    2. Use the following information:

      User Name Search Filter

      Specify the user name search query in the following format:

      (&(objectClass=person)(cn=%USERNAME%))

      The system replaces the %USERNAME% placeholder with the actual user name value. Self Service Password Reset uses this filter for contextless login and for finding users in the LDAP directories.
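      The following added example (not code from Self Service Password Reset) shows the two mechanics this setting and the LDAP Contextless Login Roots setting describe: substituting %USERNAME% into the filter template with the user-supplied value escaped per RFC 4515, so that characters such as * or ) cannot change the meaning of the filter, and then searching each login root in order until one root yields exactly one entry. The in-memory directory, the login roots and the toy filter evaluator (which only understands a conjunction of equality terms with * wildcards) are this example's constructions; how the real product treats a root that returns several matches is not stated on the page, so the example's choice to fail the lookup in that case is an assumption.

```python
import re
from typing import Dict, List, Optional

# Added example, not Self Service Password Reset code. It shows (1) building the
# User Name Search Filter from its template with the user-supplied name escaped
# per RFC 4515, and (2) walking the LDAP Contextless Login Roots serially until
# one root yields exactly one entry. The directory below is a constructed
# in-memory stand-in and the filter evaluator is a toy that understands only a
# conjunction of equality terms with '*' wildcards.

FILTER_TEMPLATE = "(&(objectClass=person)(cn=%USERNAME%))"

Entry = Dict[str, List[str]]

# Constructed directory: DN -> attributes. Note that "bob" exists in two roots.
DIRECTORY: Dict[str, Entry] = {
    "cn=alice,ou=sf,ou=ca,o=example": {"objectClass": ["person"], "cn": ["alice"]},
    "cn=bob,ou=lon,ou=uk,o=example": {"objectClass": ["person"], "cn": ["bob"]},
    "cn=bob,ou=nyc,ou=ny,o=example": {"objectClass": ["person"], "cn": ["bob"]},
    "cn=printer1,ou=lon,ou=uk,o=example": {"objectClass": ["device"], "cn": ["printer1"]},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_user_filter(username: str, template: str = FILTER_TEMPLATE) -> str:
    """Substitute %USERNAME% with the escaped user name."""
    return template.replace("%USERNAME%", escape_filter_value(username))


_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def _unescape(text: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _term_matches(raw_value: str, attr_values: List[str]) -> bool:
    # An unescaped '*' is a wildcard; the escaped form '\2a' is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in raw_value.split("*")]
    pattern = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
    return any(pattern.match(v) for v in attr_values)


def matches(entry: Entry, ldap_filter: str) -> bool:
    """Toy evaluator: every (attr=value) term in the filter must match the entry."""
    terms = _TERM.findall(ldap_filter)
    return bool(terms) and all(
        _term_matches(value, entry.get(attr, [])) for attr, value in terms
    )


def find_user(username: str, login_roots: List[str],
              directory: Dict[str, Entry] = DIRECTORY) -> Optional[str]:
    """Search each login root in order and return the DN of the single match.

    Assumption made by this example: a root that yields several entries is
    ambiguous, and the lookup fails rather than picking one of them.
    """
    ldap_filter = build_user_filter(username)
    for root in login_roots:
        suffix = "," + root.lower()
        hits = [dn for dn, entry in directory.items()
                if dn.lower().endswith(suffix) and matches(entry, ldap_filter)]
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            return None
    return None


if __name__ == "__main__":
    roots = ["ou=ca,o=example", "ou=uk,o=example"]
    for name in ["alice", "bob", "*"]:
        print(name, "->", find_user(name, roots))
```

      With the roots in the order shown, "bob" resolves to the London entry because the California root yields nothing and the UK root yields exactly one match; searching the whole tree from o=example instead finds two entries and fails. A user name of "*" is escaped to \2a and matches nobody, whereas the unescaped filter would match every person.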

      User Selectable Login Contexts

      Specify the values in this format: display value:::context. For example:

      • ou=sf,ou=ca,o=example:::San Francisco

      • ou=lon,ou=uk,o=example:::London

      • ou=nyc,ou=ny,o=example:::New York

      This setting is optional. If you configure it, the system adds a field to the form-based login screen and other user search screens, which allows users to select a specific context.

      LDAP Profile Display Name

      Specify the name of the LDAP profile that you have configured. Self Service Password Reset displays this name to the users.

  6. To configure the user attributes for the LDAP directory:

    1. Click LDAP > LDAP Directories > default > User Attributes.

    2. Use the following information:

      Attribute to use for User Name

      Specify an attribute that pages can display, such as a user's name, instead of the LDAP Naming Attribute value.

      LDAP GUID Attribute

      Specify an attribute that identifies and references unique users in the LDAP directory. You can set any string-readable attribute as the GUID, as long as the directory can be trusted to keep its values unique. You can also use a custom attribute and enable Auto Add GUID Value. The application-defined schema includes the attribute pwmGUID for this purpose.

      The default value is VENDORGUID, for which the system attempts to read the vendor-specific LDAP GUID.
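      The following added example (not code from Self Service Password Reset) models how the LDAP GUID Attribute setting and the Auto Add GUID Value option described earlier work together: it reads the configured GUID attribute, falls back to a vendor-specific attribute when the setting is VENDORGUID, mints a value when auto-add is enabled and the user has none, and audits a directory for GUID values that are not unique, which is the property the setting relies on. The vendor attribute names (objectGUID for Active Directory, GUID for eDirectory), the assumption that vendor GUIDs are read-only so auto-add applies only to a custom attribute, and the sample entries are this example's own.

```python
import uuid
from typing import Dict, List, Tuple

# Added example, not Self Service Password Reset code. It models the LDAP GUID
# Attribute / Auto Add GUID Value pair: read the configured GUID attribute,
# fall back to a vendor-specific attribute for VENDORGUID, mint a value when
# auto-add is on, and audit a directory for GUID values that are not unique.
# The vendor attribute names below are this example's assumption (objectGUID
# for Active Directory, GUID for eDirectory), not a mapping stated on the page.

Entry = Dict[str, List[str]]

VENDOR_GUID_ATTRIBUTES = {"activedirectory": "objectGUID", "edirectory": "GUID"}


def guid_attribute_for(configured: str, vendor: str) -> str:
    """Resolve the VENDORGUID default to the vendor's own attribute name."""
    if configured.upper() == "VENDORGUID":
        return VENDOR_GUID_ATTRIBUTES[vendor]
    return configured


def resolve_user_guid(entry: Entry, configured: str = "VENDORGUID",
                      vendor: str = "edirectory",
                      auto_add: bool = False) -> Tuple[str, bool]:
    """Return (guid, written); written is True when a new value was assigned."""
    attr = guid_attribute_for(configured, vendor)
    values = [v for v in entry.get(attr, []) if v]
    if len(values) > 1:
        raise ValueError(f"{attr} is multi-valued; it cannot serve as a GUID")
    if values:
        return values[0], False
    # Assumption: vendor GUIDs are read-only, so auto-add only applies to a
    # custom attribute such as pwmGUID.
    if not auto_add or configured.upper() == "VENDORGUID":
        raise LookupError(f"user has no {attr} value and auto-add does not apply")
    new_guid = str(uuid.uuid4())
    entry[attr] = [new_guid]  # write back to the (in-memory) entry
    return new_guid, True


def find_duplicate_guids(directory: Dict[str, Entry],
                         attr: str) -> Dict[str, List[str]]:
    """Map each GUID value that appears on more than one entry to those DNs."""
    owners: Dict[str, List[str]] = {}
    for dn, entry in directory.items():
        for value in entry.get(attr, []):
            owners.setdefault(value, []).append(dn)
    return {guid: dns for guid, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    # Constructed sample directory: two entries were copied with the same GUID.
    sample = {
        "cn=alice,o=example": {"pwmGUID": ["11111111-1111-4111-8111-111111111111"]},
        "cn=bob,o=example": {"pwmGUID": ["11111111-1111-4111-8111-111111111111"]},
        "cn=carol,o=example": {},
    }
    print("duplicates:", find_duplicate_guids(sample, "pwmGUID"))
    guid, written = resolve_user_guid(sample["cn=carol,o=example"],
                                      configured="pwmGUID", auto_add=True)
    print("carol:", guid, "newly written" if written else "existing")
```

      Running the audit before switching a profile to a custom GUID attribute tells you whether the directory can be trusted for uniqueness; a second call for the same user returns the stored value without writing again.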

      LDAP Naming Attribute

      Specify the attribute that the system uses as the naming attribute of LDAP user entries. This attribute forms the first part of a user's distinguished name. It is fixed by the directory vendor type, even if you use a different attribute in the login search filter. Typically, the naming attribute is cn or uid.

      Last Password Update Attribute

      Specify an attribute in which the system records when users update their passwords. The system uses this value during replication checks and other processes.

      User Group Attribute

      Specify the attribute on a user entry that references the group entries in the directory.

      User Email Attribute

      Specify the attribute that contains the user's email address.

      SMS Destination Address LDAP Attribute

      Specify the LDAP attribute that contains the users' mobile phone numbers for SMS.

      Response Storage Attribute

      Specify the attribute to use for response storage when storing responses in an LDAP directory. If blank, Self Service Password Reset does not store responses in the LDAP directory. If configured, it stores the responses in the LDAP directory in addition to any other configured storage repositories.

      User History LDAP Attribute

      Specify the attribute that Self Service Password Reset uses to write user event history to LDAP. The user event log attribute holds an XML document with the user's event history. Leave blank to disable logging event history in LDAP.

      Web Service User Attributes

      Add the user attributes that the various web services use; Self Service Password Reset presents them as part of the users' data sets.

      Auto Add Object Classes

      Specify the LDAP object classes to add automatically to users who authenticate through the password servlet. This is an auxiliary LDAP class that contains the attributes used to store password self-service data. If you extended the schema to store the challenge-response information, this setting is required. It is not required for Active Directory, even with a schema extension.

  7. In the toolbar, click Save changes.