5.1 Configuring LDAP Directory

SSPR allows to configure multiple LDAP directory profiles. Before configuring the LDAP directory, you must configure the LDAP settings. For more information on configuring LDAP settings, refer to Section 3.1, Configuring LDAP Settings. Each LDAP profile defines a unique LDAP data environment that depends on the directory type and configuration. Each profile can have multiple redundant servers defined that must be shared on all the servers.

NOTE:You can either use Active Directory or eDirectory for an instance of SSPR configuration.

To configure LDAP profiles, perform the following steps:

In Configuration Manager, click Profiles > LDAP Directory Profiles.
In the Selected Profile field, select Edit Profile List, to specify name of the profile.
In the Add Value field enter the profile name.

The profile name must have the following format:
- Start with a letter (a-Z)
- Contain only letters, numbers, and hyphens
- Length between 2 and 15 characters
You can include multiple profiles. During authentication, SSPR searches for the default profile first, and then the other profiles in the order mentioned.
Click Return to configuration editor.
Select the appropriate profile from the Selected Profile list.
Click View > Always Show Advanced Settings.

Configure the following settings:

Field	Description
LDAP URLs	Specify the URLs of LDAP servers. The system uses these servers in configuring failover in the same order as these appear in this list. If the first server is unavailable, the next available server in the list is used. SSPR checks unavailable servers periodically to check their availability. For secure SSL, use the ldaps://servername:636 format. For plain text servers, use the ldap://serverame:389 format (not recommended). When using secure connections, the Java virtual machine must trust the directory server in either of these scenarios: It has a valid commercial certificate. You have manually added the public key certificate from the tree to the Java keystore. IMPORTANT: Avoid using non-secure connections because many LDAP servers reject password operations on non-secure connections. Avoid using a virtual IP address or a load balancer device. Instead of using a load-balancing device for LDAP high availability, use the built-in LDAP server fail-over functionality. Avoid using a DNS round-robin address.
LDAP Certificates	Displays details of LDAP server certificates.
LDAP Proxy Users	Configure an LDAP proxy user in the LDAP distinguished name format. For example, cn=admin,o=example or cn=administrator,cn=users,dc=subdomain,dc=domain,dc=net You can gain access to the LDAP directory through the LDAP proxy user. This user must have the following rights: Browse users and manage password attributes of the user object Create object rights in the new user container (if enabled)
LDAP Proxy Password	Set a password for the LDAP proxy user.
LDAP Contextless Login Roots	Specify the base context to search for usernames during authentication and other operations. This is the top level LDAP container in which your users exist. You can add multiple contexts. SSPR searches each context until it finds a single match. To improve search performance, do not add large numbers of contexts because SSPR searches each context serially.
LDAP Test User	Specify an LDAP test user account. You must create a new test user account with the same privileges and policies as any other users in the system. You can change the password of this account and use it periodically to check the health of the LDAP server. Using a test user account increases the ability to detect and alert you about any configuration or health issues. You can test the following functionalities through a test user: Authentication Read password policy Set password Set challenge-responses Load challenge-responses This is a recommended setting. You can configure an LDAP Test User DN later also.
Username Search Filter	Specify the username search query in the following format: (&(objectClass=person)(cn=%USERNAME%)) Replace the value %USERNAME% with the actual username value. SSPR uses this filter for the contextless login and for finding users in the LDAP directories.
LDAP GUID Attribute	Specify an attribute to identity and reference unique users in the LDAP directory. You can set any string readable attribute as the GUID, as long as the directory can be trusted to the uniqueness. You can also use a custom attribute and enable Auto-Add GUID Value. The default value is VENDORGUID. For the default value, the system attempts to read the vendor-specific LDAP GUID.
Auto Add Object Classes	Specify the LDAP object classes to automatically add users who are authenticated using the password servlet. This is an auxiliary LDAP class that contains attributes used to store password self-service data. It is required only if schema is extended to store challenge response information. This is not required for Active Directory even with schema extension
LDAP Chai Settings	Specify a Name/Value setting to control behavior of the LDAP Chai API. The settings must be in the name=value format, where name is the key value of a valid ChaiSetting.
Attribute to use for Username	Specify an attribute to allow pages to display other details such as, the username of a user instead of the LDAP Naming Attribute value.
Auto-Add GUID Value	Select this check box to create a unique GUID value and assign it to any user who does not have a GUID value and is attempting to authenticate. The system writes this value to the attribute named in the LDAP GUID Attribute setting.
User Selectable Login Contexts	Specify the values in this format: display value:::context. For example, ou=sf,ou=ca,o=example:::San Francisco ou=lon,ou=uk,o=example:::London ou=nyc,ou=ny,o=example:::New York This is an optional setting. If you configure this, system adds a field to the form-based login screen and other user search screens. This field allows users to select a specific context.
LDAP Profile Display Name	Specify the name of the LDAP profile that you have configured.

Click Actions > Save.