BigMemory 4.4.0 | Product Documentation | Terracotta Management Console User Guide | Setting up Security | Setting up LDAP or Active Directory Authorization
 
Setting up LDAP or Active Directory Authorization
When you select either the LDAP or Active Directory authorization method from the TMC authentication page, a setup page opens. Filling out the form on the setup page allows the TMC to use your enterprise directory for authentication and authorization. The information below clarifies what is required in the fields on the setup form.
Enter your directory URL: The complete URL of the LDAP server. The URL has the format protocol://hostname:portnumber, where the protocol is ldap for standard (unencrypted) connections or ldaps for TLS-protected connections.
* The host is the host name or IP address of the LDAP server.
* The port is the port on which the server is listening. The port is optional; if omitted, it defaults to 389 for ldap or 636 for ldaps.
For example, specifying the URL ldaps://ldapserv1:700 would create a secure connection to the LDAP server running on the nonstandard port 700 on the host called ldapserv1.
Enter your directory system username: The user ID the TMC should supply to connect to the LDAP server, for example, "Directory manager". This user must have permission to query groups and group membership.
Note:
If your LDAP server allows anonymous access, leave this field blank. If your LDAP server does not allow anonymous access, the username must map to a password stored in the TMC keychain, which you can add with a command such as: bin/keychain.sh -O ~/.tc/mgmt/keychain ldap://admin@localhost:1389
Static Groups for LDAP
If you want to use an LDAP URL to define a set of rules for explicit group names (static groups, whose entries list their members), consider the following configuration.
Prompt | Example Value
--- | ---
Enter your directory URL | ldap://vminrwa04:1389
Directory System user name | tmcoperatoruser3
Search base | dc=localdomain,dc=com
UserDN Template | uid={0}, ou=Users, dc=localdomain,dc=com
Group DN Template | cn={0}, ou=Groups, dc=localdomain,dc=com
Is your LDAP instance working against dynamic groups? | No
Enter the attribute matching the user with the group | uniqueMember
Admin Groups | tmcadminstgroup1,tmcadminstgroup2,tmcadminstgroup3
Operator group | tmcopstgroup1,tmcopstgroup2,tmcopstgroup3,tmcadminstgroup1,tmcadminstgroup2,tmcadminstgroup3
Keychain Formation command | keychain -O -c .tc\mgmt\keychain ldap://tmcoperatoruser3@vminrwa04:1389
Keychain password | manageAD12
Dynamic Groups for LDAP
If you want to use an LDAP URL to define a set of rules that match only group members, use the dynamic group feature. This alternative to explicit group names works with the filter values you provide. All members of a dynamic group share a common attribute, or set of attributes, defined in the memberURL filter.
For example, suppose that your organization has two departments, Admin and Operator. If the LDAP attribute departmentNumber is AD for members of the Admin department and OP for members of the Operator department, configure as follows.
Prompt | Example Value
--- | ---
Enter your directory URL | ldap://vminrwa04:1389
Directory System user name | tmcoperatoruser3
Search base | dc=localdomain,dc=com
UserDN Template | uid={0}, ou=Users, dc=localdomain,dc=com
Group DN Template | cn={0}, ou=Groups, dc=localdomain,dc=com
Is your LDAP instance working against dynamic groups? | Yes
Enter the attribute matching the user with the group | departmentNumber
Admin Groups | AD
Operator group | OP,AD
Keychain Formation command | keychain -O -c .tc\mgmt\keychain ldap://tmcoperatoruser3@vminrwa04:1389
Keychain password | manageAD12
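As an added illustration (not TMC product code), the following Python models how the fields in the two LDAP tables above are used: the {0} templates build DNs, static membership is checked through the group entry's uniqueMember attribute, and dynamic membership through the user's departmentNumber value. The directory contents are constructed sample entries, and the role-resolution logic and the metacharacter check are assumptions about how such a form is evaluated, not a description of the TMC's internal implementation.

```python
# Added example, not TMC product code: models how the setup-form fields in the tables above are
# used to build DNs and decide TMC roles. DIRECTORY is a constructed in-memory stand-in for LDAP.
from dataclasses import dataclass

@dataclass
class DirectoryConfig:
    user_dn_template: str   # "UserDN Template": {0} is replaced by the login name
    group_dn_template: str  # "Group DN Template": {0} is replaced by a group name
    member_attribute: str   # "attribute matching the user with the group"
    dynamic_groups: bool    # "working against dynamic groups?"
    admin_groups: list      # "Admin Groups", split on commas
    operator_groups: list   # "Operator group", split on commas

USER_TPL = "uid={0}, ou=Users, dc=localdomain,dc=com"
GROUP_TPL = "cn={0}, ou=Groups, dc=localdomain,dc=com"
ADMIN = ["tmcadminstgroup1", "tmcadminstgroup2", "tmcadminstgroup3"]
OPERATOR = ["tmcopstgroup1", "tmcopstgroup2", "tmcopstgroup3"] + ADMIN  # admins are operators too
STATIC_CFG = DirectoryConfig(USER_TPL, GROUP_TPL, "uniqueMember", False, ADMIN, OPERATOR)
DYNAMIC_CFG = DirectoryConfig(USER_TPL, GROUP_TPL, "departmentNumber", True, ["AD"], ["OP", "AD"])

DIRECTORY = {  # constructed entries, DN -> attributes
    USER_TPL.replace("{0}", "alice"): {"departmentNumber": ["AD"]},
    USER_TPL.replace("{0}", "bob"): {"departmentNumber": ["OP"]},
    USER_TPL.replace("{0}", "carol"): {"departmentNumber": ["HR"]},
    GROUP_TPL.replace("{0}", "tmcadminstgroup1"): {"uniqueMember": [USER_TPL.replace("{0}", "alice")]},
    GROUP_TPL.replace("{0}", "tmcopstgroup1"): {"uniqueMember": [USER_TPL.replace("{0}", "bob")]},
}

def resolve_roles(cfg, username, directory=DIRECTORY):
    # Defensive check added here (not on this page): DN metacharacters in a login name would
    # change the meaning of the templated DN, so such names are refused instead of escaped.
    if not username or set(',+"\\<>;=#') & set(username):
        return set()
    user_dn = cfg.user_dn_template.replace("{0}", username)
    if user_dn not in directory:
        return set()
    if cfg.dynamic_groups:
        # Dynamic groups: the user's own attribute values are the group names to match.
        matched = set(directory[user_dn].get(cfg.member_attribute, []))
    else:
        # Static groups: expand each configured group name through the Group DN template and
        # check whether the user's DN is listed in that group entry's membership attribute.
        matched = {g for g in set(cfg.admin_groups) | set(cfg.operator_groups)
                   if user_dn in directory.get(cfg.group_dn_template.replace("{0}", g), {})
                                          .get(cfg.member_attribute, [])}
    roles = set()
    if matched & set(cfg.admin_groups):
        roles.add("admin")
    if matched & set(cfg.operator_groups):
        roles.add("operator")
    return roles
```

Because the example Operator group list repeats the admin group names, a member of an admin group receives both roles, which is what the tables above configure.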
Static Groups for Active Directory
If you want to use an Active Directory URL to define a set of rules for explicit group names, consider the following configuration example.
Prompt | Example Value
--- | ---
Enter your directory URL | ldap://10.60.29.212:389
Directory System user name | tmcoperatoruser3
Search base | DC=igomega,DC=com
Admin Groups | tmcadminstgroup1,tmcadminstgroup2,tmcadminstgroup3
Operator group | tmcopstgroup1,tmcopstgroup2,tmcopstgroup3,tmcadminstgroup1,tmcadminstgroup2,tmcadminstgroup3
Keychain Formation command | keychain -O -c .tc\mgmt\keychain ldap://tmcoperatoruser3@10.60.29.212:389
Keychain password | manageAD12