Setting up LDAP or Active Directory Authorization

When you select either the LDAP or Active Directory authorization method from the TMC authentication page, a setup page opens. Filling out the form on the setup page allows the TMC to use your enterprise directory for authentication and authorization. The information below clarifies what is required in the fields on the setup form.

Enter your directory URL: The complete URL of the LDAP server. The URL has the format protocol://hostname:portnumber where the protocol is LDAP for standard connections or LDAPS for secure connections.

For example, specifying the URL ldaps://ldapserv1:700 would create a secure connection to the LDAP server running on the nonstandard port 700 on the host called ldapserv1.

Enter your directory system username: The user ID the TMC should supply to connect to the LDAP server, for example, "Directory manager". This user must have permission to query groups and group membership.

Note:
If your LDAP server allows anonymous access, leave this field blank. If your LDAP does not allow anonymous access, the username must map to a password in the TMC keychain, which can be configured such as: bin/keychain.sh -O ~/.tc/mgmt/keychain ldap://admin@localhost:1389

Prompt	Example Value
Enter your directory URL	ldap://vminrwa04:1389
Directory System user name	tmcoperatoruser3
Search base	dc=localdomain,dc=com
UserDN Template	uid={0}, ou=Users, dc=localdomain,dc=com
Group DN Template	cn={0}, ou=Groups, dc=localdomain,dc=com
Is your LDAP instance working against dynamic groups?	No
Enter the attribute matching the user with the group	uniqueMember
Admin Groups, Operator group	tmcadminstgroup1,tmcadminstgroup2, tmcadminstgroup3,tmcopstgroup1, tmcopstgroup2 tmcopstgroup3, tmcadminstgroup1,tmcadminstgroup2, tmcadminstgroup3
Operator group	OP,AD
Keychain Formation command	keychain -O -c .tc\mgmt\keychain ldap://tmcoperatoruser3@vminrwa04:1389
Keychain password	manageAD12

If you want to use a LDAP URL to define a set of rules that match only for group members, use the dynamic group feature. This alternative to explicit group names works with the filter values you provide. All the members of a dynamic group share a common attribute or set of attributes that are defined in the memberURL filter.

For example, suppose that your organization has two departments Admin and Operator. If the ldap attribute ‘departmentNumber’ for members of Admin department is AD, and the equivalent for the Operator department is ‘OP’, configure as follows.

Prompt	Example Value
Enter your directory URL	ldap://vminrwa04:1389
Directory System user name	tmcoperatoruser3
Search base	dc=localdomain,dc=com
UserDN Template	uid={0}, ou=Users, dc=localdomain,dc=com
Group DN Template	cn={0}, ou=Groups, dc=localdomain,dc=com
Is your LDAP instance working against dynamic groups?	Yes
Enter the attribute matching the user with the group	departmentNumber
Admin Groups	AD
Operator group	OP,AD
Keychain Formation command	keychain -O -c .tc\mgmt\keychain ldap://tmcoperatoruser3@vminrwa04:1389
Keychain password	manageAD12

Prompt	Example Value
Enter your directory URL	ldap://10.60.29.212:389
Directory System user name	tmcoperatoruser3
Search base	DC=igomega,DC=com
Admin Groups	tmcadminstgroup1,tmcadminstgroup2,tmcadminstgroup3
Operator group	tmcopstgroup1,tmcopstgroup2,tmcopstgroup3, tmcadminstgroup1,tmcadminstgroup2, tmcadminstgroup3
Keychain Formation	keychain -O -c .tc\mgmt\keychain ldap://tmcoperatoruser3@10.60.29.212:389
Keychain password	manageAD12