Plan for LDAP
This topic describes how to work with LDAP for user management.
Important considerations
Management of both LDAP and native, internal users is not supported simultaneously. After you configure LDAP user management, you cannot return to native, internal user management.
Tip: Native, internal users are no longer able to log in to OpenText Software Delivery Management after LDAP is configured. You have to include or import them as LDAP users. Therefore, we recommend that you deactivate these users after LDAP configuration.
How LDAP users are authenticated
OpenText Software Delivery Management authenticates LDAP users when they log in.
- When logging in, the LDAP user enters the name and password.
- OpenText Software Delivery Management performs the following checks:
  - It looks up the name in its list of LDAP users.
  - It locates the corresponding LDAP dn for the LDAP user.
  - It locates the user using the mapping settings defined in Settings > Site > Servers under the LDAP Configuration section. For details, see Set up LDAP.
  - It locates the user in LDAP by dn to check whether the user is authenticated.
Create users based on your LDAP system
You manage your users using your organization's LDAP system.
To bring the details of existing users from your LDAP system into OpenText Software Delivery Management, use one of the following methods.
Method | Description |
---|---|
Export and import | Export LDAP users to a CSV file, and then import the CSV file using OpenText Software Delivery Management Settings. See Import LDAP users. This is useful for first-time LDAP configuration, when you have many LDAP users to add at one time. |
Add users from LDAP | Add LDAP users in the OpenText Software Delivery Management Settings area. This is useful for adding LDAP users periodically, without having to re-export and re-import. See Set up LDAP. |
REST API | You can create an LDAP user using the REST API by posting the user with certain LDAP attributes. You cannot use the REST API to import existing LDAP users from a CSV file. You can only create new users manually that carry the details of the existing users in the LDAP system. For details about using the REST API to create users, see Creating LDAP users. |
How LDAP users are identified and added
This section explains how your LDAP users are mapped to existing users in OpenText Software Delivery Management, if any exist.
Determining a user match
To determine a match, the following details of each imported LDAP user are compared to the existing user information in OpenText Software Delivery Management.
LDAP User Attribute | OpenText Software Delivery Management User Field |
---|---|
The immutable LDAP UUID (universally unique ID) | uid |
The logon name | Login Name (name field in REST API) |
For a summary of how OpenText Software Delivery Management and LDAP attributes are mapped, see Mapping.
Handling a user match
If either of the above attributes matches, the imported LDAP user is considered existing, and the details of the OpenText Software Delivery Management user are updated to those of the corresponding LDAP user.
Unable to match an LDAP user
When an LDAP user cannot be matched to an OpenText Software Delivery Management user, the imported LDAP user is considered new. New users are created using the details of the corresponding LDAP users, and are assigned to the default workspace with the predefined viewer role.
Unable to match any LDAP user
Because you cannot have a mix of users created with internal user management and users imported from LDAP, the non-LDAP OpenText Software Delivery Management users are unable to log in to OpenText Software Delivery Management. In this case, we recommend that you manually deactivate these users. For details on deactivating users, see Roles and permissions.
Mappings are configured in OpenText Software Delivery Management Settings. For details, see Field Mapping.
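The matching rule from "Determining a user match" through "Unable to match any LDAP user" above, as an added example that is not product code from OpenText Software Delivery Management: it compares the immutable LDAP UUID against uid and the logon name against Login Name, updates a user on either match, creates unmatched LDAP users in the default workspace with the viewer role, and lists the native users left over, which the page recommends deactivating. The in-memory user record, its field names and the sample data are assumptions for illustration.

```python
# Added example, not product code: models the page's LDAP import matching rule.
# Assumptions (not from the page): the SdmUser record shape, the name of the
# default workspace, and the constructed sample records below.
from dataclasses import dataclass

DEFAULT_WORKSPACE = "default"   # assumption: the default workspace is named this
VIEWER_ROLE = "viewer"          # page: new LDAP users get the predefined viewer role

@dataclass
class SdmUser:
    uid: str            # compared against the immutable LDAP UUID
    name: str           # Login Name; compared against the LDAP logon name
    email: str = ""
    ldap: bool = False  # True once the user has been matched to or created from LDAP
    roles: tuple = ()   # (workspace, role) pairs

def match_user(record, users):
    """Return the existing user matched on UUID or on logon name, else None."""
    # Rebuilt per record because earlier updates may have changed uid or name.
    by_uid = {u.uid: u for u in users}
    by_name = {u.name: u for u in users}
    return by_uid.get(record["uuid"]) or by_name.get(record["logon"])

def import_ldap_users(records, users):
    """Apply imported LDAP records to the user list; returns (updated, created)."""
    updated = created = 0
    for rec in records:
        hit = match_user(rec, users)
        if hit:
            # Either attribute matched: treat as existing, overwrite details with LDAP's.
            hit.uid, hit.name, hit.email, hit.ldap = rec["uuid"], rec["logon"], rec["mail"], True
            updated += 1
        else:
            # No match: new user in the default workspace with the viewer role.
            users.append(SdmUser(rec["uuid"], rec["logon"], rec["mail"], True,
                                 ((DEFAULT_WORKSPACE, VIEWER_ROLE),)))
            created += 1
    return updated, created

def remaining_native(users):
    """Native users never matched by an LDAP record; these can no longer log in."""
    return [u.name for u in users if not u.ldap]

# Constructed sample data (not from the page).
EXISTING = [SdmUser("u-1", "alice"), SdmUser("u-2", "bob"), SdmUser("u-3", "carol")]
LDAP_EXPORT = [
    {"uuid": "u-1", "logon": "alice.new", "mail": "alice@example.com"},  # UUID match, renamed
    {"uuid": "u-9", "logon": "bob",       "mail": "bob@example.com"},    # logon-name match
    {"uuid": "u-4", "logon": "dave",      "mail": "dave@example.com"},   # no match: new user
]

if __name__ == "__main__":
    print(import_ldap_users(LDAP_EXPORT, EXISTING), remaining_native(EXISTING))
```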