Set up LDAP

You can manage and authenticate users using your organization's LDAP system.

Caution: After you set up LDAP authentication, you cannot continue using OpenText Software Delivery Management built-in, native, internal user management. You cannot have a mix of users created with OpenText Software Delivery Management internal user management and users imported from LDAP.

Before you begin

After you configure for LDAP user management, you cannot return back to native, internal user management. Management of both LDAP and native, internal users simultaneously is not supported.

Before you continue, learn how OpenText Software Delivery Management works with LDAP for user management, and plan accordingly. For details, see Plan for LDAP.

Security Caution

OpenText encourages the customer to ensure secure communication for LDAP configuration, which is not provided by OpenText. By not implementing communication through HTTPS and LDAPS protocols, you may be exposing the system to increased security risks. You understand and agree to assume all associated risks and hold OpenText harmless for the same. It remains at all times the Customer’s sole responsibility to assess its own regulatory and business requirements. OpenText does not represent or warrant that its products comply with any specific legal or regulatory standards applicable to Customer in conducting Customer's business.


Configure LDAP

Site admins can configure LDAP and its servers using the OpenText Software Delivery Management Settings UI any time after initial installation.

Settings are case-sensitive.

To configure LDAP:

  1. Prerequisite: Make sure your LDAP implementation is successful. For details, see Plan for LDAP.

  2. Log in as site admin, and open Settings > Site > Servers.

  3. Click Enable LDAP Authentication.

  4. In the LDAP Servers section, click in the box to edit the details for the LDAP server on which the admin DN (distinguished name) exists.

    Description

    Description of the LDAP server.

    Optional.

    Host

    The LDAP server host name or IP address.

    Mandatory.

    Port

    LDAP server connection port.

    Mandatory.

    Is SSL

    Whether to connect to the LDAP server over SSL/TLS (LDAPS).

    Mandatory.

    Enter Y or N.

    If Y, establish trust to the certificate authority that issued the LDAP server certificate. For details, see "Configure trust on the server" in the OpenText Software Delivery Management Installation Guide. See Install.

    If N, the connection is not encrypted: with the simple authentication method, the bind password entered below, and any user password verified against LDAP, cross the network in cleartext. Use Y in production.

    Base directories

    Root of the LDAP path to use to search for users when including new LDAP users in OpenText Software Delivery Management spaces. This can be a list of common names and domain components (cns and dns), or a list of organizational units (ou).

    Separate the directories in the list with semi-colons.

    Optional.

    Default: Blank.

    Base filters

    Filters to use to refine the search for users when including new LDAP users in OpenText Software Delivery Management spaces. This is generally a list of LDAP objectClasses.

    Separate the items in the list with semi-colons.

    Optional.

    Default: (objectClass=*)

    Authentication method

    The LDAP authentication method supported by the LDAP server.

    Mandatory.

    The following methods are supported: 

    • anonymous. In this case, skip the next two parameters: user and password.

    • simple. In this case, user and password are mandatory.

    Authentication username

    User name for accessing the LDAP server. This user must have at least read permissions for the LDAP server. Read access is sufficient: use a dedicated service account for this bind rather than a directory administrator, so that a compromise of the stored credentials does not grant write access to the directory.

    Can be blank only if the LDAP authentication method is anonymous.

    Authentication password

    Password for accessing the LDAP server.

    This password is encrypted.

    Can be blank only if the LDAP authentication method is anonymous.

    Field Mapping

    In the Field Mapping section, map each OpenText Software Delivery Management attribute to an LDAP attribute. The sample LDAP attributes below are the ones commonly used; the attribute names in your directory may differ.

    UID

    Sample LDAP attribute: objectGUID (for Active Directory); entryUUID (for other LDAP systems).

    The LDAP attribute that should be used as the immutable, globally-unique identifier. Mandatory.

    This is also referred to as the UUID (universally unique ID).

    • For Active Directory: objectGUID is used.

    • For other LDAP systems: entryUUID is generally used for OpenLDAP. Depending on your LDAP, this attribute might be different, such as GUID or orclguid. You can configure any other attribute, provided that its value is unique and never changes for a given user.

    The UID attribute is the attribute by which OpenText Software Delivery Management identifies each user internally for synchronization between OpenText Software Delivery Management and LDAP, including when importing users. It cannot be changed afterwards (see Update LDAP user properties).

    DN

    Sample LDAP attribute: distinguishedName (for Active Directory); entryDN (for other LDAP systems).

    The LDAP distinguished name attribute. Unique. Mandatory.

    A DN is a unique string composed of other LDAP attributes, typically the common name, organizational unit, and domain components:

    cn=<common_name>,ou=<organizational_unit>,dc=<part_of_domain>

    Example

    If the entryDN attribute of each user in LDAP holds a value of the form cn=<common_name>,ou=<organizational_unit>,dc=<part_of_domain>, map DN to entryDN.

    When exporting users from LDAP, the DN of each LDAP user is then the common name, followed by the organizational unit, followed by the domain component, such as: cn=Joe_Smith@nga,ou=my_org,dc=com

    First name

    Sample LDAP attribute: givenName. The LDAP attribute for first name. Mandatory.

    Last name

    Sample LDAP attribute: sn. The LDAP attribute for last name. Mandatory.

    Full name

    Sample LDAP attribute: cn. The LDAP attribute for full name. Optional.

    Logon name

    Sample LDAP attribute: mail.

    The unique identifier among all OpenText Software Delivery Management users, and the value users enter to log on to OpenText Software Delivery Management. Mandatory.

    In some cases, OpenText Software Delivery Management may use this attribute to identify each user internally for synchronization between OpenText Software Delivery Management and LDAP, including when importing users.

    mail is usually unique for each user, so mail is an appropriate LDAP attribute to map to Logon name.

    You can change the Logon name attribute mapping at any time, but make sure the Logon name is unique across all OpenText Software Delivery Management users.

    Email

    Sample LDAP attribute: mail. The LDAP attribute for email address. Mandatory.

    Telephone

    Sample LDAP attribute: telephoneNumber. The LDAP attribute for the primary phone number. Optional.

    Click Save. The details are validated and you are informed if any must be corrected.

  5. In the LDAP Configuration section, click in the box to enter general settings.

    connection-timeout

    Connection timeout in seconds. Optional.

    Default: 30 seconds

    admin-dn

    The user that signs in to OpenText Software Delivery Management after initially setting up LDAP authentication. Its purpose is to make sure that one workable user exists to start configuring LDAP user authentication.

    When the OpenText Software Delivery Management server starts, it checks the LDAP configuration settings, verifies that this user exists, and validates this user against the LDAP data. If this attribute is not defined correctly, the server does not start. Correct the user details and restart the server.

    This user can be the same user as the one entered in the octane.conf file, or a different user. After you enter the value for this user and restart the OpenText Software Delivery Management server, the admin user entered in the octane.conf file is overwritten. This user becomes the OpenText Software Delivery Management site admin that can be used to log into OpenText Software Delivery Management the first time.

    Note: If the admin-dn is changed and the server is restarted, both the original admin-dn and the new admin-dn exist as site admins. Modifying the admin-dn does not remove the original one.

    Click Save. Details are validated.

  6. Click Add LDAP Server to add additional LDAP servers, as necessary.

    Click the Delete sign next to an LDAP server to delete it.

    Tip: You can add and delete additional LDAP servers as necessary. However, you cannot delete the LDAP server on which the admin DN exists.

  7. Restart the OpenText Software Delivery Management server for the configuration changes to take effect. For details, see Restart the server.

    At any point, you can click Validate LDAP Servers to check whether any LDAP servers have lost connectivity and to verify that the admin DN still exists on its LDAP server.

    Note: As you modify the LDAP configuration, the ldap.conf file is automatically updated to reflect these changes. You can also modify the LDAP configuration directly in the ldap.conf file as described in Modify site settings. However, we do not recommend this because it bypasses the validations performed by the UI.


Restart the server

Restart the OpenText Software Delivery Management server for the LDAP configuration settings to take effect. For details, see Modify site settings.

Note: After restarting the server, any previously-defined native OpenText Software Delivery Management users (both admins and regular) can no longer access the OpenText Software Delivery Management server.

Only the AdminDN user defined in Settings > Site > Servers > LDAP Configuration has access. The AdminDN user logs in with the logon name mapped in Field Mapping (such as the value of the mail attribute), not with the DN specified in Settings > Site > Servers > LDAP Configuration.


Export users from LDAP

Export users using your LDAP configuration tool.

Overview

These instructions describe how to export users from LDAP into a CSV file. This is useful for first-time, initial addition of LDAP users in OpenText Software Delivery Management, when many users have to be created at the same time.

After, you can import the users listed in the CSV file into OpenText Software Delivery Management. For details, see Import LDAP users.

To export users from LDAP:

  1. The LDAP admin should define filters in LDAP so that only the relevant users are exported. It is unlikely that all LDAP users need to be imported into OpenText Software Delivery Management.

  2. In your LDAP configuration tool, export user details to a CSV file.

    If you have more than one LDAP server, create a separate CSV file for each server.

    Your CSV file should have the following:

    • A header line containing the attribute names. If necessary, you can check the ldap.conf file for the exact attribute names. This file by default is located in the conf folder in the OpenText Software Delivery Management installation path.

    • Lines for each user, containing the values for the attributes included in the header.

    Example

    entryDN,entryUUID,givenName,sn,cn,mail,telephoneNumber
    "cn=admin1,ou=pcoe_alm_users,dc=maxcrc,dc=com","b5d4a886-2347-435a-8557-e3d8561b5f38","Tony","Stark","Tony Stark","TS@TheCompany.com",0133456789
    "cn=admin10,ou=pcoe_alm_users,dc=maxcrc,dc=com","e2e455ad-9248-48bf-b6ce-86ffc8d11f9c","Chris","Thompson","Chris Thompson","CT@TheCompany.com",5223456789
    "cn=admin11,ou=pcoe_alm_users,dc=maxcrc,dc=com","10fd9c99-3ea2-4a67-bb22-053aef055635","Greg","Santora","Greg Santora","GS@TheCompany.com",0120956789
    "cn=admin2,ou=pcoe_alm_users,dc=maxcrc,dc=com","05f85a65-f661-4a0e-a21b-567944b7e779","Kenny","Smith","Kenny Smith","KS@TheCompany.com",0123456734
    "cn=admin3,ou=pcoe_alm_users,dc=maxcrc,dc=com","54734767-2a83-4527-86d3-260c893e52d8","Maria","Jose","Maria Jose","MJ@TheCompany.com",0123555789
    "cn=admin4,ou=pcoe_alm_users,dc=maxcrc,dc=com","96920f66-a0dd-4d38-b25f-ee76e0bffd90","Peter","Klein","Peter Klein","PK@TheCompany.com",0111156789

    If your CSV file was exported in such a way that it contains an extra line between the header line and the user lines, remove the extra line.

    For an example of how to do this, see this KB article.

  3. After exporting users to the CSV file, verify the following using a simple text editor: 

    • The file contains all headers.

    • The columns are in the order of the ldap.conf file.

    • The export process did not add additional columns. This is because some LDAP configuration tools add columns, such as DN, automatically when exporting.

    Caution: Do not open the file in Microsoft Excel, even just for viewing purposes. This is because opening a CSV file in Microsoft Excel can change the file to a non-CSV format and only the CSV file format is supported.
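The checks in step 3 can be scripted instead of done by eye. The following Python example is added here; it is not OpenText code and not part of the product. It validates an exported CSV against the attribute order assumed for ldap.conf (the same order as the sample above; copy the real order from your file), reports one problem per CSV line number in the same numbering the import uses (line 1 is the header), and additionally catches duplicate UIDs and duplicate logon names, which would fail at import time. The attribute list, the set of mandatory attributes and the three sample files are constructed for this example.

```python
import csv

# Attribute order as mapped in ldap.conf (assumed for this example; copy yours from the file).
LDAP_CONF_ATTRS = ["entryDN", "entryUUID", "givenName", "sn", "cn", "mail", "telephoneNumber"]
# Attributes the Field Mapping marks as mandatory (DN, UID, first name, last name, logon name/email).
MANDATORY_ATTRS = {"entryDN", "entryUUID", "givenName", "sn", "mail"}
UID_ATTR, LOGON_ATTR = "entryUUID", "mail"


def parse_row(line):
    """Parse one CSV line, honouring quoted fields that contain commas (as DNs do)."""
    return next(csv.reader([line]))


def validate_export(csv_text, expected=LDAP_CONF_ATTRS, mandatory=MANDATORY_ATTRS):
    """Return a list of (csv_line_number, message); an empty list means the file is ready to import.

    Line numbers follow the import's error report: line 1 is the header, users start at line 2.
    """
    problems = []
    lines = csv_text.splitlines()
    if not lines:
        return [(0, "file is empty")]

    header = parse_row(lines[0])
    if header != list(expected):
        extra = [h for h in header if h not in expected]      # e.g. a DN column added by the tool
        missing = [a for a in expected if a not in header]
        problems.append((1, f"header must be exactly {list(expected)} in that order "
                            f"(extra columns: {extra}, missing: {missing})"))

    seen_uid, seen_logon = {}, {}
    for lineno, raw in enumerate(lines[1:], start=2):
        if raw.strip() == "":
            problems.append((lineno, "blank line; remove it (the import expects one user per line)"))
            continue
        row = parse_row(raw)
        if len(row) != len(expected):
            problems.append((lineno, f"expected {len(expected)} columns, found {len(row)}"))
            continue
        rec = dict(zip(expected, row))
        for attr, value in rec.items():
            if value != value.strip():
                problems.append((lineno, f"{attr} has leading/trailing whitespace: {value!r}"))
            if attr in mandatory and not value.strip():
                problems.append((lineno, f"mandatory attribute {attr} is empty"))
        uid = rec.get(UID_ATTR, "").strip()
        if uid:
            if uid in seen_uid:
                problems.append((lineno, f"duplicate UID {uid} (also on line {seen_uid[uid]})"))
            else:
                seen_uid[uid] = lineno
        # Logon names must be unique across all users. Compared case-insensitively here to be
        # conservative; that is this example's choice, not a documented product rule.
        logon = rec.get(LOGON_ATTR, "").strip().lower()
        if logon:
            if logon in seen_logon:
                problems.append((lineno, f"duplicate logon name {logon} (also on line {seen_logon[logon]})"))
            else:
                seen_logon[logon] = lineno
    return problems


# Constructed sample exports (values modelled on the example above).
GOOD_CSV = """\
entryDN,entryUUID,givenName,sn,cn,mail,telephoneNumber
"cn=admin1,ou=pcoe_alm_users,dc=maxcrc,dc=com","b5d4a886-2347-435a-8557-e3d8561b5f38","Tony","Stark","Tony Stark","TS@TheCompany.com",0133456789
"cn=admin10,ou=pcoe_alm_users,dc=maxcrc,dc=com","e2e455ad-9248-48bf-b6ce-86ffc8d11f9c","Chris","Thompson","Chris Thompson","CT@TheCompany.com",5223456789
"""

# Blank line after the header, trailing space in a first name, empty sn, and a reused logon name.
BAD_CSV = """\
entryDN,entryUUID,givenName,sn,cn,mail,telephoneNumber

"cn=admin1,ou=pcoe_alm_users,dc=maxcrc,dc=com","b5d4a886-2347-435a-8557-e3d8561b5f38","Tony ","Stark","Tony Stark","TS@TheCompany.com",0133456789
"cn=admin2,ou=pcoe_alm_users,dc=maxcrc,dc=com","05f85a65-f661-4a0e-a21b-567944b7e779","Kenny","","Kenny Smith","ts@thecompany.com",0123456734
"""

# An export tool that prepended its own DN column: the header and every row are off by one.
EXTRA_COLUMN_CSV = """\
dn,entryDN,entryUUID,givenName,sn,cn,mail,telephoneNumber
"cn=admin1,ou=pcoe_alm_users,dc=maxcrc,dc=com","cn=admin1,ou=pcoe_alm_users,dc=maxcrc,dc=com","b5d4a886-2347-435a-8557-e3d8561b5f38","Tony","Stark","Tony Stark","TS@TheCompany.com",0133456789
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CSV), ("bad", BAD_CSV), ("extra column", EXTRA_COLUMN_CSV)):
        print(name)
        for lineno, msg in validate_export(text) or [(None, "OK")]:
            print(f"  line {lineno}: {msg}")
```

Run it against each exported file before importing; because the problems carry the CSV line number, they can be matched directly against the errors the import dialog reports by line index.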

Import LDAP users

These instructions describe how to import LDAP users from a CSV file. LDAP users can be imported to the site, space, or workspace.

To import LDAP users:

  1. Prerequisite: Export users from LDAP into a CSV file. For details, see Export users from LDAP.
  2. Log in to OpenText Software Delivery Management using the logon name of the AdminDN user as defined in the ldap.conf file.

  3. Open the Settings menu, click Spaces, and select a space or workspace. This determines the context in which you import the users.

    Area Import result
    Site admin

    Creates or updates a site admin user.

    New site admin users are not assigned to any shared space. If you need to assign these users to a specific shared space, you must do so manually. For details on assigning users to a shared space, see Roles and permissions.

    Space

    Creates or updates space users.

    The users are assigned the workspace and role selected in the import dialog.

    Workspace

    Creates or updates a workspace user.

    The users are assigned the role selected in the import dialog.

  4. In the Users tab, click Import.

    Permissions required: Create User

  5. In the Import Users from File dialog box:

    • Browse for the relevant CSV file. If you have more than one LDAP server, import each file separately.

      Tip: To download a CSV template with the required format, click Download import file template in the Import Users from File dialog box.

    • Choose the LDAP server from which the CSV file was exported.

    • Select a workspace for the imported users. This field is only visible when importing users in a shared space context.
    • Choose a role for the imported users.

    Click OK to import.

    Note: If an imported user already exists, the import overwrites their former details. Role assignment takes effect only for new users in the workspace or shared space. If the user already existed prior to the import, the role is not changed by the import.

  6. Check the response that is returned after the import. This includes the number of users successfully imported, and errors for each user that did not import successfully.

    The errors indicate specifically which users in the CSV file were not imported successfully. Users are identified by the index of the line number in the CSV file, keeping in mind that the first line is the header line and does not contain actual data.

    If there are errors, resolve them in your LDAP user configuration tools or in the CSV file. Then re-import the CSV file.

    An error report can also be found in the server logs by the correlation ID. See the log site.log, which is generally stored here: C:/octane/log/nga/site/site.log


Add LDAP users

Instead of exporting and importing all LDAP users as a batch operation, you can add LDAP users in the Settings area, through a search in the LDAP tree. This is useful, for example, after all LDAP users were initially imported, and new users were later added to LDAP.

To add LDAP users:

  1. Log in to OpenText Software Delivery Management.

  2. Open the Settings menu, click Spaces, and select a space or workspace.

    If you select a workspace, the LDAP users are: 

    • Added to that workspace only.

    • Added to the workspace even if these LDAP users already exist in the corresponding space.

  3. In the Users tab grid view, click the Add LDAP Users button.

  4. In the Add LDAP Users dialog, enter the following.

    Field Description
    LDAP server

    The name of the LDAP server from which you are adding users.

    Directory base

    The root of the LDAP path from which to search for users.

    Base filter

    LDAP filters to use when searching.

    Search text

    Enter the string to search for. Asterisks are supported as wildcards.

    You can search for a specific first name, last name, email, and login name.

    Assign to role Choose a role for the selected user(s).
    In workspace Select a workspace for the selected user(s). This field is only visible when adding to a shared space.
  5. Click the Search button.

    A list of LDAP users that match your criteria is displayed in the Show New Users tab. This tab does not show any existing users. To view existing users in a read-only view, click Show Existing Users. The Add LDAP Users operation does not overwrite any existing users.

    Tip: Up to 100 results are listed. If you get this many results, you may want to refine your search criteria.

  6. Select the LDAP users that you want to add from the list of new users.
  7. Choose a role for the selected users.
  8. If you are working in the context of a shared space, you must also select a workspace.
  9. Click Add to add the selected users.
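The Search text field accepts asterisks as wildcards; everything else a user types should reach the directory only as an assertion value, never as filter syntax. The following Python example is added here; it is not OpenText code and does not show how OpenText Software Delivery Management builds its queries. It combines a configured base filter with the search text over the first name, last name and email attributes, escaping the text per RFC 4515 while keeping "*" as a wildcard, beside the plain string-concatenation version that lets a hostile search text add its own filter branch. The base filter, attribute list and search strings are constructed for the example.

```python
# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Attributes the dialog searches (first name, last name, email; logon name is mapped to mail here).
SEARCH_ATTRS = ("givenName", "sn", "mail")


def escape_filter_value(value, allow_wildcard=True):
    """Escape a user-supplied assertion value for use inside an LDAP filter.

    '*' is passed through when allow_wildcard is True (the dialog's documented wildcard);
    every other character with filter meaning is hex-escaped so it cannot change the filter's shape.
    """
    return "".join(
        ch if (ch == "*" and allow_wildcard) else _ESCAPES.get(ch, ch)
        for ch in value
    )


def build_user_search(base_filter, search_text, attrs=SEARCH_ATTRS):
    """Hardened: the search text can only ever be an assertion value inside each (attr=...)."""
    value = escape_filter_value(search_text)
    alternatives = "".join(f"({attr}={value})" for attr in attrs)
    return f"(&{base_filter}(|{alternatives}))"


def build_user_search_unsafe(base_filter, search_text, attrs=SEARCH_ATTRS):
    """Vulnerable: raw concatenation lets the search text close an assertion and add its own."""
    alternatives = "".join(f"({attr}={search_text})" for attr in attrs)
    return f"(&{base_filter}(|{alternatives}))"


def is_balanced(filter_str):
    """Parenthesis balance check: an injected filter is often still balanced, so this alone is no defence."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    base = "(objectClass=inetOrgPerson)"      # constructed base filter
    print(build_user_search(base, "Jo*"))
    # Hostile search text: closes the attribute assertion and injects a match-everything branch.
    hostile = "*)(objectClass=*"
    print(build_user_search_unsafe(base, hostile))   # contains an extra (objectClass=*) alternative
    print(build_user_search(base, hostile))          # parentheses escaped; stays one assertion
```

Note that the injected filter is syntactically balanced, so a directory server accepts it; only escaping at the value boundary keeps the user-supplied text from widening the search past the base filter and base directory the administrator configured.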


Update LDAP server properties

LDAP server properties, such as the server IP address, might change over time. These instructions describe how to update OpenText Software Delivery Management after LDAP server properties have changed at any point after initial import.

If you update the LDAP server ID, you must also update your users in OpenText Software Delivery Management. This is because the LDAP server details are included in the details for each of the LDAP users. For details, see Update LDAP user properties.

To update LDAP server details:

  1. On the new LDAP server, use your LDAP configuration tool to export the users to a CSV file.

    When you export user details, use the exact attributes listed in the ldap.conf file, and in the exact order that the attributes are listed in the file.

  2. Restart your OpenText Software Delivery Management server. For details, see Modify site settings.

  3. In OpenText Software Delivery Management, re-import the CSV file. In the Import dialog, select the name of the new LDAP server.


Update LDAP user properties

LDAP user properties might change over time. These instructions describe how to update OpenText Software Delivery Management after LDAP user properties have changed at any point after initial import.

Overview

When managing and authenticating users using LDAP, OpenText Software Delivery Management does not manage user details other than the user avatar and display names. Instead, user details are managed by your LDAP server.

If you make changes to users in your LDAP system, the users' properties are automatically updated in OpenText Software Delivery Management the next time the user logs in.

Caution: If changes were made to the AdminDN user in the LDAP system, the properties for the AdminDN must be manually updated in the ldap.conf file. Changes to the ldap.conf file are not automatically updated.

How to make LDAP updates take effect immediately

LDAP changes automatically take effect the next time users log into OpenText Software Delivery Management.

If you want LDAP updates to take effect immediately, do one of the following:

  • Re-import all LDAP users into OpenText Software Delivery Management. This is useful for batch operations when updates to many users are needed.

  • Update the relevant user attributes using the OpenText Software Delivery Management REST API. This is useful when you have modifications to a few users. For details, see Creating LDAP users in the OpenText Software Delivery Management Developer Help.

Add new LDAP users

If the LDAP changes involve adding new users, add them using the Include LDAP User feature in Settings. For details, see Add LDAP users.

Guidelines

Here are some scenarios that necessitate LDAP updates in OpenText Software Delivery Management, with an explanation of how the updates are handled.

Scenario Change in OpenText Software Delivery Management
User attribute changes

Changes to a specific user attribute, such as the user's last name.

Notes

  • You cannot change the OpenText Software Delivery Management user ID (uid) because this is the attribute by which OpenText Software Delivery Management identifies each user internally for synchronization with LDAP, including importing.

  • You can change the logonName attribute, but make sure the logonName is unique across all OpenText Software Delivery Management users.

For automatic updates:

  1. Update the details in the LDAP configuration tool. The changes take effect in OpenText Software Delivery Management the next time the users log in.

  2. If changes were made to the AdminDN attributes, update the attributes for this user in the ldap.conf file also.

For immediate updates:

  1. Update the details in the LDAP configuration tool.

  2. Re-export the users using a new CSV file, making sure the attributes are in the exact order as in the ldap.conf file.

    If changes were made to the AdminDN user, update the attributes for this user in the ldap.conf file also.

  3. Re-import the CSV file.

User logon name changes

Each OpenText Software Delivery Management user is uniquely identified by their logon name, which is usually the user's email address, as defined in the ldap.conf file. The UID attribute, not the logon name, is what ties the OpenText Software Delivery Management account to the LDAP entry during synchronization.

If a user's logon name changes in LDAP, OpenText Software Delivery Management therefore still recognizes that user as the same user. The first time the user logs in to OpenText Software Delivery Management after the change, the user must enter the previous logon name, the one OpenText Software Delivery Management still holds; that login synchronizes the new value. From then on, the user logs in with the new logon name.

Notes

  • If changes were made to the AdminDN user's logon name in the LDAP system after the initial import, the property must be manually updated in the ldap.conf file. Changes to the ldap.conf file are not automatically updated.

  • If a user's logonName is changed while the user is working in OpenText Software Delivery Management, the user might have to restart OpenText Software Delivery Management to keep working.
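The two rules in the guidelines above (the UID is the synchronization key and never changes; the logon name may change but must stay unique) are easier to reason about in code. The following Python example is added here; it is not OpenText code and does not show how OpenText Software Delivery Management stores users. It models a user store keyed on the attribute mapped to UID, replays a logon-name change and a logon-name collision, applies the role only when a user is created (as the import does), and shows why mapping UID to a mutable attribute such as mail would split one person into two accounts. Attribute names follow the Field Mapping table; the entries, UUIDs and role names are constructed.

```python
class LdapUserStore:
    """Constructed model of how LDAP users are reconciled, keyed on the attribute mapped to UID.

    uid_attr is the LDAP attribute mapped to UID in Field Mapping; logon_attr the one mapped to Logon name.
    """

    def __init__(self, uid_attr="entryUUID", logon_attr="mail"):
        self.uid_attr = uid_attr
        self.logon_attr = logon_attr
        self.users = {}          # UID value -> {"attributes": {...}, "role": ...}
        self.logon_owner = {}    # normalised logon name -> UID value

    @staticmethod
    def _norm(logon):
        # Example's choice: treat case variants as the same logon name (conservative uniqueness).
        return logon.strip().lower()

    def sync(self, entry, role=None):
        """Create or update the user for one LDAP entry. Returns 'created' or 'updated'.

        Details are always overwritten from LDAP; the role is applied only when the user is created.
        Raises ValueError if the logon name is already held by a different UID.
        """
        uid = entry[self.uid_attr]
        logon = self._norm(entry[self.logon_attr])
        owner = self.logon_owner.get(logon)
        if owner is not None and owner != uid:
            raise ValueError(f"logon name {entry[self.logon_attr]!r} already belongs to UID {owner}")
        user = self.users.get(uid)
        if user is None:
            self.users[uid] = {"attributes": dict(entry), "role": role}
            self.logon_owner[logon] = uid
            return "created"
        old_logon = self._norm(user["attributes"][self.logon_attr])
        if old_logon != logon:                       # logon name changed in LDAP: same UID, re-key it
            self.logon_owner.pop(old_logon, None)
            self.logon_owner[logon] = uid
        user["attributes"] = dict(entry)             # LDAP is authoritative for user details
        return "updated"                             # role deliberately left untouched


def try_sync(store, entry, role=None):
    """Like store.sync, but returns 'rejected' instead of raising on a logon-name collision."""
    try:
        return store.sync(entry, role)
    except ValueError:
        return "rejected"


# Constructed LDAP entries (attribute names as in the Field Mapping table).
JANE = {
    "entryUUID": "3f2d1c0b-1111-4a2b-9c3d-000000000001",
    "entryDN": "cn=jane,ou=my_org,dc=com",
    "givenName": "Jane", "sn": "Doe", "mail": "jane.doe@example.com",
}
# Same entryUUID: Jane changed her last name and her mail (logon name) in LDAP.
JANE_RENAMED = {**JANE, "sn": "Smith", "mail": "jane.smith@example.com"}
# Different person whose mail collides with Jane's new logon name.
BOB = {
    "entryUUID": "9a1c7e2d-2222-4b3c-8d4e-000000000002",
    "entryDN": "cn=bob,ou=my_org,dc=com",
    "givenName": "Bob", "sn": "Lee", "mail": "jane.smith@example.com",
}

if __name__ == "__main__":
    store = LdapUserStore()
    print(store.sync(JANE, role="Team member"))       # created
    print(store.sync(JANE_RENAMED, role="Viewer"))   # updated; role stays "Team member"
    print(try_sync(store, BOB))                      # rejected: logon name already taken
    wrong = LdapUserStore(uid_attr="mail")           # UID mapped to a mutable attribute
    wrong.sync(JANE)
    wrong.sync(JANE_RENAMED)
    print(len(wrong.users), "accounts when UID is mapped to mail")   # 2: one person, two accounts
```

The last case is the practical reason the UID mapping must be an attribute such as objectGUID or entryUUID: with a mutable key, every rename in LDAP would create a fresh account and orphan the old one, and the "same user" behaviour described under User logon name changes could not hold.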

