LDAP authentication provider

This section describes how to use LDAP authentication instead of the default, basic authentication for remote access to Service Virtualization Server and Service Virtualization Management.

LDAP authentication

This section describes how to configure LDAP authentication for remote access to Service Virtualization Server and Service Virtualization Management.

To use LDAP authentication:

  1. Set up an LDAP server for your users, as described in your LDAP server documentation.
  2. In an editor, open the Service Virtualization Server configuration file, [INSTALLLOCATION]\Server\bin\HP.SV.StandaloneServer.exe.config.

  3. Define the membershipProviderConfiguration element, as described in Authentication Provider configuration, making sure to specify Ldap.

  4. Define an additional ldapMembershipProviderConfiguration element to configure the LDAP connection. You can also place this element in an external file using the configSource attribute.

    The element supports the following attributes:
    ldapProviderUrl

    The URL of the LDAP server.

    Example: ldap://example.com:389/DC=SV%20Lab,DC=Com

    Note: The value must be URL-escaped; for example, replace every space with %20.

    connectionUsername

    Credentials to use when browsing LDAP during the login.

    Note: Many LDAP servers require a full DN in connectionUsername. The value must not be URL-escaped. The user must have read access to all LDAP entries under usersSearchBase.

    connectionPassword,
    enc-connectionPassword

    Password of the user specified by connectionUsername. If password encryption was enabled during installation, the encrypted password can be stored in the enc-connectionPassword attribute instead.

    Use the following command to encrypt the LDAP password:
    ConfigTool.exe enc-printEncryptedValue server [LDAP password]

    loginFilter

    LDAP filter string to search for LDAP user entry during login.

    The search is performed under the LDAP entry denoted by ldapProviderUrl and usersSearchBase combined. The $login$ placeholder is replaced by the name the user entered on the login page. The DN of the entry found is then used for the actual login operation (an LDAP bind).

    usersSearchBase

    Users base DN.

    • If defined, users are retrieved only from the LDAP subtree denoted by this DN. This DN must be relative to the root specified by ldapProviderUrl.
    • If omitted, the users base DN is assumed empty. Instead, user searches are performed under the entry denoted by ldapProviderUrl.

    userDisplayNamePattern

    The pattern for constructing the user's display name as shown in the UI. Strings in curly brackets are replaced by the values of LDAP attributes. For example, the pattern "{sn}, {givenName}" will be displayed as "Shakespeare, William" in Windows AD LDAP.

    If this attribute is missing, or if it references LDAP attributes that the entry does not have, the LDAP DN is used as the display name.

    groupDisplayNamePattern

    The pattern for constructing the group's display name as shown in the UI. This syntax is similar to userDisplayNamePattern, as described above.

    svOperatorsGroupName,
    svPublishersGroupName,
    svRuntimeAdministratorsGroupName,
    svServerAdministratorsGroupName,
    svmUsersGroupName

    ACL definition groups.

    For details, see Authenticate the SV Server.

  5. (Optional) If LDAP authentication takes a long time, you can add the following queries to the LDAP configuration to speed it up. The queries search for the groups to which a given user belongs; the union of the groups matching any of the filters is retrieved. The group search base is configured in the groupsSearchBase attribute.

    filterGroupsByMemberUid

    Use this filter to search for groups where the LDAP User membership is specified using the memberUid attribute. The {0} placeholder is replaced by the uid attribute of the LDAP User, when available.

    filterGroupsByMember

    Use this filter to search for groups where the LDAP User membership is specified using the member attribute. The {0} placeholder is replaced by the Distinguished Name (DN) of the LDAP User.

    filterGroupsByUniqueMember

    Use this filter to search for groups where the LDAP User membership is specified using the uniqueMember attribute. The {0} placeholder is replaced by the Distinguished Name (DN) of the LDAP User.

    If none of the three queries is specified, or if they have been removed, the default queries are used to maintain backward compatibility.

    Caution: Modifying the default query should only be performed in exceptional cases (at your own risk), and only after consulting an LDAP expert first.

    Example of LDAP configuration for connecting to Windows AD LDAP:

    <ldapMembershipProviderConfiguration
       ldapProviderUrl="ldaps://ldapServer.example.net:636"
       connectionUsername="sv_auto@example.net"
       connectionPassword="a secret"
       loginFilter="sAMAccountName=$login$"
       usersSearchBase="OU=EMEA,OU=Shared,DC=example,DC=net"
       groupsSearchBase="OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
       userDisplayNamePattern="{sn}, {givenName}"
       groupDisplayNamePattern="{cn}"
       svOperatorsGroupName="CN=SV_Operators,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
       svPublishersGroupName="CN=SV_Publishers,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
       svRuntimeAdministratorsGroupName="CN=SV_RuntimeAdmins,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
       svServerAdministratorsGroupName="CN=SV_Admins,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
       svmUsersGroupName="CN=SV_SVMUsers,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
       timeout="15000"
       filterGroupsByMemberUid="(&amp;(objectclass=posixGroup)(memberUid={0}))"
       filterGroupsByMember="(&amp;(|(objectclass=groupOfNames)(objectclass=mailGroup)(objectclass=group))(|(member:1.2.840.113556.1.4.1941:={0})(member={0})))"
       filterGroupsByUniqueMember="(&amp;(objectclass=groupOfUniqueNames)(uniqueMember={0}))"
    />
  6. Repeat steps 3 to 5 for Service Virtualization Manager (SVM): in an editor, open the SVM configuration file, [INSTALLLOCATION]\Server\bin\SvmRoot\HP.SV.ServiceVirtualizationManager.exe.config.
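The following Python script is an added worked example (not part of Service Virtualization or this page) of how the attributes from steps 4 and 5 combine into the two searches the text describes: the login lookup built from ldapProviderUrl, usersSearchBase and loginFilter, and the group queries with their {0} placeholder. The sample configuration embedded in it is constructed, and the RFC 4515 escaping of the substituted values and the wrapping of a bare loginFilter in parentheses are the example's own assumptions about how a client should build filters, not statements about the product.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed sample configuration (not from a real deployment); it reuses the
# attribute names from this page and the url-escaped base DN from the
# ldapProviderUrl example.
SAMPLE_CONFIG = """<ldapMembershipProviderConfiguration
   ldapProviderUrl="ldap://example.com:389/DC=SV%20Lab,DC=Com"
   connectionUsername="CN=sv_auto,OU=Service,DC=SV Lab,DC=Com"
   loginFilter="sAMAccountName=$login$"
   usersSearchBase="OU=EMEA,OU=Shared"
   filterGroupsByMemberUid="(&amp;(objectclass=posixGroup)(memberUid={0}))"
   filterGroupsByMember="(&amp;(objectclass=group)(member={0}))"
   filterGroupsByUniqueMember="(&amp;(objectclass=groupOfUniqueNames)(uniqueMember={0}))"
/>"""


def load_config(xml_text):
    # The XML parser decodes &amp; back to &, so the filters become plain LDAP syntax.
    return dict(ET.fromstring(xml_text).attrib)


def escape_filter_value(value):
    # RFC 4515 escaping (assumed client behaviour): characters that carry
    # meaning inside a filter are written as backslash + two hex digits.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def root_dn(cfg):
    # The DN part of ldapProviderUrl is url-escaped (spaces as %20), so decode it.
    return unquote(urlsplit(cfg["ldapProviderUrl"]).path.lstrip("/"))


def login_search(cfg, login):
    """Return (search base, filter) for the user lookup done during login."""
    # usersSearchBase is relative to the root DN from ldapProviderUrl; an
    # omitted usersSearchBase means the search runs directly under the root.
    base = ",".join(p for p in (cfg.get("usersSearchBase", ""), root_dn(cfg)) if p)
    flt = cfg["loginFilter"].replace("$login$", escape_filter_value(login))
    return base, flt if flt.startswith("(") else "(" + flt + ")"


def group_searches(cfg, user_dn, uid=None):
    """Return the group filters to run under groupsSearchBase; matches are unioned."""
    values = {"filterGroupsByMember": user_dn,          # {0} = the user's DN
              "filterGroupsByUniqueMember": user_dn,    # {0} = the user's DN
              "filterGroupsByMemberUid": uid}           # {0} = uid, if the entry has one
    return [cfg[k].replace("{0}", escape_filter_value(v))
            for k, v in values.items() if k in cfg and v is not None]
```

The DN returned by the login search is what the provider then binds with, so the base and filter it produces are the two values to check when a login lookup fails.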


Set the authorization attribute - optional

The LDAP provider usually handles both authorization and authentication. It verifies the user's identity and returns the list of groups to which the authenticated user belongs (and thus what the user is authorized to do).

If retrieving user groups is slow, or adding a user to a group would involve a lengthy process, you can delegate the authorization effort to the File Authentication Provider. For details, see File authentication provider. This enables you to specify user groups in the users.txt file rather than retrieving this information from LDAP. In this case, LDAP is used only for authenticating users, which means that the password hash in users.txt remains empty.

To set the authorization attribute:

  1. Add the optional authorization attribute set to the value of "UsersFile" as follows:

    <ldapMembershipProviderConfiguration
    ...
    ...
    authorization="UsersFile"
    ...
    ... />


  2. Add the path to the users.txt file in the membershipProviderConfiguration element:

    <membershipProviderConfiguration membershipProvider="Ldap" usersFile="users.txt"
    ...
    ... />


LDAP connection examples

Copy these code segments as a base for an LDAP connection.

Example: LDAP configuration for a connection to Windows Active Directory

<membershipProviderConfiguration
  membershipProvider="Ldap"
  loginUsernameTitle="MyCompany primary e-mail address"
  cachedLogonTokenLifetime="00:01:00"/>

<ldapMembershipProviderConfiguration
  ldapProviderUrl="ldaps://ldapServer.example.net:636"
  connectionUsername="sv_auto@example.net"
  connectionPassword="a secret"
  loginFilter="sAMAccountName=$login$"
  usersSearchBase="OU=EMEA,OU=Shared,DC=example,DC=net"
  groupsSearchBase="OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
  userDisplayNamePattern="{sn}, {givenName}"
  groupDisplayNamePattern="{cn}"
  svOperatorsGroupName="CN=SV_Operators,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
  svPublishersGroupName="CN=SV_Publishers,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
  svRuntimeAdministratorsGroupName="CN=SV_RuntimeAdmins,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
  svServerAdministratorsGroupName="CN=SV_Admins,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
  svmUsersGroupName="CN=SV_SVMUsers,OU=Cloud,OU=Global,OU=Shared,DC=example,DC=net"
/>

Example: LDAP configuration for a connection to OpenLDAP

<membershipProviderConfiguration
  membershipProvider="Ldap"
  loginUsernameTitle="MyCompany primary e-mail address"
  cachedLogonTokenLifetime="00:01:00"/>
...
<ldapMembershipProviderConfiguration
  ldapProviderUrl="ldap://ldap.example.net"
  connectionUsername="cn=Manager,dc=example,dc=net"
  connectionPassword="changeit"
  loginFilter="uid=$login$"
  usersSearchBase="ou=Users,ou=Sites,dc=example,dc=net"
  groupsSearchBase="ou=Groups,dc=example,dc=net"
  userDisplayNamePattern="{cn}"
  groupDisplayNamePattern="{cn}"
  svOperatorsGroupName="cn=svOperators,ou=Groups,ou=Sites,dc=example,dc=net"
  svPublishersGroupName="cn=svPublishers,ou=Groups,ou=Sites,dc=example,dc=net"
  svRuntimeAdministratorsGroupName="cn=svRuntimeAdmin,ou=Groups,ou=Sites,dc=example,dc=net"
  svServerAdministratorsGroupName="cn=svServerAdmin,ou=Groups,ou=Sites,dc=example,dc=net"
  svmUsersGroupName="cn=svmUsers,ou=Groups,ou=Sites,dc=example,dc=net"
/>
