User mapping – HP IO Accelerator for BladeSystem c-Class User Manual
Adding and editing LDAP providers
c. Perform an LDAP Bind with the Auth DN and Password, if one is specified.
Any errors encountered are displayed at the top of the window.
When finished, click Next Step to display User Mapping.
User mapping
A primary function of the LDAP Provider is to take a username (like jdoe) and password, and verify that the
username maps to an entry in the LDAP server, and that the user's LDAP entry along with their password can
be used to authenticate to the LDAP directory.
The application gives you two ways to map usernames to LDAP entries: an easy DN Builder (essentially a DN
template), and a traditional search-based mapping configuration.
DN Builder
In some LDAP deployments, all users reside in a single, flat container (such as
OU=people,DC=example,DC=com), and all users are named with a common naming attribute (such as
UID). In this case, it is easier to use the DN Builder to configure the User Mapping. To map a username such
as jdoe to an LDAP entry of UID=jdoe,OU=people,DC=example,DC=com, type UID into the template left
field, and OU=people,DC=example,DC=com into the right.
An example DN is shown below the Template fields in the form of
UID=${username},OU=people,DC=example,DC=com. This shows you what the resulting username
map will be, where the string "${username}" is replaced with the username entered when a user attempts
to log in.
Search
The traditional method of mapping a username to an LDAP entry is to search for the username as a unique
value of the entry that represents the user. For example, Active Directory deployments often populate an
attribute called sAMAccountName with the username. Other directory deployments might populate the UID
attribute with the username.
Enter the DN of the tree branch that is hierarchically above your user entries (for example,
OU=people,DC=example,DC=com). If you previously entered a Default Base DN, you can select it from
the drop-down list.
For the search filter, you can add one or more attributes to the Search Attributes field and a search filter is
automatically created. For example, if your user entries have a UID attribute that holds their unique
username, typing UID into the Search Attributes field produces a standard LDAP search filter of
(UID=${username}).
If you need a specialized search filter, you can edit it in the Search Filter field. Use the radio buttons to toggle
between entering attributes and editing the search filter.
The special token "${username}" is replaced with the name the user is attempting to log in with when the
HP IO Accelerator Management Tool performs the authentication.
The Scope should normally be set to Subtree. It can be set to One Level if the users are all in a single
container.
Click Next Step to proceed to Role Mapping.