Configure User Repositories

The User Repositories define parameters for using LDAP servers as the source of user data for the ActivID AS system.

By configuring ActivID AS to communicate with your LDAP directory server, you enable access to user data for authentication purposes.

Each User Repository entry contains information about the Connection Settings used, the Attributes available for the users, the LDAP referrals (if any), as well as a summary of all the Groups (User Types and Admin Groups) and all the Roles that are bound to the User Repository.

Note: These procedures are performed using the ActivID Management Console.
Prerequisites: You must have the LDAP Configuration permission to configure repositories.

Add a User Repository

  1. Log on to the ActivID Management Console, select the Configuration tab and, under Environment, select User Repositories.

  1. Click Add.

  1. Enter a descriptive Name.

  2. Modify the pre-assigned Code, if necessary.

  3. From the Adapter drop-down list, select the adapter that corresponds to your directory type:

    • Microsoft Active Directory
    • Oracle Directory Server
    • Novell eDirectory
Note: The procedures are the same for the supported directories, except for attribute mapping.

The user attributes and groups attributes mapping section is used to map attributes to user group objects and user objects in the directory. This section is pre-populated with values set for the user in the directory.

  1. Click Next and then Configure the Connection Settings.

Configure the Connection Settings

  1. Enter the Host (IP address or hostname) of the server where your LDAP directory resides.

  1. Enter the Port for the LDAP directory server’s listening port.

    2. Note: By default, enter 389 for non-secure LDAP or 636 for secure LDAP. These values can be different, but they must correspond to those set for the directory.

  1. Enter the Backup Host (IP address or hostname) of the server where your backup LDAP directory resides.

  2. Enter the Backup Port for the backup LDAP directory server’s listening port.

  3. Enter the Base Node of your directory.

    Base node is the base branch from which the mapping starts. If the base node is set at a particular level, you cannot map a user to a level higher than the base node level.

  1. Select the Enable LDAPs option to connect to the LDAP via SSL.

    2. Important: If you entered a secure LDAP port number, then you must select the option Enable LDAPs. Otherwise, the connection between ActivID AS and the LDAP will fail. This must also be specified in the server configuration.

  1. Click Import LDAPs Root CA certificate to locate and import the certificate.

    2. Important: The CN attribute in the certificate must match exactly the “Host” defined above. For example, if the host name CN in the certificate is “host.company.com”, then the Host defined above must also be “host.company.com”.

    You can either View or Delete the certificate after it is imported.

  1. Under Configure user attributes and groups attributes mapping, the user/group attributes mappings are pre-populated according to the datasource adapter selected.

    2. You do not need to modify them unless your LDAP has a specific configuration.

  1. Under Configure connection login credentials, enter the user credentials to be used by ActivID AS to access the LDAP. Then enter and confirm the user’s Password.

    2. Important: You must indicate the full User DN.

  1. Click Next and then Map the Attributes.

Map the Attributes

When registering a user with ActivID AS, you will be prompted to enter the user's values for the attributes defined for the selected User Type Top level category to organize the users. Based on the User Type, users can be organized into administration groups or sub-groups.. These values will be displayed in the User Details page.

In addition to the predefined user attributes, you can also create additional ones.

LDAP user attributes can be mapped to existing ActivID AS user attributes, and they can be used within the ActivID AS like any other attribute.

Once this is done, the list of enabled user attributes for each user can be managed from the list of available attributes in the User Type settings.

  1. In the Attributes tab, select All (or Available) to view the attributes that can be mapped.

  2. Select the check box(es) of ActivID AS attributes that you want to map to and enter the names of the corresponding LDAP attributes.

  1. Click Next and then Configure the Referrals Strategy.

Configure the Referrals Strategy

Referrals strategy enables ActivID AS to search for users when multiple LDAPs are connected.

Referral is the process by which an LDAP server, instead of returning a result, returns a reference (a referral) to another LDAP server that might contain further information.

Note: Referrals must be configured within the given LDAPs according to the particular LDAP guidelines.

  1. In the Referrals Strategy tab, select the referral rule to be applied when searching for users:

    • To allow ActivID AS to search for the user in all LDAPs, select Follow all LDAP Referrals and click Save.

      • Important:
      • For a Microsoft Active Directory, the Follow all LDAP Referrals option is not supported. It is recommended to select the Follow only these listed referrals option.
      • For a Novell eDirectory, the credentials of all referral LDAP servers must be the same.

    • If you want to specify which LDAP referral(s) to apply when ActivID AS searches for a user, select Follow only these listed referrals and click Add.

      1. Enter the Domain Name and Port of the server where the LDAP directory is hosted.
      2. If the connection requires credentials that are different from those specified for the main LDAP directory, enter the Username for ActivID AS should use to authenticate to the LDAP directory (only if you have a protected directory). Then enter and confirm the Password for the account.
      Note: If the connection uses the same credentials as those specified for the main LDAP directory, leave the Username and Password fields empty.

    2. Specify the following:

    • Domain Name – the FQDN name of the base node of the referred domain, not the domain name (for example, Domain1.Unit1.mycompany.com).
    • Username – the user DN (for example, CN=Administrator,CN=Users,DC=Domain1,DC=Unit1,DC=mycompany,DC=com)

    Specify the following:

    • Domain Name – the server host name or IP address.
    • Username – the User DN (or RDN) (for example, cn=Directory Manager).

  1. Before saving the changes, Test the Connection.

Test the Connection

  1. Click Connection Test to verify that the connection to the LDAP is correctly configured.

  1. Click Save to apply the repository configuration.

View the Mapped Groups and Roles

The repository configuration includes the Admin Groups and Roles tab which enables visualizing groups and roles that are mapped to the LDAP.

This mapping can be done through the Access Administration tab once the LDAP is added to the ActivID AS.

Edit a User Repository

  1. Select the Configuration tab and, under Environment, select User Repositories.

  1. Click the Name of the user repository that you want to edit.

  2. Edit the settings as required.

    Note: If you modify the Name of the User Repository, the old name will still appear in the Advanced User Search page. You must log off from the ActivID Management Console for the change take effect. The new name appears when you log on again.

  3. Click Save.

Copy a User Repository

  1. Select the Configuration tab and, under Environment, select User Repositories.

  2. Select the check box of the user repository that you want to copy and click Copy.

    3. A copy of the repository appears in the list.

  3. Click the Name of the new repository, and edit the settings as required.

    Important: You must specify a new base node for the new repository as each user repository added must have a unique base node.

  4. Click Save.

Delete a User Repository

Prerequisites: Before deleting a User Repository, you must clear the credentials for all the LDAP users that were assigned ActivID AS authentication records. If you try to delete a repository without having successfully cleared ActivID AS credentials, then the following error message will appear.

  1. Select the Configuration tab and, under Environment, select User Repositories.

  1. Select the check box of the user repository that you want to delete and click Delete.

  1. When prompted, click Yes to delete.