...
Info |
---|
FlexDeploy uses the memberOf virtual attribute to derive a user's groups, so group mapping will not work if your LDAP does not support that attribute. |
Field | Required | Description |
---|---|---|
Realm Name | Yes | |
Description | No | |
URL | Yes | URL to access the LDAP server. For example, ldap://localhost:10389 |
System Username | Yes | Read-only username to access the LDAP server. This should be the fully qualified username in LDAP. FlexDeploy will use the system username and system password to bind to LDAP for various operations. For example, uid=admin,ou=system |
System Password | Yes | Password for the specified system username. |
User Search Base | Yes | User base tree in the LDAP server. For example, ou=users,ou=system. |
User Search Filter | Yes | User search filter to find user records in the user search base. For example, (&(objectClass=*)(uid={0})) or (&(objectClass=*)(sAMAccountName={0})) |
Connect Timeout | No | A timeout, in seconds, for connecting to the external server. The default timeout is 30 seconds. If no value is provided, there is no timeout. |
Read Timeout | No | A timeout, in seconds, for LDAP read operations. The default timeout is 120 seconds. If no value is provided, there is no timeout. |
Follow Referrals | Yes | How to handle referrals (follow/ignore). The default is ignore. |
Group Mapping Enabled | Yes | Enable if you want to map LDAP groups to FlexDeploy groups. The LDAP server must support the memberOf attribute for group mapping in FlexDeploy. |
Group Search Base | No* | Group base tree in the LDAP server. Required if group mapping is enabled. For example, (ou=groups,ou=myrealm,dc=MyDomain) |
Group Search Filter | No* | Search filter to find groups in the group search base. Required if group mapping is enabled. For example, (objectClass=groupOfUniqueNames) |
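
A pre-flight check for the realm fields in the table above, added here as an example and not FlexDeploy code. The dictionary keys, `check_realm` and `balanced` are hypothetical names; the sample uses the table's example values plus a constructed realm name and password.

```python
from urllib.parse import urlparse
REQUIRED = ("realm_name", "url", "system_username", "system_password",
            "user_search_base", "user_search_filter")

def balanced(ldap_filter):
    """True if the filter is wrapped in parentheses and every one pairs up."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(") and ldap_filter.endswith(")")

def check_realm(cfg):
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = [f"missing required field: {k}" for k in REQUIRED if not cfg.get(k)]
    url = urlparse(cfg.get("url", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        problems.append("url must look like ldap://host:port or ldaps://host:port")
    elif url.scheme == "ldap":
        problems.append("warning: url is ldap://, not ldaps://")
    user_filter = cfg.get("user_search_filter", "")
    if user_filter and "{0}" not in user_filter:
        problems.append("user_search_filter has no {0} placeholder for the login name")
    if user_filter and not balanced(user_filter):
        problems.append("user_search_filter has unbalanced parentheses")
    if cfg.get("follow_referrals", "ignore") not in ("follow", "ignore"):
        problems.append("follow_referrals must be follow or ignore")
    if cfg.get("group_mapping_enabled"):
        for key in ("group_search_base", "group_search_filter"):
            if not cfg.get(key):
                problems.append(f"{key} is required when group mapping is enabled")
            elif key.endswith("filter") and not balanced(cfg[key]):
                problems.append(f"{key} has unbalanced parentheses")
    return problems

# Constructed sample from the table's example values; the keys are hypothetical names.
SAMPLE = {
    "realm_name": "corp-ldap",
    "url": "ldap://localhost:10389",
    "system_username": "uid=admin,ou=system",
    "system_password": "example-only",
    "user_search_base": "ou=users,ou=system",
    "user_search_filter": "(&(objectClass=*)(uid={0}))",
    "group_mapping_enabled": True,
    "group_search_filter": "(objectClass=groupOfUniqueNames)",
}

print("\n".join(check_realm(SAMPLE)))
```

The sample deliberately enables group mapping without a group search base, so the check reports that omission alongside the ldap:// warning.
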
Group Mapping with External Directory Servers
FlexDeploy provides features to map external directory server groups to FlexDeploy groups, which makes it very easy to manage FlexDeploy users in your environment. Fine-grained access to FlexDeploy features is still controlled by FlexDeploy groups, and by mapping external directory groups to FlexDeploy groups, you essentially control access to FlexDeploy features. You can configure FlexDeploy group permissions using the Permissions page and from the Security section of individual objects supporting object-level permissions (folders/projects, target groups, releases, etc.).
In order to set up group mapping, first make sure to enable group mapping from the realm’s group mapping tab and provide the group search base and filter. If you haven’t already loaded external groups for this realm or they need to be refreshed, click the Fetch External Groups button or the Refresh External Groups button.
Select a specific FlexDeploy group to work with first. Then, search and select external groups to map to the selected FlexDeploy group. See the figure below, where we have mapped the LDAP group Enterprise Admins to the FlexDeploy FD Administrators group.
Realm configuration changes, including the mapping configuration, require a recycle of the FlexDeploy server process, but changes to the groups being mapped do not require a recycle.
Examples
Apache Directory Server Realm
Active Directory Realm
For Active Directory, FlexDeploy will use the User logon name (pre-Windows 2000) username instead of the normal one. See this picture for an example.
Using ldaps
A FlexDeploy realm can be configured to use the ldaps protocol, which requires adding a server certificate to Java cacerts or the application server trust store.
...