...
Info |
---|
FlexDeploy uses the memberOf virtual attribute to derive a user's groups, so group mapping will not work if your LDAP does not support that attribute. |
Configuring LDAP Realm
Only FlexDeploy Administrators can update Realm settings.
...
Click Create to create new LDAP realm.
...
Configure as explained below.
...
Field | Required | Description | ||
---|---|---|---|---|
Realm Name | Yes | |||
Description | No | |||
URL | Yes | URL to access LDAP server For example, ldap://localhost:10389 | ||
System Username | Yes | Read-only username to access LDAP server. This should be fully qualified username in LDAP. FlexDeploy will use the system username and system password to bind to LDAP for various operations. For example, uid=admin,ou=system | ||
System Password | Yes | Password for specified system user name. | ||
User Search Base | Yes | User base tree in LDAP server For example, ou=users,ou=system. | ||
User Search Filter | Yes | User search filter to find user records in user search base For example, (&(objectClass=*)(uid={0})), (&(objectClass=*)(sAMAccountName={0}))
| ||
Connect Timeout | No | A timeout, in seconds, for connecting to the external server. The default timeout is 30 seconds. If no value is provided, there is no timeout. | ||
Read Timeout | No | A timeout, in seconds, for LDAP read operations. The default timeout is 120 seconds. If no value is provided, there is no timeout. | ||
Follow Referrals | Yes | How to handle referrals (follow/ignore). The default is ignore. | ||
Group Mapping Enabled | Yes | Enable if you want to map LDAP groups to FlexDeploy groups. LDAP server must support memberOf attribute for group mapping in FlexDeploy. | ||
Group Search Base | No1 | Group base tree in LDAP server. For example, (ou=groups,ou=myrealm,dc=MyDomain) | ||
Group Search Filter | No1 | Search filter to find groups in group search base. For example, (objectClass=groupOfUniqueNames) |
...
Many customers are migrating from AD/LDAP to SSO to take advantage of Single sign on, 2 factor MFA, etc.
SAML and External Realm users are compatible with each other, so existing users will work fine using SAML instead, as long as their username matches up. To modify the username that is received by FlexDeploy, change the Unique User Identifier (Name ID) claim in the SAML provider. No changes are needed in FlexDeploy for this. If the username format doesn’t match, users will be asked to setup new accounts. Have a downtime window and test with a known user. If the user gets to the new user screen, then it didn’t work. Don’t have them complete the screen, instead go back and work on the name claim again.
...