
...

Info

FlexDeploy uses the memberOf virtual attribute to derive a user's groups, so group mapping will not work if your LDAP does not support that attribute.

Configuring LDAP Realm

Only FlexDeploy Administrators can update Realm settings.

...

Click Create to create a new LDAP realm.

...

Configure as explained below.

...

Field / Required / Description

Realm Name (Required: Yes)

Description (Required: No)

URL (Required: Yes)
URL used to reach the LDAP server. For example, ldap://localhost:10389

System Username (Required: Yes)
Read-only username used to access the LDAP server. This must be the fully qualified username (DN) in LDAP. FlexDeploy binds to LDAP with the system username and system password for various operations. For example, uid=admin,ou=system

System Password (Required: Yes)
Password for the specified system user name.

User Search Base (Required: Yes)
User base tree in the LDAP server. For example, ou=users,ou=system

User Search Filter (Required: Yes)
User search filter used to find user records within the user search base. For example, (&(objectClass=*)(uid={0})) or (&(objectClass=*)(sAMAccountName={0}))

Tip

To restrict the users able to log in to FlexDeploy by membership in a particular LDAP group, use a search filter similar to the following. This assumes that your LDAP supports the memberOf virtual attribute.

(&(objectClass=user)(sAMAccountName={0})(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local))

Similarly, allowing more than one group looks like this.

(&(objectClass=user)(sAMAccountName={0})(|(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local)(memberOf=CN=FDAdmins,CN=Users,DC=flexagondev,DC=local)))

Connect Timeout (Required: No)
A timeout, in seconds, for connecting to the external server. The default timeout is 30 seconds. If no value is provided, there is no timeout.

Read Timeout (Required: No)
A timeout, in seconds, for LDAP read operations. The default timeout is 120 seconds. If no value is provided, there is no timeout.

Follow Referrals (Required: Yes)
How to handle referrals (follow or ignore). The default is ignore.

Group Mapping Enabled (Required: Yes)
Enable this if you want to map LDAP groups to FlexDeploy groups. The LDAP server must support the memberOf attribute for group mapping in FlexDeploy.

Group Search Base (Required: No (1))
Group base tree in the LDAP server. For example, ou=groups,ou=myrealm,dc=MyDomain

Group Search Filter (Required: No (1))
Search filter used to find groups within the group search base. For example, (objectClass=groupOfUniqueNames)
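The group-restricted user search filters in the tip above are easy to get wrong by a single parenthesis, and the {0} placeholder is filled with whatever username is typed at login. The following added example (not FlexDeploy code; the helper names are hypothetical) builds a filter template for one or more groups, validates that a filter has balanced parentheses and a single top-level component, and substitutes the username with RFC 4515 escaping so a crafted username cannot change the filter's meaning.

```python
from typing import Iterable

# Hypothetical helpers written for this page; FlexDeploy's own realm code is not shown here.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # e.g. '*' -> '\2a', '(' -> '\28'
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter(username_attr: str, group_dns: Iterable[str],
                       object_class: str = "user") -> str:
    """Return a filter template (keeping the {0} placeholder) that matches the
    user by username_attr and requires membership in any of group_dns."""
    clauses = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)
    if clauses.count("(memberOf=") > 1:
        clauses = "(|%s)" % clauses          # OR the group clauses together
    return "(&(objectClass=%s)(%s={0})%s)" % (object_class, username_attr, clauses)


def render_filter(template: str, username: str) -> str:
    """Fill {0} with the escaped username, as the realm would at login time."""
    return template.replace("{0}", escape_filter_value(username))


def validate_filter(filter_str: str) -> bool:
    """True when parentheses balance and there is exactly one top-level component.
    '(objectClass=user)(uid={0})' is balanced but is not a single filter: it needs (&...)."""
    depth = 0
    top_level = 0
    for ch in filter_str:
        if ch == "(":
            if depth == 0:
                top_level += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and top_level == 1
```

Run validate_filter on a candidate before saving it in the realm; a False result means the filter will never match any user.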

...

Many customers are migrating from AD/LDAP to SSO to take advantage of single sign-on, multi-factor authentication (MFA), etc.

SAML and External Realm users are compatible with each other, so existing users will work fine using SAML instead, as long as their username matches up. To modify the username that FlexDeploy receives, change the Unique User Identifier (Name ID) claim in the SAML provider. No changes are needed in FlexDeploy for this. If the username format doesn’t match, users will be asked to set up new accounts.

Plan a downtime window and test with a known user. If the user gets to the new user screen, then the claim mapping didn’t work. Don’t have them complete the screen; instead go back and work on the name claim again.

...