
Create / Edit Realm

To create a new realm, click the Create button. To edit an existing realm, click the realm name or select Edit from the options menu. Note that the internal fdRealm cannot be edited. Use the Active button to activate or deactivate a specific realm. The Delete option in each row's menu completely removes that realm from the FlexDeploy configuration.

Any change to a realm's configuration, other than updating group mappings, requires the FlexDeploy application server to be restarted before it takes effect. You can test the realm's connection details by clicking the Test Connection button.

Enter the details for the LDAP realm as described in the table of inputs below, then click the Save button to save your changes.

All LDAP realm users must be under a specific branch on the LDAP server, which is searched based on the User Search Base and User Search Filter on the general tab.

FlexDeploy uses the memberOf virtual attribute to derive a user's groups, so group mapping will not work if your LDAP does not support that attribute.

Inputs (field, whether it is required, description):

Realm Name
Required: Yes

Description
Required: No

URL
Required: Yes
URL used to reach the LDAP server. For example: ldap://localhost:10389

System Username
Required: Yes
Read-only user that FlexDeploy binds as for its LDAP operations, given as a fully qualified LDAP name. For example: uid=admin,ou=system

System Password
Required: Yes
Password for the specified system username.

User Search Base
Required: Yes
Base of the user tree on the LDAP server. For example: ou=users,ou=system

User Search Filter
Required: Yes
Search filter used to find user records under the user search base. For example: (&(objectClass=*)(uid={0})) or (&(objectClass=*)(sAMAccountName={0}))

To restrict login to FlexDeploy to members of a particular LDAP group, use a search filter similar to the following. This assumes that your LDAP server supports the memberOf virtual attribute.

(&(objectClass=user)(sAMAccountName={0})(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local))

Similarly, allowing more than one group looks like this:

(&(objectClass=user)(sAMAccountName={0})(|(memberOf=CN=FDDevelopers,CN=Users,DC=flexagondev,DC=local)(memberOf=CN=FDAdmins,CN=Users,DC=flexagondev,DC=local)))

Connect Timeout
Required: No
Timeout, in seconds, for connecting to the external server. The field defaults to 30 seconds; if it is left empty, no timeout is applied.

Read Timeout
Required: No
Timeout, in seconds, for LDAP read operations. The field defaults to 120 seconds; if it is left empty, no timeout is applied.

Follow Referrals
Required: Yes
How to handle LDAP referrals: follow or ignore. The default is ignore.

Group Mapping Enabled
Required: Yes
Enable to map LDAP groups to FlexDeploy groups. The LDAP server must support the memberOf attribute for group mapping to work.

Group Search Base
Required: No (yes if group mapping is enabled)
Base of the group tree on the LDAP server. For example: ou=groups,ou=myrealm,dc=MyDomain

Group Search Filter
Required: No (yes if group mapping is enabled)
Search filter used to find groups under the group search base. For example: (objectClass=groupOfUniqueNames)
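As an added check that is not part of FlexDeploy or this page, the Python below validates a User Search Filter template the way the examples above are written (one enclosing parenthesised expression, so a stray or missing parenthesis is caught before the realm is saved) and expands the {0} placeholder with an RFC 4515-escaped login name, so that metacharacters typed at login cannot change the filter's structure. It assumes {0} is replaced with the name the user types, as the examples imply; the filter strings and usernames it runs are constructed from the ones on this page.

```python
def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters * ( ) \\ and NUL become backslash plus two hex digits, so
    the value cannot change the structure of the filter it is placed in.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)

def check_filter(filter_str: str):
    """Return None if filter_str is a single balanced parenthesised
    expression, otherwise a short description of the problem."""
    if not filter_str.startswith('('):
        return 'filter must start with "("'
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return 'unmatched ")" at position %d' % i
            # Back to depth 0 before the end means a second top-level
            # expression follows, e.g. "(a)(b)" with no enclosing (&...).
            if depth == 0 and i != len(filter_str) - 1:
                return 'more than one top-level expression; wrap in (&...)'
    if depth != 0:
        return 'missing %d closing parenthesis(es)' % depth
    return None

def build_user_filter(template: str, username: str) -> str:
    """Expand the {0} placeholder with the escaped login name."""
    if '{0}' not in template:
        raise ValueError('template has no {0} placeholder')
    problem = check_filter(template)
    if problem:
        raise ValueError('bad filter template: ' + problem)
    return template.replace('{0}', escape_filter_value(username))

if __name__ == '__main__':
    # Constructed inputs: a filter from this page and sample login names.
    template = '(&(objectClass=*)(sAMAccountName={0}))'
    print(build_user_filter(template, 'jdoe'))
    print(build_user_filter(template, 'jdoe*)'))  # metacharacters escaped
    print(check_filter('(objectClass=user)(sAMAccountName={0})'))
```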