LDAP domain properties

To edit properties of a created LDAP domain:
  1. Select Administration > LDAP > <Domain Name>.
  2. Select the domain to edit. Properties are shown in the LDAP domain properties panel.
     Figure: Configuration parameters on the New LDAP Domain panel
  3. Edit the values for any of the fields, and then click Save. The following fields are required:
    • Name
    • Host
    • Bind User Account
    • Protocol
    • Display Name
    • Distinguished Name
    • Mail Name
    • Unique Identifier
  4. If you want this domain to be the default, click Make Default.
Name
Required. Name for the LDAP domain within Build Forge. If there is at least one LDAP domain configured, the Build Forge login form lists them by this name.
Admin DN
Account to use to provide search access to the LDAP server database. If your server allows an anonymous bind for searching the database, leave this field blank.

Some LDAP servers require an administrative bind to search the database. This setting allows you to specify the DN of the administrator account, as shown in the following example.

cn=Administrator,cn=users,dc=example,dc=com

Specify the password for the Admin DN account in the Password and Verify Password fields.

Map Access Groups
Determines whether to map group information from the LDAP server to access groups in the Management Console. The default is No. Each access group in Build Forge must have its LDAP Group DNs property set to the correct group name in LDAP.
  • If No, then LDAP groups are not mapped to Build Forge access groups. You can assign users to access groups in Build Forge after they have logged in at least once. Using this option implies that you manage access groups for users within Build Forge. Default access groups are applied when the user first logs in and has a user name created in Build Forge.
  • If Yes, Build Forge refreshes group membership information from the LDAP server for a user every time the user logs in to Build Forge. Any changes to access group membership made for the user within Build Forge since the last login are overwritten. Using this option implies that you manage all group memberships in LDAP. LDAP group memberships are automatically mapped to access groups in Build Forge (memberships are added or removed to match LDAP). Group properties are used as follows to determine group membership for a user:
    1. If Group Name is not blank, query for the value of the keyword specified. Use the values returned as the groups for the user.
    2. If Group Name is blank or its query does not return a value, then use Groups Search Base and Groups Unique Identifier to query for LDAP groups that the user belongs to.
    3. If no group information is returned by steps 1 and 2, the user is allowed to log in and is assigned membership in the access groups that are specified as default access groups for new users.
Host
Required. Host name and port of the LDAP server. Examples:
ldapserver.mycompanyname.com
ldap.mycompany.com:9000
Password
Password for the Admin DN account. Required if Admin DN is specified.
Verify Password
Repeat entry of the Admin DN password. Required if Admin DN is specified.
Bind User Account
Required. Determines whether Build Forge attempts to validate user credentials against LDAP at login time. The default is Yes.
  • If Yes, Build Forge checks the user name and password supplied at login against the LDAP server.
  • If No, Build Forge accepts the user name without validating the password against LDAP. This setting is used only when an external password validation is implemented for Build Forge, such as Single Sign-on (SSO), which then authenticates the user before the request reaches Build Forge.
Protocol
Required. Identifies the protocol Build Forge uses to read and write data from the directory service for the purpose of authenticating Build Forge users. The default is LDAP. Enter LDAPS if you use LDAP over SSL (LDAPS). Additional setup is required for this option. See Enabling secure LDAP (LDAPS).
Display Name
Required. Enter the keyname that specifies the full name of the user.
Distinguished Name
Required. Enter the keyname that specifies the Distinguished Name for a user account.
Mail Name
Required. Enter the keyname that specifies an email address for the user.
Group Name
Enter the keyname in the LDAP schema that holds the list of groups the user is a member of. Used only when Map Access Groups is Yes or Authorized Group DN is used.
Authorized Group DN
Distinguished Name of an LDAP group. If set, then only members of the specified group are allowed to log in. If blank, then any valid LDAP user can log in to the console.
Write Access Group DN
Determines whether the user has normal or read-only access. The value is one of the following:
  • blank - for new logins, the user type is set to Normal. Existing users keep their assigned user type (Normal, Read-only, or API). The type is set in Administration > Users.
  • * (asterisk) - all logins are given user type Normal.
  • LDAP group name - if the user belongs to the group, then the user's type is set to Normal. If the user does not belong to the group, then the user's type is set to Read-only.
  • Other - use any other value to force all users to be Read-only. Example: RO.
Search Base
Required. Search string used to query LDAP records for users. Example:
cn=users,dc=buildforge,dc=com
Unique Identifier
Required. Identifies the field in the LDAP database to compare with the user name that a user enters at login. Use a % character as the placeholder for the login name entered by the user. Example:
(sAMAccountName=%)
Groups Search Base
Requires Groups Unique Identifier. Used only when Map Access Groups is Yes or Authorized Group DN is used. Search string used to query LDAP records for group data. Needed if your LDAP database stores group membership in a database that is separate from the database used to store user records. Example:
cn=groups,dc=buildforge,dc=com
Groups Unique Identifier
Requires Groups Search Base. Used only when Map Access Groups is Yes or Authorized Group DN is used. Identifies the field in the LDAP user database to use to obtain group membership information. The filter can use any of the data fields for a user account as a key into the groups table. Use the %fieldname% syntax to identify the field. The following example works if your groups table uses the sAMAccountName field as the key for users.
sAMAccountName=%sAMAccountname%
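The two substitution forms described on this page (the single % placeholder in Unique Identifier and the %fieldname% form in Groups Unique Identifier), the three-step group lookup described under Map Access Groups, and the Write Access Group DN rules, as an added Python example. This is not Build Forge code and it does not contact an LDAP server: the directory entries, the DOMAIN settings dictionary, the default access group name and all function names are constructed for illustration. The example escapes the login name per RFC 4515 before substituting it into the filter; that is the practice a defender would want, not a statement of what Build Forge itself does.

```python
import re

# Constructed in-memory directory (not from any real server): three user entries and
# two group entries. The groups carry sAMAccountName values as their key, matching the
# Groups Unique Identifier example above.
USERS = [
    {"dn": "cn=Jane Doe,cn=users,dc=buildforge,dc=com", "sAMAccountName": "jdoe",
     "displayName": "Jane Doe", "mail": "jdoe@example.com",
     "memberOf": ["cn=developers,cn=groups,dc=buildforge,dc=com"]},
    {"dn": "cn=Sam Ops,cn=users,dc=buildforge,dc=com", "sAMAccountName": "sops",
     "displayName": "Sam Ops", "mail": "sops@example.com"},
    {"dn": "cn=New Hire,cn=users,dc=buildforge,dc=com", "sAMAccountName": "newbie",
     "displayName": "New Hire", "mail": "newbie@example.com"},
]
GROUPS = [
    {"dn": "cn=developers,cn=groups,dc=buildforge,dc=com", "sAMAccountName": ["jdoe"]},
    {"dn": "cn=release,cn=groups,dc=buildforge,dc=com", "sAMAccountName": ["sops", "jdoe"]},
]

# Hypothetical domain settings, keyed by the field names used on this page.
DOMAIN = {
    "search_base": "cn=users,dc=buildforge,dc=com",
    "unique_identifier": "(sAMAccountName=%)",
    "group_name": "memberOf",
    "groups_search_base": "cn=groups,dc=buildforge,dc=com",
    "groups_unique_identifier": "sAMAccountName=%sAMAccountname%",
    "write_access_group_dn": "cn=developers,cn=groups,dc=buildforge,dc=com",
}

def get_attr(entry, name):
    """LDAP attribute names are case-insensitive; always return the values as a list."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value if isinstance(value, list) else [value]
    return []

def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

def build_user_filter(unique_identifier, login_name):
    """Replace the single % placeholder with the escaped login name."""
    return unique_identifier.replace("%", escape_filter_value(login_name))

def build_group_filter(groups_unique_identifier, user_entry):
    """Replace each %fieldname% with that attribute of the authenticated user's entry."""
    def substitute(match):
        values = get_attr(user_entry, match.group(1))
        if not values:
            raise KeyError("user entry has no attribute %r" % match.group(1))
        return escape_filter_value(values[0])
    return re.sub(r"%([^%]+)%", substitute, groups_unique_identifier)

def search(entries, search_base, ldap_filter):
    """Toy evaluator for a single equality filter, scoped to entries under search_base."""
    attr, value = ldap_filter.strip("()").split("=", 1)
    return [e for e in entries
            if e["dn"].lower().endswith(search_base.lower())
            and value.lower() in (v.lower() for v in get_attr(e, attr))]

def resolve_groups(domain, login_name, default_groups):
    """Map Access Groups = Yes: the three-step lookup from the Group Name description."""
    users = search(USERS, domain["search_base"],
                   build_user_filter(domain["unique_identifier"], login_name))
    if len(users) != 1:
        return None          # unknown or ambiguous login name: nothing to map
    user = users[0]
    # 1. Group Name keyword on the user entry, when the field is set and returns values
    if domain.get("group_name"):
        groups = get_attr(user, domain["group_name"])
        if groups:
            return groups
    # 2. query the groups tree with Groups Search Base / Groups Unique Identifier
    if domain.get("groups_search_base") and domain.get("groups_unique_identifier"):
        hits = search(GROUPS, domain["groups_search_base"],
                      build_group_filter(domain["groups_unique_identifier"], user))
        if hits:
            return [g["dn"] for g in hits]
    # 3. nothing found: the default access groups for new users apply
    return list(default_groups)

def resolve_user_type(write_access_group_dn, user_groups, existing_type=None):
    """Write Access Group DN rules: blank, *, a group name, or any other value."""
    value = (write_access_group_dn or "").strip()
    if value == "":
        return existing_type or "Normal"   # new logins Normal, existing users keep type
    if value == "*":
        return "Normal"
    if value.lower() in (g.lower() for g in user_groups):
        return "Normal"
    return "Read-only"       # an unknown group or a token such as RO fails closed

if __name__ == "__main__":
    for login in ("jdoe", "sops", "newbie", "*)(objectClass=*"):
        groups = resolve_groups(DOMAIN, login, ["DefaultNewUsers"])
        if groups is None:
            print(login, "-> no matching user entry")
        else:
            print(login, "->", groups,
                  resolve_user_type(DOMAIN["write_access_group_dn"], groups))
```

Running the block shows jdoe resolved through step 1 (the memberOf attribute), sops through step 2 (the groups tree, keyed by sAMAccountName), newbie through step 3 (the default access groups), and a login name containing filter metacharacters matching nothing because it was escaped rather than spliced into the filter. Only a user whose resolved groups include the Write Access Group DN value ends up with the Normal type; everyone else is Read-only, which is the fail-closed behaviour the Write Access Group DN description specifies.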