Administration › Options Manager › LDAP Options

LDAP Options

The following LDAP options are available for installation from Options Manager on the Administration tab.

Note: The options identified as required must be installed together to enable integration with an LDAP directory. The options identified as optional are features you can add only if the required options are installed.

default_ldap_tenant (required)

Specifies the default tenant for contacts imported from an LDAP directory into an installation that is configured for a multi-tenancy environment. The option value must set to the UUID for that tenant. You can get the tenant UUID from a database query. For example, "SELECT * FROM ca_tenant".

Important! This option is only required if multi-tenancy is enabled. Before you run the pdm_buildtenant utility, and if you want to retain the tenant value, you must modify NX.env by adding the NX_RETAIN_TENANT_VALUE variable manually, and set it to "yes". If this variable is set to "no", missing, or not set properly, the utility overwrites the tenant information.

ldap_dn (required)

Specifies the LDAP distinguishedName for logging in to the LDAP server.

Example: CN=Joe, CN=Users, DC=KLAND, DC=AD, DC=com

Depending on your site's network configuration, the userid may be used instead of a distinguishedName.

Note: If the LDAP server supports anonymous binds, this value can be empty. For example, if the LDAP directory is the CA EEM identity store, this option is not required because CA EEM allows anonymous access.

ldap_enable (required)

Specifies whether LDAP integration is enabled. The default value is Yes. In addition to this option, you install all other LDAP options indicated as required.

ldap_enable_auto (optional)

Specifies whether automatic creation of contacts from LDAP information is enabled. The default value is Yes. If you install this option, a contact is automatically created from LDAP information whenever a new user logs in.

ldap_enable_groups (optional)

Specifies whether CA SDM assigns a contact's Access Type based on LDAP Group membership. The default value is Yes.

To use this feature, you associate CA SDM Access Types with LDAP Groups.

Note: This option is only applicable for Microsoft Active Directory.

ldap_enable_tls (optional)

Specifies whether Transport Layer Security (TLS) is enabled during LDAP processing. The default option value is Yes.

ldap_group_object_class (required if ldap_enable_groups is installed)

Specifies the value of the LDAP objectClass attribute. The default value is group. This value is always included in the where clause of the automatically generated filters used to search for LDAP groups.

ldap_host (required)

Specifies the LDAP server hostname or IP address.

Note: If the LDAP directory is the CA EEM identity store, use the hostname of the machine where Ingres is installed.

ldap_port (required)

Specifies the LDAP server port number.

Note: If the LDAP directory is the CA EEM identity store, use 1684 for the port number.

ldap_pwd (required)

Specifies the password for the ldap_dn for logging in to the LDAP server.

Note: If the LDAP server supports anonymous binds, this value can be empty. For example, if the LDAP directory is the CA EEM identity store, this option is not required because CA EEM allows for anonymous access.

ldap_search_base (required)

Specifies the starting point for searches in the LDAP schema tree:

• UNIX -- You must specify a starting container, such as: CN=Users, DC=KLAND, DC=AD, DC=com
• Windows -- You do not have to specify a container and may start at the top of the schema tree, such as: DC=KLAND, DC=AD, DC=com

Note: If the LDAP directory is the CA EEM identity store, then use: cn=Users,cn=Entities,cn=iTechPoz This is only applicable when CA EEM is configured to use the MDB rather than an external directory.

ldap_service_type (optional)

Install this option to establish the LDAP service type. If the LDAP type is Active Directory, specify the string “Active Directory”. If the LDAP type is not Active Directory, specify any other string, for example, “eTrust” or “Novell”.

ldap_sync_on_null (optional)

Specifies whether existing contact attribute values are overwritten with null data if the corresponding LDAP user attribute contains a null value. The default value is Yes.

ldap_user_object_class (required)

Sets the value of the LDAP objectClass attribute. The default value is person. This value is always included in the where clause of the automatically generated filters used to search for LDAP users.

Note: If the LDAP directory is the CA EEM identity store, use pozObject. For many non-AD LDAP stores, the correct setting is inetOrgPerson.

num_ldap_agents (optional)

Specifies the number of LDAP agents. Install this option only if you have multiple LDAP agents. The default value is 2.