LDAP authentication use cases

Authenticate using Microsoft Active Directory and retrieve user group information

Set up an authenticator that authenticates users against Microsoft Active Directory. User group relationships are maintained in Active Directory, and QuickBuild should respect them and use them for user authorization.

  1. For each Active Directory group for which you want to set QuickBuild permissions, create a group with the same name in QuickBuild and assign it the appropriate permissions.

  2. Assume that the domain of the Active Directory is pmease.com, users are managed under the LDAP entry cn=Users,dc=pmease,dc=com, and groups are managed under the entry ou=Groups,dc=pmease,dc=com (refer here for how to determine the LDAP entry for a particular Active Directory node). The user Administrator is used to search user and group information. Create an LDAP authenticator with the following settings:

    LDAP Url

    Set this property to ldap://<Active Directory server name>:389. If your Active Directory server can only be connected to using SSL, use the ldaps protocol instead, and refer here for how to trust the server's public key.

    Bind user

    Set this property to be: cn=Administrator,cn=Users,dc=pmease,dc=com

    Bind password

    Set this property to the password of the user Administrator.

    User search base

    Set this property to be: cn=Users,dc=pmease,dc=com

    User search filter

    Set this property to be: (&(sAMAccountName={0})(objectclass=person))

    User email attribute

    Set this property to be: mail

    Group name attribute

    Set this property to be: cn

    Group search base

    Set this property to be: ou=Groups,dc=pmease,dc=com

    Group search filter

    Set this property to be: (&(member={0})(objectclass=group))

    All other properties should be left empty, or just use the default value.

  3. You should now be able to log in to QuickBuild with an account managed in Active Directory.
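
The two searches configured in step 2, as an added Python example that is not QuickBuild's own code: the login name is escaped per RFC 4515 before it replaces {0}, the user search must return exactly one entry, and that entry's DN is substituted into the group search filter. The directory entries and the minimal matcher for the (&(a=v)(b=w)) filter shape are constructed for this example.

```python
import re

# Added example, not QuickBuild code: simulates the authenticator's user
# search followed by group search against a constructed in-memory directory.
USER_FILTER = "(&(sAMAccountName={0})(objectclass=person))"
GROUP_FILTER = "(&(member={0})(objectclass=group))"
# RFC 4515 escapes; a real server treats an unescaped "*" as a wildcard and
# unescaped parentheses as filter structure, so {0} must never be raw input.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESC.get(c, c) for c in value)

def render_filter(template, value):
    """Substitute {0} with the escaped value, as the authenticator must."""
    return template.replace("{0}", escape_filter_value(value))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_and_filter(flt):
    """Parse the (&(a=v)(b=w)) shape of the templates into (attr, value) pairs."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    pairs = re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1))
    return [(a.lower(), _unescape(v)) for a, v in pairs]

def search(directory, flt):
    """Return entries satisfying every equality assertion of the filter."""
    conds = parse_and_filter(flt)
    return [e for e in directory
            if all(v in e.get(a, []) for a, v in conds)]

# Constructed sample entries (names and DNs are made up).
DIRECTORY = [
    {"dn": "CN=Alice,CN=Users,DC=pmease,DC=com", "objectclass": ["person"],
     "samaccountname": ["alice"], "mail": ["alice@pmease.com"]},
    {"dn": "CN=Developers,OU=Groups,DC=pmease,DC=com", "objectclass": ["group"],
     "cn": ["Developers"], "member": ["CN=Alice,CN=Users,DC=pmease,DC=com"]},
]

def groups_for_login(login, directory=DIRECTORY):
    """Group names for login, or None unless the user search hits exactly once."""
    users = search(directory, render_filter(USER_FILTER, login))
    if len(users) != 1:
        return None
    groups = search(directory, render_filter(GROUP_FILTER, users[0]["dn"]))
    return sorted(g["cn"][0] for g in groups)
```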

Tip

To browse Active Directory user and group information in an LDAP-friendly way (that is, to browse DNs and the various attribute names and values), you may want to install an LDAP client (such as JXplorer) and connect it to your Active Directory using the LDAP Url, Bind user and Bind password listed above. Then specify the appropriate base parameter (for example dc=pmease,dc=com).

Use the LDAP authenticator with self binding if you do not want a separate binding account to be used for search operations. In that case, the authenticator binds to the LDAP server and performs search operations using the login user's own account. However, not all LDAP servers support this mode well.

Authenticate using Microsoft Active Directory, but manage user group relationship in QuickBuild

Authenticate users against Microsoft Active Directory without using its group information. All users in Active Directory initially get the same set of QuickBuild groups, and the group information for a particular user can be modified later.

  1. Let's assume that the domain of the Active Directory is pmease.com, users are managed under pmease.com/Users, and groups are managed under pmease.com/Groups. The user Administrator is used to search user and group information. Create an LDAP authenticator with the following settings:

    Default groups

    Choose the QuickBuild groups that will be associated with users managed in Active Directory. The group information for a particular user can be changed by editing the user entry, which is created in QuickBuild after that user's first successful login.

    LDAP Url

    Set this property to ldap://<Active Directory server name>:389. If your Active Directory server can only be connected to using SSL, use the ldaps protocol instead, and refer here for how to trust the server's public key.

    Bind user

    Set this property to be: cn=Administrator,cn=Users,dc=pmease,dc=com

    Bind password

    Set this property to the password of the user Administrator.

    User search base

    Set this property to be: cn=Users,dc=pmease,dc=com

    User search filter

    Set this property to be: (&(sAMAccountName={0})(objectclass=person))

    User email attribute

    Set this property to be: mail

    All other properties should be left empty, or just use the default value.

  2. You should now be able to log in to QuickBuild with an account managed in Active Directory.

Tip

To browse Active Directory user and group information in an LDAP-friendly way (that is, to browse DNs and the various attribute names and values), you may want to install an LDAP client (such as JXplorer) and connect it to your Active Directory using the LDAP Url, Bind user and Bind password listed above. Then specify the appropriate base parameter (for example dc=pmease,dc=com).

Use the LDAP authenticator with self binding if you do not want a separate binding account to be used for search operations. In that case, the authenticator binds to the LDAP server and performs search operations using the login user's own account. However, not all LDAP servers support this mode well.

Authenticate using Fedora Directory Server and retrieve user role information

Set up an authenticator that authenticates users against Fedora Directory Server. User role relationships are maintained in the Directory Server, and QuickBuild should respect them and use them for user authorization.

  1. For each Directory Server role for which you want to set QuickBuild permissions, create a role with the same name in QuickBuild and assign it the appropriate permissions.

  2. Let's assume that users are managed under ou=People,dc=pmease,dc=com, and roles are managed under ou=Role,dc=pmease,dc=com. The DN cn=Manager,dc=pmease,dc=com is used to search user and group information. Create an LDAP authenticator with the following settings:

    LDAP Url

    Set this property to ldap://<Fedora Directory Server name>:389. If your directory server can only be connected to using SSL, use the ldaps protocol instead, and refer here for how to trust the server's public key.

    Bind user

    Set this property to be: cn=Manager,dc=pmease,dc=com

    Bind password

    Set this property to the password of the above user.

    User search base

    Set this property to be: ou=People,dc=pmease,dc=com

    User search filter

    Set this property to be: (&(uid={0})(objectclass=person))

    User email attribute

    Set this property to be: mail

    Group name attribute

    Set this property to be: cn

    User groups attribute

    Set this property to be: nsroledn

    All other properties should be left empty, or just use the default value.

  3. You should now be able to log in to QuickBuild with an account managed in Fedora Directory Server.
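
How the role names from step 2 reach QuickBuild when "User groups attribute" is nsroledn, as an added Python example that is not QuickBuild's own code: the role DNs are read from the user entry itself, so no group search is issued, and the name is taken from the RDN named by "Group name attribute" (cn). That RDN mapping is an assumption of this example, and the user entry is constructed.

```python
# Added example, not QuickBuild code: with "User groups attribute" set to
# nsroledn, membership comes from the user entry, not from a group search;
# each value is a role DN and (assumed here) the group name is the value of
# the RDN whose type equals "Group name attribute".
GROUP_NAME_ATTRIBUTE = "cn"

def split_dn(dn):
    """Split a DN into (type, value) RDN pairs, honouring RFC 4514 backslash escapes."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                 # escaped char (e.g. "\," inside a value)
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        rdn_type, _, value = rdn.partition("=")
        pairs.append((rdn_type.strip().lower(), value.strip()))
    return pairs

def role_name(role_dn, name_attr=GROUP_NAME_ATTRIBUTE):
    """Value of the leftmost RDN whose type equals the group name attribute."""
    for rdn_type, value in split_dn(role_dn):
        if rdn_type == name_attr.lower():
            return value
    return None  # no such RDN: the DN cannot be mapped to a QuickBuild role

def roles_for_user(entry, groups_attr="nsroledn"):
    """QuickBuild role names to grant, derived from the user's role DNs."""
    names = (role_name(dn) for dn in entry.get(groups_attr, []))
    return sorted(n for n in names if n)

# Constructed user entry as a directory server would return it.
SAMPLE_USER = {
    "dn": "uid=alice,ou=People,dc=pmease,dc=com",
    "uid": ["alice"],
    "nsroledn": ["cn=Developers,ou=Role,dc=pmease,dc=com",
                 "cn=QA\\, Release,ou=Role,dc=pmease,dc=com"],
}
```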

Tip

Use the LDAP authenticator with self binding if you do not want a separate binding account to be used for search operations. In that case, the authenticator binds to the LDAP server and performs search operations using the login user's own account. However, not all LDAP servers support this mode well.