
DTP is pre-configured to meet most LDAP system requirements, but you may have to configure additional directory settings if the minimal LDAP configuration is unsuccessful. After changing a configuration, you should click Preview Data to verify the settings. This function does not persist data and is a useful tool for ensuring that your LDAP configuration functions as expected.


User Search Configuration

Base DN

This is the context DN under which the directory objects reside. If empty, DTP uses the root DN of the directory tree. You can specify more than one base DN. Configure this setting only to narrow down the users retrieved from the directory server. The following examples describe how you can filter the data retrieved from the directory server by configuring the base DN:

Example: No base DN set (the root DN of the directory tree is used)
Configuration:
  1. Click Preview Data to return objects (users) and their immediate ancestor (parent DN) in the Preview Data overlay.
  2. Copy the parent DN(s) of the users you wish to scan from the Preview Data overlay to the Base DN field to only scan for users under the specific DN(s).

Example: Entering multiple base DNs to import specific groups of users
Configuration:
Organizational units (ou) and domain components (dc) are used to define directory tree structures. In this example, the directory tree is organized in the following way:

ou=US,ou=People,dc=company,dc=com
ou=Europe,ou=People,dc=company,dc=com
ou=Asia,ou=People,dc=company,dc=com

You can enter the following base DNs to scan users from Europe and Asia only:

ou=Europe,ou=People,dc=company,dc=com
ou=Asia,ou=People,dc=company,dc=com

Filter

Enter an expression in the Filter field to search on specific parameters. Searches are performed on the base DN(s) and scope specified. The following table contains examples that describe some of the ways filters can be used:

Example: Simple filter for users under the provided base DN
Configuration:

(&(sAMAccountName={0})(objectclass=person))

Example: Find the devel1 and devel2 users only
Configuration:

(&(sAMAccountName={0})(objectclass=person)(|(sAMAccountName=devel1)(sAMAccountName=devel2)))

Example: Find users that are members of the group Managers
Configuration:

(&(sAMAccountName={0})(objectclass=person)(memberOf=cn=Managers,cn=Users,ou=company,ou=com))
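The filters above contain a {0} placeholder that DTP fills with the login being looked up. The following added example (not DTP's own code) shows how that substitution should be done: the login is escaped as RFC 4515 requires before it is placed in the filter, and a small parser for the AND/OR/NOT-plus-equality subset used on this page checks that the filled-in filter still has the structure the administrator wrote. The filter strings are the ones from the page; the parser, the escaping helper and the sample logins are assumptions added for illustration.

```python
# Added example (not part of the DTP documentation): fill the {0} login
# placeholder in the page's filter examples safely and inspect the result.

# Filter templates copied from the page; {0} is the login being looked up.
SIMPLE_FILTER = "(&(sAMAccountName={0})(objectclass=person))"
DEVEL_FILTER = ("(&(sAMAccountName={0})(objectclass=person)"
                "(|(sAMAccountName=devel1)(sAMAccountName=devel2)))")
MANAGERS_FILTER = ("(&(sAMAccountName={0})(objectclass=person)"
                   "(memberOf=cn=Managers,cn=Users,ou=company,ou=com))")

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value so that they are matched literally instead of read as filter syntax.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, login: str) -> str:
    """Replace the {0} placeholder with the escaped login."""
    return template.replace("{0}", escape_filter_value(login))


def parse_filter(expr: str):
    """Parse a filter into nested tuples: ('&', [...]), ('|', [...]),
    ('!', [sub]) or ('=', attribute, value). Only the subset used on this
    page is supported; malformed input raises ValueError."""
    node, pos = _parse(expr, 0)
    if pos != len(expr):
        raise ValueError("trailing characters after filter")
    return node


def _parse(expr: str, pos: int):
    if pos >= len(expr) or expr[pos] != "(":
        raise ValueError(f"expected '(' at position {pos}")
    pos += 1
    if pos < len(expr) and expr[pos] in "&|!":
        op = expr[pos]
        pos += 1
        children = []
        while pos < len(expr) and expr[pos] == "(":
            child, pos = _parse(expr, pos)
            children.append(child)
        if pos >= len(expr) or expr[pos] != ")":
            raise ValueError(f"expected ')' at position {pos}")
        if op == "!" and len(children) != 1:
            raise ValueError("NOT takes exactly one operand")
        return (op, children), pos + 1
    # Equality assertion: attribute=value up to the next unescaped ')'.
    # Escaped values never contain a raw ')', so a plain search is enough.
    end = expr.find(")", pos)
    if end == -1:
        raise ValueError("unterminated assertion")
    attribute, sep, value = expr[pos:end].partition("=")
    if not sep or not attribute:
        raise ValueError(f"malformed assertion at position {pos}")
    return ("=", attribute, value), end + 1


if __name__ == "__main__":
    for template in (SIMPLE_FILTER, DEVEL_FILTER, MANAGERS_FILTER):
        # "jsmith" is a constructed sample login.
        print(parse_filter(build_filter(template, "jsmith")))
```

Parsing the filled-in filter is a cheap way to confirm that the number and shape of the assertions is exactly what was configured; a login containing filter metacharacters that was not escaped would change that shape, which is why the escaping step is not optional.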

Scope

Enter a value in the Scope field to define the depth and breadth of searches: Object (the base DN entry only), OneLevel (immediate children of the base DN) or Subtree (the base DN and everything below it).
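Base DN and Scope together decide which directory entries a user search can return. The following added example (not DTP's own code) models that selection offline: it splits DNs into their RDN components, checks that an entry sits under a configured base DN, and applies the Object, OneLevel or Subtree scope. The directory layout follows the ou=US/Europe/Asia example above; the individual entry DNs are constructed sample data, and lower-casing whole RDNs is a simplification of LDAP's attribute-specific matching rules.

```python
# Added example (not part of the DTP documentation): how base DN(s) and scope
# narrow a user search. Entry DNs below are constructed sample data.
from typing import List

SAMPLE_ENTRIES = [
    "cn=alice,ou=US,ou=People,dc=company,dc=com",
    "cn=bob,ou=Europe,ou=People,dc=company,dc=com",
    "cn=carol,ou=Asia,ou=People,dc=company,dc=com",
    "cn=dave,ou=Contractors,ou=Asia,ou=People,dc=company,dc=com",
    "ou=Asia,ou=People,dc=company,dc=com",
]


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN components, honouring backslash-escaped commas
    (RFC 4514). Components are stripped and lower-cased so comparisons are
    case-insensitive (a simplification of LDAP's matching rules)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip().lower())
    return parts


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if a search rooted at base_dn with the given scope would return
    entry_dn. An empty base_dn stands for the directory root."""
    entry = split_dn(entry_dn)
    base = split_dn(base_dn) if base_dn else []
    # The entry's DN must end with the base DN's components.
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)  # 0 = the base entry, 1 = direct child
    scope = scope.lower()
    if scope == "object":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope: {scope}")


def select_entries(entries: List[str], base_dns: List[str], scope: str) -> List[str]:
    """Apply every configured base DN (an empty list means the root DN) and
    return the matching entries in their original order."""
    bases = base_dns or [""]
    return [e for e in entries if any(in_scope(e, b, scope) for b in bases)]


if __name__ == "__main__":
    europe_asia = ["ou=Europe,ou=People,dc=company,dc=com",
                   "ou=Asia,ou=People,dc=company,dc=com"]
    for scope in ("Subtree", "OneLevel", "Object"):
        print(scope, select_entries(SAMPLE_ENTRIES, europe_asia, scope))
```

Running the script with the two base DNs from the example shows why Subtree is the usual choice: OneLevel drops dave, who sits one level deeper under ou=Contractors, and Object returns only the ou=Asia container itself rather than any user.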

Attributes

User Administration queries directory objects and maps each result object into a User Administration object. The Attributes mapping section therefore defines how User Administration object attributes map to directory object attributes. This is pre-configured, but you can change the attribute mapping at any time to better meet your organization's needs.

Click Preview Data to verify how the objects are mapped.

Other Configuration

Active: Activates/deactivates the directory configuration.
Use Node Referrals: Enables/disables the JNDI lookup java.naming.referral option. This option should be enabled for Active Directory servers configured without a DNS.
Ignore Communication Er...: Ignores/recognizes communication errors when Active Directory returns domain names for referrals other than the name specified on the server.
Read Timeout (ms): Choose a value to set how long Development Testing Platform should wait for a response before timing out.
Connection Timeout (ms): Choose a value to set how long Development Testing Platform should wait when connecting to the server before timing out.
Environments: Field for entering JNDI environment properties in Java properties format.
Import Groups: Enables/disables queries to the server for group and group membership information. The Group Search Configuration and Membership Search Configuration sections appear if this option is enabled.

Group Search Configuration

Group Search Configuration uses the same settings as User Search Configuration. Group Search does not, however, support the Preview Data function.

Membership Search Configuration

Configure these settings to control how DTP establishes the correlation between LDAP users and LDAP groups.

Synchronizing Group Membership Based on User Information

Disable the Use Membership Attribute option (default) to allow DTP to determine group membership based on user information.


When a user logs into DTP for the first time, the following process occurs:

  1. The groups the user is a member of are retrieved from the server.
  2. If equivalent DTP groups don't already exist, they are created.
  3. The user is associated with the created DTP groups.

Groups cannot be synchronized individually. Options for this mode are similar to the User Search Configuration and Group Search Configuration options. See User Search Configuration for additional information.

Synchronizing Group Membership Based on Group Information

Enable the Use Member Attribute option to allow DTP to use the group information to determine possible members.

DTP will not automatically create DTP groups in this mode, but it will allow existing groups to be individually synchronized. The following settings are available:

Group Member Attribute: Defines the directory object attribute key used to declare group members.
Member Attribute is DN: Enable or disable to allow or deny the value in the Group Member Attribute field to be treated as a distinguished name. Disable this option to treat the value as a user login name or group name.
Enable Nested Groups: Enable or disable to allow or deny a group to be declared as a member of another group.
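The three settings above decide how a user's groups are derived from group entries in this mode. The following added example (not DTP's own code) resolves a user's effective groups the way the settings describe: the group's member attribute lists its members, each value is compared either as a DN or as a login/group name depending on Member Attribute is DN, and, when nested groups are enabled, groups that are members of other groups are followed upwards. The directory entries, the attribute name "member" and the function names are constructed assumptions for illustration; the nested walk keeps a visited set so that two groups that list each other as members cannot loop forever.

```python
# Added example (not part of the DTP documentation): resolve group membership
# from group entries. All directory contents below are constructed sample data.
from typing import Dict, List, Set

# Entries keyed by DN. "member" stands in for the configured Group Member
# Attribute. Managers and TeamLeads deliberately list each other (a cycle).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Managers,cn=Users,dc=company,dc=com": {
        "objectclass": ["group"],
        "member": ["cn=alice,ou=People,dc=company,dc=com",
                   "cn=TeamLeads,cn=Users,dc=company,dc=com"],
    },
    "cn=TeamLeads,cn=Users,dc=company,dc=com": {
        "objectclass": ["group"],
        "member": ["cn=bob,ou=People,dc=company,dc=com",
                   "cn=Managers,cn=Users,dc=company,dc=com"],
    },
    "cn=Devs,cn=Users,dc=company,dc=com": {
        "objectclass": ["group"],
        "member": ["bob", "carol"],  # login names rather than DNs
    },
    "cn=alice,ou=People,dc=company,dc=com": {"objectclass": ["person"], "sAMAccountName": ["alice"]},
    "cn=bob,ou=People,dc=company,dc=com": {"objectclass": ["person"], "sAMAccountName": ["bob"]},
    "cn=carol,ou=People,dc=company,dc=com": {"objectclass": ["person"], "sAMAccountName": ["carol"]},
}


def _norm_dn(dn: str) -> str:
    """Case-insensitive DN comparison key (simplified LDAP matching)."""
    return dn.lower().replace(", ", ",")


def _rdn_value(dn: str) -> str:
    """Value of the first RDN, e.g. 'Managers' for 'cn=Managers,...'."""
    return dn.split(",", 1)[0].partition("=")[2]


def _matches(value: str, identifier: str, member_is_dn: bool) -> bool:
    if member_is_dn:
        return _norm_dn(value) == _norm_dn(identifier)
    return value.lower() == identifier.lower()


def groups_containing(identifier: str, member_attr: str, member_is_dn: bool) -> Set[str]:
    """DNs of group entries whose member attribute lists the identifier."""
    return {
        dn for dn, attrs in DIRECTORY.items()
        if "group" in attrs.get("objectclass", [])
        and any(_matches(v, identifier, member_is_dn) for v in attrs.get(member_attr, []))
    }


def resolve_user_groups(user_dn: str, login: str, member_attr: str = "member",
                        member_is_dn: bool = True, nested_groups: bool = False) -> Set[str]:
    """Effective group DNs for a user under the given membership settings."""
    identifier = user_dn if member_is_dn else login
    found = groups_containing(identifier, member_attr, member_is_dn)
    if not nested_groups:
        return found
    # Walk upwards to parent groups; 'seen' stops cycles such as
    # Managers -> TeamLeads -> Managers from looping forever.
    seen: Set[str] = set()
    queue = list(found)
    while queue:
        group = queue.pop()
        if _norm_dn(group) in seen:
            continue
        seen.add(_norm_dn(group))
        parent_id = group if member_is_dn else _rdn_value(group)
        for parent in groups_containing(parent_id, member_attr, member_is_dn):
            found.add(parent)
            queue.append(parent)
    return found


if __name__ == "__main__":
    bob = "cn=bob,ou=People,dc=company,dc=com"
    print("DN, flat:   ", resolve_user_groups(bob, "bob"))
    print("DN, nested: ", resolve_user_groups(bob, "bob", nested_groups=True))
    print("name, flat: ", resolve_user_groups(bob, "bob", member_is_dn=False))
```

The three calls in the main block show how the settings change the outcome for the same user: with Member Attribute is DN enabled, bob is found only in TeamLeads (the Devs entry lists a login name, which is not a DN); enabling nested groups also yields Managers, because TeamLeads is a member of it; disabling Member Attribute is DN switches the comparison to login names and finds Devs instead.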

Support for Active Directory Primary Groups

You can enable DTP to use Primary Group(s) on the Active Directory server:

  1. Open the $DTP_HOME\conf\PSTSecConfig.xml configuration file in an editor (the file and location are the same for Linux and Windows).
  2. Set the <use-primary-groups> element to true. This element is a child of the <ldap> node.
  3. Restart the DTP service (see Stopping DTP Services and Starting DTP Services).

When set to true, user group membership will be taken from Primary Groups if defined in Active Directory, as well as from basic Active Directory groups.
