Introduction
You can configure User Administration to sync with your LDAP server in the User Directories screen. You should work with your LDAP/AD administrator when configuring directory settings. This enables User Administration to authenticate against your organization's user directory service.
Click User Directories on the User Administration page to access directory configurations.
Connecting to LDAP Over SSL
Integration with external tools and services may require connections secured with TLS/SSL. DTP will reject connections to external servers if the server's certificate is not trusted or is not signed by a trusted certificate authority. To add a new trusted certificate, perform the following steps:
1. Obtain the trusted certificate to add. These certificates can be in any format accepted by the Java keytool application.
2. Execute the following command to import the certificate into the truststore:
keytool -import -alias <new unique alias> -file <certificate file> -keystore <DTP_INSTALL>/jre/lib/security/cacerts
3. Enter "changeit" as the password when prompted.
4. Confirm that you want to import the certificate when prompted.
To import a certificate chain, repeat steps 1-4 for each certificate in the chain, in order from the root certificate first to the end entity certificate last.
Truststores and Upgrades
During an upgrade, DTP retains the existing truststore found at <DTP_INSTALL>/jre/lib/security/cacerts. Because of this, if you have upgraded DTP multiple times, your truststore might not contain newly trusted certificate authorities. If your DTP must connect to an external server with a certificate signed by one of these newly trusted certificate authorities, you may need to manually update the truststore at <DTP_INSTALL>/jre/lib/security/cacerts.
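The chain import described in steps 1-4, scripted so that each certificate of a PEM bundle is imported root first under its own alias, as an added example that is not part of the DTP documentation. It assumes DTP_INSTALL points at the DTP installation, that the bundle lists certificates root first, and it ships a constructed two-certificate bundle with placeholder bodies so the splitting step can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the DTP documentation: import every certificate of
# a PEM chain into the DTP truststore, root first, each under a unique alias.
# Assumes DTP_INSTALL points at the DTP installation and that the chain file
# lists certificates root first and end entity last, as the steps above require.

# Write a constructed two-certificate bundle (placeholder bodies, not real
# certificates) so the splitting step can be exercised offline.
make_sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
ROOTCA-placeholder-constructed-for-this-example
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ENDENTITY-placeholder-constructed-for-this-example
-----END CERTIFICATE-----
EOF
}

# Split a PEM bundle into cert-01.pem, cert-02.pem, ... in bundle order and
# print how many certificates were written. Usage: split_chain bundle outdir
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Import the split certificates in numeric (root-first) order. Each alias is
# prefix-NN; an alias already present in the truststore is skipped, since
# keytool refuses to import into an existing alias.
# Usage: import_chain outdir alias-prefix
import_chain() {
    store="$DTP_INSTALL/jre/lib/security/cacerts"
    for f in "$1"/cert-*.pem; do
        alias="$2-$(basename "$f" .pem | sed 's/^cert-//')"
        if keytool -list -keystore "$store" -storepass changeit -alias "$alias" >/dev/null 2>&1; then
            echo "alias $alias already present in $store, skipping"
            continue
        fi
        keytool -import -noprompt -alias "$alias" -file "$f" \
            -keystore "$store" -storepass changeit
    done
}
```

Run `split_chain chain.pem /tmp/chain && import_chain /tmp/chain ldap-ca` against a real bundle; the keytool steps need a JDK on the path.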
Configuring Directory Settings
Click on a directory to configure existing settings or click Create User Directory to set up a new directory. Click the trash icon to delete the user directory configuration.
You can configure the following settings:
General Settings
New directories are enabled by default, but you can prevent the directory from syncing with your LDAP server by disabling the Enable option. A name for the directory is required.
Server Settings
This setting specifies the connection to the LDAP server. Click Test Connection after you've configured the settings to verify that User Administration can communicate with your LDAP server.
Setting | Description
---|---
Hostname | The LDAP server hostname.
Port | The LDAP server port.
Use SSL | Enable this option to connect to the LDAP server over SSL.
Credentials |
Username | If the LDAP server requires credentials, specify the username in this field.
Password | If the LDAP server requires credentials, specify the password in this field.
User Import Settings
Click Test User Import Settings after configuration to verify that they are correct before saving.
Setting | Description
---|---
Base DN | The base DN is the context DN (distinguished name) where the directory objects reside. If empty, User Administration uses the root DN of the directory tree. Organizational units (ou) and domain components (dc) are used to define directory tree structures. The following example shows how an organization could structure its directory. In this example, you would enter the following base DNs to scan users from Europe and Asia only.
Filter | Enter an expression in the Filter field to search on specific parameters. Searches are performed on the base DN(s) and the specified scope. The following examples describe some of the ways filters can be used: a simple filter for users under the provided base DN; find the "devel1" and "devel2" users only; find users that are members of the group "Managers". About Filter Settings in Previous Versions of DTP: in versions of DTP prior to 5.4, the LDAP filter configuration included an extra attribute and template.
Restrict To Groups | Enable this option to import only the users that belong to a group specified in the Group Import Settings. Users that do not belong to a group configured in Group Import Settings will not be imported.
Attribute Mappings | The attribute mapping section defines how User Administration attributes (user login name, first name, last name, and email) map to directory object attributes (uid, givenName, sn, and email). You can use the default mappings or configure the attributes to align with your LDAP server. Refer to the documentation for your LDAP server.
Username | This field is used for the login name in DTP. The default is uid.
First Name | This field is used for the user's first name in DTP. The default is givenName.
Last Name | This field is used for the user's last name (surname) in DTP. The default is sn.
Email Address | This field is used for the user's email address in DTP. The default is email.
Member Of | This field is used to associate users in DTP with LDAP groups. Default is
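The "devel1 and devel2 only" and "members of Managers" filters from the Filter row, built from a list of login names, as an added example that is not from the DTP documentation. Assertion values are escaped per RFC 4515 so a name containing *, (, ) or \ cannot alter the filter's structure; the uid attribute follows the default Username mapping, memberOf is an assumed Member Of mapping, and the group DN in the test is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the DTP documentation: build the "devel1 and devel2
# only" style filter from a list of login names. Values are escaped per
# RFC 4515 so a name containing *, (, ) or \ cannot change the filter's
# structure. uid matches the default Username mapping; memberOf is assumed.

# Escape one assertion value for use inside an LDAP filter (backslash first,
# so the escapes it introduces are not re-escaped). NUL bytes cannot occur in
# shell strings and are not handled.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print a filter matching exactly the given uids: (uid=a) for one name,
# (|(uid=a)(uid=b)...) for several. Usage: build_uid_filter name...
build_uid_filter() {
    f=""
    for u in "$@"; do
        f="$f(uid=$(ldap_escape "$u"))"
    done
    if [ "$#" -eq 1 ]; then
        printf '%s\n' "$f"
    else
        printf '(|%s)\n' "$f"
    fi
}

# Restrict the same name list to members of one group. The group DN is an
# assertion value too, so it gets the same escaping.
# Usage: build_uid_in_group_filter group-dn name...
build_uid_in_group_filter() {
    group_dn=$(ldap_escape "$1"); shift
    printf '(&(memberOf=%s)%s)\n' "$group_dn" "$(build_uid_filter "$@")"
}
```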
Group Import Settings
Click Test Group Import Settings after configuring the settings to verify that they are correct before saving.
Setting | Description
---|---
Enable group import | Enable this option to import the groups defined in your LDAP.
Base DN | See the Base DN setting under User Import Settings.
Filter | See the Filter setting under User Import Settings. About Group Filter Settings in Previous Versions of DTP: in versions of DTP prior to 5.4, the LDAP filter configuration included an extra attribute and template.
Enable nested groups | If groups contain other groups in your directory, you can enable this setting to retain your LDAP server's hierarchical structure.
Ancestor groups only | A nested group may contain users in addition to other groups. An ancestor is a user that is an immediate member of a group nested inside another group. In the following example, MEMBER B and C are the ancestors within the groups nested within GROUP A. You can enable the Ancestor groups only option and specify a group name in the Ancestor group names field to import only the immediate members of the nested groups. Members of the group specified in the Ancestor group names field will also be imported.
Ancestor group names | If the Ancestor groups only option is enabled, specify the name of the nested group that contains the ancestors you want to import.
Attribute Mappings | The attribute mapping section defines how Parasoft User Administration object attributes map to the connected directory object attributes. You can use the default mappings or configure the attributes to meet your specific needs.
Name | Default is cn.
Description | Default is cn.
Member | Default is member. See Advanced Settings for additional information.
Advanced Settings
You can specify the scope of user and group queries User Administration performs in your LDAP.
Setting | Description
---|---
User search scope | Choose one of the following options from the menu to set the user search scope:
Group search scope | Choose one of the following options from the menu to set the group search scope:
Referral | Choose Follow from the menu to enable JNDI lookup. Choose this option for Active Directory servers configured without a DNS. Choose Ignore from the menu to ignore communication errors when Active Directory returns domain names for referrals other than the name specified in the server.
Page size | This setting specifies the number of records requested per page. Setting a page size allows the server to send the data in pages as the pages are being built. Default is 1000.
Membership strategy | This setting specifies how group membership is correlated when importing users from LDAP. DTP can correlate users based on their
Sync group membership | Enable this option to update user attributes and permissions based on group membership from LDAP. If enabled, DTP refers to LDAP as the system of record for user membership. Any user/group associations made in DTP that differ from the membership associations in LDAP will be removed or overwritten by the associations stored in LDAP. DTP applies directory configurations in reverse sequence as they appear in the User Directories page. As a result, the directory at the top of the list takes precedence and should be the directory with Sync Group Membership enabled. Default is disabled.
Use DNs for membership | Enable this setting if DTP should expect distinguished names (DNs) from your LDAP server to set user and group associations. Disable this setting to associate users and groups based on usernames and/or group attributes. Default is enabled.
User primary groups | Enable this setting to determine user group membership information using basic and Primary Groups defined in Active Directory. Default is disabled.
Read timeout (ms) | Specify how long DTP should wait when attempting to read data from the LDAP server before timing out. Default is
Connection timeout (ms) | Specify how long DTP should wait when attempting to connect to the LDAP server before timing out. Default is
Setting Directory Priority
The order of the directories is important. When searching for users and groups, User Administration checks directories in order starting from the top of the table. Click and drag directories into the order that they should be searched.
Importing Users
You can import users from your user directories after configuring your LDAP connection.
- Click User Directories on the User Administration home screen.
- Click the Import icon for the directory you want to import.
- Review the users to be imported and click Next to proceed or Cancel to exit without importing. Note that there are character limits for the following attributes:
  - Username: 70 characters
  - First Name: 49 characters
  - Last Name: 81 characters
  - Email: 256 characters
  Attributes associated with existing users will be overwritten with data from the LDAP server.
- Review the user groups to be imported. Click the disclosure triangle to view the users within a group.
- Click Next to review the import settings.
- Click Import to begin importing users.
A summary of the results will appear after the import completes.
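A pre-import check of an LDIF export against the character limits listed above, as an added example that is not part of the DTP documentation. It assumes the default attribute mappings (uid, givenName, sn, email), a single-line LDIF layout, and includes a constructed two-entry LDIF sample in which one first name is 50 characters long.

```shell
#!/bin/sh
# Added example, not from the DTP documentation: check an LDIF export against
# the import character limits listed above before running the import, so
# over-long values are found up front rather than during the import review.
# Assumes the default attribute mappings (uid, givenName, sn, email) and a
# single-line LDIF layout (no base64 "::" values or folded continuation lines).

# Write a constructed LDIF sample: one compliant entry and one whose first
# name is 50 characters, one over the 49-character limit.
make_sample_ldif() {
    long_name=$(printf '%050d' 0 | tr 0 A)   # 50 x "A"
    cat > "$1" <<EOF
dn: uid=devel1,ou=people,dc=example,dc=com
uid: devel1
givenName: Dana
sn: Developer
email: devel1@example.com

dn: uid=devel2,ou=people,dc=example,dc=com
uid: devel2
givenName: $long_name
sn: Developer
email: devel2@example.com
EOF
}

# Report every mapped attribute whose value exceeds its limit, prefixed by the
# entry's dn. Returns 1 if any violation was found, 0 otherwise.
check_ldif_limits() {
    awk '
        BEGIN { lim["uid"] = 70; lim["givenName"] = 49; lim["sn"] = 81; lim["email"] = 256 }
        {
            i = index($0, ": "); if (i == 0) next
            attr = substr($0, 1, i - 1); val = substr($0, i + 2)
            if (attr == "dn") { dn = val; next }
            if (attr in lim && length(val) > lim[attr]) {
                printf "%s: %s is %d characters (limit %d)\n", dn, attr, length(val), lim[attr]
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}
```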
Importing Group Members
When you have properly configured your Group Import Settings, there are a few ways you can synchronize members of LDAP groups.
- (Manual) - Click the Import icon in the User Directories UI. See Importing Users.
- (Automatic) - Set up a periodic job to call the REST API. See Automating LDAP Synchronization.
- (Automatic) - Log into DTP as a user that is part of the LDAP group. If the user does not exist, it will be automatically created in User Administration.
If User Administration is configured to use multiple LDAP servers, group synchronization will be based on the first matching LDAP group available.
User Administration REST API
The User Administration module includes a dedicated API that you can use to automate user administration tasks. Choose API Documentation from the help menu on the User Administration page. The documentation describes the available endpoints. The API is only accessible from the User Administration page.
Automating LDAP Synchronization
The simplest method for automating LDAP synchronization is to set up a nightly job using an automation tool, such as Jenkins. You can trigger LDAP synchronization by using a curl command, for example, to call the User Administration REST API (/pstsec/api) endpoint:
curl -u username:password -X POST "https://hostname:port/pstsec/api/v1.0/ldap/import/configurationName" -H "accept: application/json"
In this example, replace username, password, hostname, port, and configurationName with your specific information.