Configuring the Lightweight Directory Access Protocol (LDAP) settings
Configuring the Lightweight Directory Access Protocol (LDAP) security for Rational® Test Control Panel works the same way as for Active Directory, except that the LDAP configuration involves setting a few additional properties.
Editing the security.config file
The security.config file
is found in the security folder in the Rational® Test Control Panel workspace.
- On Windows systems, the folder is typically at C:\IBM®\RTCP-Workspace\security.
- On Unix-like systems, the folder is typically at
/var/rtcp/security
.
Keep in mind the following guidelines while editing the security.config file:
- If the backslash character
\
needs to be used in any property value, escape it with another backslash character:\\
. For example, if the value isC:\XYZ
, specify it asC:\\XYZ
. - Optional: If any of the characters
=
,:
,#
, or!
is used in a property value, escape it with a backslash. - Set the
credentialsStore
property toLDAP
.
Property | Description | |
---|---|---|
Name in the IBM® Installation Manager GUI | Name in the security.config file | |
user filter |
userFilter |
User filter. The {0} placeholder will be replaced with the user name of the user that you are trying to authenticate. This is used to locate users within the LDAP server. |
user group filter |
userGroupFilter |
User Group filter. The {0} placeholder will be replaced with the Distinguished Name (DN) of the user that you are trying to authenticate. This filter returns the groups of which the user is a member. |
group filter |
parentGroupFilter |
Group filter. Used for recursive retrieval of parent groups of the user groups. This property is different from its Active Directory equivalent and has a different property name. |
group id attribute |
groupIdentifier |
Group identification attribute. This value is used to get the group's name for mapping groups to roles. Do not use Distinguished and partially qualified names (DNs). |
url |
url |
The address of the LDAP server. |
admin user |
adminuser |
An LDAP user with group query permissions. The user name should be a distinguished name (DN). |
group search base |
searchBase |
The location where the directory group searches should begin.
For example, dc=mycompany,dc=local . |
user search base |
userSeachBase |
The location where the directory user searches should begin. Leave this property blank if this is the same as the group search-base. |
Note: For
users to be able to log in, the following conditions must be met:
- The user's LDAP entry must exist within the user search base; that is, the user's LDAP Distinguished Name must end with the user search base.
- The user must either be in an LDAP group that has been assigned
the
user
role, or be in an LDAP group that has been assigned theadmin
role.
Sample: security.config file with Lightweight
Directory Access Protocol settings
#RTCP security configuration
#Fri Jan 16 14:41:04 GMT 2015
allGroupsFilter=(objectClass\=groupOfUniqueNames)
url=ldap\://localhost\:11589
searchBase=dc\=example,dc\=com
groupMappings=admingroup\=admin,admingroup\=user,usergroup\=user,
adminuser=Cn\=root
parentGroupFilter=(objectClass\=groupOfUniqueNames)
adminpassword=\#com.ghc.1\!c310E357A2EB7262116255340CB26A
credentialsStore=LDAP
groupIdentifier=cn
userGroupFilter=(&(objectClass\=groupOfUniqueNames)(uniqueMember\={0}))
userFilter=(&(objectClass\=person)(cn\={0}))
userSearchBase=dc\=example,dc\=com
Note: The
searchBase
parameter
is used for group search.