Central Governance 1.1.3 Users Guide

LDAP identity store fields

The following are the fields for configuring an LDAP identity store in Central Governance. Refer to these fields when you create or edit an identity store from List Identity Stores.

Name
Name of the identity store. This can be any unique name you want.

Description
Optionally, a description of the identity store.

Synchronize the Identity Store
Open an Identity Store in view or edit mode and select Synchronize to synchronize the Identity Store data with Access and Security and with Transfer CFT. The synchronization runs in the following order:
1. Central Governance updates its cache timestamp.
2. Access and Security updates its cache timestamp with the value received from Central Governance.
3. Access and Security sends Transfer CFT the information with the new timestamp and resets the user cache.
Synchronize is also the way to apply a directory change (for example a revoked role or group membership) before the Cache timeout described under Authorization has expired.

Connection

Server Host(s)
Fully qualified domain name or IP address of the computer running the LDAP server. You may specify multiple hosts. If the first host is unreachable, the Access and Security component (PassPort) tries to connect to the next host in the list, and so on.

Port
Port the LDAP server listens on for connections.

Encryption mode
Security level of the connection between Central Governance and the LDAP server. Options are:
None - Clear (unencrypted) communication
StartTLS - Transport Layer Security (TLS) negotiated on the plain LDAP port
LDAPS - LDAP over TLS on a dedicated port
With None, the bind credentials entered under Authentication and every password a user types at login cross the network in cleartext. Use StartTLS or LDAPS on any network you do not fully control.

Certificate
Click Browse to select a public-key certificate file in DER or PEM format, or a public certificate chain file in P7B (PKCS#7) format. If you selected StartTLS or LDAPS, you need a certificate that represents the CA (certificate authority) that issued the LDAP server's certificate, so that Central Governance can validate the server certificate presented during the TLS handshake. Click Display to view the certificate details.
Note: Central Governance 1.1.3 SP11 is delivered with OpenJDK, which introduces a security restriction: the external LDAP server certificate must contain the Subject Alternative Name (SAN) extension. Make sure the SAN lists the host name (or IP address) you enter in Server Host(s), because the JDK matches the server's identity against the SAN when it verifies the TLS connection.

Authentication

Login
User ID that Central Governance uses to log on to the LDAP server and retrieve user roles and user groups. This data enables the administrator to map roles and groups between Central Governance and the LDAP server. A dedicated, read-only directory account is sufficient for this purpose.

Password
Password of the account given in Login.

Authentication mode
Authentication mode for logging on to the LDAP server:
Simple - Use the user's relative distinguished name (RDN) and password to authenticate (an LDAP simple bind)

Advanced settings

Connection timeout
Timeout limit in seconds for the LDAP connection.

Number of retries
Number of times Central Governance attempts to reconnect after the connection fails.

Enable connection pooling
Enables connection pooling for user login and filter searches.

Click Check connection to verify that the values are valid for the LDAP server. If the connection fails, Central Governance displays the failure reasons returned by the LDAP server.

LDAP tree

Active directory
Indicates whether the LDAP server is a Windows Active Directory implementation. Active Directory lets users log on with the notation user@domain. If this is an Active Directory and the login does not include the @ character, Central Governance adds @domain to the login. If you specify that the server is Active Directory, you can optionally provide the domain in the following field.

Active directory domain
For Active Directory LDAP servers, the domain to append to the user login when the login has no domain. This field is optional when Active Directory is enabled. If you leave it blank, nothing is appended to the user name.

Base DN
The base Distinguished Name (DN) to authenticate against on the connected LDAP server. The base DN is the top level of the LDAP directory tree and defines which node of the tree to use as the root node. Example: ou=system

Prefix
Prefix to add before the user login for the connection to the LDAP server. Example: cn=username, where username is the login the user enters.

Suffix
Suffix to add after the user login for the connection to the LDAP server. Example: ,ou=users

Prefix and suffix are optional. If you provide both, Central Governance can use them to derive a full user DN based on the X500Principal subject DN:
prefix + user login + suffix + base DN
With the example values above, a user who logs in as jdoe is looked up as cn=jdoe,ou=users,ou=system. This allows users to enter only their user name at login.

Authorization

The values of the following fields are the LDAP search queries that tell Central Governance how to retrieve objects from the LDAP structure. Central Governance runs these queries at run time to populate the fields of the mapping wizard table and to evaluate login requests. To complete these fields, carefully define which LDAP object class controls your access control. Query syntax must match the target LDAP structure and use the same object class names as the server. The default values that appear in the fields reflect standard naming conventions; if your LDAP server uses non-standard naming, enter the customized names in these fields.

Cache timeout
How long, in hours, the response to an LDAP query is considered valid. Until a cached response expires (or you run Synchronize), changes made in the directory, including removed roles or group memberships, are not visible to Central Governance.

User DN
Returns the searched DN of the user from the LDAP server. If this filter is not set, the searched DN is replaced by the user's full DN. In the other filters this value is available as userSearchedDN.

Role list
Returns all roles on the LDAP server.

Filtered roles
Returns the roles matching the specified filter on the LDAP server.

User roles
Returns all roles of a user on the LDAP server.

Group roles
Returns all roles of a group on the LDAP server.

User groups
Returns all groups of a user on the LDAP server.

Mapping role attribute
Attribute used to identify roles in the mapping process.

User mapping
Select a user object class and map the values of the user attributes available on the LDAP server.

User Filter
Returns all users in a domain on the LDAP server. This filter is used for Transfer CFT access management when the Transfer CFT configuration is as follows:
- The access type is set to "Central Governance"
- The selected Organization is linked to the current Identity Store
Because Transfer CFT builds its persistent authorization cache from this filter, limit the filter to the users who need to access Transfer CFT. A filter that returns a large number of users (more than 200) may cause performance issues. For more information, see Access and security.

First name attribute
LDAP attribute that holds a user's first name.

Last name attribute
LDAP attribute that holds a user's last name.

Email attribute
LDAP attribute that holds a user's email address.

See also: Example LDAP setup for AD

Related topics
Identity stores
List Identity Stores
Example LDAP setup for AD
Log on as LDAP user
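The following worked example is added to this page and is not Axway code. It puts the LDAP tree fields together the way the page describes them: the Active directory domain rule (append @domain only when the login has no @ and a domain is configured), the derived user DN (prefix + user login + suffix + base DN, only when both prefix and suffix are set), and the placement of a login value inside a search filter of the kind the Authorization fields hold. The escaping of the login for DN (RFC 4514) and filter (RFC 4515) contexts is a defensive step added here; the page does not say how the product treats special characters in a login. The field values, the object class and attribute names, and the login jdoe are constructed sample data.

```python
"""Added example (not Axway code): how the LDAP tree fields combine at login.

Rules taken from the page:
  - Active directory domain: append "@domain" when the login has no "@",
    but only if a domain is configured (blank means nothing is appended).
  - Prefix / Suffix / Base DN: user DN = prefix + login + suffix + base DN,
    derived only when both prefix and suffix are provided.

Added by this example, not stated by the page: the login is escaped before
it is placed in a DN (RFC 4514) or a search filter (RFC 4515).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LdapTreeConfig:
    base_dn: str
    prefix: str = ""
    suffix: str = ""
    active_directory: bool = False
    ad_domain: str = ""  # optional; blank means nothing is appended


def normalize_login(cfg: LdapTreeConfig, login: str) -> str:
    """Apply the Active Directory rule: add @domain when the login has none."""
    if cfg.active_directory and cfg.ad_domain and "@" not in login:
        return f"{login}@{cfg.ad_domain}"
    return login


# RFC 4514 section 2.4: characters that need a backslash inside an attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value so it cannot alter the structure of the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _DN_SPECIALS or leading_hash or edge_space else ch)
    return "".join(out)


# RFC 4515 section 3: special characters in a filter assertion value become \XX.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def derive_user_dn(cfg: LdapTreeConfig, login: str) -> Optional[str]:
    """prefix + login + suffix + base DN, as the page describes.

    Returns None when prefix or suffix is missing, because the page says the
    derivation needs both. Assumption made here: a comma separates the
    prefix/login/suffix part from the base DN so the result is a valid DN.
    """
    if not (cfg.prefix and cfg.suffix):
        return None
    rdn_part = cfg.prefix + escape_dn_value(normalize_login(cfg, login)) + cfg.suffix
    if not cfg.base_dn:
        return rdn_part
    return f"{rdn_part.rstrip(',')},{cfg.base_dn}"


def build_user_search_filter(login_attribute: str, login: str,
                             object_class: str = "user") -> str:
    """Build a user lookup filter of the kind the Authorization fields hold.

    object_class and login_attribute are placeholders (constructed sample
    names); use the names your directory actually uses, as the page instructs.
    """
    return f"(&(objectClass={object_class})({login_attribute}={escape_filter_value(login)}))"


if __name__ == "__main__":
    # Sample values: the page's own examples for prefix, suffix and base DN.
    openldap = LdapTreeConfig(base_dn="ou=system", prefix="cn=", suffix=",ou=users")
    print(derive_user_dn(openldap, "jdoe"))  # cn=jdoe,ou=users,ou=system
    ad = LdapTreeConfig(base_dn="dc=example,dc=com", active_directory=True,
                        ad_domain="example.com")
    print(normalize_login(ad, "jdoe"))  # jdoe@example.com
    print(build_user_search_filter("sAMAccountName", "j*doe"))
    # (&(objectClass=user)(sAMAccountName=j\2adoe))
```

Run the script to see the derived DN for the page's example values and how a login containing filter metacharacters is neutralised before it reaches the directory. The escaping functions are deliberately separate from the field logic so that the same values can be checked against what your own directory returns for a given login.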