To create an LDAP member source:
On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Member Sources.
Click Add New Member Source.
The New Member Source screen appears.
Enter a unique name for the member source in the Name textbox.
Type the description in the Description textbox.
Select LDAP from the Source Type drop-down list.
The LDAP Member Source screen appears.
Enter the information in the LDAP member source fields.
The following table describes the directory fields for LDAP member sources.
Field Name | Description |
---|---|
Host | The Fully Qualified Domain Name (FQDN), or IP of the directory server. |
Port | The network port on the directory server where the service is listening. |
Use TLS | Enable TLS to secure communication with the directory server. LDAPS is deprecated and no longer supported; TLS is the only supported protocol. |
User Base DN | The base distinguished name where users can be found in the directory. The user Base DN is used as the user search criterion in the directory. |
Group Base DN | The base distinguished name where groups can be found in the directory. The group base DN is used as the group search criterion in the directory. |
User Attribute | The Relative Distinguished Name (RDN) attribute of the user distinguished name. |
Group Attribute | The RDN attribute of the group distinguished name. |
User Object Class | The object class of entries where user objects are stored. Results from a directory search of users are filtered using user object class. |
Group Object Class | The object class of entries where group objects are stored. Results from a directory search of groups are filtered using group object class. |
User Login Attribute | The attribute intended for authentication or login. |
Group Members Attribute | The attribute that enumerates members of the group. |
Group Member is DN | Indicates whether members are listed by their fully qualified name, that is, their distinguished name, rather than by a plain attribute value such as the POSIX user attribute (cn). |
Timeout | The timeout value when waiting for a response from the directory server. |
Bind DN | The DN of a user that has read access rights to query the directory. |
Password/Secret | The password of the user binding to the directory server. |
Parsing users from a DN instead of querying the LDAP server: By default, a user is not resolved by querying the external LDAP server. Instead, the user is resolved by parsing the User Login Attribute out of the Distinguished Name that the Member Source Service initially retrieved. This option applies only if the Group Member is DN option is enabled when configuring the Member Source; in that case, members must be listed by their fully qualified name, that is, their Distinguished Name. If the ESA cannot parse the DN, or the DN is not available in the expected format, the user is resolved by querying the external LDAP server.
Click Save.
The message "Member Source has been created successfully" appears.
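As an added illustration, not part of this documentation or the product's own code, the following Python script models the field table above and the DN-parsing note: it resolves a value taken from the group's members attribute the way the note describes (parse the User Login Attribute from the DN when Group Member is DN is enabled, otherwise fall back to a directory query), escapes the login before it is placed in the fallback search filter, and flags settings the field descriptions rule out (Use TLS off). The `LdapMemberSource` class, all function names and the `example.test` directory values are constructed for this example; the requirement that a member DN sit under User Base DN is an extra assumption of the example, not a rule stated in the documentation.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapMemberSource:
    """Constructed mirror of the LDAP Member Source screen fields (example only)."""
    host: str
    port: int
    use_tls: bool
    user_base_dn: str
    group_base_dn: str
    user_attribute: str
    group_attribute: str
    user_object_class: str
    group_object_class: str
    user_login_attribute: str
    group_members_attribute: str
    group_member_is_dn: bool
    timeout: int
    bind_dn: str


def sample_config():
    """Constructed sample values; the example.test directory does not exist."""
    return LdapMemberSource(
        host="ldap.example.test", port=389, use_tls=True,
        user_base_dn="ou=People,dc=example,dc=test", group_base_dn="ou=Groups,dc=example,dc=test",
        user_attribute="uid", group_attribute="cn", user_object_class="inetOrgPerson",
        group_object_class="groupOfNames", user_login_attribute="uid", group_members_attribute="member",
        group_member_is_dn=True, timeout=10, bind_dn="cn=svc-esa,ou=Services,dc=example,dc=test",
    )


_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def split_dn(dn):
    """Split a DN into [(attribute, value), ...] RDN pairs, leftmost first.
    Escaped commas (\\,) stay inside a value. Returns None when a component is
    not attr=value, i.e. the string is not a DN in the expected format.
    Multi-valued RDNs (a=1+b=2) are outside the scope of this example."""
    if not dn or not dn.strip():
        return None
    pairs = []
    for part in _UNESCAPED_COMMA.split(dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            return None
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def resolve_login(member_value, cfg):
    """Apply the documented rule to one value from the group's members attribute.
    Returns (login, "parsed") when the User Login Attribute was read from the DN,
    else (None, "query"), meaning the ESA would query the LDAP server instead."""
    if not cfg.group_member_is_dn:
        return None, "query"  # plain attribute values (e.g. a cn) are never parsed
    rdns, base = split_dn(member_value), split_dn(cfg.user_base_dn)
    if rdns is None or base is None or len(rdns) <= len(base):
        return None, "query"
    # Assumption of this example: only trust a DN that sits under User Base DN.
    if [(a, v.lower()) for a, v in rdns[-len(base):]] != [(a, v.lower()) for a, v in base]:
        return None, "query"
    for attr, value in rdns[:-len(base)]:
        if attr == cfg.user_login_attribute.lower():
            return value, "parsed"
    return None, "query"


# RFC 4515 escapes: a login such as 'a*)(uid=*' must not rewrite the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(cfg, login):
    """Filter the fallback query would send: object class AND login attribute."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(cfg.user_object_class),
        cfg.user_login_attribute,
        escape_filter_value(login),
    )


def check_config(cfg):
    """Problems to fix before clicking Save, based on the field descriptions."""
    problems = []
    if not cfg.use_tls:
        problems.append("Use TLS is off; TLS is the only supported protocol")
    if not 1 <= cfg.port <= 65535:
        problems.append("Port must be between 1 and 65535")
    if cfg.timeout <= 0:
        problems.append("Timeout must be positive")
    for field in ("user_base_dn", "group_base_dn", "bind_dn"):
        if split_dn(getattr(cfg, field)) is None:
            problems.append(f"{field} is not a valid DN")
    return problems


if __name__ == "__main__":
    cfg = sample_config()
    print(resolve_login("uid=alice,ou=People,dc=example,dc=test", cfg))
    print(user_search_filter(cfg, "a*)(uid=*"), check_config(cfg))
```

Running the script resolves `uid=alice,ou=People,dc=example,dc=test` to the login `alice` without a directory round trip, while a bare value such as `alice` or a DN outside the user base falls through to the "query" path, which is the behaviour the note above describes. The filter escaping matters on that fallback path: the login attribute value is user-controlled directory data, so it is escaped before being interpolated into the search filter.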