Configuring LDAP Member Source

You use the Lightweight Directory Access Protocol (LDAP) type member source to retrieve information on users and user groups from an LDAP server. The LDAP server provides user and directory services over an IP network, and Application Protector uses it to resolve users and groups.

To create an LDAP member source:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Member Sources.

  2. Click Add New Member Source.

    The New Member Source screen appears.

  3. Enter a unique name for the LDAP member source in the Name textbox.

  4. Enter a description in the Description textbox.

  5. Select LDAP from the Source Type drop-down list.

    The LDAP Member Source screen appears.

    LDAP Member Source screen

  6. Enter the information in the LDAP member source fields.

    The LDAP member source fields are described below.

    Host
        The Fully Qualified Domain Name (FQDN) or IP address of the directory server.
    Port
        The network port on the directory server where the directory service is listening.
    Use TLS
        Enables TLS for the connection to the directory server. LDAPS is deprecated and no longer supported; TLS is the only supported protocol. Leave this enabled: without TLS the Bind DN password and all directory data cross the network in cleartext.
    User Base DN
        The base distinguished name under which users are found in the directory. It is used as the search base for user lookups.
    Group Base DN
        The base distinguished name under which groups are found in the directory. It is used as the search base for group lookups.
    User Attribute
        The Relative Distinguished Name (RDN) attribute of the user distinguished name.
    Group Attribute
        The RDN attribute of the group distinguished name.
    User Object Class
        The object class of user entries. User search results are filtered on this object class.
    Group Object Class
        The object class of group entries. Group search results are filtered on this object class.
    User Login Attribute
        The attribute used for authentication or login.
    Group Members Attribute
        The attribute that enumerates the members of the group.
    Group Member is DN
        Select this if group members are listed by their fully qualified name, that is, their distinguished name. Clear it if members are listed by a bare attribute value, as with POSIX groups whose members are identified by a user attribute value such as cn.
    Timeout
        How long to wait for a response from the directory server before the request fails.
    Bind DN
        The DN of the account used to bind to the directory server; it needs read access to query the user and group subtrees. Use a dedicated read-only service account rather than an administrative account.
    Password/Secret
        The password of the account binding to the directory server.

    Parsing users from a DN instead of querying the LDAP server: By default, a user is not resolved by querying the external LDAP server. Instead, the User Login Attribute is parsed out of the Distinguished Name that the Member Source Service initially retrieved. This applies only when the Group Member is DN option is enabled for the member source, in which case members must be listed by their fully qualified name, that is, their Distinguished Name. If the ESA cannot parse the DN, or the DN is not available in the expected format, the user is resolved by querying the external LDAP server instead.

  7. Click Save.

The message "Member Source has been created successfully" appears.
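The following is an added example, not code from Protegrity ESA or Application Protector. It models the member source fields from the table above and the two resolution paths from the "Parsing users from a DN" note: with Group Member is DN enabled, the login is taken from the member's DN and the server is only queried when the DN does not parse or its RDN is not the User Login Attribute; with it disabled, the bare value is searched under the User Base DN. It goes slightly beyond the page by also showing RFC 4515 escaping of the login value in the user search filter, so a crafted login cannot widen the query. The class, function and field names (LdapMemberSource, parse_dn, resolve_member, Directory) and the sample entries are assumptions for illustration.

```python
# Added example (not Protegrity ESA / Application Protector code): models the
# LDAP member source fields above and the two member resolution paths from the
# "Parsing users from a DN" note. Names are assumed; the directory is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEX = "0123456789abcdefABCDEF"

@dataclass
class LdapMemberSource:
    """Subset of the LDAP Member Source fields (names assumed)."""
    user_base_dn: str
    user_object_class: str
    user_attribute: str           # RDN attribute of user DNs, e.g. uid or cn
    user_login_attribute: str     # attribute used for login, e.g. uid
    group_member_is_dn: bool      # members listed as full DNs or as bare values

def escape_filter(value: str) -> str:
    """RFC 4515 escaping: a login like 'a*)(uid=*' cannot widen the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_search_filter(src: LdapMemberSource, login: str) -> str:
    """Filter the member source would send to find one user by login."""
    return "(&(objectClass=%s)(%s=%s))" % (
        src.user_object_class, src.user_login_attribute, escape_filter(login))

def parse_dn(dn: str) -> Optional[List[Tuple[str, str]]]:
    """RFC 4514 string DN -> [(attribute, value), ...], most specific RDN first.
    Handles '\\,' and '\\2c' escapes; multi-valued RDNs ('+') stay one value.
    Returns None for a malformed DN, the case that triggers a server query."""
    pairs: List[Tuple[str, str]] = []
    buf, attr, i = "", None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            esc = dn[i + 1:i + 3]
            if len(esc) == 2 and all(c in HEX for c in esc):
                buf, i = buf + chr(int(esc, 16)), i + 3   # \2c style hex pair
            elif i + 1 < len(dn):
                buf, i = buf + dn[i + 1], i + 2           # \, style escape
            else:
                return None                               # dangling backslash
            continue
        if ch == "=" and attr is None:
            attr, buf = buf.strip().lower(), ""
        elif ch == ",":
            if not attr:
                return None                               # RDN without a type
            pairs.append((attr, buf))
            attr, buf = None, ""
        else:
            buf += ch
        i += 1
    if not attr:
        return None
    pairs.append((attr, buf))
    return pairs

class Directory:
    """Constructed stand-in for the external LDAP server: entries keyed by DN,
    plus a counter showing when a real server would have been queried."""
    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries, self.queries = entries, 0

    def lookup_dn(self, dn: str) -> Optional[Dict[str, str]]:
        self.queries += 1
        return self.entries.get(dn)

    def search(self, base: str, attr: str, value: str) -> Optional[Dict[str, str]]:
        self.queries += 1
        base = base.lower()
        for dn, entry in self.entries.items():
            in_base = dn.lower() == base or dn.lower().endswith("," + base)
            if in_base and entry.get(attr) == value:
                return entry
        return None

def resolve_member(src: LdapMemberSource, member: str, server: Directory) -> Optional[str]:
    """One Group Members Attribute value -> login name. Group Member is DN on:
    take the login from the member DN's first RDN when it is the User Login
    Attribute (no server round trip), otherwise query the server for that DN.
    Off: the value is a bare User Attribute value, searched under User Base DN."""
    if src.group_member_is_dn:
        rdns = parse_dn(member)
        if rdns and rdns[0][0] == src.user_login_attribute.lower():
            return rdns[0][1]
        entry = server.lookup_dn(member)
    else:
        entry = server.search(src.user_base_dn, src.user_attribute, member)
    return entry.get(src.user_login_attribute) if entry else None

def sample_directory() -> Directory:
    """Constructed sample entries, not real data."""
    return Directory({
        "uid=alice,ou=People,dc=example,dc=com": {"uid": "alice", "cn": "Alice"},
        "cn=Smith\\, John,ou=People,dc=example,dc=com": {"uid": "jsmith", "cn": "Smith, John"},
    })
```

With Group Member is DN enabled and User Login Attribute set to uid, a member such as uid=alice,ou=People,dc=example,dc=com resolves without touching the server, while cn=Smith\, John,ou=People,dc=example,dc=com (RDN is cn, not uid) and any value that is not a DN fall back to a server query, as the note describes. The escaped filter is the check to apply to whatever login value reaches the User Login Attribute lookup.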