Creating an LDAP authorization realm
An LDAP authorization realm defines how to use an external LDAP server for group authorization.
Before you begin
About this task
To create an LDAP authorization realm, you identify the URL of the LDAP server, and define a role-based search. If you use an LDAP authentication realm, you do not need to define a user-based search. If you use an SSO authentication realm, you must also define a user-based search.
Procedure
- On the server, click Create Authorization Realm. The dialog box opens.
- In the Name field, enter a realm name.
- In the Type list, select LDAP or Active Directory.
- In the LDAP URL field, enter the URL of the LDAP or LDAPS server. Separate multiple servers by commas. For example:
ldap://ldap_server.my_domain.com:389,ldap://ldap_server.my_domain2.com:389,ldaps://ldaps_server.my_domain3.com:389
- Define a role-based search by completing one of these steps:
- Optional: Define a user-based search by completing one of these steps:
Note: If you plan to use an SSO authentication realm with this authorization realm, you must define a user-based search. If you plan to use an LDAP authentication realm, you can skip this step.
- Optional: Secure the communication between the LDAP server and the HCL Launch server as described in Configuring SSL on Apache Tomcat and LDAP servers.
- Optional: Set the length of time for the server to wait for a response from the LDAP server. On the server, in the installed.properties file, set the property com.sun.jndi.ldap.read.timeout to the timeout period in milliseconds. Then, restart the server.
- Optional: Enable Nested Groups. This feature enables HCL Launch to recursively search for roles in the LDAP server. Note: If a user who has many direct LDAP group mappings logs in, this feature could generate many extra LDAP queries.
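As an added example (not part of this page and not HCL Launch's own code), the Python script below illustrates two of the steps above: it parses the comma-separated LDAP URL field and flags entries that use plain ldap:// instead of ldaps://, and it performs a cycle-safe nested-group expansion that counts directory lookups, which is the cost the note about users with many direct group mappings refers to. The group DNs and the parent-group table are constructed sample data, and the lookup callback stands in for a real LDAP query.

```python
"""Added example, not HCL Launch product code: helpers that mirror checks an
administrator would want around the LDAP URL field and the Nested Groups option."""
from urllib.parse import urlsplit

# Default ports for the two schemes the LDAP URL field accepts.
ALLOWED_SCHEMES = {"ldap": 389, "ldaps": 636}


def parse_ldap_urls(value):
    """Split the comma-separated LDAP URL field into per-server records.

    Each record carries scheme, host, effective port and whether the
    connection is TLS-protected (ldaps://). Unsupported schemes or a
    missing host raise ValueError so a typo is caught before the realm
    is saved rather than at first login.
    """
    servers = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"unsupported scheme in {raw!r}")
        if not parts.hostname:
            raise ValueError(f"missing host in {raw!r}")
        port = parts.port or ALLOWED_SCHEMES[parts.scheme]
        servers.append({
            "scheme": parts.scheme,
            "host": parts.hostname,
            "port": port,
            "tls": parts.scheme == "ldaps",
        })
    return servers


def plaintext_servers(servers):
    """Return the hosts that would carry group lookups without TLS."""
    return [s["host"] for s in servers if not s["tls"]]


# Constructed sample directory: group DN -> set of parent group DNs
# (the groups that list this group as a member). A cycle between
# engineering and all-staff is included on purpose.
SAMPLE_PARENTS = {
    "cn=dev-team,ou=groups,dc=example,dc=com": {"cn=engineering,ou=groups,dc=example,dc=com"},
    "cn=engineering,ou=groups,dc=example,dc=com": {"cn=all-staff,ou=groups,dc=example,dc=com"},
    "cn=all-staff,ou=groups,dc=example,dc=com": {"cn=engineering,ou=groups,dc=example,dc=com"},
    "cn=ops,ou=groups,dc=example,dc=com": set(),
}


def sample_lookup(dn):
    """Stand-in for one LDAP query: parents of the given group DN."""
    return SAMPLE_PARENTS.get(dn, set())


def resolve_nested_groups(direct_groups, lookup_parents):
    """Expand a user's direct groups into every group held transitively.

    Returns (all_groups, query_count). Each call to lookup_parents counts
    as one LDAP query, so query_count grows with the number of distinct
    groups reached, which is why many direct mappings mean many extra
    queries. The visited set stops cycles from recursing forever.
    """
    visited = set()
    queries = 0
    stack = list(direct_groups)
    while stack:
        dn = stack.pop()
        if dn in visited:
            continue
        visited.add(dn)
        queries += 1
        for parent in lookup_parents(dn):
            if parent not in visited:
                stack.append(parent)
    return visited, queries


if __name__ == "__main__":
    field = ("ldap://ldap_server.my_domain.com:389,"
             "ldap://ldap_server.my_domain2.com:389,"
             "ldaps://ldaps_server.my_domain3.com:389")
    servers = parse_ldap_urls(field)
    print("servers without TLS:", plaintext_servers(servers))
    direct = ["cn=dev-team,ou=groups,dc=example,dc=com",
              "cn=ops,ou=groups,dc=example,dc=com"]
    groups, n = resolve_nested_groups(direct, sample_lookup)
    print(f"{len(groups)} effective groups resolved with {n} lookups")
```

The URL parser uses the default LDAP and LDAPS ports when a URL omits one, so the TLS check reflects the scheme rather than the port number. The nested-group expansion is iterative and tracks visited DNs, so a group that is (indirectly) a member of itself terminates after one lookup per distinct group.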