Configuring the Active Directory settings
You can configure HCL DevOps Test Virtualization Control Panel (Test Virtualization Control Panel) to use the Active Directory security model by using Installation Manager during installation or by using the Modify option after the installation. You can also specify the settings by manually editing the security.config file.
Creating multiple Active Directory configurations
When you enable Test Virtualization Control Panel to use the Active Directory, you can have multiple configurations by setting theconfiguration count
property
on the Installation
Manager GUI. Each configuration
can point to a different Active Directory domain (optionally, on a different Active Directory
server).When you
configure the Active Directory security model by editing the
security.config file, a second configuration is added by appending
.1
to the end of each property name, .2
for the third
configuration, and so on. For example, if url
is the property that sets the
URL for the first configuration, url.1
sets it for the second,
url.2
for the third, and so on.
Specifying user names at logins
While logging
in to Test Virtualization Control Panel,
specify only your username if you are part of the first configuration
(Active Directory domain). For all the other configurations, specify
your username in the following format: domain\username
.
Setting up Active Directory domains
-
All configurations must have the
domain
property set; otherwise, they will not be used. If the properties are omitted from the additional configurations, they default to the value that is set in the first configuration. - Each Active Directory configuration must be for a specific Active
Directory domain that holds a unique name amongst a set of Active
Directory domains with which Test Virtualization Control Panel is
configured. The requirement holds true even if the Active Directory
domains are on different servers. For example, you cannot have two
configurations for a single Active Directory domain called
DOMAIN
that are on different servers or on the same server with different values set for the other properties.
Editing the security.config file
- On Windows™ systems, the folder is typically at
C:\HCL\HQS-Workspace\security
. - On Unix-like systems, the folder is typically at
/var/hqs/security
.
- If the backslash character
\
needs to be used in any property value, escape it with another backslash character:\\
. For example, if the value isC:\IBM
, specify it asC:\\IBM
. - Optional: If any of the characters
=
,:
,#
, or!
is used in a property value, escape it with a backslash. - Set the
credentialsStore
property toACTIVEDIRECTORY
. Unlike the other properties, you need to set this property only once and you cannot modify it for individual configurations (AD domains).
Property | Description | |
---|---|---|
Name in the Installation Manager GUI | Name in the security.config file | |
url |
url |
Address of the Active Directory host. For example, ldap://host_name:port . |
admin user |
adminuser |
An Active Directory user with group query permissions. This
is the user account that Test Virtualization Control Panel uses
to log in to the Active Directory server to determine the groups to
which a particular user account belongs. In the security.config file,
specify this property in the following format: username@domain ,
where domain is the admin domain. |
password |
adminpassword |
The password for the admin user. This is stored in the security.config
file in an obfuscated form. To keep this password secure, restrict the access to the
security.config file. Only the user account under which Test Virtualization Control Panel will run,
and those users of the host computer who are trusted to edit it need access to it. If you are
editing the security.config file, ensure that you encrypt the password. For
details, see Configuring the security settings after installation by updating the security.config file. For
example, adminpassword=#com.ghc.1!b2b312954AC84469E34BA2E5 . |
admin domain |
NA | The domain to which the admin user belongs. This value is required
for logging in as the admin user to get the information about groups.
In the security.config file, this is specified
as part of the adminuser property in the format username@domain . |
default domain |
domain |
The domain to which the users belong. Typically, this is the same as the admin domain. |
group search base |
searchBase |
The base location where the directory group searches should
begin - for example, dc=mycompany,dc=local . This
value is a Distinguished Name (DN) for an Active Directory object
that contains all groups to be used to control the roles within Test Virtualization Control Panel. For
example, if you have groups named Specifying a more specific (longer) group search-base narrows down the list of groups to select from in the Installation Manager GUI for assigning roles to groups, and could marginally speed up certain operations. Specifying a less specific (shorter) group search base will make more groups available for assigning roles. |
user search base |
userSearchBase |
This is a Distinguished Name (DN) for an Active Directory object
that contains all users who need to log in at any level. It is not
necessary that they are immediate child objects. For example, if
you have two organizations in your server, one represented by For
a user to be able to log in, they must match the user search base
and they must be in an Active Directory group that has been assigned
the role |
group filter |
allGroupsFilter |
The filter expression for user groups. The default expression (objectClass=group) returns
all groups. Use this property to control the number of groups available,
to which the roles are assigned. |
Directory Groups and Test Virtualization Control Panel
Roles |
groupMappings |
In the Installation
Manager GUI,
drag groups on to roles to create mappings and drag them off to remove.
All users in a group assume roles that are assigned to that group. For
users to be able to log in, the following conditions must be met: The
groupMappings property in the security.config file
holds a comma-separated list of group=role pairs.
The group is identified by its CN Active Directory
attribute value. |
credentialsStore=ACTIVEDIRECTORY
url=ldap\://ad.mycompany.example.com
adminuser=admin@DOMAIN1
adminpassword=#com.ghc.1!b2b312954AC84469E34BA2E5
domain=DOMAIN1
searchBase=OU\=Testing,DC\=DOMAIN1,DC\=domain
userSearchBase=DC\=DOMAIN1,DC\=domain
allGroupsFilter=(objectClass\=group)
groupMappings=MyCompanyEmployees\=user,MyCompanySysadmins\=admin,MyCompanySysadmins\=user,
credentialsStore=ACTIVEDIRECTORY
url=ldap\://ad.mycompany.example.com
adminuser=admin@DOMAIN1
adminpassword=#com.ghc.1!b2b312954AC84469E34BA2E5
domain=DOMAIN1
searchBase=OU\=Testing,DC\=DOMAIN1,DC\=domain
userSearchBase=DC\=DOMAIN1,DC\=domain
allGroupsFilter=(objectClass\=group)
groupMappings=MyCompanyEmployees\=user,MyCompanySysadmins\=admin,MyCompanySysadmins\=user,
url.1=ldap\://ad.mycompany.example.com
adminuser.1=admin@DOMAIN2
adminpassword.1=#com.ghc.1!b2b312954AC84469E34BA2E5
domain.1=DOMAIN2
searchBase.1=OU\=Testing,DC\=DOMAIN2,DC\=domain
userSearchBase.1=DC\=DOMAIN2,DC\=domain
allGroupsFilter.1=(objectClass\=group)
groupMappings.1=MyCompanyEmployees\=user,MyCompanySysadmins\=admin,MyCompanySysadmins\=user,
credentialsStore=ACTIVEDIRECTORY
url=ldap\://ad.mycompany.example.com
adminuser=admin@DOMAIN1
adminpassword=#com.ghc.1!b2b312954AC84469E34BA2E5
domain=DOMAIN1
searchBase=OU\=Testing,DC\=DOMAIN1,DC\=domain
userSearchBase=DC\=DOMAIN1,DC\=domain
allGroupsFilter=(objectClass\=group)
groupMappings=MyCompanyEmployees\=user,MyCompanySysadmins\=admin,MyCompanySysadmins\=user,
domain.1=DOMAIN2