Additional information to what we provide in our documentation for LDAP setup with DevTest

Article ID: 275954

Updated On:

Products

Service Virtualization

Issue/Introduction

This is additional information to what we provide in our documentation for LDAP setup with DevTest. 

Most fields have a tooltip (the ? icon next to each field) explaining what value should be provided. 

The LDAP admin should give you the required values for each field.

Environment

All supported DevTest releases

Cause

N/A

Resolution

User Federation Settings 

Enabled - If the provider is disabled it will not be considered for queries, and users imported from it will be disabled and read-only until the provider is enabled again.

Values: ON or OFF (default is ON)


Console Display Name - Display name of the provider as shown in the admin console.  

Value: Can be any name.


Priority - Priority of the provider when doing a user lookup.  Lowest value first.

Values: 0 is consulted first, then 1, 2, and so on; the range depends on the number of providers configured.


Vendor - LDAP vendor (provider)

Values: 
Active Directory - Microsoft's LDAP directory.
Red Hat Directory Server - Red Hat's LDAP directory.
Tivoli - IBM's LDAP directory.
Novell eDirectory - Novell's LDAP directory.
Other - Any other (custom) LDAP server.


Username LDAP Attribute - Name of the LDAP attribute that is mapped to the Identity and Access Manager username. For many LDAP server vendors it is 'uid'. For Active Directory it is usually 'sAMAccountName' or 'cn'. The attribute must be populated on every LDAP record you want to import from LDAP into Identity and Access Manager.

Value: Your LDAP Admin can tell you what value should be used here. (default is cn (Common Name))


RDN LDAP Attribute - The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object; which attribute forms it is set by the schema administrator. Usually it is the same as the Username LDAP Attribute, but this is not required. For example, for Active Directory it is common to use 'cn' as the RDN attribute while the username attribute is 'sAMAccountName'.

Value: Your LDAP Admin can tell you what value should be used here. (default is cn)


UUID LDAP Attribute - Name of the LDAP attribute that holds a server-assigned Universally Unique Identifier (UUID) for the entry. For many LDAP server vendors it is 'entryUUID', but some differ; for Active Directory it should be 'objectGUID'. If your LDAP server really does not support the notion of a UUID, you can use any other attribute that is guaranteed to be unique among the LDAP users in the tree, for example 'uid' or 'entryDN'.

Value: Your LDAP Admin can tell you what value should be used here. (default is objectGUID)


User Object Classes - Object classes define the "type" of an LDAP object, in other words the set of mandatory and optional attributes the object can have. Enter all values of the LDAP objectClass attribute for users, separated by commas. Newly created Identity and Access Manager users are written to LDAP with all of these object classes, and existing LDAP user records are found only if they contain all of them.

Value: Your LDAP Admin can tell you what value should be used here. (default are person, organizationalPerson, user)


Connection URL - Connection URL to your LDAP server, for example ldap://host:389 or ldaps://host:636.

Value: Your LDAP Admin can tell you what value should be used here. 

NOTE: If connecting via ldaps (LDAP over TLS) you must import the LDAP server's certificate into iam-truststore.ks (and, as of SP3, also into the JDK's cacerts). Otherwise the JVM rejects the TLS handshake and the provider cannot connect. The stores are located in the following folders depending on the version of DevTest you are running:

DEVTEST_HOME/IdentityAccessManager/certs

DEVTEST_HOME/IdentityAccessManager/jdk/lib/security  (if SP3 is applied)
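The certificate import the note describes, as an added example (not DevTest tooling): it fetches the certificate an ldaps:// server presents, adds it to each truststore listed above with keytool, then verifies a TLS handshake against it. The host, DevTest home and the iam-truststore.ks password are assumed inputs supplied by the caller; 'changeit' is the JDK's default cacerts password.

```python
"""Trust an ldaps:// LDAP server in the Identity and Access Manager truststores
the article names, then confirm the TLS handshake succeeds with that trust.
Added example, not DevTest tooling; the iam-truststore.ks password is assumed
to be supplied by the caller, 'changeit' is the JDK default for cacerts."""
import os
import socket
import ssl
import subprocess
import sys

def truststore_paths(devtest_home, sp3_applied):
    """Keystores that must contain the server certificate (per the article)."""
    iam = os.path.join(devtest_home, "IdentityAccessManager")
    paths = [os.path.join(iam, "certs", "iam-truststore.ks")]
    if sp3_applied:                       # SP3 also makes the bundled JDK's cacerts relevant
        paths.append(os.path.join(iam, "jdk", "lib", "security", "cacerts"))
    return paths

def fetch_server_cert_pem(host, port=636):
    """PEM of the leaf certificate the server presents (no validation at this point)."""
    return ssl.get_server_certificate((host, port))

def keytool_import_cmd(keystore, storepass, alias, pem_path):
    """keytool (ships with the JDK) command that adds a trusted certificate entry."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-keystore", keystore, "-storepass", storepass,
            "-alias", alias, "-file", pem_path]

def verify_ldaps_handshake(host, port, cafile):
    """Validate chain and hostname against `cafile` as a client would; returns the TLS version."""
    ctx = ssl.create_default_context(cafile=cafile)
    # cafile may hold the leaf cert rather than a CA; accept a chain ending there (Python 3.10+)
    if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):
        ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()

def import_ldap_cert(host, port, devtest_home, sp3_applied, passwords, alias="ldap-server"):
    """Fetch, import into each truststore, then verify. `passwords` maps keystore
    file name -> store password, e.g. {"iam-truststore.ks": "...", "cacerts": "changeit"}."""
    pem_path = f"{alias}.pem"
    with open(pem_path, "w") as f:
        f.write(fetch_server_cert_pem(host, port))
    for ks in truststore_paths(devtest_home, sp3_applied):
        cmd = keytool_import_cmd(ks, passwords[os.path.basename(ks)], alias, pem_path)
        subprocess.run(cmd, check=True)
    return verify_ldaps_handshake(host, port, pem_path)

if __name__ == "__main__":
    # usage: python import_ldap_cert.py <ldap host> <port> <DEVTEST_HOME> <iam-truststore.ks password> [sp3]
    host, port, home, iam_pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    print(import_ldap_cert(host, port, home, "sp3" in sys.argv[5:],
                           {"iam-truststore.ks": iam_pw, "cacerts": "changeit"}))
```

ssl.get_server_certificate performs no validation, so this is trust-on-first-use: compare the fetched certificate's fingerprint with what the LDAP admin gives you, or import the issuing CA certificate they supply instead, which also survives server certificate renewal. A JVM reads its truststores at startup, so restart Identity and Access Manager after the import.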


Users DN - Full DN of the LDAP subtree where your users are. This DN is the parent of the LDAP user entries.

Value: Your LDAP Admin can tell you what value should be used here. 


Authentication Type - LDAP authentication type. 'none' binds anonymously; 'simple' binds with the Bind DN and Bind Credential below. A simple bind sends that password in cleartext, so use it only with an ldaps:// Connection URL.

Value: none or simple (default is simple)


Bind DN - DN of the LDAP account that Identity and Access Manager binds as to access the LDAP server. A read-only service account is sufficient unless users are to be written back to LDAP.

Value: Your LDAP Admin can tell you what value should be used here. 


Bind Credential - Password of Bind DN.

Value: Your LDAP Admin can tell you what value should be used here. 


Custom User LDAP Filter - Additional LDAP filter applied when searching for users.  Leave this empty if you do not need an additional filter. Make sure it starts with ( and ends with ).

Value: Your LDAP Admin can tell you what value should be used here if a filter is required.


Connection Timeout - LDAP connection timeout in milliseconds.

Value: Your LDAP Admin can tell you what value should be used here if required.


Read Timeout - LDAP read timeout in milliseconds. The timeout applies to LDAP read operations.

Value: Your LDAP Admin can tell you what value should be used here if required.


Default Role - DevTest default role assigned to the LDAP users.  This applies when you have not mapped any groups to roles.

Values: DevTest Roles or any custom roles defined.


Allow Kerberos authentication - Enables/disables HTTP authentication of users with SPNEGO/Kerberos tokens (single sign-on). Data about authenticated users is provisioned from this LDAP server.

 

User Federation Group Settings 

LDAP Groups DN - LDAP DN under which the groups of this tree are stored, for example 'ou=groups,dc=example,dc=org'.

Value: Your LDAP Admin can tell you what value should be used here.  

Group Name LDAP Attribute - Name of the LDAP attribute used in group objects for the group name and RDN. Usually it will be cn.

Value: Your LDAP Admin can tell you what value should be used here.  

Group Object Classes - Object class (or classes) of the group object, comma-separated if more than one is needed.  In a typical LDAP deployment it could be 'groupOfNames'. In Active Directory it is usually 'group'.

Value: Your LDAP Admin can tell you what value should be used here.  


Membership LDAP Attribute - Name of the LDAP attribute on the group that is used for membership mappings. Usually it will be 'member'. However, when 'Membership Attribute Type' is UID, the Membership LDAP Attribute is typically memberUid.

Value: Your LDAP Admin can tell you what value should be used here.  


Membership Attribute Type - DN means the LDAP group declares its members by their full DN, for example 'member=uid=john,ou=users,dc=example,dc=com'. UID means the LDAP group declares its members by plain user uid, for example 'memberUid=john'.

Value: Your LDAP Admin can tell you what value should be used here.  


Membership User LDAP Attribute - Used only if Membership Attribute Type is UID.  It is the name of the LDAP attribute on the user entry that is used for membership mappings; usually it will be 'uid'. 

Value: Your LDAP Admin can tell you what value should be used here.  


LDAP Filter - Additional custom filter added to the whole query for retrieving LDAP groups. Leave this empty if no additional filtering is needed and you want to retrieve all groups from LDAP. Otherwise, make sure the filter starts with "(" and ends with ")". For example (|(cn=Team-SV*)(cn=*DevTest*)) imports the groups whose name starts with Team-SV or contains DevTest.  This is useful if you have thousands of groups and want to limit the search for LDAP groups.

Value: Your LDAP Admin can tell you what value should be used here.  
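As an added example (not DevTest or Identity and Access Manager code), the following checks the "starts with ( and ends with )" rule for both the Custom User LDAP Filter above and this group LDAP Filter, then evaluates such filters against constructed entries: the article's group example, and a user filter restricted by group membership. It goes one step beyond the page by showing why an Active Directory user filter should also include (objectCategory=person): computer accounts carry objectClass 'user' too. The evaluator covers only the filter subset these examples use.

```python
"""Check the article's syntax rule for Custom User LDAP Filter and the group
LDAP Filter (one expression that starts with '(' and ends with ')') and
evaluate such filters against constructed entries to see what an import would
select. Added example: evaluator, entries and names are not DevTest code."""
import re

def check_filter_syntax(flt):
    """None if `flt` is empty or one balanced (...) expression, else a message."""
    if flt == "":
        return None                                   # empty = no additional filter
    if not (flt.startswith("(") and flt.endswith(")")):
        return "filter must start with '(' and end with ')'"
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return f"unbalanced ')' at offset {i}"
            if depth == 0 and i != len(flt) - 1:
                return "must be one expression, e.g. (&(a=1)(b=2)) not (a=1)(b=2)"
    return None if depth == 0 else "unbalanced '('"

def parse_filter(flt):
    """Parse the RFC 4515 subset the article's examples use: (attr=value) with
    '*' wildcards, combined by (&...), (|...) and (!...)."""
    problem = check_filter_syntax(flt)
    if problem:
        raise ValueError(problem)
    pos = 0

    def node():
        nonlocal pos
        pos += 1                                      # consume '('
        op = flt[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while flt[pos] == "(":
                kids.append(node())
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one filter")
            result = (op, kids)
        else:
            end = flt.index(")", pos)
            attr, eq, value = flt[pos:end].partition("=")   # split on the first '=' only: values may be DNs
            if not eq or not re.fullmatch(r"[A-Za-z][\w.;-]*", attr):
                raise ValueError(f"expected attr=value at offset {pos}")
            result = ("=", attr.lower(), value)       # attribute names are case-insensitive
            pos = end
        pos += 1                                      # consume ')'
        return result

    return node()

def matches(tree, entry):
    """Evaluate a parsed filter against one entry ({attr: [values]}, lower-case keys)."""
    op = tree[0]
    if op == "=":
        _, attr, pattern = tree
        # '*' is the only wildcard; cn, memberOf etc. match case-insensitively on most servers
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))
    kids = tree[1]
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)

def select_entries(flt, entries, name_attr):
    """Names (first value of `name_attr`) of the entries the filter keeps, in input order."""
    tree = parse_filter(flt)
    kept = []
    for entry in entries:
        norm = {k.lower(): v for k, v in entry.items()}
        if matches(tree, norm):
            kept.append(norm[name_attr.lower()][0])
    return kept

# Constructed sample entries (not from a real directory). objectCategory is shown with the
# short name AD accepts in filters rather than the full schema DN it actually stores.
GROUPS = [{"cn": [n], "objectClass": ["group"]} for n in
          ["Team-SV-Admins", "Team-SV-Users", "DevTest Developers", "Finance",
           "team-sv-ops", "SVTeam-Archive"]]
TEAM_SV_USERS = "cn=Team-SV-Users,ou=groups,dc=example,dc=org"
_USER = {"objectClass": ["person", "organizationalPerson", "user"], "objectCategory": ["person"]}
USERS = [
    dict(_USER, sAMAccountName=["alice"], memberOf=[TEAM_SV_USERS]),
    dict(_USER, sAMAccountName=["bob"], memberOf=["cn=Finance,ou=groups,dc=example,dc=org"]),
    dict(_USER, sAMAccountName=["carol"], memberOf=[TEAM_SV_USERS.upper()]),   # server may vary case
    # an AD computer account also carries objectClass 'user'
    {"objectClass": ["person", "organizationalPerson", "user", "computer"],
     "objectCategory": ["computer"], "sAMAccountName": ["build01$"], "memberOf": [TEAM_SV_USERS]},
]
GROUP_FILTER = "(|(cn=Team-SV*)(cn=*DevTest*))"                       # the article's example
NAIVE_USER_FILTER = f"(&(objectClass=user)(memberOf={TEAM_SV_USERS}))"   # also imports build01$
USER_FILTER = f"(&(objectCategory=person)(objectClass=user)(memberOf={TEAM_SV_USERS}))"
```

select_entries(GROUP_FILTER, GROUPS, "cn") keeps Team-SV-Admins, Team-SV-Users, DevTest Developers and team-sv-ops (cn matches case-insensitively), and NAIVE_USER_FILTER admits the computer account that USER_FILTER excludes.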


User Groups Retrieve Strategy - Specify how to retrieve the groups of a user.

Values: 
LOAD_GROUPS_BY_MEMBER_ATTRIBUTE - the groups of the user are retrieved by sending an LDAP query for all groups whose 'member' attribute contains the user.
GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE - the groups of the user are retrieved by sending an LDAP query for the 'memberof' attribute of the user.
LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY - the groups of the user are retrieved recursively, nested groups included, using the LDAP_MATCHING_RULE_IN_CHAIN LDAP extension.

Your LDAP Admin can tell you what value should be used here.  Most times it will be LOAD_GROUPS_BY_MEMBER_ATTRIBUTE.


Member-Of LDAP Attribute - Used only when 'User Groups Retrieve Strategy' is GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE. It specifies the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Usually it will be 'memberof'.
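The membership attribute types and retrieve strategies above, worked as an added example over a constructed in-memory directory (illustrative data, not DevTest or Identity and Access Manager code): the same user is resolved with each strategy so the differences show, in particular that memberOf and the plain member lookup return only direct groups, while the recursive strategy also finds the group that contains one of the user's groups. A second user is a member only via memberUid, so the DN-based lookup finds nothing for her.

```python
"""Resolve a user's groups the three ways the User Groups Retrieve Strategy
values describe, plus the DN vs UID membership attribute types, against a
constructed in-memory directory. Added example; the entries, names and the
nesting are illustrative, not DevTest or Identity and Access Manager code."""
from collections import deque

def norm_dn(dn):
    """DNs compare case-insensitively; also drop spaces after the commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def rdn_value(dn):
    """Group name = value of the first RDN (the article's Group Name LDAP Attribute)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

# Constructed sample directory: DN -> attributes, every value a list as in LDAP
DIRECTORY = {
    "uid=john,ou=users,dc=example,dc=org": {
        "objectClass": ["person", "organizationalPerson", "user"], "uid": ["john"],
        # memberOf lists direct memberships only, as an AD-style back-link does
        "memberOf": ["cn=DevTest-Users,ou=groups,dc=example,dc=org",
                     "cn=SV-Admins,ou=groups,dc=example,dc=org"]},
    "uid=jane,ou=users,dc=example,dc=org": {
        "objectClass": ["person", "organizationalPerson", "user"], "uid": ["jane"]},
    "cn=DevTest-Users,ou=groups,dc=example,dc=org": {
        "objectClass": ["group"], "cn": ["DevTest-Users"],
        "member": ["UID=john,OU=users,DC=example,DC=org"]},      # mixed case on purpose
    "cn=SV-Admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["group"], "cn": ["SV-Admins"],
        "member": ["uid=john,ou=users,dc=example,dc=org"]},
    "cn=All-Engineering,ou=groups,dc=example,dc=org": {          # nested: its member is a group
        "objectClass": ["group"], "cn": ["All-Engineering"],
        "member": ["cn=DevTest-Users,ou=groups,dc=example,dc=org"]},
    "cn=sv-ops,ou=groups,dc=example,dc=org": {                   # UID-style membership
        "objectClass": ["posixGroup"], "cn": ["sv-ops"], "memberUid": ["jane"]},
}

def groups_containing(directory, value, membership_attr):
    """DNs of entries whose membership attribute lists `value` (case-insensitive)."""
    target = norm_dn(value)
    return [dn for dn, entry in directory.items()
            if any(norm_dn(v) == target for v in entry.get(membership_attr, []))]

def load_groups_by_member_attribute(directory, user_dn, membership_attr="member"):
    """LOAD_GROUPS_BY_MEMBER_ATTRIBUTE: one query, groups where member=<user DN>."""
    return sorted(rdn_value(g) for g in groups_containing(directory, user_dn, membership_attr))

def load_groups_by_member_uid(directory, user_dn, membership_attr="memberUid", user_attr="uid"):
    """Membership Attribute Type = UID: compare the user's uid value, not the DN."""
    uid = directory[user_dn][user_attr][0]
    return sorted(rdn_value(g) for g in groups_containing(directory, uid, membership_attr))

def get_groups_from_user_memberof(directory, user_dn, memberof_attr="memberOf"):
    """GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE: read the user's back-link; direct groups only."""
    return sorted(rdn_value(g) for g in directory[user_dn].get(memberof_attr, []))

def load_groups_by_member_attribute_recursively(directory, user_dn, membership_attr="member"):
    """LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY: follow group-in-group nesting.
    AD does this server-side with the LDAP_MATCHING_RULE_IN_CHAIN extension
    (member:1.2.840.113556.1.4.1941:=<user DN>); here it is a breadth-first walk."""
    found, queue = {}, deque([user_dn])
    while queue:
        for g in groups_containing(directory, queue.popleft(), membership_attr):
            if norm_dn(g) not in found:
                found[norm_dn(g)] = rdn_value(g)
                queue.append(g)
    return sorted(found.values())

STRATEGIES = {
    "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE": load_groups_by_member_attribute,
    "GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE": get_groups_from_user_memberof,
    "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY": load_groups_by_member_attribute_recursively,
}

def resolve_groups(strategy, user_dn, directory=DIRECTORY):
    """Dispatch on the strategy name exactly as it appears in the settings."""
    return STRATEGIES[strategy](directory, user_dn)

if __name__ == "__main__":
    john = "uid=john,ou=users,dc=example,dc=org"
    for name in STRATEGIES:
        print(name, resolve_groups(name, john))
    print("jane via memberUid:", load_groups_by_member_uid(DIRECTORY, "uid=jane,ou=users,dc=example,dc=org"))
```

For john the first two strategies return DevTest-Users and SV-Admins only; the recursive one adds All-Engineering. If a role mapping depends on a group that contains the user's group rather than the user directly, only the recursive strategy (or a server that expands nesting itself) will grant it.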