Using External Ldap Groups in Harvest

Article ID: 39892

Products

CA Harvest Software Change Manager - OpenMake Meister

Issue/Introduction

CA Harvest SCM has the ability to create its own user groups and manage the memberships of those groups internally.  It also has the ability to leverage user groups and memberships already defined within your LDAP directory.  Harvest refers to groups defined in LDAP as "External" groups.  If you want to use "External" user groups you will need to provide Harvest with information about how to search for External groups within the LDAP directory and how to know which users are members of those groups.

NOTE: In order to be able to make use of External user groups, your Harvest server must already be configured to use the LDAP directory to authenticate some or all of the users of the Harvest software.  The configuration options described here will be added to your "HServer.arg" file.

Background:  

An LDAP directory is a database that can contain directory entries of many different types.  You might find information about users, user groups, computers, buildings, organizational units, and more.  These entries are organized in a tree structure.  In an oversimplified way, it is similar in concept to a file and folder structure on a computer system.  

The configuration of the directory entries for different types of objects is flexible.  When the administrator designs a new LDAP directory, they can choose which types of objects will be included, which fields are included for the different types of objects, and what types of data are stored in each of the fields.

When Harvest has a task that involves an External user group, it connects to the LDAP server using the connection and bind parameters in the HServer.arg file, searches the directory (starting at the configured base DN) for the entry that matches the group filter for the group name of interest, and then reads the membership attribute of that entry to learn which users belong to the group.

Environment

CA Harvest SCM all versions, all platforms

Resolution

To configure CA Harvest SCM to make use of user groups defined on your LDAP server, you will need to provide all of the following information:

-externalgroupenabled - This option lets Harvest know whether external user groups will be used

This value is set to a numeric 0 or 1. If the setting is 0, Harvest will NOT use external user groups. If the setting is 1, Harvest can use both internal and external user groups.

Example:

-externalgroupenabled=1

-ldapgrpfilter - When Harvest searches your LDAP server for a specific group name, this filter decides whether a given entry is the group being looked for.

The LDAP group filter consists of one or more criteria. If more than one criterion is present, they are combined with the logical AND (&) or OR (|) operator. The operator is always written in front of the criteria it combines, as in (&(a=1)(b=2)); this is prefix, or "Polish", notation, and it is the standard LDAP search filter syntax.

In the example below, notice the part in angle brackets, "<exampleAttributeName>". This is a placeholder. When searching the LDAP directory, Harvest substitutes the name of the group it is looking for at that position. The text inside the angle brackets must match the value you give for -ldapattrusrgrpname (described next).

Example:

-ldapgrpfilter=(&(objectclass=ExampleGroupObjectClass)(exampleAttributeName=<exampleAttributeName>))

The above filter states: as each object in the LDAP server is examined, if its objectclass attribute has the value ExampleGroupObjectClass and its exampleAttributeName attribute equals the name of the group being searched for, then the right record has been found. Make the filter narrow enough that exactly one entry matches a given group name; if entries in different parts of the tree carry the same name, the filter (or the -ldapbasedn search base) must be specific enough to distinguish them.

-ldapattrusrgrpname - This option tells Harvest the name of the placeholder (the text inside the angle brackets) used in the -ldapgrpfilter value. It must match that text exactly.

Example:

-ldapattrusrgrpname=exampleAttributeName

-ldapattrusringroup - This option tells Harvest which attribute of an LDAP group entry holds the list of users belonging to that group

Most directory schemas give each group entry a multi-valued attribute listing its members (for example, member in groupOfNames, uniqueMember in groupOfUniqueNames, or memberUid in posixGroup). This value identifies which attribute that is in your directory. Note that the values may be full distinguished names or plain user IDs depending on the schema; the attribute you name here should hold the same form of user reference that the -ldapattrgrpinuser attribute holds for groups.

Example:

-ldapattrusringroup=exampleMemberAttributeName

-ldapattrgrpinuser - This option tells Harvest which attribute of an LDAP user entry holds the list of groups to which that user belongs

Many directories give each user entry an attribute listing the groups the user belongs to (memberOf in Active Directory, for example). This attribute is not guaranteed to exist: in some directories it is an operational attribute that is only maintained when an overlay or feature is enabled, and it may not be returned unless requested explicitly. This value identifies which attribute that is in your directory; confirm with your LDAP administrator that it is actually populated for the user entries Harvest will look up.

Example:

-ldapattrgrpinuser=exampleMemberOfAttributeName

When configuring Harvest to work with External user groups on your LDAP server, add all of these settings to your HServer.arg file. Because that file also holds the LDAP bind DN and its password (-ldapbinddn and -ldapbindpw) in clear text, restrict read access on it to the account that runs the Harvest server, and use a bind account that has read-only access to the user and group entries Harvest needs.
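The following is an added worked example (not code from the article or from CA Harvest) of the lookup the settings above describe: the group name is substituted for the placeholder in -ldapgrpfilter, the resulting filter is evaluated against directory entries, and membership is read from the -ldapattrusringroup attribute of the matched group and cross-checked against the -ldapattrgrpinuser attribute of each user. The directory entries, the attribute names (groupOfNames, member, memberOf) and the CFG values are constructed for the example. The group name is escaped per RFC 4515 before substitution so that a name containing "*", "(" or ")" cannot change the shape of the filter; whether Harvest itself performs such escaping is not stated on the page.

```python
import re

# Constructed sample of the four group-related HServer.arg values
# (assumed attribute names for a groupOfNames directory; not from the article).
CFG = {
    "ldapgrpfilter": "(&(objectclass=groupOfNames)(cn=<cn>))",
    "ldapattrusrgrpname": "cn",
    "ldapattrusringroup": "member",
    "ldapattrgrpinuser": "memberOf",
}

# Constructed in-memory directory: DN -> {attribute name (lower-cased): [values]}.
# The second "developers" entry shows why the objectclass criterion matters.
GROUP_DN = "cn=developers,ou=groups,dc=example,dc=com"
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"
BOB_DN = "uid=bob,ou=people,dc=example,dc=com"
DIRECTORY = {
    GROUP_DN: {"objectclass": ["top", "groupOfNames"], "cn": ["developers"],
               "member": [ALICE_DN, BOB_DN]},
    "cn=developers,ou=devices,dc=example,dc=com": {
        "objectclass": ["top", "device"], "cn": ["developers"]},
    ALICE_DN: {"objectclass": ["inetOrgPerson"], "uid": ["alice"],
               "memberof": [GROUP_DN]},
    BOB_DN: {"objectclass": ["inetOrgPerson"], "uid": ["bob"]},  # no memberOf maintained
}

def escape_filter_value(value):
    """RFC 4515 escaping so a group name cannot alter the filter structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def build_group_filter(cfg, group_name):
    """Substitute the group name for the <placeholder> named by -ldapattrusrgrpname."""
    placeholder = "<%s>" % cfg["ldapattrusrgrpname"]
    if placeholder not in cfg["ldapgrpfilter"]:
        raise ValueError("placeholder %s not present in -ldapgrpfilter" % placeholder)
    return cfg["ldapgrpfilter"].replace(placeholder, escape_filter_value(group_name))

def parse_filter(text):
    """Parse the filter subset used here: (&...), (|...), (!...) and (attr=value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":                # prefix operator, then its operands
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)            # simple (attr=value) criterion
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return tree

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive matching)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    have = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                          # presence test
        return bool(have)
    return _unescape(value).lower() in have

def find_group(directory, cfg, group_name):
    """Return the single DN matching the group filter; anything else is an error."""
    tree = parse_filter(build_group_filter(cfg, group_name))
    hits = [dn for dn, entry in directory.items() if matches(tree, entry)]
    if len(hits) != 1:
        raise LookupError("expected one entry for %r, found %d" % (group_name, len(hits)))
    return hits[0]

def members_of_group(directory, cfg, group_dn):
    return set(directory[group_dn].get(cfg["ldapattrusringroup"].lower(), []))

def groups_of_user(directory, cfg, user_dn):
    return set(directory.get(user_dn, {}).get(cfg["ldapattrgrpinuser"].lower(), []))

def members_without_backlink(directory, cfg, group_dn):
    """Members listed on the group whose own entry does not list the group back."""
    return {m for m in members_of_group(directory, cfg, group_dn)
            if group_dn not in groups_of_user(directory, cfg, m)}

if __name__ == "__main__":
    dn = find_group(DIRECTORY, CFG, "developers")
    print(dn, sorted(members_of_group(DIRECTORY, CFG, dn)))
    print("members with no memberOf back-link:", members_without_backlink(DIRECTORY, CFG, dn))
```

Two things the run shows that the prose alone does not: dropping the objectclass criterion makes "developers" ambiguous (two entries match and find_group refuses to pick one), and the group's member list and the users' memberOf attribute can disagree (bob is a member but carries no back-link), which is why the two attribute settings must describe the same relationship in your directory.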

An example HServer.arg file including these settings might look like this:

-datasource=<data source name>
-fipsmode=0
-authmode=openldap
-ldapmode=none
-mixedauthmode=1
-ldapserver="<ldap server name>"
-ldapport=<ldap port number>
-ldapbinddn="<distinguished name of user to connect to LDAP>"
-ldapbindpw="<password of user to connect to LDAP>"
-ldapfilter="<example filter>"
-ldapattrusrname="<LDAP attribute containing userid>"
-ldapbasedn="<LDAP base distinguished name>"
-externalgroupenabled=1
-ldapgrpfilter=(&(objectclass=ExampleGroupObjectClass)(exampleAttributeName=<exampleAttributeName>))
-ldapattrusrgrpname=exampleAttributeName
-ldapattrusringroup=exampleMemberAttributeName
-ldapattrgrpinuser=exampleMemberOfAttributeName
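As an added example (not code from the article or from CA Harvest), the script below reads an HServer.arg-style argument list and checks the external-group settings for the mistakes the text above warns about: -externalgroupenabled not 0 or 1, a required option missing, unbalanced parentheses in -ldapgrpfilter, or a placeholder that does not match -ldapattrusrgrpname. It assumes the file format shown in the sample above (one -name=value per line, with optional double quotes around the value) and treats -ldapserver and -ldapbasedn as the minimum LDAP connection options; the sample text and all its values are constructed.

```python
import re

# Constructed HServer.arg text in the "-name=value" form of the sample above.
# All values are placeholders for the example, not a real environment.
SAMPLE_HSERVER_ARG = """\
-datasource=HARVESTDB
-fipsmode=0
-authmode=openldap
-ldapmode=none
-mixedauthmode=1
-ldapserver="ldap.example.com"
-ldapport=389
-ldapbinddn="cn=harvest-bind,ou=service,dc=example,dc=com"
-ldapbindpw="REDACTED"
-ldapfilter="<example filter>"
-ldapattrusrname="uid"
-ldapbasedn="dc=example,dc=com"
-externalgroupenabled=1
-ldapgrpfilter=(&(objectclass=groupOfNames)(cn=<cn>))
-ldapattrusrgrpname=cn
-ldapattrusringroup=member
-ldapattrgrpinuser=memberOf
"""

LINE_RE = re.compile(r"^-(?P<name>[A-Za-z0-9_]+)=(?P<value>.*)$")

# Options that must be present when external groups are enabled
# (assumed minimum, taken from the sample file above).
LDAP_OPTS = ("ldapserver", "ldapbasedn")
GROUP_OPTS = ("ldapgrpfilter", "ldapattrusrgrpname",
              "ldapattrusringroup", "ldapattrgrpinuser")

def parse_hserver_arg(text):
    """Return {option name (lower-cased): value} with surrounding quotes removed."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: blank/comment lines are ignored
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        value = m.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts[m.group("name").lower()] = value
    return opts

def check_external_group_config(opts):
    """Return a list of problems; an empty list means the group settings are consistent."""
    problems = []
    enabled = opts.get("externalgroupenabled")
    if enabled not in ("0", "1"):
        problems.append("-externalgroupenabled must be 0 or 1 (got %r)" % enabled)
        return problems
    if enabled == "0":
        return problems                        # external groups off: nothing else to check
    for name in LDAP_OPTS + GROUP_OPTS:
        if not opts.get(name):
            problems.append("-%s is required when external groups are enabled" % name)
    if problems:
        return problems
    flt = opts["ldapgrpfilter"]
    if not flt.startswith("(") or flt.count("(") != flt.count(")"):
        problems.append("-ldapgrpfilter parentheses are unbalanced")
    placeholders = re.findall(r"<([^<>]+)>", flt)
    if placeholders != [opts["ldapattrusrgrpname"]]:
        problems.append("-ldapgrpfilter must contain exactly one placeholder <%s>; found %s"
                        % (opts["ldapattrusrgrpname"], placeholders))
    return problems

if __name__ == "__main__":
    for problem in check_external_group_config(parse_hserver_arg(SAMPLE_HSERVER_ARG)) or ["OK"]:
        print(problem)
```

The placeholder comparison is exact rather than case-insensitive: LDAP attribute names are case-insensitive, but the placeholder is literal text that Harvest replaces, so the two values should be typed identically to be safe.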

 

Additional Information

NOTE: The example values above will most likely not be the same as the actual values you should use in your environment when configuring Harvest to work with your LDAP directory. Please contact your LDAP Administrator to obtain the actual values that will work in your LDAP directory environment. Before editing HServer.arg, it is worth confirming with an LDAP client query (for example ldapsearch, using the same bind account) that the chosen group filter returns exactly one entry for a known group and that the membership attribute on that entry is populated.