Description:

Q1: What is the minimum level of access that the LDAP search user needs?

Q2: Why doesn't CA PPM bind to LDAP with the credentials supplied by the user attempting to log in?

Q3: Does CA PPM need to pull LDAP information before the user logs in?

Solution:

Q1: What is the minimum level of access that the LDAP search user needs?

A1: Read

Q2: Why doesn't CA PPM bind to LDAP with the credentials supplied by the user attempting to log in?

A2: Following high-level steps in our application may explain why we use a separate search user:

Authentication

1. Bind to LDAP using search user credentials.
2. Search for the user who is attempting to log in (In order to do this we must bind with LDAP server first with a specific user's credential. See step #1)
3. If the search for the user is successful then
4. We bind to LDAP server using user's (who is attempting to login) credentials.
5. If the bind is successful then we user's authentication is successful.

Synchronization

1. Bind to LDAP using search user credentials.
2. Search for the new/modified/inactive users and/or search for the group. (In order to do this we must bind with LDAP server first. See step #1)
3. Once we get any results back then we appropriately inactivate/add/update the user record in the application.

Q3: Does CA PPM need to pull LDAP information before the user logs in?

A3: No.

We don't pull any information for the user from LDAP before the user logs in. When a user logs in to the application, all we do is bind the username/password with LDAP server (as explained above) and if the bind is successful then we let user in the application.

Reference CA PPM LDAP Configuration and Troubleshooting Guide