LDAP and eDirectory Settings

Use the LDAP Settings page to configure LOM to connect to an LDAP server.

You can select the LDAP groups that can log in to LOM.

This page shows these details:

  • Whether an LDAP or eDirectory server is enabled for LOM

  • LDAP groups that can log in to LOM

  • Privilege level for each LDAP group

Authentication Workflow

When a user tries to log in to LOM, the first successful authentication for the username and password is used.

This is the order for authentication:

  1. LOM internal user database

  2. LDAP Role group 1

  3. LDAP Role groups 2 - 5

For example, suppose LDAP Role group 1 has User privileges and LDAP Role group 3 has Administrator privileges. If John Smith is a member of both groups, he can log in to LOM only with User privileges, because group 1 is checked first and its successful authentication is the one that is used.
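The following is an added example, not Check Point's code, that simulates the authentication order described above: the internal user database first, then role group 1, then role groups 2 to 5, with the first successful authentication deciding the privilege. The internal database, the five role group slots, the directory entries, the user names, DNs and passwords are all constructed sample data; the lookup logic assumes that a role group authenticates a user only when the user's entry lies under the group's search base and the entry is a member of the LDAP group whose cn equals the Role Group Name.

```python
"""Simulation of the LOM authentication order (added example, not product code).
All names, DNs and passwords below are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Stand-in for however the real internal database stores credentials
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class RoleGroup:
    name: str          # must equal the cn of the group on the LDAP server
    search_base: str   # node under which the user entry must exist
    privilege: str     # LOM privilege assigned to members of this group


@dataclass
class Entry:
    dn: str
    password: str          # clear text only because this is a simulation
    member_of: List[str]   # cn of each LDAP group the entry belongs to


def _rdns(dn: str) -> List[str]:
    # Normalise a DN into lowercase RDNs (the sample DNs contain no escaped commas)
    return [part.strip().lower() for part in dn.split(",")]


def under_base(dn: str, base: str) -> bool:
    """True when dn lies at or below base in the directory tree."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


class Lom:
    def __init__(self, role_groups: List[Optional[RoleGroup]], directory: List[Entry]):
        assert len(role_groups) == 5, "LOM has role group slots 1..5"
        self.role_groups = role_groups      # index 0 is Role group 1, index 4 is Role group 5
        self.directory = directory
        self.internal: Dict[str, Tuple[bytes, bytes, str]] = {}

    def add_internal_user(self, username: str, password: str, privilege: str) -> None:
        salt = os.urandom(16)
        self.internal[username] = (salt, _pbkdf2(password, salt), privilege)

    def _ldap_bind(self, group: RoleGroup, username: str, password: str) -> bool:
        # Find the user entry under the group's search base, check group membership,
        # then simulate binding as that user with the supplied password
        for e in self.directory:
            if _rdns(e.dn)[0] == f"uid={username.lower()}" and under_base(e.dn, group.search_base):
                return group.name in e.member_of and hmac.compare_digest(e.password, password)
        return False

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the privilege of the first successful authentication, or None."""
        # 1. LOM internal user database
        if username in self.internal:
            salt, digest, privilege = self.internal[username]
            if hmac.compare_digest(_pbkdf2(password, salt), digest):
                return privilege
        # 2. Role group 1, then 3. Role groups 2 to 5: first success wins
        for group in self.role_groups:
            if group is not None and self._ldap_bind(group, username, password):
                return group.privilege
        return None


def build_sample_lom() -> Lom:
    """Constructed configuration: group 1 grants User, group 3 grants Administrator."""
    groups: List[Optional[RoleGroup]] = [
        RoleGroup("lom-users", "ou=user,ou=login,dc=domain,dc=com", "User"),             # slot 1
        None,                                                                             # slot 2 unused
        RoleGroup("lom-admins", "ou=user,ou=login,dc=domain,dc=com", "Administrator"),   # slot 3
        None,                                                                             # slot 4 unused
        None,                                                                             # slot 5 unused
    ]
    directory = [
        Entry("uid=jsmith,ou=user,ou=login,dc=domain,dc=com", "Passw0rd!", ["lom-users", "lom-admins"]),
        Entry("uid=adoe,ou=user,ou=login,dc=domain,dc=com", "Adm1n!", ["lom-admins"]),
        # Member of the admin group but outside the role group's search base
        Entry("uid=outsider,ou=contractor,dc=domain,dc=com", "x", ["lom-admins"]),
    ]
    lom = Lom(groups, directory)
    # Same username as the directory entry, different password and privilege
    lom.add_internal_user("jsmith", "LocalOnly1", "Administrator")
    return lom


if __name__ == "__main__":
    lom = build_sample_lom()
    print(lom.authenticate("jsmith", "Passw0rd!"))    # User: group 1 wins over group 3
    print(lom.authenticate("jsmith", "LocalOnly1"))   # Administrator: internal database wins
    print(lom.authenticate("outsider", "x"))          # None: entry is outside the search base
```

The John Smith case from the text is `jsmith` with the LDAP password: both group 1 (User) and group 3 (Administrator) would accept him, and the result is User because group 1 is tried first. The same username with the internal database password is resolved before any LDAP group is consulted, and an entry outside a role group's search base never authenticates through that group even when it is a member of the LDAP group.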

Configuring an LDAP Server

Use the LDAP Configuration Page to configure LOM to connect to an LDAP server. You can select the LDAP groups that can log in to LOM.

You can also configure TLS to encrypt the connection between LOM and the LDAP server.

Note - The LDAP settings in this guide are based on the OpenLDAP standard. Some of the details can be different for other LDAP standards.


To configure authentication from an LDAP server:

  1. For TLS encryption, do these steps:

    1. On the LDAP server, create these files:

      • CA certificate

      • Client certificate

      • Client key

    2. Log in to LOM.

  2. Make sure that the NTP settings of LOM match those of the LDAP server. See NTP Settings.

  3. Select Configuration > LDAP/E-Directory.

    The LDAP/E-Directory Settings window opens.

  4. Click Advanced Settings.

    The Advanced LDAP/E-Directory Settings window opens.

  5. Enter the settings for the LDAP server.

  6. For TLS encryption, configure these settings:

    1. From Enable TLS, select Enable.

    2. Select FQDN or IP Address. For FQDN, enter the FQDN of the LDAP server.

    3. Click Choose File to upload each certificate file and the private key.

  7. Click Save.

    Note: If you change the Advanced LDAP settings, you might have to log in to the Portal again.

Fields:

  LDAP/E Directory Authentication
    When selected, enables LDAP groups to log in to LOM.

  IP Address
    IP address of the LDAP server.

  Port
    Port of the LDAP server. The default port is 389.

  Bind DN
    DN of the user that LOM binds with. Make sure that this user has the permissions required to read the groups and users that log in to LOM.
    Sample format for the DN:
    cn=manager,ou=login,dc=domain,dc=com

  Password
    Password of the bind user.

  Search Base
    The node in the directory tree from which the search starts. You can start the query from an OU or from the root.
    Samples for the Search Base:
      • ou=user,ou=login,dc=domain,dc=com
      • dc=sampledomain,dc=com

  Enable TLS
    When selected, enables the TLS (Transport Layer Security) LDAP extension, which encrypts the connection between LOM and the LDAP server.

  Common Name Type
    Select whether the CN in the server certificate is the IP address or the FQDN (Fully Qualified Domain Name) of the LDAP server.

  FQDN
    For certificates whose CN is an FQDN, enter the FQDN of the LDAP server.

  Current CA Certificate File
    Shows the date when the CA certificate was uploaded to the LDAP server. If this field is empty, the LDAP server does not have a CA certificate for LOM.

  CA Certificate File
    Click Browse to install the CA certificate file for the LDAP server.

  Current Certificate File
    Shows the date when the certificate file was uploaded to the LDAP server. If this field is empty, the LDAP server does not have a certificate for LOM.

  Certificate File
    Click Browse to install the certificate for the LDAP server.

  Current Private Key
    Shows the date when the private key file was uploaded to the LDAP server. If this field is empty, the LDAP server does not have a private key for LOM.

  Private Key
    Click Browse to install the private key for the LDAP server.
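The Common Name Type and FQDN fields only work if they agree with the name that is actually in the LDAP server certificate. The following added example, which is not Check Point's code, checks that consistency before the settings are saved. It assumes that LOM verifies the server certificate against the configured IP address or FQDN, and it works on a constructed certificate in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns; the certificates, names and addresses are sample data, not real ones.

```python
"""Consistency check between the Common Name Type / FQDN settings and the
LDAP server certificate (added example, not product code)."""
import ipaddress
from typing import Dict, List, Tuple


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost '*' label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # Only "*.example.com" style wildcards, never "*" for a whole domain
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def _cert_names(cert: Dict) -> Tuple[List[str], List[str]]:
    """Return (dns_names, ip_names) from the SAN, falling back to the subject CN."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        # Legacy certificate without SAN: the CN may hold either an FQDN or an IP
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    try:
                        ipaddress.ip_address(value)
                        ips.append(value)
                    except ValueError:
                        dns.append(value)
    return dns, ips


def check_common_name_type(cn_type: str, ip_address: str, fqdn: str, cert: Dict) -> Tuple[bool, str]:
    """Return (ok, reason) for the LOM settings against the server certificate."""
    dns_names, ip_names = _cert_names(cert)
    if cn_type == "IP Address":
        try:
            want = ipaddress.ip_address(ip_address)
        except ValueError:
            return False, f"{ip_address!r} is not a valid IP address"
        if any(ipaddress.ip_address(i) == want for i in ip_names):
            return True, f"certificate carries the IP address {ip_address}"
        return False, f"certificate has no entry for {ip_address}; names present: {dns_names + ip_names}"
    if cn_type == "FQDN":
        if not fqdn:
            return False, "FQDN is required when Common Name Type is FQDN"
        if any(_dns_match(p, fqdn) for p in dns_names):
            return True, f"certificate matches {fqdn}"
        return False, f"certificate does not match {fqdn}; DNS names present: {dns_names}"
    return False, f"unknown Common Name Type {cn_type!r}"


# Constructed sample certificates (not real): one with SANs, one legacy CN-only certificate
SAN_CERT = {
    "subject": ((("commonName", "ldap.domain.com"),),),
    "subjectAltName": (
        ("DNS", "ldap.domain.com"),
        ("DNS", "*.ldap.domain.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
CN_ONLY_IP_CERT = {"subject": ((("commonName", "192.0.2.10"),),)}


if __name__ == "__main__":
    for args in (("FQDN", "192.0.2.10", "ldap.domain.com", SAN_CERT),
                 ("IP Address", "192.0.2.10", "", SAN_CERT),
                 ("FQDN", "192.0.2.10", "ldap.domain.com", CN_ONLY_IP_CERT)):
        print(args[0], check_common_name_type(*args))
```

Selecting FQDN against a certificate whose only name is an IP address fails, as does selecting IP Address against a certificate that carries only DNS names, which is the kind of mismatch that shows up as a TLS failure when LOM next tries to bind.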

Adding or Modifying an LDAP Group

After you configure the LDAP server, you can create or modify role groups from the LDAP server for LOM authentication.

The Role Group Search Base defines the node that LOM queries to authenticate a LOM user.

LOM queries each role group in order and uses the first successful authentication for a user.


To add or modify a role group:

  1. Select Configuration > LDAP/E-Directory.

  2. Select the Role Group ID and click Add Role Group or Modify Role Group.

    The Role Group window opens.

  3. Configure the settings.

    Role Group Name
      Name for the group. Cannot contain blank spaces.
      Note: The Role Group Name must be the same as the group name setting on the LDAP server.

    Role Group Search Base
      The node in the directory tree from which the search starts. You can start the query from an OU or from the root.
      Samples for the Search Base:
        • ou=user,ou=login,dc=domain,dc=com
        • dc=sampledomain,dc=com

    Role Group Privilege
      Select the LOM privilege that is assigned to the users in this group. See Users and Privileges.

  4. Click Add or Modify.

Deleting an LDAP Group

  1. Select Configuration > LDAP/E-Directory.

  2. Select a role group and click Delete Role Group. A confirmation window opens.

  3. Click OK.

    The role group is deleted.