Bookshelf Home | Contents | Index | Search | PDF

Siebel Analytics Server Administration Guide > Security > Security Manager >

Importing Users and Groups from LDAP

---

If your organization uses Lightweight Directory Access Protocol (LDAP), you can import your existing LDAP users and groups to a repository. Once imported, all normal Siebel Analytics Server user and group functions are available. You can resynchronize your imported list at any time.

You can also authenticate against LDAP as an external source. When you do this, users are not imported into the repository. Users are authenticated, and their group privileges determined, when they log on. For more information about using LDAP authentication, see LDAP Authentication.

This section includes the following topics:

Configuring an LDAP Server
Importing Users from LDAP
Synchronizing Users and Groups with LDAP

NOTE:  If a user exists in both the repository and in LDAP, the local repository user definition takes precedence. This allows the Siebel Analytics Server administrator to reliably override users that exist in an external security system.

Configuring an LDAP Server

The following procedure explains how to configure LDAP authentication for the repository.

NOTE:  The Siebel Analytics Server uses clear text passwords in LDAP authentication. Make sure your LDAP Servers are set up to allow this.

To configure LDAP authentication for the repository

Open a repository in the Siebel Analytics Server Administration Tool in offline or online mode.
Display the security window by selecting Manage > Security.
Select Action > New > LDAP Server. Alternatively, you can select LDAP Servers in the tree in the left pane, right-click on white space in the right pane, and select New LDAP Server from the context-sensitive (right-click) menu.
Enter the information requested in the LDAP Server Initialization Block dialog box.
Host name. The name of your LDAP server.
Port number. The default LDAP port is 389.
LDAP version. LDAP 2 or LDAP 3. The default is LDAP 3.
Base DN. The base distinguished name (DN) identifies the starting point of the authentication search. For example, if you want to search all of the entries under the o=Siebel.com subtree of the directory, o=Siebel.com is the base DN.
Bind DN and Bind Password. The optional DN and associated user password required to bind to the LDAP server.

If these two entries are left blank, then anonymous binding is assumed. For security reasons, not all LDAP servers allow anonymous binding.

These fields are optional for LDAP V3, but required for LDAP V2, because LDAP V2 does not support anonymous binding.

Test Connection. Use this button to verify your parameters by testing the connection to the LDAP server.
Click the Advanced tab, and enter the requested information.

NOTE:  The Siebel Analytics Server maintains an authentication cache in memory, which improves performance when using LDAP to authenticate large numbers of users. Disabling the authentication cache can slow performance when hundreds of sessions are being authenticated.

Connection timeout. When the Administration Tool is connecting to an LDAP server for import purposes or the Siebel Analytics Server is connecting to an LDAP server for user authentication, the connection will time out after this interval.
Cache refresh interval. The interval at which the authentication cache entry for a logged on user will be refreshed.
Number of Cache Entries. The maximum number of entries in the authentication cache, preallocated at Siebel Analytics Server startup time. If the number of users exceeds this limit, cache entries are replaced using the LRU algorithm.

If this value is 0, then cache is disabled.

Importing Users from LDAP

You can import selected users or groups, or you can import all users or groups. If you have previously performed an import, you can choose to synchronize the repository with the LDAP server.

To import LDAP users and groups to a repository

Open a repository in the Siebel Analytics Server Administration Tool in offline or online mode.
Display the security window by selecting Manage > Security.
Select LDAP Servers in the left pane to display the configured LDAP servers in the right pane. Select the LDAP server from which you want to import users or groups, and select Import... from the context-sensitive (right-click) menu. (You can also select the server and then select LDAP > Import.)

You can choose to import selected users or groups, or you can import all users and groups. If you have previously done an import, you can choose to synchronize the repository with the LDAP server.

Select the users you want to import and click Import.

You can import groups by selecting Groups from the drop down list instead of Users.

Synchronizing Users and Groups with LDAP

You can refresh the repository users and groups with the current users and groups on your LDAP server. After selecting the appropriate LDAP server, select LDAP > Synchronize (or choose Synchronize from the context-sensitive menu).

Synchronization updates your list of repository users and groups to mirror your current LDAP users and groups. Users and groups that do not exist on your LDAP server are removed from the repository. The special user Administrator and the special group Administrators always remain in your repository and are never removed.

Properties of users already included in the repository are not changed by synchronization. If you have recycled a login name for another user, drop that name from your repository prior to synchronization. This assures that the process will import the new LDAP user definition.

NOTE:  With external LDAP authentication (discussed in the next section), import and synchronization are not really necessary. The primary use for import is to make it easy to copy LDAP users as Siebel Analytics users for testing.

Bookshelf Home | Contents | Index | Search | PDF