
Importing Users and Groups from LDAP


If your organization uses Lightweight Directory Access Protocol (LDAP), you can import your existing LDAP users and groups to a repository. After they are imported, all normal Siebel Analytics Server user and group functions are available. You can resynchronize your imported list at any time.

You can also authenticate against LDAP as an external source. When you do this, users are not imported into the repository. Users are authenticated, and their group privileges determined, when they log on. For more information about using LDAP authentication, see LDAP Authentication.

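This section includes the following topics:

  • Configuring an LDAP Server
  • Importing Users from LDAP
  • Synchronizing Users and Groups with LDAP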

NOTE:  If a user exists in both the repository and in LDAP, the local repository user definition takes precedence. This allows the Siebel Analytics Server Administrator to reliably override users that exist in an external security system.

Configuring an LDAP Server

The following procedure explains how to configure LDAP authentication for the repository.

NOTE:  The Siebel Analytics Server uses clear text passwords in LDAP authentication. Make sure your LDAP Servers are set up to allow this.

To configure LDAP authentication for the repository

  1. Open a repository in the Administration Tool in offline or online mode.
  2. Display the security window by selecting Manage > Security.
  3. Select Action > New > LDAP Server.
  4. Type the information requested in the LDAP Server dialog box.
    • Host name. The name of your LDAP server.
    • ADSI. (Active Directory Service Interfaces) A type of LDAP server. If you select the ADSI check box, Bind DN and Bind password are required.
    • Port number. The default LDAP port is 389.
    • LDAP version. LDAP 2 or LDAP 3. The default is LDAP 3.
    • Base DN. The base distinguished name (DN) identifies the starting point of the authentication search. For example, if you want to search all of the entries under the o=Siebel.com subtree of the directory, o=Siebel.com is the base DN.
    • Bind DN and Bind Password. The optional DN and associated user password required to bind to the LDAP server.

      If these two entries are left blank, then anonymous binding is assumed. For security reasons, not all LDAP servers allow anonymous binding.

      These fields are optional for LDAP V3, but required for LDAP V2, because LDAP V2 does not support anonymous binding.

      These fields are required if you select the ADSI check box. If you leave these fields blank, a warning message appears asking if you want to leave the password empty anyway. If you click Yes, anonymous binding is assumed.

    • Test Connection. Use this button to verify your parameters by testing the connection to the LDAP server.
  5. Click the Advanced tab, and type the requested information.

    NOTE:  The Siebel Analytics Server maintains an authentication cache in memory, which improves performance when using LDAP to authenticate large numbers of users. Disabling the authentication cache can slow performance when hundreds of sessions are being authenticated.

    • Connection timeout. When the Administration Tool is connecting to an LDAP server for import purposes or the Siebel Analytics Server is connecting to an LDAP server for user authentication, the connection will time out after this interval.
    • Cache refresh interval. The interval at which the authentication cache entry for a logged on user will be refreshed.
    • Number of Cache Entries. The maximum number of entries in the authentication cache, preallocated at Siebel Analytics Server startup time. If the number of users exceeds this limit, cache entries are replaced using the LRU algorithm.

      If this value is 0, the cache is disabled.
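The following toy model is an added example, not Siebel code. It shows how Number of Cache Entries and Cache refresh interval together determine how often the LDAP server is contacted. It assumes that an entry older than the refresh interval is re-verified against the directory and that the interval is counted in seconds; the class, function and user names are hypothetical.

```python
# Added illustration: a toy model of the Advanced-tab cache settings.
# Not Siebel code. Assumptions: an entry older than the refresh interval is
# re-verified against the directory; time is counted in seconds.
from collections import OrderedDict

class AuthCacheModel:
    def __init__(self, max_entries, refresh_interval):
        self.max_entries = max_entries            # "Number of Cache Entries"
        self.refresh_interval = refresh_interval  # "Cache refresh interval"
        self.entries = OrderedDict()              # user -> time last verified
        self.directory_lookups = 0                # round trips to LDAP

    def authenticate(self, user, now):
        """Return 'cache' or 'ldap', depending on what served the request."""
        if self.max_entries == 0:                 # 0 disables the cache
            self.directory_lookups += 1
            return "ldap"
        verified = self.entries.get(user)
        if verified is not None and now - verified < self.refresh_interval:
            self.entries.move_to_end(user)        # mark as most recently used
            return "cache"
        self.directory_lookups += 1               # miss or stale entry
        self.entries[user] = now
        self.entries.move_to_end(user)
        if len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)      # evict least recently used
        return "ldap"

def lookups_for(max_entries, refresh_interval, sessions):
    """Replay (user, time) logons and count directory lookups."""
    cache = AuthCacheModel(max_entries, refresh_interval)
    for user, now in sessions:
        cache.authenticate(user, now)
    return cache.directory_lookups

# Constructed workload: three users logging on in rotation, one logon per second.
SESSIONS = [(u, t) for t, u in enumerate(["ann", "bob", "cy"] * 4)]

if __name__ == "__main__":
    for size, interval in [(3, 3600), (3, 6), (2, 3600), (0, 3600)]:
        print(f"entries={size} refresh={interval}s ->",
              lookups_for(size, interval, SESSIONS), "LDAP lookups")
```

In this model, a cache one entry smaller than the set of active users produces as many directory lookups as a disabled cache, because LRU replacement evicts each user just before that user's next logon.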

Importing Users from LDAP

You can import selected users or groups, or you can import all users or groups. If you have previously performed an import, you can choose to synchronize the repository with the LDAP server.

To import LDAP users and groups to a repository

  1. Open a repository in the Administration Tool in offline or online mode.
  2. Display the security window by selecting Manage > Security.
  3. Select LDAP Servers in the left pane to display the configured LDAP servers in the right pane. Select the LDAP server from which you want to import users or groups, and select Import... from the right-click menu. (You can also select the server and then select LDAP > Import.)

    You can choose to import selected users or groups, or you can import all users and groups. If you have previously done an import, you can choose to synchronize the repository with the LDAP server.

  4. Select the users you want to import and click Import.

    You can import groups by selecting Groups from the drop-down list instead of Users.

Synchronizing Users and Groups with LDAP

You can refresh the repository users and groups with the current users and groups on your LDAP server. After selecting the appropriate LDAP server, select LDAP > Synchronize (or choose Synchronize from the right-click menu).

Synchronization updates your list of repository users and groups to mirror your current LDAP users and groups. Users and groups that do not exist on your LDAP server are removed from the repository. The special user Administrator and the special group Administrators always remain in your repository and are never removed.

Properties of users already included in the repository are not changed by synchronization. If you have recycled a login name for another user, drop that name from your repository prior to synchronization. This ensures that the process will import the new LDAP user definition.
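The synchronization rules above can be modeled as follows. This is an added example, not Siebel code: it shows why a recycled login name keeps the previous user's definition unless it is dropped first. The function names, user names and the full_name property are constructed for illustration.

```python
# Added illustration: models the synchronization rules stated in this section.
# Not Siebel code; user names and property fields are constructed.
PROTECTED = {"Administrator", "Administrators"}  # never removed by sync

def synchronize(repo, ldap):
    """Return (new_repo, report) for one kind of object (users or groups).

    repo, ldap: dict mapping login or group name -> dict of properties.
    """
    new_repo, report = {}, {"kept": [], "removed": [], "added": []}
    for name, props in repo.items():
        if name in ldap or name in PROTECTED:
            new_repo[name] = props            # existing properties untouched
            report["kept"].append(name)
        else:
            report["removed"].append(name)    # no longer on the LDAP server
    for name, props in ldap.items():
        if name not in new_repo:
            new_repo[name] = dict(props)      # new definition imported
            report["added"].append(name)
    return new_repo, report

def review_before_sync(repo, ldap):
    """Names in both places whose LDAP definition differs from the repository
    copy: possible recycled logins to drop from the repository before syncing."""
    return sorted(n for n in repo
                  if n in ldap and n not in PROTECTED and repo[n] != ldap[n])

# Constructed sample data.
REPO = {
    "Administrator": {"full_name": "Siebel Analytics Administrator"},
    "jsmith": {"full_name": "John Smith"},        # left the organization
    "mlee": {"full_name": "Min Lee"},
    "old_contractor": {"full_name": "Temp Account"},
}
LDAP = {
    "jsmith": {"full_name": "Jane Smith"},        # login name recycled
    "mlee": {"full_name": "Min Lee"},
    "akhan": {"full_name": "Aisha Khan"},
}

if __name__ == "__main__":
    print("review first:", review_before_sync(REPO, LDAP))
    synced, report = synchronize(REPO, LDAP)
    print(report, "| jsmith is still:", synced["jsmith"]["full_name"])
    cleaned = {n: p for n, p in REPO.items() if n != "jsmith"}  # drop, then sync
    synced, report = synchronize(cleaned, LDAP)
    print(report, "| jsmith is now:", synced["jsmith"]["full_name"])
```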

NOTE:  With external LDAP authentication (discussed in the next section), import and synchronization are not really necessary. The primary use for import is to make it easy to copy LDAP users as Siebel Analytics users for testing.


 Siebel Analytics Server Administration Guide
 Published: 11 March 2004