Configuring the LDAP settings and server

The LDAP settings on the Control Panel Credentials page include whether LDAP is enabled and required for authentication, the connection to the LDAP server, and whether to support batch import or export to or from the LDAP directory. The method for processing batch imports is set in portal-ext.properties.

In portal-ext.properties, the setting ldap.import.method determines how to perform batch imports from LDAP. This setting is only applied if batch import is enabled. The available values for ldap.import.method are:

Value Description

user
    Specifies a user-based import. This is the default value.

    User-based batch import uses the import search filter configured in the User Mapping section of the LDAP tab.

    For user-based import, Big Data Discovery:
      1. Uses the user import search filter to run an LDAP search query.
      2. Imports the resulting list of users, including all of the LDAP groups the user belongs to.

    The group import search filter is ignored.

group
    Specifies a group-based import.

    Group-based import uses the import search filter configured in the Group Mapping section of the LDAP tab.

    For group-based import, Big Data Discovery:
      1. Uses the group import search filter to run an LDAP search query.
      2. Imports the resulting list of groups, including all of the users in those groups.

    The user import search filter is ignored.

The value you should use depends partly on how your LDAP system works. If your LDAP directory only provides user information, without any groups, then you have to use user-based import. If your LDAP directory only provides group information, then you have to use group-based import.

To configure the LDAP settings:

  1. In the Studio header, click Configuration Options and select Control Panel.
  2. Click Credentials.
  3. Click Authentication, and then click the Configure Authentication button.

    The Configure Authentication dialog displays with the LDAP tab selected.


    Top portion of the LDAP tab on the Configure Authentication dialog
  4. To enable LDAP authentication, select Enabled.
  5. To require users to log in only using an LDAP account, select Required.

    If this is selected, then any users that you create manually in Studio cannot log in. To allow users you create manually to log in, deselect this option.

  6. In Provider type, select the type of LDAP server you are connecting to.
  7. Expand Connection and specify settings for the basic connection to LDAP:

    Connection settings on the LDAP tab of the Configure Authentication dialog
    Field Description

    Base Provider URL
        The location of your LDAP server.

        Make sure that the machine on which Big Data Discovery is installed can communicate with the LDAP server.

        If there is a firewall between the two systems, make sure that the appropriate ports are opened.

    Base DN
        The Base Distinguished Name for your LDAP directory.
        For a commercial organization, it may look something like:
        dc=companynamehere,dc=com

    Principal
        The user name of the administrator account for your LDAP system. This ID is used to synchronize user accounts to and from LDAP.

    Credentials
        The password for the administrative user.
  8. After providing the connection information, click Test Connection to test the connection to the LDAP server.
  9. Expand User Mapping and specify values for the following settings:

    User Mapping section on the LDAP tab of the Configure Authentication dialog
    1. Use the search filter fields to configure the filters for finding and identifying users in your LDAP directory.
      Field Description

      Authentication Search Filter
          The search criteria for user logins.

          If you do not enable batch import of LDAP users, then the first time a user tries to log in, Big Data Discovery uses this authentication search filter to search for the user in the LDAP directory.

          By default, users log in using their email address. If you have changed this setting, you must modify the search filter here.

          For example, if you changed the authentication method to use the screen name, you would modify the search filter so that it can match the entered login name:
          (cn=@screen_name@)

      Import Search Filter
          The search filter to use for batch import of users.
          This filter is used if:
          • You enable batch import of LDAP users
          • In portal-ext.properties, ldap.import.method is set to user

          Depending on the LDAP server, there are different ways to identify the user.

          The default setting (objectClass=inetOrgPerson) is usually fine, but to search for only a subset of users or for users that have different object classes, you can change this.

    2. Use the remaining fields to map your LDAP attributes to the Big Data Discovery user fields.
    3. After setting up the attribute mappings, to test the mappings, click Test Users.
  10. Under Group Mapping, map your LDAP groups.

    Group Mapping section on the LDAP tab of the Configure Authentication dialog
    1. In the Import Search Filter field, type the filter for finding LDAP groups.
      This filter is used if:
      • You enable batch import of LDAP users
      • In portal-ext.properties, ldap.import.method is set to group
    2. Map the following group fields:
      • Group Name
      • Description
      • User
    3. To test the group mappings, click Test Groups.

      The system displays a list of the groups returned by your search filter.

  11. The Options section is used to configure importing and exporting of LDAP user data and to select the password policy:
    Options fields on the LDAP tab of the Configure Authentication dialog
    1. If the Import Enabled check box is selected, then batch import of LDAP users is enabled.

      If this box is not selected, then Big Data Discovery synchronizes each user as they log in. It is recommended that you leave this box deselected.

      If you do enable batch import, then the import process is based on the value of ldap.import.method.

      Note also that when using batch import, you cannot filter both the imported users and imported groups at the same time. For user-based batch import mode, you cannot filter the LDAP groups to import. For group-based batch import mode, you cannot filter the LDAP users to import.

    2. If the Export Enabled check box is selected, then any changes to the user in Big Data Discovery are exported to the LDAP system.

      It is recommended that you leave this box deselected.

    3. To use the password policy from your LDAP system, instead of the Big Data Discovery password policy, select the Use LDAP Password Policy check box.
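
How a template such as the (cn=@screen_name@) authentication search filter from step 9 expands into the filter that is sent to the directory, as an added example (not code from the original page or from Big Data Discovery). It assumes tokens have the form @name@ and escapes the substituted value per RFC 4515; the helper names and the sample login names are constructed for illustration.

```python
import re

# Authentication search filter from step 9, as shown on this page.
AUTH_FILTER = "(cn=@screen_name@)"

# RFC 4515: these characters must be written as \XX inside a filter value,
# otherwise the directory reads them as filter syntax, not as data.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
TOKEN = re.compile(r"@([a-z_]+)@")


def escape_filter_value(value):
    """Escape one login value for use inside an LDAP search filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, values):
    """Replace every @token@ in the template with its escaped value.

    Illustrative helper (hypothetical, not a Big Data Discovery API).
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"filter uses @{name}@ but no value was supplied")
        return escape_filter_value(values[name])
    return TOKEN.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample login names, not taken from any real directory.
    for login in ("jsmith", "smith (contractor)", "ops*"):
        expanded = expand_filter(AUTH_FILTER, {"screen_name": login})
        print(f"{login!r:24} -> {expanded}")
```

The expanded filter is the string to try against your directory with an LDAP client when Test Users returns no match or more matches than expected.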