Adding Active Directory servers

Add an Active Directory (AD) server to retrieve users from it.

1. Click Server Options.

The Server Options dialog box opens.

2. Select Active Directory/LDAP from the Authentication category.

3. Click Add Active Directory.

The Add Active Directory Server dialog box opens.

4. Enter a server Name, the IP address or alias for the AD server as the Host, and the Port number where the AD server resides. The default port is 389.

Note: If the license server is running on Windows and you select the Use SSL option, the port number automatically changes to 636, which is the standard port for LDAP SSL on Windows. The standard LDAP SSL port on Linux is 389. Contact your system administrator if you do not know which port number to use.

5. Select Use SSL to encrypt authentication messages sent over the network.

Selecting this option requires the license server to use the Secure Sockets Layer (SSL) protocol when sending and receiving authentication transmissions between the license server, the LDAP server, and Helix ALM products. We recommend selecting this option if the license server is configured to use simple password encryption.

6. Enter the Windows Domain name for the AD services.

7. Enter the Username and Password for the AD user used to bind to AD.

8. Select a Single Sign-On option.

Single sign-on allows LDAP users to automatically log in to Helix ALM products using the same credentials used to log in to their computer. For example, your organization may use a non-password login method, such as a secure ID token or biometrics. Single sign-on uses the same authentication to log in to Helix ALM products. See Configuring single sign-on for Active Directory servers.

9. Click Auto Configure to query the AD server for the configuration information.

To manually enter the information, click Advanced.

  • Base DN specifies where to start searching from. For example, if your directory is wysicorp.com and contains development, sales, and support nodes, entering o=sales, dc=wysicorp, dc=com instructs the license server to start searching from the sales node.
  • User DN specifies the location of an entry based on a sequence of attributes and values. For example: cn=Administrator, cn=users, dc=addoej, dc=wysicorp, dc=com.
  • Optionally enter the Host address and Port number of a backup server. The backup server is only queried if the primary server cannot be reached.
  • To map an LDAP attribute to a license server user field, select it and click Edit. See Mapping Active Directory and LDAP attributes.

Note: When you click Auto Configure, the license server queries the AD server for rootDSE information and retrieves the Base DN. Next, the license server searches for the authentication user’s User DN. After this DN is found, the user’s CN value is removed and the remaining data is used as the final Base DN. For example, the license server queries an AD server for rootDSE information and retrieves “dc=wysicorp,dc=com” as the Base DN. Next, the license server queries the AD server for the authentication user's User DN and retrieves “cn=Virtual User, cn=Users,dc=wysicorp,dc=com”. Finally, the license server trims off the user’s CN value and uses “cn=Users,dc=wysicorp,dc=com” as the Base DN.

For performance reasons, we recommend using a subtree Base DN (e.g., cn=Users, dc=wysicorp, dc=com) instead of the topmost Base DN (e.g., dc=wysicorp,dc=com). Searching from the topmost Base DN can generate a large amount of unnecessary network traffic. If users are dispersed across the AD tree, we also recommend creating multiple AD server entries, each with its own subtree Base DN.
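The following Python example, added here and not part of the license server or its documentation, reproduces the DN handling described in the note above (trimming the authentication user's CN to obtain the Base DN) and adds the check the performance recommendation implies: whether the resulting Base DN is the topmost naming context. The sample DNs are the ones from this page; the rootDSE lookup and user search are assumed to have already happened, and the DN splitter is a simplified RFC 4514 parser that handles backslash-escaped commas and spaces after separators.

```python
def split_dn(dn):
    """Split a DN string into its RDN strings, honouring backslash
    escapes so 'cn=Smith\\, John' stays a single RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # keep escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                             # unescaped separator
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def normalize(dn):
    """Case-fold and strip each RDN so DNs compare structurally."""
    return [r.lower() for r in split_dn(dn)]


def derive_base_dn(user_dn):
    """Drop the leading CN RDN of the authentication user's User DN,
    as Auto Configure does, and return the remainder as the Base DN."""
    rdns = split_dn(user_dn)
    if not rdns or not rdns[0].lower().startswith("cn="):
        raise ValueError("User DN must begin with a CN RDN: %r" % user_dn)
    return ",".join(rdns[1:])


def is_under(base_dn, naming_context):
    """True when base_dn lies inside the rootDSE naming context."""
    b, n = normalize(base_dn), normalize(naming_context)
    return len(b) >= len(n) and b[len(b) - len(n):] == n


def is_topmost(base_dn, naming_context):
    """True when the Base DN is the whole naming context, the case the
    page advises against because it searches the entire tree."""
    return normalize(base_dn) == normalize(naming_context)


if __name__ == "__main__":
    # Constructed from the values quoted in the note above.
    root_base = "dc=wysicorp,dc=com"
    user_dn = "cn=Virtual User, cn=Users,dc=wysicorp,dc=com"
    base = derive_base_dn(user_dn)
    print(base, "topmost" if is_topmost(base, root_base) else "subtree")
```

Running it prints the Base DN the note arrives at and flags it as a subtree search rather than a whole-tree search.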

10. Select the type of Password encryption to use when sending usernames and passwords over the network.

  • Simple sends usernames and passwords as plain text. We recommend selecting the Use SSL option if you use simple password encryption. The Username and Password fields are required if this option is selected.
  • DIGEST-MD5 sends usernames and passwords as encrypted text. The Domain, Username, User DN, and Password fields are required if this option is selected.
  • GSSAPI uses advanced encryption for usernames and passwords. This option is only available if the license server is running on Windows and is recommended to ensure secure authentication.

11. Select Synchronize user activation to automatically sync user activation between AD and the license server. If a user is disabled or enabled in AD, the user is inactivated or activated on the license server.

12. Click Test Connection to test the AD server connection.

If the test is not successful, correct any mistakes and retest the connection. Click Reset to clear all information.

13. Click OK to save the changes.

The server is added.