LDAP Settings

Introduction

If an organization has an LDAP server configured and maintains its users’ data in LDAP, the application supports LDAP integration to import such users. User authentication from LDAP/Active Directory as well as from the database is provided, since both kinds of users can exist in the same organization. For example, an organization can have a large number of users of the application who are authenticated through its Active Directory and, at the same time, a good number of users who do not have accounts in the Active Directory.

Authenticate and Import LDAP Users

The LDAP (Lightweight Directory Access Protocol) feature allows LDAP users to import themselves into the database. The admin needs to do the initial settings in Integration > LDAP. The LDAP should be active to define the authentication type as LDAP.

Note

Only one LDAP/AD server can be integrated with the application for authentication.

The admin credentials are now optional when setting up LDAP, which enables anonymous search for the users to import. If your LDAP allows anonymous queries, you can proceed without entering the admin username and password on the Settings screen.

Individual LDAP users are added to the database when they log in to the application. Users cannot be imported in bulk because doing so may cause the process to hang.

The admin’s credentials are made non-mandatory.

Use Case: The administrator does not want to enter the admin’s username and password in the fields and save the credentials in the system. As their LDAP allows anonymous queries, they prefer to make the fields non-mandatory.

How does the functionality work?

When a user logs in to the application for the first time with their LDAP credentials, the system first checks the existence of the user in the database. If the user exists in the database, then this user is authenticated using the database. If the user does not exist in the database, then the credentials entered by the user are sent to the LDAP/Active Directory. If the LDAP/Active Directory responds positively, the user will be added to the database. The default project and default user role are assigned to this user to allow them to access the application.

The next time the LDAP user logs in to the application with LDAP credentials, the credentials are sent to LDAP/Active Directory for authentication, as the user has already been added to the database. The user is allowed access on receiving positive authentication from LDAP.

The new functionality works with a different approach in different scenarios, as mentioned below.

Scenario 1

  • The user has an account in: database

  • Authentication Type is set as:

  • Result when the user tries to log in: The application authenticates the user against the database. If the match is found, the user will be able to log in.

Scenario 2

  • The user has an account in: database

  • Authentication Type is set as: LDAP

  • Result when the user tries to log in: The application authenticates that user against the LDAP/AD. If the match is found, the user will be able to log in. This scenario is only valid when LDAP is active.

Scenario 3

  • The user has an account in: LDAP

  • Authentication Type is set as: LDAP

  • Result when the user tries to log in: The application authenticates that user against the LDAP/AD. If the user is authenticated successfully, the user’s account will be created in the application with the Authentication Type set as LDAP. Once the user is created, the default project and default role will be assigned to that user to let them log in. Access will be automatically provided to the default Projects with the default assigned role.

If the user has an account neither in the application nor in the LDAP, create an account for this user locally in the application. The user account will be added to the database with the Authentication Type “”. The user will then be able to log in.

The LDAP/AD server handles LDAP/AD passwords. So LDAP/AD users need to contact their network administrator for any password-related issues, like Reset Password, Forget Password, and Update Password. Other (non LDAP/AD) users can reset their passwords as usual through the application.
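The three scenarios above as one decision function, as an added example (not the product's code): `FakeDirectory`, the `LOCAL` type name, the return labels and all users are constructed for illustration. It also adds one check the page does not describe, rejecting empty passwords before any bind is attempted.

```python
import hashlib, hmac
from dataclasses import dataclass, field

LOCAL = "LOCAL"  # placeholder: the page does not name the non-LDAP type

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    login: str
    auth_type: str                     # "LDAP" or LOCAL
    salt: bytes = b""
    hashed: bytes = b""                # set only for LOCAL accounts
    projects: list = field(default_factory=list)
    role: str = ""

class FakeDirectory:
    """Stand-in for the LDAP/AD server: constructed entries, no network."""
    def __init__(self, entries):
        self.entries = entries         # login -> password
    def bind(self, login, password):
        return login in self.entries and hmac.compare_digest(
            self.entries[login].encode(), password.encode())

def authenticate(login, password, db, directory, ldap_active, project, role):
    """Return 'db', 'ldap', 'provisioned' or 'denied', following the scenarios."""
    if not password:
        # Added check, not from the page: a simple bind with an empty password
        # is an unauthenticated bind, which some servers report as success.
        return "denied"
    user = db.get(login)
    if user is None:                                   # scenario 3
        if ldap_active and directory.bind(login, password):
            db[login] = User(login, "LDAP", projects=[project], role=role)
            return "provisioned"
        return "denied"
    if user.auth_type == "LDAP":                       # scenario 2
        # Assumption: fail closed if LDAP has been deactivated.
        return "ldap" if ldap_active and directory.bind(login, password) else "denied"
    ok = hmac.compare_digest(user.hashed, pw_hash(password, user.salt))
    return "db" if ok else "denied"                    # scenario 1

def demo():
    """Constructed sample: a local user, a pre-created LDAP user, a new LDAP user."""
    salt = b"constructed-salt"
    db = {"ana": User("ana", LOCAL, salt, pw_hash("local-pw", salt)), "raj": User("raj", "LDAP")}
    ad = FakeDirectory({"raj": "dir-pw", "mei": "dir-pw2"})
    tries = [("ana", "local-pw"), ("raj", "dir-pw"), ("mei", ""), ("mei", "dir-pw2")]
    return [authenticate(u, p, db, ad, True, "Default Project", "Tester") for u, p in tries], db
```

Because an account with Authentication Type LDAP never reaches the local password comparison, a pre-created LDAP user with no stored hash cannot be logged in locally.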

Ways to Authenticate LDAP Users

Manual User Authentication

In this method, the admin needs to manually add LDAP users and assign them a Project and corresponding role for security purposes and better control of the instance.

Steps for an admin to follow:

  1. Make sure your LDAP settings are active.

  2. Make sure your instance does not have any default Project assigned for new LDAP users.

  3. Make sure your instance does not have any default role assigned for new LDAP users.

To add a new LDAP user, follow the steps below:

  1. Go to Customization > Users. Enter the login ID of the user, which is the same as the LDAP username, and add other details.

  2. Set the Authentication Type to LDAP.

  3. Click Save. The new user is added successfully, but at this point, no project or role is assigned to them.

  4. Now go to Customization > Users. Edit the user and assign projects and roles to that user.

  5. Once this is done, ask your LDAP users to log in.

Automatic User Authentication

In this method, the admin needs to set default settings for new LDAP users by assigning them a default role and project. Once the settings are done, there is no manual intervention required from the admin. LDAP users are authenticated automatically.

Steps for an admin to follow:

  1. Make sure your LDAP settings are active.

  2. Set the default project assigned for new LDAP users. The following settings are required for it:

    1. Go to Projects > Project/Release/Cycle. Open the Create screen or edit the screen of the project.

    2. (Optional) Add in LDAP/SAML by default: Turn the flag on to assign this project to the new LDAP users as the default.

  3. Set the default role assigned for new LDAP users. The following settings are required for it:

    1. Go to Customization > Roles. Open the Create screen or the Edit screen of the role.

    2. (Optional) Make this the default role for new LDAP/SAML users: Turn the flag on to assign this role to every new LDAP/SAML user.

For example, the Tester role is assigned as the default role to the LDAP users when they log in for the first time. You can assign a different role later on. Only one role can be assigned as the default role, so the role selected last overrides the role assigned earlier. You can assign multiple projects with a single user role to the LDAP users. A warning message pops up when you are about to unassign that single assigned role.

Once the settings are done from the admin side, LDAP users can log in directly and are automatically assigned default roles and projects.

LDAP Configuration

Go to Integration > LDAP/SAML.

Select LDAP as the Integration System on the next screen.

LDAP integration setup page showing configuration fields for connecting to an LDAP server. The form includes fields such as Host (ldaps://ldap.qmetry.com), Base DN (dc=qmetry,dc=com), Bind DN, Password, and user attribute mappings (Data Attribute, First Name Attribute, Last Name Attribute, Email Attribute). Additional options include Active status, Default Access Type, and buttons to Test, Save, Reset, or Remove the configuration.

Provide the details mentioned below to configure LDAP settings:

  • Host: The URL contains the IP of the machine where the LDAP server is configured and the universal LDAP port number 389 in the following format:

ldap://<IPAddress>:<Port No.>

LDAP Integration also supports the HTTPS protocol. So the host format could be:

ldaps://<IPAddress>:<Port No.>

  • Base DN: Specify base DN values in the appropriate format, for example, dc=qmetry, dc=com.

  • Bind DN: This is the username of the person (typically an admin of the instance) who imports LDAP users. If you need to authenticate to search for users, log in as this user.

For example, cn=example, cn=users, dc=example, dc=com.

  • Password: This is the password for the username above. If you need to authenticate to search for users, use this password. You can leave the field blank for an anonymous search.

Note

If the admin credentials are changed but are not updated in the settings, then the LDAP users will not be able to log in.

Make sure your password does not expire automatically at certain intervals. Otherwise, you will have to change the password in this field correspondingly.

  • Data Attribute: The field where the Login field is stored.

  • First Name Attribute: The attribute in LDAP containing the first name. (If the attribute is empty, the Data attribute will be used.)

  • Last Name Attribute: The attribute in LDAP containing the last name. (If the attribute is empty, the Data attribute will be used.)

  • Email Attribute: The attribute in LDAP containing the email name. (If the attribute is empty, the Data attribute will be used.)

  • Sample User Name to Authenticate: This is an optional field used to test the LDAP server integration after connection. To verify the connection, enter a sample user name, for example, the email address of the LDAP user to be authenticated.

  • Sample User’s Password: This is an optional field. If the Sample User Name is mentioned above, provide the corresponding password in this field.

  • Active: The drop-down list has two options to select from:

    • Yes

    • No

The Authentication Type in Customization > Users can be set as LDAP only if the Active field is set as Yes, and the users will be able to log in with their LDAP password only.

If the Active field is set as No, then the Authentication Type in Customization > Users could be set as . Users are authenticated against the database for login.

  • Default Access Type: The Default Access Type is configured from Integration > LDAP for LDAP users. When users are imported through LDAP, the Default Access Type is assigned based on these settings.

Sample Settings Parameters

Active Directory Details (on Windows)

  • Host: 10.12.51.4

  • Base DN: DC=qmetry, DC=com

  • Bind DN: CN=joseph, OU=sales, DC=qmetry, DC=com

  • Data Attribute: sAMAccountName

LDAP Directory Details (on Linux)

  • Host: ldap://10.12.51.238:389, ldaps://10.12.51.238:636

  • Base DN: dc=qmetry, dc=com

  • Bind DN: uid=root, ou=users, dc=qmetry, dc=com

  • Password: redhat

  • Data Attribute: uid

Sample User: leesa.mathew@qmetry.com

Sample User Password: leesa123
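A pre-save review of the Host, Bind DN and Password fields, as an added example (not part of the product): the finding codes and the `review_ldap_settings` helper are made up here, and the sample inputs reuse the hosts and DNs shown on this page with placeholder passwords.

```python
import ipaddress
from urllib.parse import urlparse

def review_ldap_settings(cfg):
    """Return finding codes for one settings dict (keys mirror the form fields).

    The codes are labels made up for this example, not product messages.
    """
    findings = []
    url = urlparse(cfg.get("Host", ""))
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("no-scheme")              # cannot tell whether TLS is used
    elif url.scheme == "ldap":
        # Simple-bind passwords cross the network unencrypted unless StartTLS
        # is negotiated, which the page does not mention.
        findings.append("cleartext-bind")
    else:
        try:
            ipaddress.ip_address(url.hostname or "")
            # The server certificate must list this IP as a subjectAltName,
            # or verification fails (or ends up switched off).
            findings.append("tls-cert-needs-ip-san")
        except ValueError:
            pass                                   # DNS name: normal hostname check
    bind_dn = cfg.get("Bind DN", "").strip()
    password = cfg.get("Password", "")
    if not bind_dn and not password:
        findings.append("anonymous-search")       # review what anonymous can read
    elif bind_dn and not password:
        findings.append("bind-dn-without-password")  # unauthenticated bind
    return findings

# Hosts and DNs are the page's sample values; passwords are constructed placeholders.
SAMPLES = {
    "ad-bare-ip": {"Host": "10.12.51.4",
                   "Bind DN": "CN=joseph, OU=sales, DC=qmetry, DC=com", "Password": "placeholder"},
    "linux-ldap": {"Host": "ldap://10.12.51.238:389",
                   "Bind DN": "uid=root, ou=users, dc=qmetry, dc=com", "Password": "placeholder"},
    "linux-ldaps-anon": {"Host": "ldaps://10.12.51.238:636"},
    "dns-ldaps": {"Host": "ldaps://ldap.qmetry.com",
                  "Bind DN": "uid=root, ou=users, dc=qmetry, dc=com", "Password": "placeholder"},
}

def review_all():
    return {name: review_ldap_settings(cfg) for name, cfg in SAMPLES.items()}
```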

There are two buttons on the page:

  • Test: It authenticates the user whose password is provided in the Password field and who tries to import the user(s) from the LDAP Server. Click the Test button to verify the connection with the server. A message window pops up.

  • Save: Click the Save button to store the LDAP details in the database. A message window pops up.

The Authentication Type for the user is set from Customization > Users.

Default Projects are assigned from Projects > Project/Release/Cycle.

Default Roles are assigned from Customization > Roles.

Note

LDAP users can log in without an organization code for on-premise installations.
