Configuring LDAP authentication and mapping LDAP accounts

To simplify administration, Crystal Enterprise supports LDAP authentication for user and group accounts. Before users can use their LDAP user name and password to log on to ePortfolio, you need to map their LDAP account to Crystal Enterprise. When you map an LDAP account, you can choose to create a new Crystal Enterprise account or link to an existing Crystal Enterprise account.

Before setting up and enabling LDAP authentication, ensure that you have your LDAP directory set up. For more information, refer to your LDAP documentation.

To set up LDAP authentication using Crystal Enterprise

1. Go to the Authorization management area of the CMC.
2. Click the LDAP tab.

   

3. Ensure that the LDAP Authentication is enabled check box is selected.
4. Select your server type from the LDAP Server Type list. Click Show Attribute Mappings if you want to view or change any of the LDAP Server Attribute Mappings or the LDAP Default Search Attributes.

   By default, each supported server type's server attribute mappings and search attributes are already set.

5. In the "LDAP Hosts" area, type your LDAP host and port information in the Add LDAP host (hostname:port) field (for example, "myserver:123"); then click Add.

   You can add more than one LDAP host of the same server type by repeating this step. If you want to remove a host, highlight the host name and click Delete. For more information on multiple hosts, refer to Managing multiple LDAP hosts.

6. In the "LDAP Server Administration Credentials" area, enter the distinguished name in the Distinguished Name field and the appropriate password in the Password field.

   If your LDAP Server allows querying and comparing for anonymous users, leave this area blank—Crystal Enterprise servers and clients will bind to the primary host via anonymous logon.

7. Enter another distinguished name and password in the "LDAP Referral Credentials" area if all of the following apply:
   • The primary host has been configured to refer to another directory server that handles queries for entries under a specified base.
   • The host being referred to has been configured to not allow querying and comparing for anonymous users.
   • A group from the host being referred to will be mapped to Crystal Enterprise.

     Although groups can be mapped from multiple hosts, only one set of referral credentials can be set.

8. Enter the number of referral hops in the Maximum Referral Hops field.

   If this field is set to zero, no referrals will be followed.

9. In the Base LDAP Distinguished Name field, type the distinguished name (for example, o=SomeBase).

   Note:    If you are setting up LDAP authentication for the first time, before you add any groups, you must click Update before you can continue to the next step. This updates Crystal Enterprise with the LDAP host and base name.

10. In the "Mapped LDAP Member Groups" area, specify your LDAP group (either by common name or distinguished name) in the Add LDAP group (by cn or dn) field; click Add.

    You can add more than one LDAP group by repeating this step. To remove a group, highlight the LDAP group and click Delete.

11. Select either:
    • Assign each added LDAP alias to an account with the same name

      Use this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). For users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, they will be added as a user to the Enterprise account (with the user information that is stored in the LDAP account).

      or

    • Create a new account for every added LDAP alias

      Use this option when you want to create a new account for each user. If the user has already created an account through the sign-up feature in ePortfolio, the user will have separate LDAP and Enterprise accounts.

12. Click Update.
13. Click OK to confirm your changes to the member groups.