Administer > User and user group setup and security > Authenticating with an external LDAP directory service

Authenticating with an external LDAP directory service

You can configure SA to use an external LDAP directory service for user authentication. With external authentication, you do not have to maintain separate user names and passwords for SA. When users log in to the SA Client, they enter their LDAP user names and passwords.

The LDAP directory is read-only to SA. After LDAP users are imported, any changes to the user attributes in the directory will require you to reimport the users from the LDAP directory.

An SA Agent must be installed on all domain controllers in order for rosh/ttlg using Active Directory credentials to work.

Users imported into SA from an LDAP server

All SA user names must be unique, regardless of the authentication mechanism.

LDAP users must be successfully imported into SA before they can log onto SA.

Importing users from an LDAP directory must be done by the SA user administrator.

Imported users are managed in the same way as users created by the SA Client. For example, use the SA Client to assign imported users to user groups and delete imported users from SA.

If you delete an imported user with the SA Client, the user is not deleted from the external LDAP directory.

With the SA Client, search for users in the external LDAP, and then import selected users into SA. You can limit the search results by specifying a filter.

The LDAP import process fetches the following user attributes from the LDAP directory:

firstName

lastName

fullName

emailAddress

phoneNumber

street

city

state

country

SA also fetches LDAP user distinguished names (DN) during the import. The user DN is mapped to the SA user name.

After the import process, you may edit the imported user information within the SA Client. However, you cannot change the user login name or password. Importing a user is a one-time, one-way process. Changes to the user attributes you make using the SA Client are not propagated back to the external LDAP directory server.

If you use external authentication, you can still create separate users with the SA Client. However, this practice is not recommended, because of the likelihood of inadvertently creating duplicate users in the LDAP directory and in the SA Client. If there are duplicate users, the user defined in the SA Client will be used, and the user in the LDAP directory will be ignored.

To see which users have been imported in the SA Client, select the Administration tab, then select Users under the Users and Groups view. Make sure the Credential Store column is displayed. Users with Directory Server in the Credential Store column have been imported from the LDAP server.

SSL and external authentication

Although SSL is not required for external authentication, it is strongly recommended. The certificate files needed for LDAP over SSL must be in Privacy Enhanced Mail (PEM) format. Depending on the LDAP server, you may need to convert the server's Certification Authority (CA) certificate to PEM format.

Supported external LDAP directory servers

You can use the following directory server products with SA:

  • Microsoft Active Directory (Windows Server 2000, 2003, 2008, or 2012)
  • Novell eDirectory 8.7
  • SunDS 5.2