6 Configuring Settings

You can configure general Oracle Linux Automation Manager settings from the Administration section on the Settings page. These settings are grouped into the following categories:

  • Authentication: Provides general settings relating to authentication.

  • Jobs: Provides general settings relating to jobs.

  • Systems: Provides general settings relating to the Oracle Linux Automation Manager system.

  • User Interface: Provides general settings relating to the Oracle Linux Automation Manager user interface.

For more information about these fields, see the upstream documentation.

Configuring LDAP Authentication

Administrators can integrate Oracle Linux Automation Manager's authentication mechanism with one or more existing Lightweight Directory Access Protocol (LDAP) servers for centralized user management and better integration with existing identity management platforms, such as Active Directory.

To configure LDAP authentication:

  1. Log into Oracle Linux Automation Manager.
  2. Expand the navigation menu, and click Settings.

    The Settings page appears.

  3. In the Authentication panel on the Settings page, click LDAP Settings.
    The LDAP Settings page is displayed with multiple tabs to allow you to enter configuration details for several LDAP servers. Configure the Default LDAP server by clicking the Edit button and then enter information into the fields displayed on the Default tab:
    LDAP Server URI
    Provide the URI to access your LDAP server in the format: ldap://<host>:<port> where <host> is the host name of the LDAP server and <port> is the TCP port number that the LDAP server uses. This field is required. For example,
    ldap://ldap1.example.com:389
    If your LDAP server uses SSL, you can specify ldaps as the protocol within the scheme component of the URI. For example,
    ldaps://ldap1.example.com:636
    If your server uses StartTLS functionality, you can set the protocol to ldap within the URI scheme and enable the LDAP Start TLS option.
    LDAP Bind DN
    Provide the Distinguished Name (DN) used to authenticate Oracle Linux Automation Manager against the LDAP server using the Bind operation. This field is required if your LDAP server does not allow anonymous access. For example:
    uid=admin,cn=users,cn=accounts,dc=example,dc=com
    LDAP Bind Password
    Provide the Bind password for the Bind DN that you provided above. Note that the password is encrypted within the Oracle Linux Automation Manager database and is not displayed as you type it.
    LDAP Start TLS
    Either enable or disable Start TLS encryption for your LDAP server, depending on whether it is configured to support this function and valid SSL/TLS certificates are properly configured on the server. Note that you must not enable this option if you have set the protocol to ldaps within the URI Scheme component of the LDAP Server URI.
    LDAP User DN Template
    Optionally configure an LDAP User DN Template that can be used to automatically authenticate against a particular DN for a user when a user name is provided. The template can use the %(user)s variable to automatically fill in the user name. For example:
    uid=%(user)s,ou=Users,dc=example,dc=com
    Providing a specific User DN Template can improve performance when authenticating against an LDAP server because it avoids a full search for the user. However, it is not required, and it may reduce the flexibility of the authentication process where users are configured under multiple DNs.
    LDAP Group Type
    Select an appropriate LDAP Group Type from the drop-down selector. This option defines how the LDAP server determines group membership for users when attempting to authorize them. LDAP Group Types map onto the ObjectClasses that are defined for your groups and may vary depending on your LDAP server. The option that you select here controls the filter used in the queries that are made to determine whether a user belongs to the LDAP Require Group or LDAP Deny Group.
    LDAP Require Group
    Optionally configure an LDAP Require Group by providing the DN of the group to which the users must belong to be authenticated. This option prevents users from authenticating in Oracle Linux Automation Manager unless they belong to a specific group of users. For example, the following establishes a group called olamusers as being a required group:
    cn=olamusers,cn=groups,cn=accounts,dc=example,dc=com
    LDAP Deny Group
    Optionally configure an LDAP Deny Group by providing the DN of the group to which the users must not belong to be authenticated. This option is the opposite of the LDAP Require Group and prevents users from authenticating in Oracle Linux Automation Manager if they belong to the group specified. For example, the following establishes a group called engineers as being a denied group:
    cn=engineers,cn=groups,cn=accounts,dc=example,dc=com
    LDAP User Search
    The LDAP User Search field allows you to configure a search DN, scope and filter to be used when determining whether a user is authorized to authenticate in Oracle Linux Automation Manager. It is also used to populate information about LDAP authenticated users in Oracle Linux Automation Manager when they are viewed on the Users page under the Access section of the navigation menu. For example:
    [
      "cn=users,cn=accounts,dc=example,dc=com",
      "SCOPE_SUBTREE",
      "(uid=%(user)s)"
    ]
    LDAP Group Search
    The LDAP Group Search field allows you to configure a search DN, scope and filter to be used when determining which groups a user belongs to. This search query is also used to process the LDAP Organization and Team mappings. For example:
    [
      "cn=groups,cn=accounts,dc=example,dc=com",
      "SCOPE_SUBTREE",
      "(objectClass=posixgroup)"
    ]
    LDAP User Attribute Map
    The LDAP User Attribute Map allows you to map LDAP attributes for a user entry to Oracle Linux Automation Manager attributes that are used to populate information about the user within the UI. The Oracle Linux Automation Manager attributes that can be mapped follow:
    • email
    • first_name
    • last_name
    You can map these attributes to the attribute entries for a user within your LDAP server. For example, the following describes an attribute map:
    {
      "first_name": "givenName",
      "last_name": "sn",
      "email": "mail"
    }
    LDAP Group Type Parameters
    This setting controls the parameters used when performing a group lookup on the LDAP server. Two parameters can be set here, the attribute that lists the members of a group and the attribute that holds the group name. For example:
    {
      "member_attr": "member",
      "name_attr": "cn"
    }
    Note that if you are using Active Directory the member_attr attribute must not be set and should be excluded from the configuration.
    LDAP User Flags By Group
    The LDAP User Flags by Group field allows you to map LDAP groups to different roles within Oracle Linux Automation Manager. LDAP users belonging to a particular group can be configured as superusers and users belonging to an alternate group can be configured as auditors. All other users that are authenticated are given standard user permissions within Oracle Linux Automation Manager. For example:
    {
      "is_superuser": [
        "cn=olamadmins,cn=groups,cn=accounts,dc=example,dc=com"
      ],
      "is_system_auditor": [
        "cn=olamauditors,cn=groups,cn=accounts,dc=example,dc=com"
      ]
    }
    LDAP Organization Map
    To configure Organization mappings for Oracle Linux Automation Manager you need to provide the mappings between your LDAP groups and your Organizations in Oracle Linux Automation Manager. Organizations are presented as keys within the JSON formatted string that you provide within this field. For each organization mapping you provide keys for the group entries for users and administrators within the group. Each map can have the following keys and values:
    • admins:
      • None: organization admins are not updated based on LDAP values.

      • True: all users in LDAP are automatically added as admins of the organization.

      • False: no LDAP users are added as admins of the organization.

      • A string or list of strings that specify the group DN(s) to query for group members that should be assigned the admin role within the organization.

    • remove_admins:
      • True: users who are not members of the admins groups are removed from the organization's admin users.

      • False: users who are members of the admins groups are added to the organization's admin users.

    • users:
      • None: organization users are not updated based on LDAP values.

      • True: all users in LDAP are automatically added as users of the organization.

      • False: no LDAP users are added as users of the organization.

      • A string or list of strings that specify the group DN(s) to query for group members that should be assigned the user role within the organization.

    • remove_users:
      • True: users who are not members of the users groups are removed from the organization's users.

      • False: users who are members of the users groups are added to the organization's users.

    For example, for the Organization named "LDAP Group 1" you may have an entry similar to:
    {
      "LDAP Group 1": {
        "admins": "cn=olamadmins,cn=groups,cn=accounts,dc=example,dc=com",
        "remove_admins": true,
        "users": [
          "cn=olamusers,cn=groups,cn=accounts,dc=example,dc=com",
          "cn=support,cn=groups,cn=accounts,dc=example,dc=com"
        ]
      }
    }
    LDAP Team Map
    LDAP Team Maps are similar to LDAP Organization Maps and the primary key in each entry maps onto the Team rather than the organizational unit. Key options and values for each entry include:
    • organization: an organization as defined either in your Organization mappings or within Oracle Linux Automation Manager itself. If no entry is provided or the organization does not exist, an organization is created automatically.
    • users:
      • None: team members are not automatically updated from LDAP.

      • True: all users in LDAP are automatically added as team members.

      • False: no LDAP users are added as team members.

      • A string or list of strings that specify the group DN(s) to query for group members that should be added as team members.

    • remove:
      • True: users who are not members of the users groups are removed from the team.

      • False: users who are members of the users groups are added to the team.

    For example, the following team mappings may be created:
    {
      "LDAP Team 1": {
        "organization": "LDAP Group 1",
        "users": "cn=olamusers,cn=groups,cn=accounts,dc=example,dc=com",
        "remove": false
      },
      "LDAP Support": {
        "organization": "LDAP Group 1",
        "users": "cn=support,cn=groups,cn=accounts,dc=example,dc=com",
        "remove": true
      }
    }
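The following Python validator is an added example, not Oracle's code: it checks a candidate set of the fields above against the constraints this section spells out (the ldaps/Start TLS conflict, the %(user)s placeholder, the Active Directory member_attr rule, clear-text ldap:// without Start TLS, and the shape of the organization and team maps) before they are saved. The dictionary keys and the group type strings are this example's own assumptions, and the settings values are constructed.

```python
from urllib.parse import urlsplit

def group_spec_ok(value):
    """admins/users accept None, true, false, one group DN or a list of group DNs."""
    if value is None or isinstance(value, bool):
        return True
    dns = [value] if isinstance(value, str) else value
    return isinstance(dns, list) and all(isinstance(d, str) and "=" in d for d in dns)

def check_ldap_settings(s):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    uri = urlsplit(s.get("server_uri") or "")
    if uri.scheme not in ("ldap", "ldaps") or not uri.hostname:
        findings.append("Server URI must be ldap://<host>:<port> or ldaps://<host>:<port>")
    if uri.scheme == "ldaps" and s.get("start_tls"):
        findings.append("Start TLS must not be enabled when the URI scheme is ldaps")
    if uri.scheme == "ldap" and not s.get("start_tls"):
        findings.append("ldap:// without Start TLS sends the bind and user passwords in clear text")
    template = s.get("user_dn_template")
    if template and "%(user)s" not in template:
        findings.append("User DN Template must contain the %(user)s placeholder")
    search = s.get("user_search") or []
    if not template and (len(search) != 3 or "%(user)s" not in search[2]):
        findings.append("without a User DN Template the User Search filter must contain %(user)s")
    # Group type names follow django-auth-ldap naming (an assumption, not taken from this page).
    if "ActiveDirectory" in (s.get("group_type") or "") and "member_attr" in (s.get("group_type_params") or {}):
        findings.append("member_attr must be omitted from Group Type Parameters for Active Directory")
    orgs = s.get("organization_map") or {}
    for org, m in orgs.items():
        for key in ("admins", "users"):
            if not group_spec_ok(m.get(key)):
                findings.append(f"organization {org!r}: {key} must be None, true, false, a DN or a list of DNs")
    for team, m in (s.get("team_map") or {}).items():
        if m.get("organization") not in orgs:
            findings.append(f"team {team!r}: organization {m.get('organization')!r} is not mapped and would be created automatically")
    return findings

# Constructed sample (not exported from a real system); the keys are this example's own
# names for the page's fields. It contains two of the mistakes the page warns about.
SAMPLE_SETTINGS = {
    "server_uri": "ldaps://ldap1.example.com:636", "start_tls": True,
    "bind_dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=com", "bind_password": "secret",
    "user_dn_template": "uid=%(user),ou=Users,dc=example,dc=com",
    "user_search": ["cn=users,cn=accounts,dc=example,dc=com", "SCOPE_SUBTREE", "(uid=%(user)s)"],
    "group_type": "MemberDNGroupType", "group_type_params": {"member_attr": "member", "name_attr": "cn"},
    "organization_map": {"LDAP Group 1": {"admins": "cn=olamadmins,cn=groups,cn=accounts,dc=example,dc=com",
                                          "remove_admins": True, "users": None}},
    "team_map": {"LDAP Team 1": {"organization": "LDAP Group 1", "users": True, "remove": False}},
}
```

Running check_ldap_settings(SAMPLE_SETTINGS) reports the ldaps/Start TLS conflict and the template missing its trailing s; correcting those two values yields an empty list.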