6 Configuring Settings
You can configure general Oracle Linux Automation Manager settings from the Administration section on the Settings page. These settings are grouped into the following categories:
- Authentication: Provides general settings relating to authentication.
- Jobs: Provides general settings relating to jobs.
- Systems: Provides general settings relating to the Oracle Linux Automation Manager system.
- User Interface: Provides general settings relating to the Oracle Linux Automation Manager user interface.
For more information about these fields, see the upstream documentation.
Configuring LDAP Authentication
Administrators can integrate Oracle Linux Automation Manager's authentication mechanism with one or more existing Lightweight Directory Access Protocol (LDAP) servers for centralized user management and better integration with existing identity management platforms, such as Active Directory.
To configure LDAP authentication:
- Log into Oracle Linux Automation Manager.
- Expand the navigation menu, and click Settings. The Settings page appears.
- In the Authentication panel on the Settings page, click LDAP Settings.
The LDAP Settings page is displayed with several tabs that let you enter configuration details for several LDAP servers. Configure the Default LDAP server by clicking the Edit button and then entering information into the fields displayed on the Default tab:
- LDAP Server URI
- Provide the URI to access the LDAP server in the format ldap://<host>:<port>, where <host> is the host name of the LDAP server and <port> is the TCP port number that the LDAP server uses. This field is required. For example:
ldap://ldap1.example.com:389
If the LDAP server uses SSL, you can specify ldaps as the protocol within the scheme component of the URI. For example:
ldaps://ldap1.example.com:636
- LDAP Bind DN
- Provide the Distinguished Name (DN) used to authenticate Oracle Linux Automation Manager against the LDAP server using the Bind operation. This field is required if the LDAP server doesn't allow anonymous access. For example:
uid=admin,cn=users,cn=accounts,dc=example,dc=com
- LDAP Bind Password
- Provide the Bind password for the Bind DN that you provided above. Note that the password is encrypted within the Oracle Linux Automation Manager database and is not displayed as you type it.
- LDAP Start TLS
- Either enable or disable Start TLS encryption for the LDAP server, depending on whether it's configured to use this function and valid SSL/TLS certificates are configured on the server. Note that you must not enable this option if you have set the protocol to ldaps within the URI Scheme component of the LDAP Server URI.
- LDAP User DN Template
- Optionally configure an LDAP User DN Template that can be used to automatically authenticate against a particular DN for a user when a username is provided. The template can use the %(user)s variable to automatically fill in the username. For example:
uid=%(user)s,ou=Users,dc=example,dc=com
- LDAP Group Type
- Select an appropriate LDAP Group Type from the drop-down selector. This option defines how the LDAP server determines group membership for users when trying to authorize them. LDAP Group Types map onto the ObjectClasses that are defined for the groups and might vary depending on the LDAP server. The option that you select here controls the filter used in the queries that are made to determine whether a user belongs to the LDAP Require Group or LDAP Deny Group.
- LDAP Require Group
- Optionally configure an LDAP Require Group by providing the DN of the group to which the users must belong to be authenticated. This option prevents users from authenticating in Oracle Linux Automation Manager unless they belong to a specific group of users. For example, the following establishes a group called olamusers as being a required group:
cn=olamusers,cn=groups,cn=accounts,dc=example,dc=com
- LDAP Deny Group
- Optionally configure an LDAP Deny Group by providing the DN of the group to which the users must not belong to be authenticated. This option is the opposite of the LDAP Require Group and prevents users from authenticating in Oracle Linux Automation Manager if they belong to the group specified. For example, the following establishes a group called engineers as being a denied group:
cn=engineers,cn=groups,cn=accounts,dc=example,dc=com
- LDAP User Search
- The LDAP User Search field lets you configure a search DN, scope, and filter to be used when determining whether a user is authorized to authenticate in Oracle Linux Automation Manager. You can also use this field to populate information about LDAP authenticated users in Oracle Linux Automation Manager when they're viewed on the Users page under the Access section of the navigation menu. For example:
[ "cn=users,cn=accounts,dc=example,dc=com", "SCOPE_SUBTREE", "(uid=%(user)s)" ]
- LDAP Group Search
- The LDAP Group Search field lets you configure a search DN, scope, and filter to be used when determining which groups a user belongs to. This search query is also used to process the LDAP Organization and Team mappings. For example:
[ "cn=groups,cn=accounts,dc=example,dc=com", "SCOPE_SUBTREE", "(objectClass=posixgroup)" ]
- LDAP User Attribute Map
- The LDAP User Attribute Map lets you map LDAP attributes for a user entry to Oracle Linux Automation Manager attributes that are used to populate information about the user within the UI. The Oracle Linux Automation Manager attributes that can be mapped follow:
- first_name
- last_name
- email
You can map these attributes to the attribute entries for a user within the LDAP server. For example, the following describes an attribute map:
{ "first_name": "givenName", "last_name": "sn", "email": "mail" }
- LDAP Group Type Parameters
- This setting controls the parameters used when performing a group lookup on the LDAP server. Two parameters can be set here, as in the following example:
{ "member_attr": "member", "name_attr": "cn" }
Note that if you're using Active Directory, the member_attr attribute must not be set and must be excluded from the configuration.
- LDAP User Flags By Group
- The LDAP User Flags by Group field lets you map LDAP groups to different roles within Oracle Linux Automation Manager. LDAP users belonging to a particular group can be configured as superusers, and users belonging to an alternative group can be configured as auditors. All other users that are authenticated are given standard user permissions within Oracle Linux Automation Manager. For example:
{ "is_superuser": [ "cn=olamadmins,cn=groups,cn=accounts,dc=example,dc=com" ], "is_system_auditor": [ "cn=olamauditors,cn=groups,cn=accounts,dc=example,dc=com" ] }
- LDAP Organization Map
- To configure Organization mappings for Oracle Linux Automation Manager, you need to provide the mappings between the LDAP groups and the Organizations in Oracle Linux Automation Manager. Organizations are presented as keys within the JSON-formatted string that you provide within this field. For each organization mapping, you provide keys for the group entries for users and administrators within the group. Each map can have the following keys and values:
- admins:
  - None: organization admins aren't updated based on LDAP values.
  - True: all users in LDAP are automatically added as admins of the organization.
  - False: no LDAP users are added as admins of the organization.
  - A string or list of strings that specify the group DN(s) to query for group members that can be assigned the admin role within the organization.
- remove_admins:
  - True: users that aren't a member of the admins groups are removed from the organization's admin users.
  - False: users that are members of the admins groups are added to the organization's admin users.
- users:
  - None: organization users aren't updated based on LDAP values.
  - True: all users in LDAP are automatically added as users of the organization.
  - False: no LDAP users are added as users of the organization.
  - A string or list of strings that specify the group DN(s) to query for group members that can be assigned the user role within the organization.
- remove_users:
  - True: users that aren't a member of the users groups are removed from the organization's users.
  - False: users that are members of the users groups are added to the organization's users.
- LDAP Team Map
- LDAP Team Maps are similar to LDAP Organization Maps, except that the primary key in each entry maps onto the Team rather than the organizational unit. Key options and values for each entry include:
- organization: an organization as defined either in the Organization mappings or within Oracle Linux Automation Manager itself. If no entry is provided or the organization doesn't exist, an organization is created automatically.
- users:
  - None: team members aren't automatically updated from LDAP.
  - True: all users in LDAP are automatically added as team members.
  - False: no LDAP users are added as team members.
  - A string or list of strings that specify the group DN(s) to query for group members that can be added as team members.
- remove:
  - True: users that aren't a member of the users groups are removed from the team.
  - False: users that are members of the users groups are added to the team.
For example:
{
  "LDAP Team 1": {
    "organization": "LDAP Group 1",
    "users": "cn=olamusers,cn=groups,cn=accounts,dc=example,dc=com",
    "remove": false
  },
  "LDAP Support": {
    "organization": "LDAP Group 1",
    "users": "cn=support,cn=groups,cn=accounts,dc=example,dc=com",
    "remove": true
  }
}
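The following Python example is added here to work through the LDAP User Flags by Group, Organization Map and Team Map rules described above; it is not Oracle Linux Automation Manager or AWX code. It uses the page's sample flag and team maps, a constructed Organization Map (the page gives none), and the assumption that group DNs can be compared as case-insensitive strings.

```python
# Added example (not Oracle Linux Automation Manager or AWX code): applies the
# User Flags by Group, Organization Map and Team Map rules described above to
# the group DNs returned for one user. DN matching is simplified to a
# case-insensitive string compare (an assumption of this example).
DN = "cn=%s,cn=groups,cn=accounts,dc=example,dc=com"  # shorthand for the page's DNs
FLAG_MAP = {"is_superuser": [DN % "olamadmins"],          # page's sample value
            "is_system_auditor": [DN % "olamauditors"]}
TEAM_MAP = {                                               # page's sample value
    "LDAP Team 1": {"organization": "LDAP Group 1", "users": DN % "olamusers", "remove": False},
    "LDAP Support": {"organization": "LDAP Group 1", "users": DN % "support", "remove": True},
}
ORG_MAP = {                                                # constructed; page gives none
    "LDAP Group 1": {"admins": DN % "olamadmins", "remove_admins": True,
                     "users": True, "remove_users": False},
}

def _resolve(spec, groups):
    """None/True/False pass through; a DN or list of DNs is True when the user
    belongs to at least one of them (groups is a set of lowercased DNs)."""
    if spec is None or isinstance(spec, bool):
        return spec
    dns = [spec] if isinstance(spec, str) else spec
    return any(dn.lower() in groups for dn in dns)

def apply_map(mapping, groups, current, spec_key, remove_key):
    """Names the user holds after login, starting from the current set."""
    g = {dn.lower() for dn in groups}
    members = set(current)
    for name, entry in mapping.items():
        hit = _resolve(entry.get(spec_key), g)
        if hit is None:                      # None: leave membership untouched
            continue
        if hit:                              # True or a matching group DN: grant
            members.add(name)
        elif entry.get(remove_key, False):   # no match and remove_* set: revoke
            members.discard(name)
    return members

def user_flags(groups):
    g = {dn.lower() for dn in groups}
    return {flag: bool(_resolve(dns, g)) for flag, dns in FLAG_MAP.items()}

def team_membership(groups, current=()):
    return apply_map(TEAM_MAP, groups, current, "users", "remove")

def org_roles(groups, current_admin=(), current_user=()):
    return {"admin": apply_map(ORG_MAP, groups, current_admin, "admins", "remove_admins"),
            "user": apply_map(ORG_MAP, groups, current_user, "users", "remove_users")}
```

For instance, a user in cn=olamusers who was previously added to "LDAP Support" by hand loses that team on login because its entry sets "remove": true, while a manually granted "LDAP Team 1" seat survives a login with no matching group because that entry sets "remove": false.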