A repository administrator can delegate the authentication of repository users to an LDAP server by selecting and entering all the appropriate parameters for her environment. Once the repository has been configured to permit access to users authenticated by LDAP, any such user can connect to the repository without further intervention from the repository administrator. The first time that an LDAP user connects to the repository, an account is automatically created for him in the External users and Public groups.
PowerDesigner’s Repository LDAP integration provides only authentication. Authorization is still managed via the permissions set within the PowerDesigner Repository environment. Initially, members of the External users group have only the Connect right granted, and members of Public have read access to everything in the repository. The administrator will grant other rights and permissions as appropriate.
You will probably want to retain finer control of write permission on repository documents. To have everything in place before your users connect to the repository, you can manually create accounts for them and assign permissions for them before they connect (see Pre-configuring LDAP User Permissions).
To enter the LDAP configuration parameters, select Administration > LDAP Parameters (or right-click the root node, and select Properties to open the repository property sheet, and then click the LDAP tab).
Several of the parameters in the General group box are required:

Parameter | Description
---|---
Provider URL | [required] Specifies the URL for the LDAP provider in the format `ldap://ldapserverhost:port`, or as an IP address.
Security protocol | [optional] Specifies the protocol to be used when connecting to the LDAP server. If you are using SSL (which is the only protocol currently supported), then you should set this parameter to ssl. We recommend that you configure LDAP access at first without SSL, and only enable the protocol once you have access working.
Default search base | [required] Specifies the default LDAP search base to be used for authentication, roles, attribution, and self-registration.
Trusted server | [required] Specifies that the LDAP server can be trusted.
Server type | Specifies the type of the LDAP server. Selecting a server type sets silent defaults for the authentication and role filters. Since every LDAP configuration is different and these defaults may not be appropriate for your installation, we recommend that you select none. The following types are available:
Anonymous bind | [optional] Specifies that the server supports anonymous access to the LDAP tree. If this parameter is not selected, you must specify a bind DN and password. Note that Active Directory does not support anonymous binding out of the box.
Bind DN | [required unless Anonymous bind is selected] Specifies the LDAP account that has permissions to query the Active Directory. If the Bind DN is in the same DN as the Authentication search base, then the Bind DN can be just the user ID for the search. Otherwise, you will need the account login and password as well as the Distinguished Name (DN) for that account.
Bind password | [required unless Anonymous bind is selected] Specifies the password to bind with when building the initial LDAP connection.
Most of the parameters in the Authentication group box are mandatory:

Parameter | Description
---|---
Filter | [required] Specifies the LDAP query that looks up the user information. To determine the LDAP filter you will use, you must know the properties of the users defined in the Active Directory. The property that is being used as the login could be name, samAccountName or another property. In the following example we use the samAccountName as the login (which PowerDesigner captures in the variable {uid}): `(&(samAccountName={uid})(objectclass=user))`
Scope | [required] Specifies the scope of the authentication search. You can choose between:
Method | [required] Specifies the method to use for authentication requests. You can choose between:
Digest MD5 format | [required] Specifies the DIGEST-MD5 bind authentication identity format. The default is DN.
Search base | [optional] If the default search base specified in the General group box does not include the location of the User list in your Active Directory, you must specify it here.
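The Provider URL format and the {uid} substitution in the authentication filter are the two values most often mistyped when entering these parameters. The following added example (not PowerDesigner's own code; how PowerDesigner substitutes {uid} internally is not shown on this page) checks a constructed parameter set the way a correct implementation would: it validates the URL, verifies the filter template, and substitutes the login with RFC 4515 filter escaping so that metacharacters in a typed login cannot change the meaning of the search.

```python
from urllib.parse import urlsplit

# Constructed sample of the General/Authentication parameters described above.
# Parameter names follow the page; the values are assumptions for illustration.
SAMPLE_PARAMS = {
    "provider_url": "ldap://ldap.example.test:389",
    "default_search_base": "DC=example,DC=test",
    "auth_filter": "(&(samAccountName={uid})(objectclass=user))",
}


def parse_provider_url(url):
    """Validate a Provider URL of the form ldap://host:port (host may be an IP).

    Returns (scheme, host, port); the port defaults to 389 (636 for ldaps).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("Provider URL must start with ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("Provider URL has no host")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def check_filter_template(template):
    """Ensure the template contains {uid} and has balanced parentheses."""
    if "{uid}" not in template:
        raise ValueError("Authentication filter must contain {uid}")
    depth = 0
    for ch in template:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            raise ValueError("Unbalanced ')' in authentication filter")
    if depth != 0:
        raise ValueError("Unbalanced '(' in authentication filter")
    return True


def build_auth_filter(template, login):
    """Substitute the escaped login for {uid}, as an authentication lookup would."""
    check_filter_template(template)
    return template.replace("{uid}", escape_filter_value(login))
```

Run `build_auth_filter(SAMPLE_PARAMS["auth_filter"], "jdoe")` to see the concrete search filter that the server would receive for the login jdoe.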
PowerDesigner does not currently support role-based authentication, and so any values you enter in the Role group box will not be taken into account:

Parameter | Description
---|---
Filter | Specifies the role search filter, which, when combined with the search base and scope, returns a complete list of roles within the LDAP server. There are several default values depending on the chosen server type. If the server type is not chosen or this property is not initialized, no roles will be available.
Scope | Specifies the role search scope. You can choose between:
Referral | Specifies the treatment of referrals. You can choose between:
Name attribute | Specifies the attribute of a retrieved role that holds the common name of the role. If this value is "dn", the entire DN of the role is used as the role name. The default is "cn", the common name.
Search base | Specifies the role search base.