Automatically Adding Users from LDAP

This section describes the steps that are required to automatically add LDAP users to SBM.

Important: In order to use the Auto Add from LDAP feature, you must use LDAP or LDAP First, then Internal for user validation. You cannot use this feature with SSO LDAP. For more information, refer to "Configuring Authentication" in the SBM Installation and Configuration Guide.

Automatically Add New User Upon Successful Login

Select this checkbox to enable the auto-add settings. This enables SBM to automatically add any user that successfully authenticates against your specified LDAP directory.

Important: This feature is only relevant if you are using LDAP to check passwords. For more information, refer to "Configuring LDAP Authentication" in the SBM Installation and Configuration Guide.

When a new user attempts to log in to SBM for the first time, SBM queries your LDAP directory (using the Search base and Search filter specified in SBM Configurator) and attempts to authenticate the user. If authentication succeeds, the user is added to SBM, assigned an applicable license (seat or concurrent, depending on your system), and allowed to log in.

If no licenses are available, users receive an error when they attempt to log in, and they are instructed to contact their administrator. Additionally, an e-mail is sent to notify the administrator at the address specified in the Administrator E-mail field in the Server tab of the Settings dialog box.

Users who are automatically added are created using the mappings defined on the User Map tab. Additionally, user preferences can be created from a template or a copy of an existing user, as defined in the Import users as copies of drop-down list on the User Import tab. If no user is specified, a default set of user preferences is provided for each new account that is created, and privileges are set only by group membership.

Note: The product-access of the user that is selected in the Import users as copies of drop-down list does not apply to auto-added users. For details on how product-access is set for auto-added users, see Assigning Licenses and Product Access.

Contact records can also be created for users created via auto-add by selecting the Create Associated Contacts option. The designated mappings on the User Map tab are used for the newly created contact record.

Assigning Licenses and Product Access

The license type and product-access for a new user are determined by a series of checks using the following fields:

For details on the Group Attributes and Query Parameters settings, see Creating Groups for Users Automatically Added from LDAP.

The following process is used to assign licenses and the product-access type:

  1. A new user successfully authenticates against LDAP.
  2. SBM compares the Group Attributes and Query Parameters on the User Map tab to the user’s LDAP record. SBM then creates the groups or adds the user to the groups if they already exist.
  3. SBM checks the Assign Occasional User License for LDAP Group field for one or more SBM group names. If the authenticated user has membership in these SBM groups (according to the Group Attributes and Query Parameters fields), and an Occasional User license is available, the user is added to SBM with Occasional User product-access.
  4. If the authenticated user does not belong to the SBM groups in the Assign Occasional User License for LDAP Group field, or if no Occasional User licenses are available, SBM checks the Assign Requestor User License for LDAP Group field for one or more SBM group names. If the authenticated user has membership in these SBM groups (according to the Group Attributes and Query Parameters fields), and a Requestor User license is available, the user is added to SBM with External User product-access.
  5. If an access-type has not been assigned according to steps 3 or 4, SBM uses the product-access of the template user that is specified on the User Import tab. If that user account has Regular, Managed Administrator, External, or Occasional product access, then that access type is granted; otherwise, the new user is granted Regular user product access if a license is available for that access-type. If a license is not available, the new user is not created and an error is returned instead.
  6. Once the product-access type is set, SBM checks the Default SBM user group for new users field and adds the user to the default SBM group (if specified). For more information, see Default SBM User Group for New Users.
    Note: The Default SBM User Group for New Users value has no effect on the product-access type of an auto-added user. Auto-added users are given membership in the default group after the access type has already been determined.
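
The assignment process above, modeled as a small Python function so that an administrator can check which access type a given set of LDAP groups would produce. This is an added illustration, not SBM code: the AutoAddConfig fields, the licenses mapping, and the sample group names are hypothetical, and it assumes that membership in any one listed group qualifies and that the step 5 license check applies to whichever access type is selected.

```python
from dataclasses import dataclass, field
from typing import Optional

# Access types step 5 accepts from the template user.
TEMPLATE_ACCESS = {"Regular", "Managed Administrator", "External", "Occasional"}


class NoLicenseError(Exception):
    """Step 5 failure: the user is not created and an error is returned."""


@dataclass
class AutoAddConfig:
    occasional_groups: set = field(default_factory=set)  # Assign Occasional User License for LDAP Group
    requestor_groups: set = field(default_factory=set)   # Assign Requestor User License for LDAP Group
    template_access: Optional[str] = None                 # access of the "Import users as copies of" user
    default_group: Optional[str] = None                   # Default SBM user group for new users


def auto_add(ldap_groups, cfg, licenses):
    """Return (product_access, sbm_groups) for a user who passed LDAP authentication.

    licenses maps an access type to the number of free licenses (hypothetical
    shape); "External" stands for the Requestor User license named in step 4.
    """
    groups = set(ldap_groups)  # step 2: LDAP groups are created/joined in SBM
    # Steps 3 and 4. Assumption: membership in any one listed group is enough.
    if groups & cfg.occasional_groups and licenses.get("Occasional", 0) > 0:
        access = "Occasional"
    elif groups & cfg.requestor_groups and licenses.get("External", 0) > 0:
        access = "External"
    else:
        # Step 5: template user's access, otherwise Regular.
        access = cfg.template_access if cfg.template_access in TEMPLATE_ACCESS else "Regular"
        # Assumption: the license check applies to whichever type step 5 picks.
        if licenses.get(access, 0) <= 0:
            raise NoLicenseError(f"no {access} license available")
    # Step 6: default group is added last and never changes the access type.
    if cfg.default_group:
        groups.add(cfg.default_group)
    return access, groups


# Constructed sample configuration and license pool.
CFG = AutoAddConfig({"Helpdesk"}, {"Customers"}, "Regular", "Everyone")
if __name__ == "__main__":
    print(auto_add(["Helpdesk", "Customers"], CFG, {"Occasional": 0, "External": 2}))
```

Running the model against the intended LDAP group names before enabling auto-add shows which users would fall through to the template user's access type when a license pool is exhausted.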

Default SBM User Group for New Users

Select the name of an existing SBM group to which newly-added users should be added by default upon successful authentication against LDAP.

In addition to the specified default group, any LDAP groups that the user belongs to can be created (if necessary) in SBM upon successful authentication by using the Group Attributes and Group Query Parameters fields on the User Map tab. These groups will initially be created without any privileges in SBM. Therefore, consider specifying a default SBM group in the drop-down box so that newly added users will have a standard set of privileges that will allow them to use SBM without the need of any immediate privilege modification.

Important: You must configure LDAP server settings in SBM Configurator before you can map LDAP user attributes or select LDAP Group Attributes and Group Query Parameters.

If <None> is selected, new users will only become members of groups that are created according to the values retrieved from the Group Attributes and Group Query Parameters that you specify on the User Map tab. See Creating Groups for Users Automatically Added from LDAP for more information.