This section describes the steps that are required to automatically add LDAP users to SBM.
Important: In order to use the Auto Add from LDAP feature, you must use LDAP or LDAP First, then Internal for user validation. You cannot use this feature with SSO LDAP. For more information, refer to "Configuring Authentication" in the SBM Installation and Configuration Guide.
Automatically Add New User Upon Successful Login
Select this checkbox to enable the auto-add settings. This enables SBM to automatically add any user that successfully authenticates against your specified LDAP directory.
Important: This feature is only relevant if you are using LDAP to check passwords. For more information, refer to "Configuring LDAP Authentication" in the SBM Installation and Configuration Guide.
When a new user attempts to log in to SBM for the first time, SBM queries your LDAP directory (using the Search base and Search filter specified in SBM Configurator) and attempts to authenticate the user. If authentication succeeds, the user is added to SBM, assigned an applicable license (seat or concurrent, depending on your system), and allowed to log in.
If no licenses are available, users receive an error when they attempt to log in, and they are instructed to contact their administrator. Additionally, an e-mail is sent to notify the administrator at the address specified in the Administrator E-mail field in the Server tab of the Settings dialog box.
Users who are automatically added are created using the mappings defined on the User Map tab. Additionally, user preferences can be created based off a template or copy of an existing user, as defined in the Import users as copies of drop-down list on the User Import tab. If no user is specified, then a default set of user preferences is provided for each new account that is created and privileges will only be set by group membership.
Note: The product-access of the user that is selected in the Import users as copies of drop-down list does not apply to auto-added users. For details on how product-access is set for auto-added users, see Assigning Licenses and Product Access.
Contact records can also be created for users created via auto-add by selecting the Create Associated Contacts option. The designated mappings on the User Map tab are used for the newly created contact record.
Assigning Licenses and Product Access
The license type and product-access for a new user are determined by a series of checks using the following fields:
- Assign Requestor User License for LDAP Group – Enter one or more SBM groups (separated by a comma) for external users. SBM compares these groups to the groups that are created by the Group Attributes and Query Parameters that are specified on the User Map tab. If they match, and a Requestor license is available, the user is added with External User product-access.
- Assign Occasional User License for LDAP Group – Enter one or more SBM groups (separated by a comma) for occasional users. SBM compares these groups to the groups that are created by the Group Attributes and Query Parameters that are specified on the User Map tab. If they match, and an Occasional User license is available, the user is added with Occasional User product-access.
For details on the Group Attributes and Query Parameters settings, see Creating Groups for Users Automatically Added from LDAP.
The following process is used to assign licenses and the product-access type:
1. A new user successfully authenticates against LDAP.
2. SBM compares the Group Attributes and Query Parameters on the User Map tab to the user’s LDAP record. SBM then creates the groups or adds the user to the groups if they already exist.
3. SBM checks the Assign Occasional User License for LDAP Group field for one or more SBM group names. If the authenticated user has membership in these SBM groups (according to the Group Attributes and Query Parameters fields), and an Occasional User license is available, the user is added to SBM with Occasional User product-access.
4. If the authenticated user does not belong to the SBM groups in the Assign Occasional User License for LDAP Group field, or if no Occasional User licenses are available, SBM checks the Assign Requestor User License for LDAP Group field for one or more SBM group names. If the authenticated user has membership in these SBM groups (according to the Group Attributes and Query Parameters fields), and a Requestor User license is available, the user is added to SBM with External User product-access.
5. If an access-type has not been assigned according to steps 3 or 4, SBM uses the product-access of the template user that is specified on the User Import tab. If that user account has Regular, Managed Administrator, External, or Occasional product access, then that access type is granted; otherwise, the new user is granted Regular user product access if a license is available for that access-type. If a license is not available, the new user is not created and an error is returned instead.
6. Once the product-access type is set, SBM checks the Default SBM user group for new users field and adds the user to the default SBM group (if specified). For more information, see Default SBM User Group for New Users.
Note: The Default SBM User Group for New Users value has no effect on the product-access type of an auto-added user. Auto-added users are given membership in the default group after the access type has already been determined.
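The assignment order in the process above, followed literally and modeled as a small Python function so a planned configuration can be checked before auto-add is enabled. This is an added example, not SBM code; the class and function names, the license keys, and the rule that membership in any one listed group counts as a match are assumptions made for illustration.

```python
# Added illustration: models the documented decision order; this is not SBM code.
from dataclasses import dataclass, field
from typing import Optional

# Template-user access types that step 5 says are granted as-is.
HONORED_TEMPLATE_ACCESS = {"Regular", "Managed Administrator", "External", "Occasional"}

class NoLicenseAvailable(Exception):
    """No access type could be assigned: the user is not created."""

@dataclass
class AutoAddConfig:
    occasional_groups: set = field(default_factory=set)  # Assign Occasional User License for LDAP Group
    requestor_groups: set = field(default_factory=set)   # Assign Requestor User License for LDAP Group
    template_access: Optional[str] = None                # access of the "Import users as copies of" user
    default_group: Optional[str] = None                  # Default SBM user group for new users

def provision(ldap_groups, cfg, free):
    """Return (product_access, sbm_groups) for a user who just authenticated.

    ldap_groups: SBM groups derived from Group Attributes / Query Parameters.
    free: license name -> seats left; the key names are assumptions.
    Assumption: membership in any one listed group counts as a match.
    """
    groups = set(ldap_groups)
    if groups & cfg.occasional_groups and free.get("Occasional", 0) > 0:
        access = "Occasional"                      # step 3
    elif groups & cfg.requestor_groups and free.get("Requestor", 0) > 0:
        access = "External"                        # step 4
    elif cfg.template_access in HONORED_TEMPLATE_ACCESS:
        access = cfg.template_access               # step 5, template user
    elif free.get("Regular", 0) > 0:
        access = "Regular"                         # step 5, fallback
    else:
        raise NoLicenseAvailable("no license for Regular access")
    # Step 6: the default group is added after access is fixed, so it never changes it.
    if cfg.default_group:
        groups.add(cfg.default_group)
    return access, groups

if __name__ == "__main__":
    # Constructed sample configuration and users.
    cfg = AutoAddConfig({"Support"}, {"Customers"}, "Regular", "Everyone")
    print(provision(["Support"], cfg, {"Occasional": 1}))
    print(provision(["Support", "Customers"], cfg, {"Occasional": 0, "Requestor": 2}))
    print(provision(["Staff"], cfg, {}))
```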
Default SBM User Group for New Users
Select the name of an existing SBM group to which newly-added users should be added by default upon successful authentication against LDAP.
In addition to the specified default group, any LDAP groups that the user belongs to can be created (if necessary) in SBM upon successful authentication by using the Group Attributes and Group Query Parameters fields on the User Map tab. These groups will initially be created without any privileges in SBM. Therefore, consider specifying a default SBM group in the drop-down box so that newly added users will have a standard set of privileges that will allow them to use SBM without the need of any immediate privilege modification.
Important: You must configure LDAP server settings in SBM Configurator before you can map LDAP user attributes or select LDAP Group Attributes and Group Query Parameters.
If <None> is selected, new users will only become members of groups that are created according to the values retrieved from the Group Attributes and Group Query Parameters that you specify on the User Map tab. See Creating Groups for Users Automatically Added from LDAP for more information.
Copyright © 2001–2019 Micro Focus or one of its affiliates. All rights reserved.