To set up an LDAP realm in Reporter (against Novell eDirectory, Microsoft Active Directory, or a 3rd party LDAP directory), you will first need to obtain the following information from your LDAP directory administrator:
- The IP address of the LDAP server, and the port you will connect to it on (389, or 636 for LDAP over SSL).
- Whether or not you need to authenticate to search for users and groups.
- If you cannot connect to the LDAP server anonymously, you'll need the Fully Qualified Distinguished Name (FQDN) of a user that can, and its password.
- Here's an example of the syntax: cn=lastname\, firstname,cn=users,dc=internal,dc=mytree,dc=com (the comma inside the name is escaped with a backslash)
- The attributes needed to search the tree for users and groups.
For Microsoft Active Directory, the defaults are:
  User Naming Attribute: sAMAccountName
  Group Naming Attribute: groupclass
  Group class: class
NOTE: For more information on what these attributes mean, see 000021975
- The Group and User base DNs.
- Here's an example of the syntax needed for users: cn=users,dc=internal,dc=mytreename,dc=com
- Here's an example of the syntax needed for groups: cn=groups,dc=internal,dc=mytreename,dc=com
- NOTE: Some administrators may have groups and users in the same context.
Once you have this information, enter it into the LDAP realm configuration wizard, and then use the Test button to ensure it works. You can find the LDAP realm wizard by clicking on the Administration tab > General settings > External servers > LDAP/Directory.
Best practice: If you have multiple group and user base DNs all over your tree, spread across multiple partitions and servers, Blue Coat suggests you configure more than one LDAP realm and point each one at its own base DN. At the time of writing this Knowledge Base article, Reporter 9.1.x versions did not support searching through multiple LDAP partitions and servers from a single realm.
Configuring roles to use with LDAP:
Once you have your LDAP realm successfully configured, it is time to connect LDAP groups to roles in Reporter.
In the Administration section of Reporter, click on "Access Control" and then Roles.
Once here, configure a role for a database with the filters you desire. For greater granularity, you can also configure this same role to show only certain fields in your database. Roles cannot directly control which reports a user can run, but they can control, down to the field, what data the user will see. So, while all reports will still run, the restricted data in those reports will not be shown.
The next step is to search the LDAP tree for a group and connect it to the role you configured above. The option right below Roles is called LDAP Groups; click on this. Here you can conduct live searches of your LDAP tree for groups and link them to the roles you created above.
TIP: You can type in any search string to find the group name you wish to connect to. Remember, though, that the list you see coming back is taken from your LDAP tree.
TIP: Nested groups are not supported in any LDAP tree with versions of Reporter 9.1.x. For information on how to configure this feature in version 9.2.x and later, see 000010794
TIP: If you are seeing an empty list here, the most probable cause is that the user you are logging in as does not have rights to pull a group list, or the context you provided as the Group base DN is wrong.
Once the LDAP group is connected to a role in Reporter, all users in that group will have the same access given to that role.
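The checks below are an added example for this article; they are not Blue Coat Reporter code and they never contact a directory. They take the values gathered above (server, port, bind DN with its escaped comma, user and group base DNs, naming attributes) and check that they are well formed before you type them into the realm wizard, and they show how a group search string typed into the LDAP Groups page should be escaped so it can only ever match a name and never change the structure of the filter. The server address, the password placeholder, and the group attribute values (cn and group) are constructed assumptions; use the attributes your directory administrator gives you, and the filter shape is an assumed equivalent of the group search rather than Reporter's own query.

```python
"""Offline sanity checks for a Reporter LDAP realm definition (added example,
not Blue Coat code). Catches a malformed DN or a missing attribute before it
shows up as an empty group list in the LDAP Groups page."""
import re

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def split_dn(dn):
    """Split a DN into RDN strings at unescaped commas (RFC 4514), so that the
    escaped comma in 'cn=lastname\\, firstname' stays inside its RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def unescape_value(value):
    """Undo RFC 4514 escapes: '\\,' -> ',' and hex pairs such as '\\2C' -> ','."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and HEX_PAIR.match(pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf.extend(value[i + 1].encode("utf-8"))
                i += 2
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def parse_dn(dn):
    """Return [(attribute, value), ...] from leaf to root; raises on a malformed RDN."""
    parsed = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN (no '='): %r" % rdn)
        attr, value = rdn.split("=", 1)
        parsed.append((attr.strip().lower(), unescape_value(value.strip())))
    return parsed


def is_under(dn, base_dn):
    """True if dn lies inside the subtree rooted at base_dn (same RDN suffix)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[-len(b):] == b


def escape_filter_value(text):
    """RFC 4515 escaping for a value placed inside a search filter, so a search
    string typed by an administrator can only match a name, not alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in text)


def group_search_filter(search, group_class, naming_attr):
    """Assumed equivalent of the LDAP Groups search (not Reporter's actual query):
    groups of the configured class whose name contains the search string."""
    return "(&(objectClass=%s)(%s=*%s*))" % (group_class, naming_attr,
                                             escape_filter_value(search))


def validate_realm(cfg):
    """Return a list of problems with a realm definition (empty list == looks sane)."""
    problems = []
    if cfg.get("port") not in (389, 636):
        problems.append("port should be 389 (LDAP) or 636 (LDAP over SSL)")
    if not cfg.get("anonymous_bind") and not (cfg.get("bind_dn") and cfg.get("bind_password")):
        problems.append("anonymous search is off, so a bind DN and password are required")
    for key in ("bind_dn", "user_base_dn", "group_base_dn"):
        if cfg.get(key):
            try:
                parse_dn(cfg[key])
            except ValueError as exc:
                problems.append("%s: %s" % (key, exc))
    for key in ("user_naming_attr", "group_naming_attr", "group_class"):
        if not cfg.get(key):
            problems.append("%s is required to search the tree" % key)
    return problems


# Constructed realm definition built from the syntax examples in the article.
EXAMPLE_REALM = {
    "server": "192.0.2.10",            # documentation address, not a real server
    "port": 636,
    "anonymous_bind": False,
    "bind_dn": r"cn=lastname\, firstname,cn=users,dc=internal,dc=mytree,dc=com",
    "bind_password": "<password from your directory administrator>",
    "user_base_dn": "cn=users,dc=internal,dc=mytree,dc=com",
    "group_base_dn": "cn=groups,dc=internal,dc=mytree,dc=com",
    "user_naming_attr": "sAMAccountName",
    "group_naming_attr": "cn",         # assumed; use your administrator's value
    "group_class": "group",            # assumed; use your administrator's value
}

if __name__ == "__main__":
    print("problems:", validate_realm(EXAMPLE_REALM) or "none")
    print("bind user leaf RDN:", parse_dn(EXAMPLE_REALM["bind_dn"])[0])
    print("bind user is under user base DN:",
          is_under(EXAMPLE_REALM["bind_dn"], EXAMPLE_REALM["user_base_dn"]))
    print(group_search_filter("sales*(admin)", "group", "cn"))
```

The DN parser is the part worth keeping: the bind DN in the article carries an escaped comma, and a naive split on commas would turn it into two RDNs and a bind that fails with an "invalid DN" error rather than a wrong password. Run `validate_realm` on your own values; if it reports nothing and the wizard's Test button still fails, the remaining causes are the ones listed in the tips above (bind user lacks rights to list groups, or the base DN points at the wrong context).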
NOTE 1: Links to other LDAP articles:
Occasionally you may choose a nested group without realizing it, and see this message when you log in:
"In order to view reports in Reporter, your system administrator must set up a database for you to have access to."
Please see 000014773 for troubleshooting steps on how to solve this.
For a list of the LDAP error codes you may see in the journal, see 000015695
For an explanation of how you can use IWA methods on your SG to authenticate while you use LDAP on your Reporter, see 000015509
For more details on how to find your base DN on Active Directory (AD), see 000010438
For details on how to use the search user, and what rights it needs in AD, see 000007755
For details on how LDAP nested groups work in Reporter, see 000010794
For details on what the LDAP attributes mean, see 000021975