Configuring LDAP authentication and mapping LDAP accounts

To simplify administration, Crystal Enterprise supports LDAP authentication for user and group accounts. Before users can use their LDAP user name and password to log on to Crystal Enterprise, you need to map their LDAP account to Crystal Enterprise. When you map an LDAP account, you can choose to create a new Crystal Enterprise account or link to an existing Crystal Enterprise account.

Before setting up and enabling LDAP authentication, ensure that you have your LDAP directory set up. For more information, refer to your LDAP documentation.

To set up LDAP authentication using Crystal Enterprise

1. Go to the Authentication management area of the CMC.
2. Click the LDAP tab, and then click "Start LDAP Configuration Wizard".

   The LDAP Configuration Wizard will lead you through the setup of LDAP authentication, step by step.

3. The first screen of the wizard asks for information about your LDAP host. Type your LDAP host and port information in the Add LDAP host (hostname:port) field (for example, "myserver:123"); then click Add.

   Repeat this step to add more than one LDAP host of the same server type if you want to add hosts that can act as failover servers. If you want to remove a host, highlight the host name and click Delete. For more information on multiple hosts, refer to Managing multiple LDAP hosts.

4. Click Next.
5. Select your server type from the LDAP Server Type list. Click Show Attribute Mappings if you want to view or change any of the LDAP Server Attribute Mappings or the LDAP Default Search Attributes.

   By default, each supported server type's server attribute mappings and search attributes are already set.

6. Click Next.
7. In the Base LDAP Distinguished Name field, type the distinguished name (for example, o=SomeBase).
8. Click Next.
9. Enter the credentials required by the LDAP hosts.
   • In the "LDAP Server Administration Credentials" area, type the distinguished name and password for a user account that is authorized to administer your LDAP server.

     If your LDAP Server allows anonymous binding, leave this area blank—Crystal Enterprise servers and clients will bind to the primary host via anonymous logon.

   • Enter another distinguished name and password in the "LDAP Referral Credentials" area if all of the following apply:
     • The primary host has been configured to refer to another directory server that handles queries for entries under a specified base.
     • The host being referred to has been configured to not allow anonymous binding.
     • A group from the host being referred to will be mapped to Crystal Enterprise.

       Although groups can be mapped from multiple hosts, only one set of referral credentials can be set. Therefore if you have multiple referral hosts, you must create a user account on each host that uses the same distinguished name and password.

10. Enter the number of referral hops in the Maximum Referral Hops field.

    If this field is set to zero, no referrals will be followed.

11. Click Next.
12. Select the type of SSL authentication (none, Server Authentication, or Mutual Authentication) your LDAP hosts uses to establish a connection with Crystal Enterprise. Click Next.
13. If you selected Server Authentication or Mutual Authentication, choose one of the following options:
    • Always accept server certificate

      This is the lowest security option. Before Crystal Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive a security certificate from the LDAP host. Crystal Enterprise does not verify the certificate it receives.

    • Accept server certificate if it comes from a trusted Certificate Authority

      This is a medium security option. Before Crystal Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, Crystal Enterprise must find the Certificate Authority that issued the certificate in its certificate database.

      Tip:    Java applications (such as the Java version of the Crystal Enterprise web desktop) always use this option, regardless of the setting you choose.

    • Accept server certificate if it comes from a trusted Certificate Authority and the CN attribute of the certificate matches the DNS hostname of the server

      This is the highest security option. Before Crystal Enterprise can establish an SSL connection with the LDAP host (to authenticate LDAP users and groups), it must receive and verify a security certificate sent to it by the LDAP host. To verify the certificate, Crystal Enterprise must find the Certificate Authority that issued the certificate in its certificate database. It must also be able to confirm that the CN attribute on the server certificate exactly matches the host name of the LDAP host as you typed it in the "Add LDAP host" field in the first step of the wizard. That is, if you entered the LDAP host name as ABALONE.rd.crystald.net:389, using CN =ABALONE:389 in the certificate would not work.

      Tip:    The host name on the server security certificate is the name of the primary LDAP host. Therefore if you select this option you cannot use a failover LDAP host.

14. In the SSL host box, you must next add the host name of each machine in your Crystal Enterprise system that uses the Crystal Enterprise SDK. (This includes the machine running your Crystal Management Server and the machine running your Web Component Server or your Web Component Adapter.)

    Type the host name of each machine in the SSL Host box, and then click Add.

    

15. Now configure the SSL settings for each SSL host in the list, starting with the default host.
    • To select settings for the default host, first clear the Use default value boxes. Then type your values for the path to the certificate and key database files, the password for the key database. Type a nickname for the client certificate in the cert7.db if you selected mutual authentication.

      The settings for the default host are used:

      • for any setting (for any host) where you leave the "Use default value" box checked.
      • for any machine whose name you do not explicitly add to the list of SSL hosts.
    • To select settings for another host, select its name in the list on the left. Then type the appropriate values in the boxes on the right.
16. Click Next.
17. The next screen of the wizard controls how Crystal Enterprise maps LDAP users to Crystal Enterprise users.

    New Alias Options allow you to specify how LDAP aliases are mapped to Enterprise accounts. Select either:

    • Assign each added LDAP alias to an account with the same name

      Use this option when you know users have an existing Enterprise account with the same name; that is, LDAP aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and LDAP account, are added as new LDAP users.

      or

    • Create a new account for every added LDAP alias

      Use this option when you want to create a new account for each user. If the user has already created an account through the sign-up feature in Crystal Enterprise, the user will have separate LDAP and Enterprise accounts.

18. Update Options allow you to specify if LDAP aliases are automatically created for all new users. Select either:
    • New aliases will be added and new users will be created

      Use this option to automatically create a new alias for every LDAP user mapped to Crystal Enterprise. New LDAP accounts are added for users without Crystal Enterprise accounts, or for all users if you selected the "Create a new account for every added LDAP alias" option.

      or

    • No new aliases will be added and new users will not be created

      Use this option when the LDAP directory you are mapping contains many users, but only a few of them will use Crystal Enterprise. Crystal Enterprise does not automatically create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to Crystal Enterprise.

19. New User Options allow you to specify properties of the new Enterprise accounts that are created to map to LDAP accounts. Select either:
    • New users are created as named users

      New user accounts are configured to use named user licenses. Named user licenses are associated with specific users and allow people to access the system based on their user name and password. This provides named users with access to the system regardless of how many other people are connected. You must have a named user license available for each user account created using this option.

    • New users are created as concurrent users

      New user accounts are configured to use concurrent user licenses. Concurrent licenses specify the number of people who can connect to Crystal Enterprise at the same time. This type of licensing is very flexible because a small concurrent license can support a large user base. For example, depending on how often and how long users access Crystal Enterprise, a 100 user concurrent license could support 250, 500, or 700 users.

20. Click Finish to save your LDAP settings.

    The LDAP Server Summary page appears.