LDAP Tab

Code Insight supports user authentication and authorization through LDAP (Lightweight Directory Access Protocol). The LDAP tab on the Administration page configures the synchronization of user identification data from LDAP to Code Insight, thus enabling LDAP user authentication for Code Insight. For detailed information about the fields on this tab and about the configuration in general, see “Configuring Code Insight for LDAP” in the Code Installation and Configuration Guide.

The tab contains the following columns and fields:

LDAP Tab

Category

Column/Field

Description

LDAP enablement

This option enables the use of LDAP for your Code Insight system. When LDAP is enabled, the settings used to configure Code Insight for LDAP are made available for editing on this tab. You can use this option to turn off LDAP whenever necessary.

Enable LDAP

Select Yes or No to determine if LDAP will be used for user authentication. The default is No.

LDAP Connection Details

These settings configure the Code Insight connection to the LDAP server. This connection is required for each synchronization process of LDAP user information to Code Insight and for authentication each time a user logs into Code Insight.

LDAP URL

Specify the URL of the LDAP server in the following format:

ldap://<ldap_server_host>:<ldap_port> 

where <ldap_server_host> is either the hostname or IP address of the LDAP server; and <ldap_port> is the port on which the server listens for requests.

The following is an example URL, which uses the standard LDAP server port 389:

ldap://acme.com:389 

To encrypt user information passed over the network with SSL, specify the ldaps:// protocol with port 636, which is the default dedicated port for SSL:

ldaps://acme.com:636 

Note: When the LDAP directory service is Active Directory, requests from users located outside the global catalog's base domain will fail to authenticate if you use the port specified above. This occurs because requests sent to the default LDAP port 389 (or 636 if SSL is used) search for objects only within the global catalog's base domain. To authenticate users from outside the base domain, change the LDAP port to 3268 (or 3269 if SSL is used). Requests sent to this port search for objects in the entire forest.

Authentication Type

Select the type of LDAP authentication used to establish a connection with the LDAP server:

Anonymous—Code Insight will establish a connection with the LDAP server without the use of user credentials. (When this option is selected, the LDAP Username and LDAP Password fields in this section are disabled.) This authentication type is generally used for testing purposes.
Authenticated—Code Insight requires the user credentials provided in the LDAP Username and LDAP Password fields to authenticate and establish a connection with the LDAP server.

LDAP Username

Depending on your LDAP setup, enter either of the following to identify the user used to connect to the LDAP server:

The user’s login ID, such as mburns 
The user’s Distinguished Name (DN), such as:

CN=Monty Burns,OU=usa,DC=acme,DC=com 

For more information about providing the DN, see “Distinguished Name for an Object” in the Code Installation and Configuration Guide.

This identification, along with the associated password (see the next field), is used to authenticate the connection to the LDAP server. Note that the user must have READ permissions to query the LDAP server (and therefore does not need to be an administrator).

This field is disabled if Anonymous is selected for Authentication Type.

LDAP Password

Enter the password associated with the user specified for LDAP Username. This field is disabled if Anonymous is selected for Authentication Type.
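
A pre-flight check for the connection settings described above, as an added Python example that is not part of Code Insight or its guide. The function name and finding labels are hypothetical; the port rules are the ones stated on this page.

```python
from urllib.parse import urlsplit

# Ports named on this page. 3268/3269 are the Active Directory global catalog.
PLAIN_PORTS = {389, 3268}
SSL_PORTS = {636, 3269}
GC_PORTS = {3268, 3269}


def review_ldap_connection(url, auth_type):
    """Return a list of findings for an LDAP URL / Authentication Type pair."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return ["invalid: port must be a number from 0 to 65535"]
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps") or not parts.hostname:
        return ["invalid: expected ldap://<host>:<port> or ldaps://<host>:<port>"]
    if port is None:  # no port typed: fall back to the standard port for the scheme
        port = 636 if scheme == "ldaps" else 389

    findings = []
    if scheme == "ldap":
        findings.append("no-ssl: credentials and user data are not encrypted in transit")
        if port in SSL_PORTS:
            findings.append(f"mismatch: port {port} is an SSL port, use ldaps://")
    elif port in PLAIN_PORTS:
        findings.append(f"mismatch: port {port} is a non-SSL port, use 636 or 3269")
    if port in GC_PORTS:
        findings.append("scope: global catalog port, searches cover the entire forest")
    if auth_type.strip().lower() == "anonymous":
        findings.append("anonymous: no bind credentials, generally for testing only")
    return findings
```

An empty list means the URL and authentication type are consistent with the guidance in this section; the `scope` finding is informational, since the global catalog port is the documented choice for multi-domain Active Directory forests.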

LDAP Query Details

The following fields define the query that identifies the subset of users on the LDAP server to be synchronized to Code Insight. This query is used for the initial synchronization process and for each subsequent synchronization performed per the LDAP User Sync Frequency value.

LDAP Base

Specify the Distinguished Name (DN) of the LDAP base domain in the Directory Information Tree (DIT) on your LDAP server. This domain is the top-level directory to which all other objects in the directory structure belong; it typically represents your organization. The base domain is identified by domain controller objects (DCs), which make up its DN. For example, the base domain in the example DIT in Figure 2-1 is the following:

DC=acme,DC=com 

In some cases, a sub-domain can be a part of the base domain:

DC=software,DC=acme,DC=com 

For more information, see “LDAP Base” in the Code Installation and Configuration Guide.

LDAP Search Base

Specify the DIT directory, relative to the LDAP base directory, under which you store all Code Insight objects on the LDAP server and from which you search for Code Insight users.

In reference to the example DIT in Figure 2-1, if you enter OU=usa for the search base, all searches for user information will be performed below the directory “usa”. (LDAP internally identifies the DN for this directory as the LDAP Base + LDAP Search Base value.)

If you leave this field blank, the search is performed at the LDAP base level.

For more information, see “Setting Up a User Search” in the Code Installation and Configuration Guide.

LDAP Search Query

Specify the search query used to retrieve the users from the LDAP Search Base directory to synchronize to Code Insight. Each attribute in a query is listed in parentheses in the format (attribute=value), such as in the following, which searches for only those users belonging to the “engineering” group under the “usa” node:

(&(objectClass=person)(memberOf=CN=engg,OU=usa,DC=acme,DC=com))

For other search query examples, see “Setting Up a User Search” in the Code Installation and Configuration Guide.

Use Paging

Select Yes if the LDAP server has paging enabled for synchronization results. If you select Yes, the LDAP Page Size field is enabled so that you can customize the page size.

Select No if the server does not have paging enabled. If you select No, the server sends 1000 elements per page by default unless this behavior is changed at the organization level on the LDAP server.

LDAP Page Size

Indicate the page size you want for the synchronization results. The default page size is 1000 elements.

LDAP User Sync Frequency

Specify the frequency at which Code Insight will synchronize user data with the LDAP server:

Never—Select this option to disable the automatic user synchronization. A synchronization occurs only if the user clicks the Sync Now button. For all other values, automatic user synchronization is enabled per the configured frequency. (This is the default value.)
Hourly—Enter an integer value representing the number of hours between user synchronizations.
Daily—Select a time at which the user synchronization will run every day.
Weekly—Select a day of the week and a time of the day when the user synchronization will run each week.

Search Sub-tree

Select this checkbox to enable deep searches through the subtree of the path defined by LDAP Base + LDAP Search Base. Note that, while helpful in locating users in certain cases, a deep search can negatively affect performance (and therefore, by default, is not enabled). For more information, see “Setting Up a User Search” in the Code Installation and Configuration Guide.

LDAP User Property Mappings

The following information maps LDAP attribute labels to their corresponding labels in Code Insight (the field names shown below). These mappings are used for LDAP synchronization to Code Insight and for user authentication each time a user logs into Code Insight.

Login

Enter the user attribute label on your LDAP server corresponding to the user Login field in Code Insight. This is the same attribute that the user will use to log into Code Insight.

First Name

Enter the user attribute label on your LDAP server corresponding to the user First Name field in Code Insight.

Last Name

Enter the user attribute label on your LDAP server corresponding to the user Last Name field in Code Insight.

Email

Enter the user attribute label on your LDAP server corresponding to the user Email field in Code Insight.

Note: Only those users with a valid email address specified as a user attribute on the LDAP server will be synchronized. Therefore, ensure that you have entered the correct label here for the email attribute on your LDAP server and that each user has a valid email address for this attribute on the server. See “Setting Up a User Search” in the Code Installation and Configuration Guide for more information.

Login Filter

Specify a filter for the user-login search performed in the LDAP search base location. For example, the value (sAMAccountName={0}), when used against the LDAP Search Query results, searches for each entry where the sAMAccountName is equal to the user login name.
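
How the query fields on this tab fit together at login time, as an added Python example that is not Code Insight's own code. It assumes the Login Filter is ANDed with the LDAP Search Query (the page does not state the exact composition), and it escapes the login name per RFC 4515 so that characters such as `*` or parentheses in a typed login are matched literally instead of altering the filter. All function names are hypothetical.

```python
# Added example: models how the LDAP tab's query fields could combine at login.
# ASSUMPTION: the Login Filter is ANDed with the LDAP Search Query; the page
# does not state the exact composition Code Insight uses.

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(ldap_filter):
    """Cheap sanity check: parentheses open and close in order."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(")


def search_dn(ldap_base, search_base=""):
    """LDAP Search Base is relative, so the DN searched is Search Base + Base."""
    search_base = search_base.strip()
    return f"{search_base},{ldap_base}" if search_base else ldap_base


def login_lookup(ldap_base, search_base, search_query, login_filter, login):
    """Return (DN to search under, filter to send) for one login attempt."""
    if login_filter.count("{0}") != 1:
        raise ValueError("Login Filter must contain exactly one {0} placeholder")
    if not (is_balanced(search_query) and is_balanced(login_filter)):
        raise ValueError("unbalanced parentheses in Search Query or Login Filter")
    rendered = login_filter.replace("{0}", escape_filter_value(login))
    return search_dn(ldap_base, search_base), f"(&{search_query}{rendered})"


if __name__ == "__main__":
    # Values taken from the examples on this page; the logins are constructed.
    query = "(&(objectClass=person)(memberOf=CN=engg,OU=usa,DC=acme,DC=com))"
    for login in ("mburns", "burns (monty)", "m*"):
        print(login_lookup("DC=acme,DC=com", "OU=usa", query,
                           "(sAMAccountName={0})", login))
```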