Controlling Repository Access with LDAP

A repository administrator can delegate the authentication of repository users to an LDAP server. Once the repository has been configured to permit access to users authenticated by LDAP, any such user can connect without further intervention from the repository administrator. The first time that an LDAP user connects to the repository, an account is automatically created for that user in the External users and Public groups.

Note: Before configuring the PowerDesigner Repository for Active Directory authentication you should contact your Active Directory administrator who will provide the information you need to complete the process, and may give you access to a tool such as an LDAP Browser utility.

PowerDesigner’s repository LDAP integration provides only authentication. Authorization is still managed via the permissions set within the repository environment. Initially, members of the External users group have only the Connect right granted, and members of Public have read access to everything in the repository. The administrator will grant other rights and permissions as appropriate (see Granting Access Permissions on Repository Items).

To retain finer control of write permission on repository documents and to have everything in place before LDAP users connect to the repository, the administrator can manually create accounts and assign permissions for them before they connect (see Pre-Configuring LDAP User Permissions).

To enter the LDAP configuration parameters, select Repository > Administration > LDAP Parameters (or right-click the root node, and select Properties to open the repository property sheet, and then click the LDAP tab).

General LDAP Parameters

Several of the parameters in the General group box are required:

Parameter

Description

Provider URL

[required] Specifies the URL of the LDAP server in the form ldap://host:port, where host is either a host name or an IP address. Note the ldap:// scheme; the repository does not accept an http:// URL here.

Security protocol

[optional] Specifies the protocol to be used when connecting to the LDAP server. If you are using SSL (which is the only protocol currently supported), set this parameter to ssl. We recommend that you first get LDAP access working without SSL and enable the protocol only once the lookup succeeds. Bear in mind that until SSL is enabled, the Bind password and, with the simple authentication method, every user's password cross the network in clear text, so do the unencrypted testing against a test directory or a dedicated test account rather than with production credentials.

Default search base

[required] Specifies the level at which the query begins its search for users in the LDAP tree. As a minimum this should include the DCs of the LDAP server. For example, if your LDAP URL is ldap://ldap.sybase.com then your DC would be dc=sybase,dc=com. Your default search base can also include the location of the user directory, such as OU=Users,dc=devpd,dc=local. The value you enter here affects what you put in the Authentication search base: if the default search base does not include the location of the users, you must include it in the Authentication search base.

Trusted server

[required] Specifies that the LDAP server can be trusted.

Server type

Specifies the type of the LDAP server. Selecting a server type sets silent defaults for the authentication and role filters. The following types are available:
  • none - [recommended]
  • sunone5 - for SunOne 5.x OR iPlanet 5.x
  • msad2k - for Microsoft Active Directory, Windows 2000
  • nsds4 - for Netscape Directory Server 4.x
  • openldap - for OpenLDAP Directory Server 2.x
Since every LDAP configuration is different and these defaults may not be appropriate for your installation, we recommend that you select none.

Anonymous bind

[optional] Specifies that the server supports anonymous access to the LDAP tree. If this parameter is not selected, you must specify a bind DN and password. Note that Active Directory does not support anonymous binding out of the box.

Bind DN

[required unless Anonymous bind is selected] Specifies the LDAP account used to query the directory for users. If the bind account lies under the Authentication search base, the Bind DN can be just that account's user id; otherwise you must supply the account's full Distinguished Name (DN) together with its password. For example, if the default search base is ou=people,dc=Onebridge,dc=qa and the bind account is cn=csitest,cn=users,dc=Onebridge,dc=qa, the Bind DN cannot be just csitest; it must be cn=csitest,cn=users,dc=Onebridge,dc=qa. Use a dedicated account with read-only rights limited to the user search: the repository stores this account's password, and the account needs nothing beyond the ability to run the authentication query.

Bind password

[required unless Anonymous bind is selected] Specifies the password to bind with when building the initial LDAP connection.

Authentication Parameters

Most of the parameters in the Authentication group box are mandatory:

Parameter

Description

Filter

[required] Specifies the LDAP query that looks up the user information. To determine the LDAP filter you will use, you must know the properties of the users defined in the Active Directory. The property used as the login could be name, samAccountName or another property. In the following example we use samAccountName as the login (which PowerDesigner captures in the variable {uid}); LDAP attribute names are case-insensitive, so samAccountName matches the directory's sAMAccountName attribute:
(&(samAccountName={uid})(objectclass=user))
Before enabling LDAP for all users, test the filter with an LDAP browser or ldapsearch, substituting a real login for {uid}, and confirm that it returns exactly one entry. In Active Directory, computer accounts also carry objectclass=user; add (objectCategory=person) to the filter if they must not be able to authenticate.

Scope

[required] Specifies the scope of the authentication search. You can choose between:
  • onelevel [default] - only the entries directly below the Search base are searched; the Search base entry itself is not matched.

  • subtree - the search starts at the Search base and also searches every entry below it, at any depth.

Method

[required] Specifies the method to use for authentication requests. You can choose between:
  • simple - clear text authentication. The password is sent to the server as is, so use this method only with the ssl security protocol.

  • DIGEST-MD5 - challenge/response authentication. The password itself is not sent over the wire, but the server must be able to reconstruct it, which requires that the server stores passwords in plain text or a reversible form (in Active Directory, the account must have "Store password using reversible encryption" enabled). DIGEST-MD5 is obsolete (RFC 6331); a simple bind over SSL is the better choice.

Digest MD5 format

[required] Specifies the format of the authentication identity used in a DIGEST-MD5 bind. The default is DN. This parameter has no effect when Method is simple.

Search base

[optional] If the default search base specified in the General group box does not include the location of the User list in your Active Directory, you must specify it here. Users may be in a common node such as cn=Users or an organization unit such as OU=Users. To determine the correct search base, you should use an LDAP browser to look at the full distinguished name of a user. Note that your Bind DN may be a user in a different node in the tree than general users so it is very important that you have the correct information for each.
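The following script is an added example and is not part of PowerDesigner or of this documentation. It checks, offline, the pieces of the configuration above that most often go wrong: that the Provider URL uses the ldap:// scheme, whether a bind account sits under a search base (and so whether a short Bind DN would be resolved), whether a user entry would be found from a given Search base with onelevel or subtree scope, and what the authentication filter looks like once {uid} is substituted. The escaping applied to the login name follows RFC 4515; whether PowerDesigner escapes the value itself is not stated on this page, so treat that function as the author's assumption about what a careful substitution looks like, useful mainly for building test filters to paste into ldapsearch. The DNs, URLs and logins are constructed samples modelled on the examples above, and the DN parser is a simplified one that does not handle escaped commas or multi-valued RDNs.

```python
import re
from typing import List, Optional, Tuple

# RFC 4515 escaping for a value placed inside a search filter. Without it a
# login such as "a)(cn=*" would change the meaning of the filter.
# Assumption: the page does not say whether PowerDesigner escapes {uid} itself.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters that have special meaning in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(template: str, uid: str) -> str:
    """Replace the {uid} placeholder with the escaped login name."""
    return template.replace("{uid}", escape_filter_value(uid))


# Provider URL must be ldap://host[:port]; SSL is switched on by the separate
# Security protocol parameter, so no ldaps:// scheme is expected here.
_PROVIDER_URL = re.compile(r"^ldap://([A-Za-z0-9.-]+|\[[0-9A-Fa-f:]+\])(:\d{1,5})?$")


def provider_url_ok(url: str) -> bool:
    return _PROVIDER_URL.match(url) is not None


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, lower-cased for comparison.
    Simplified parser: escaped commas and multi-valued RDNs are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def depth_under_base(entry_dn: str, base_dn: str) -> Optional[int]:
    """How many levels below base_dn the entry sits (0 = the base entry itself),
    or None when the entry is outside the base altogether."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)


def found_with_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Would a search from base_dn with the given scope reach entry_dn?
    onelevel sees only direct children; subtree sees the base and everything below."""
    depth = depth_under_base(entry_dn, base_dn)
    if depth is None:
        return False
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def bind_dn_needs_full_dn(bind_dn: str, search_base: str) -> bool:
    """True when the bind account is outside the search base, i.e. a bare
    user id would not be resolved and the full DN must be configured."""
    return depth_under_base(bind_dn, search_base) is None


if __name__ == "__main__":
    # Constructed sample values modelled on the examples in this section.
    template = "(&(samAccountName={uid})(objectclass=user))"
    print(build_auth_filter(template, "csitest"))
    print(build_auth_filter(template, "a)(cn=*"))  # metacharacters neutralised
    print(provider_url_ok("ldap://ldap.sybase.com:389"), provider_url_ok("http://ldap.sybase.com"))
    base = "ou=people,dc=Onebridge,dc=qa"
    bind = "cn=csitest,cn=users,dc=Onebridge,dc=qa"
    print(bind_dn_needs_full_dn(bind, base))  # account is under cn=users, not ou=people
    user = "cn=jsmith,ou=eng,ou=people,dc=Onebridge,dc=qa"
    print(found_with_scope(user, base, "onelevel"), found_with_scope(user, base, "subtree"))
```

Run it before touching the repository: if bind_dn_needs_full_dn reports True for your bind account, enter the full DN; if found_with_scope is False for a real user under onelevel but True under subtree, either move the Search base down to the users' container or switch the Scope to subtree.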

Role Parameters

PowerDesigner does not currently support role-based authentication, and so any values you enter in the Role group box will not be taken into account:

Parameter

Description

Filter

Specifies the role search filter, which, when combined with the search base and scope, returns a complete list of roles within the LDAP server. There are several default values depending on the chosen server type. If the server type is not chosen or this property is not initialized, no roles will be available.

Scope

Specifies the role search scope. You can choose between:
  • onelevel [default]

  • subtree

Referral

Specifies the treatment of referrals. You can choose between:
  • ignore [default]

  • follow

  • throw

Name attribute

Specifies the attribute of a retrieved role that holds the common name of the role. If this value is "dn", it is interpreted specially and the entire DN of the role is used as the role name. The default is "cn", the common name.

Search base

Specifies the role search base.