Connecting to an LDAP Server for User Authentication

A repository administrator can delegate the authentication of repository users to an LDAP server. PowerDesigner supports authentication via Active Directory and a number of other LDAP implementations. You can optionally allow automatic creation of repository accounts when an LDAP user connects to the repository for the first time.

Note: PowerDesigner LDAP integration provides only authentication. Authorization is still managed via the rights and permissions granted within the repository environment.
  1. Connect to the repository and select Repository > Administration > LDAP Parameters (or right-click the root node, and select Properties to open the repository property sheet, and then click the LDAP tab).
  2. Select the appropriate Server type from the list to set default values for the other parameters.
    For Active Directory, if your environment supports anonymous binding, you may be able to connect without further configuration. Click the Test Connection button and follow the instructions on the dialog. If your connection succeeds then consider enabling the Use Secure Socket Layer (SSL) and Auto-create user accounts in repository options and go directly to step 6.
  3. Modify any appropriate parameters in the General group box:

    Server type
      Specifies the type of the LDAP server and sets default values for the other parameters. The following types are available:
      • Active Directory - if your environment supports anonymous binding, you may be able to connect without further configuration. Click the Test Connection button and follow the instructions on the dialog.
      • Netscape Directory Server
      • OpenLDAP
      • Oracle Directory Server
      • Other
      If you edit any parameters and want to revert to the defaults, click the Default Settings button.

    Provider URL
      Specifies the URL of the LDAP provider. By default, for Active Directory, PowerDesigner automatically detects the nearest LDAP server and uses it for authentication, initializing this field to:
      LDAP://_ldap.domain:389
      For other servers, this field is initialized to:
      LDAP://ldap.domain:389
      and you should replace ldap with the name or IP address of your LDAP server.

    Use Secure Socket Layer (SSL)
      Instructs PowerDesigner to connect to the LDAP server using SSL, changing the LDAP provider port to the standard secure port 636. If you have deployed the PowerDesigner Portal, you must obtain a certificate authority certificate and register it in the Java installation (see Importing an LDAPS Certificate for the PowerDesigner Portal).
      Note: In most corporate environments using Active Directory, the necessary certificate is already registered on client machines. If this is not the case, or for other LDAPS servers, users installing PowerDesigner will need to contact their administrator to obtain a certificate and use \Windows\System32\certmgr.msc to register it. Right-click Trusted Root Certification Authorities and select All Tasks > Import, then follow the wizard instructions.

    Default search base
      Specifies the level at which the query begins its search for users in the LDAP tree. By default this is initialized to the domain components (DCs) of the LDAP server. For example:
      dc=sybase, dc=com
      You could include the location of the User directory, such as OU=Users, dc=devpd, dc=local. If the location of the User directory is not specified here, then you must include it in the Authentication Search base.

    Anonymous bind
      [default] Specifies that the LDAP server supports anonymous access. If you deselect this parameter, you must specify a bind user distinguished name (DN) and password for an account that has permission to query the LDAP server.
      Note: If the Bind user DN is under the same DN as the Authentication search base, then you can simply enter the user ID for the search. Otherwise, you must enter the full DN for that account. For example, if the Default search base is ou=people,dc=Onebridge,dc=qa and you have a user cn=csitest,cn=users,dc=Onebridge,dc=qa, then the Bind DN must be cn=csitest,cn=users,dc=Onebridge,dc=qa.

    Auto-create user accounts in repository
      Specifies that any user matching the LDAP authentication search filter can connect to the repository, and will have an account created for them in the repository when they do so. If you do not select this option, an administrator must create an account for each user before they can connect.

  4. Modify any appropriate parameters in the Authentication group box:

    Search filter
      Specifies the LDAP query that selects users for authentication. By default this is initialized, for Active Directory, to:
      (&(objectClass=person)(userPrincipalName={uid}))
      and for other servers to:
      (&(objectClass=person)(cn={uid}))
      The {uid} placeholder is replaced by the login name the user enters. To determine an alternative filter, you must know the properties of the users defined in the directory, and which property (for example, name or sAMAccountName) is being used as the login name.

    Search base
      Specifies the location of the User list in your LDAP server. By default this is initialized to the same value as the Default search base. If the default search base does not include your users, you must specify an appropriate search base here. Users may be in a common node such as cn=Users or an organizational unit such as OU=Users. To determine the correct search base, use an LDAP browser to look at the full distinguished name of a user. Note that your Bind DN may be a user in a different node of the tree than general users, so it is very important that you have the correct information for each.

    Search scope
      Specifies the scope of the authentication search. You can choose between:
      • subtree - [default] the search begins at the level of the Search base and also searches any subnodes.
      • onelevel - only the level specified in the Search base is searched.

    Authentication method
      Specifies the method to use for authentication requests. You can choose between:
      • simple - [default] the password is sent in clear text unless SSL is enabled, in which case it is protected by the encrypted connection.
      • DIGEST-MD5 - hashed (challenge-response) password authentication. If you select this option, you must specify a digest format.

  5. Click the Test Connection button and follow the instructions on the dialog to verify your connection.
  6. Click OK to save your changes.

    If you have not selected the Auto-create user accounts in repository option, you must create repository accounts for each user that you want to be able to connect.

    Note: Even if you select this option, we recommend that you create appropriate user accounts in advance in order to grant appropriate rights and permissions on your various repository folders and documents. By default, LDAP users connecting to the repository are added to the External users and All users groups, and are limited to read access on the repository.
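The three pieces of the configuration that most often go wrong, the {uid} placeholder in the Search filter, the Search base, and the Search scope, can be modelled offline. The following Python is an added example and is not PowerDesigner code; the function names are assumptions, and the DNs and filters are the ones quoted in the steps above. It escapes the login name before substituting it into the filter (so a login containing filter metacharacters cannot change the query), and checks whether a given user DN, for instance the bind user's, falls inside a search base under subtree or onelevel scope. It also shows the provider URL port switching from 389 to 636 when SSL is enabled.

```python
"""LDAP parameter helpers for the PowerDesigner LDAP tab.

Added example, not PowerDesigner code. Function names are assumptions;
the filters, DNs and ports are the values quoted in the procedure above.
"""

# Characters that are special inside an LDAP filter value (RFC 4515).
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a login name before it is placed into a filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, uid: str) -> str:
    """Replace the {uid} placeholder in the Search filter with the escaped login name."""
    return template.replace("{uid}", escape_filter_value(uid))


def split_dn(dn: str) -> list[str]:
    """Split a DN into normalized RDNs: 'dc=sybase, dc=com' -> ['dc=sybase', 'dc=com'].

    Components are trimmed and lower-cased so that 'cn=Users' and 'CN=users' compare
    equal; an escaped comma (\\,) stays inside its RDN.
    """
    rdns, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(current.strip().lower())
            current = ""
        else:
            current += ch
        i += 1
    rdns.append(current.strip().lower())
    return [r for r in rdns if r]


def in_search_scope(entry_dn: str, search_base: str, scope: str) -> bool:
    """True if an entry with entry_dn would be found by a search rooted at search_base.

    subtree:  the base itself and everything below it
    onelevel: only immediate children of the base
    """
    entry = split_dn(entry_dn)
    base = split_dn(search_base)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # entry is not under the base at all
    depth = len(entry) - len(base)
    if scope == "subtree":
        return True
    if scope == "onelevel":
        return depth == 1
    raise ValueError(f"unknown scope {scope!r}")


def provider_url(host: str, use_ssl: bool) -> str:
    """Provider URL as shown on the LDAP tab; enabling SSL moves the port to 636."""
    return f"LDAP://{host}:{636 if use_ssl else 389}"


if __name__ == "__main__":
    ad_filter = "(&(objectClass=person)(userPrincipalName={uid}))"
    print(build_search_filter(ad_filter, "jdoe@example.com"))
    # The bind user from the note above lies under cn=users, not ou=people,
    # so a search base of ou=people would never find it.
    print(in_search_scope("cn=csitest,cn=users,dc=Onebridge,dc=qa",
                          "ou=people,dc=Onebridge,dc=qa", "subtree"))
    print(provider_url("ldap.domain", use_ssl=True))
```

Running the script with a search base of ou=people,dc=Onebridge,dc=qa reproduces the situation in the Anonymous bind note: the bind account under cn=users is outside that base, which is why the full DN has to be entered rather than just the user ID.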