SECF0100 - Maintain LDAP Configuration

Purpose

To define the LDAP server settings that will be used for ADF and web services security.

SubSystem

Security

Normally Run By: Administration specialist
Anticipated Frequency: As required
Structure: Blocks: System LDAP Configuration, Object Class, Attributes

This form allows a user to define the LDAP (Lightweight Directory Access Protocol) server settings that will be used for ADF and web services security, for example, to enable end users to access ADF pages, or to run Callista web service methods from outside or within the Callista SMS.

It also allows an institution to define configuration for use by the LDAP job (SECJ0100).

Important: For information relating to this form, see the technical information in the Callista Product Centre (wiki.callista.com.au/display/CPC).

This form is accessed via the Callista menu.


System LDAP Configuration block:

  • LDAP Usage Code
  • Host
  • Port

Connection Tab

  • Connection User
  • Connection Password

User DN Tab

  • Users Base DN
  • Users DN Attribute
  • Users Password Attribute
  • Password Hash Type

User Identifier Tab

  • Users Mapping Attribute*
  • Delete User (check box)
  • Create User (check box)
  • SMS Identifier
  • Alternate Person ID Type
  • WS End User Identifier
  • WS End User Alternate Person ID Type

Pages Tab

  • Pages Base DN
  • Pages DN Attribute
  • Pages Member Attribute


Object Class block:

  • Object Class Usage
  • LDAP Object Class

Attributes block:

  • Attribute

Rules/Notes:

In the System LDAP Configuration block the record can only be updated; it cannot be inserted or deleted.

User DN tab:

The Users Base DN field specifies the distinguished name (DN) of the node that holds all user entries. It must be the full DN.

The Users DN Attribute field names the attribute used as the relative distinguished name (RDN) of each user entry. Its value is either the Oracle username or the Callista Person ID, depending on what is set in the SMS Identifier field (see below).

A user's DN is therefore formed from the Users DN Attribute, the identifier for the user, and the Users Base DN, in the form <Users DN Attribute>=<identifier>,<Users Base DN>.

The User Identifier tab is used to specify the type of Callista identifier or LDAP identifier to which an end user's username must be mapped when, for example, the end user attempts to access a web service.

The 'Users Mapping Attribute' is the name of the LDAP attribute that holds the value Callista uses to map an LDAP user (identified by distinguished name (DN)) to a person in Callista SMS, either by Person ID or by username. It is used for the user who is logging in as well as for mapping the web service end user.
For example, if 'Users Mapping Attribute' is set to 'CallistaUsername', then when Callista looks up a user by DN the directory may return none, one or many values for that attribute, depending on how the institution has populated the LDAP repository. Callista looks up the user's entry (by DN) and reads the 'Users Mapping Attribute' from it in order to determine the Callista Person ID of the LDAP user who logged into the system.
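The DN construction and mapping lookup described above, as an added example (it is not Callista code and not the SECF0100 implementation). It assumes an in-memory directory dict standing in for the LDAP server, the field names from this form, and constructed sample entries; the treatment of "none" and "many" mapping values as failures is this example's choice, since the page does not say what Callista does in those cases.

```python
# Added example, not Callista code: build the user DN as the page describes
# (<Users DN Attribute>=<identifier>,<Users Base DN>) and resolve the Callista
# identity through the Users Mapping Attribute.  DIRECTORY is a constructed
# in-memory stand-in for an LDAP server.

# Characters escaped per RFC 4514 s.2.4; '=' is escaped too, which the RFC
# permits.  Without this an identifier like "smith,ou=admins" would inject an
# extra RDN into the DN that is later searched or written.
_SPECIAL = set(',+"\\<>;=')

def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, last):      # leading/trailing space
            out.append('\\ ')
        elif ch == '#' and i == 0:               # leading number sign
            out.append('\\#')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)

def user_dn(users_dn_attribute: str, identifier: str, users_base_dn: str) -> str:
    """DN = <Users DN Attribute>=<identifier>,<Users Base DN>."""
    return f"{users_dn_attribute}={escape_rdn_value(identifier)},{users_base_dn}"

# Constructed sample directory: DN -> {attribute: [values]}.
# 'CallistaUsername' plays the role of the Users Mapping Attribute.
DIRECTORY = {
    "uid=jsmith,ou=people,dc=example,dc=edu": {
        "uid": ["jsmith"], "CallistaUsername": ["JSMITH"]},
    "uid=nomap,ou=people,dc=example,dc=edu": {
        "uid": ["nomap"]},                                   # no mapping value
    "uid=twoids,ou=people,dc=example,dc=edu": {
        "uid": ["twoids"], "CallistaUsername": ["AJONES", "AJONES2"]},  # many
}

def mapping_values(directory: dict, dn: str, users_mapping_attribute: str) -> list:
    """Values of the Users Mapping Attribute on the entry ([] if absent)."""
    entry = directory.get(dn)
    if entry is None:
        raise LookupError(f"no LDAP entry for {dn}")
    return list(entry.get(users_mapping_attribute, []))

def resolve_sms_identity(directory: dict, dn: str, users_mapping_attribute: str) -> str:
    """Return the one Callista username/Person ID the LDAP entry maps to.

    The page says none, one or many values may come back; rejecting 'none'
    and 'many' is this example's choice (assumption), not documented behaviour.
    """
    values = mapping_values(directory, dn, users_mapping_attribute)
    if not values:
        raise ValueError(f"{dn} has no {users_mapping_attribute}; cannot map to SMS")
    if len(values) > 1:
        raise ValueError(f"{dn} has {len(values)} {users_mapping_attribute} values; ambiguous")
    return values[0]

if __name__ == "__main__":
    base = "ou=people,dc=example,dc=edu"
    dn = user_dn("uid", "jsmith", base)
    print(dn, "->", resolve_sms_identity(DIRECTORY, dn, "CallistaUsername"))
    print(user_dn("uid", "smith,ou=admins", base))   # injected RDN is neutralised
```

The escaping step is the security-relevant detail: whichever of Person ID, Oracle username or Alternate Person ID is chosen as the RDN value, it comes from application data, so it must be escaped before being concatenated with the Users Base DN.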

A value must be specified in the 'Users Mapping Attribute' field if one of the following fields is set to LDAP Person ID or LDAP Username:

  • the SMS Identifier field (in this form) - see below,
  • the WS End User Identifier field (in this form) or
  • the WS End User Identifier field in SECF0097 or SECF0099.

Notes:

  • If the SMS Identifier value is set to 'LDAP Person ID' then you can enter any value (including null) in the WS End User Identifier field, except 'LDAP Username'.
  • If the SMS Identifier value is set to 'LDAP Username' then you can enter any value (including null) in the WS End User Identifier field, except 'LDAP Person ID'.

If the WS End User Identifier field is set to 'LDAP Person ID' or 'LDAP Username', then the override value specified in the WS End User Identifier field at Person level (SECF0097) and/or at the Role level (SECF0099), must match the WS End User Identifier value in this form (SECF0100).

Note: If the SMS Identifier or WS End User Identifier field is set to something other than LDAP Person ID or LDAP Username, then the Users Mapping Attribute field is not involved, and the two identifiers do not have to be the same.

The SMS Identifier value can be one of the following:

  • Person ID - Person ID of the end user who is to be added to the LDAP directory. (The usernames of LDAP users must match the Person IDs of the Callista SMS users.)
  • Username - Oracle username of the user who is to be added to the LDAP directory. (The usernames of LDAP users must match the Oracle usernames of the Callista SMS users.)
  • Alternate Person ID - Alternate Person ID of the end user who is to be added to the LDAP directory. (The usernames of LDAP users must match the Alternate Person ID of the Callista SMS users, where the Alternate Person ID type is the one recorded in the Alternate Person ID Type field.)
  • LDAP Person ID - The end user's Person ID is stored as an attribute in their LDAP account. Any attribute can be used for this, but it must be the same attribute for all LDAP users.
    To use this option in this form, set the SMS Identifier to 'LDAP Person ID', leave the Alternate Person ID Type as null and set 'Users Mapping Attribute' to the LDAP attribute which is being used to store the end user's Person ID.

    Note: If the SMS Identifier is set to 'LDAP Person ID' then you can enter any value, except 'LDAP Username', in the WS End User Identifier field.
  • LDAP Username - The end user's Oracle username is stored as an attribute in their LDAP account. Any attribute can be used for this, but it must be the same attribute for all LDAP users.
    To use this option, set the SMS Identifier to 'LDAP Username', leave the Alternate Person ID Type as null and set 'Users Mapping Attribute' to the LDAP attribute which is being used to store the person's Oracle username.

    Note: If the SMS Identifier value is set to 'LDAP Username' then you can enter any value, except 'LDAP Person ID', in the WS End User Identifier field.

Note: Although the SMS Identifier can be set to Alternate Person ID, LDAP Person ID or LDAP Username, the Create and Delete User functionality in SECJ0100 cannot be executed for these settings.

The 'WS End User Identifier' and 'WS End User Alternate Person ID Type' fields define the mapping used to map the web service end-user username (supplied in the HTTP header via GENF4720) to a Person ID within Callista SMS, by specifying the Callista Person ID or Callista Alternate Person ID Type of the end users who will run web services. These fields are also used to map the ID for Access Logging.
Note: These values can be overridden at the Security Role (SECF0099) or Person (SECF0097) level by specifying a value in the 'WS End User Identifier' and/or 'WS End User Alternate Person ID' fields in SECF0099 or SECF0097. For example, if an end user accessing a specific web service has a different identity mapping from other applications, then these values would be specified for the Person in SECF0097.
If the WS End User Identifier value is 'Alternate Person ID' then a value must be entered in the 'WS End User Alternate Person ID Type' field.
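The consistency rules stated for the User Identifier tab above, collected into one checker, as an added example (not Callista code; SECF0100's own validation may differ). The field names are passed as dict keys of this example's choosing, and the SECF0097/SECF0099 overrides are modelled as optional arguments; the requirement that SMS Identifier = Alternate Person ID needs an Alternate Person ID Type is inferred from the option description and is an assumption.

```python
# Added example, not Callista code: check a SECF0100 User Identifier
# configuration against the rules the page states.  Key names are this
# example's own; person_override / role_override model the WS End User
# Identifier override from SECF0097 / SECF0099 (None when not overridden).

LDAP_MAPPED = {"LDAP Person ID", "LDAP Username"}   # identifiers held in LDAP

def validate_identifier_config(cfg: dict, person_override=None, role_override=None) -> list:
    """Return a list of rule violations; an empty list means the settings are consistent."""
    errors = []
    sms = cfg.get("sms_identifier")
    ws = cfg.get("ws_end_user_identifier")
    mapping_attr = cfg.get("users_mapping_attribute")

    # Users Mapping Attribute is mandatory once any identifier (here or in the
    # SECF0097 / SECF0099 overrides) is LDAP Person ID or LDAP Username.
    if any(v in LDAP_MAPPED for v in (sms, ws, person_override, role_override)) and not mapping_attr:
        errors.append("Users Mapping Attribute is required when an identifier is "
                      "LDAP Person ID or LDAP Username")

    # The two LDAP-held identifiers read the same attribute, so they cannot be mixed.
    if sms == "LDAP Person ID" and ws == "LDAP Username":
        errors.append("WS End User Identifier cannot be LDAP Username when "
                      "SMS Identifier is LDAP Person ID")
    if sms == "LDAP Username" and ws == "LDAP Person ID":
        errors.append("WS End User Identifier cannot be LDAP Person ID when "
                      "SMS Identifier is LDAP Username")

    # LDAP Person ID / LDAP Username require Alternate Person ID Type to be null.
    if sms in LDAP_MAPPED and cfg.get("alternate_person_id_type"):
        errors.append("Alternate Person ID Type must be null when SMS Identifier is "
                      "LDAP Person ID or LDAP Username")

    # Alternate Person ID needs its type (assumption for SMS Identifier; stated for WS).
    if sms == "Alternate Person ID" and not cfg.get("alternate_person_id_type"):
        errors.append("Alternate Person ID Type is required when SMS Identifier is "
                      "Alternate Person ID")
    if ws == "Alternate Person ID" and not cfg.get("ws_alternate_person_id_type"):
        errors.append("WS End User Alternate Person ID Type is required when "
                      "WS End User Identifier is Alternate Person ID")

    # When the form-level WS identifier is LDAP-held, overrides must match it exactly.
    if ws in LDAP_MAPPED:
        for level, value in (("SECF0097", person_override), ("SECF0099", role_override)):
            if value is not None and value != ws:
                errors.append(f"{level} override '{value}' must match "
                              f"WS End User Identifier '{ws}'")
    return errors

if __name__ == "__main__":
    good = {"sms_identifier": "LDAP Username", "ws_end_user_identifier": "LDAP Username",
            "users_mapping_attribute": "CallistaUsername"}
    bad = {"sms_identifier": "LDAP Person ID", "ws_end_user_identifier": "LDAP Username"}
    print("good:", validate_identifier_config(good))
    for e in validate_identifier_config(bad, person_override="Username"):
        print("bad: ", e)
```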

For more information, see the technical information in the Callista Product Centre (wiki.callista.com.au/display/CPC).

If the Create User check box is selected, the SECJ0100 job determines which new user entries need to be created in the LDAP directory: for each user in SMS with no matching entry in LDAP, a new user entry is created.

If the Delete User check box is selected, the SECJ0100 job determines which existing user entries need to be removed from the LDAP directory: any user entry in LDAP with no matching user in SMS is deleted. Because this removes every such entry under the Users Base DN, the Users Base DN should point to a container that holds only Callista-managed user entries before Delete User is enabled.
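The create/delete reconciliation described for SECJ0100, as an added example (not the job's code and not Callista's). It works on the identifier values of the Users DN Attribute rather than full DNs, assumes constructed SMS and LDAP identifier lists as input, enforces the page's rule that Create/Delete User only run for the Person ID and Username settings, and adds a deletion-fraction guard that is this example's own safeguard, not documented SECJ0100 behaviour.

```python
# Added example, not Callista / SECJ0100 code: plan the LDAP create and delete
# operations from the SMS user list and the entries found under the Users
# Base DN.  Inputs are constructed identifier lists, not a live directory.

# The page: Create/Delete User cannot be executed when SMS Identifier is
# Alternate Person ID, LDAP Person ID or LDAP Username.
CREATE_DELETE_IDENTIFIERS = {"Person ID", "Username"}

def plan_sync(sms_identifier: str, sms_users, ldap_rdn_values,
              create_user: bool, delete_user: bool,
              max_delete_fraction: float = 0.5):
    """Return (to_create, to_delete) as sorted lists of identifier values.

    sms_users:       Person IDs or Oracle usernames of SMS users, per SMS Identifier
    ldap_rdn_values: Users DN Attribute values of entries under the Users Base DN
    max_delete_fraction: refuse to delete more than this share of the LDAP
        entries in one run (assumption: an example safeguard against a
        mis-scoped Users Base DN or an empty SMS extract, not Callista behaviour)
    """
    if (create_user or delete_user) and sms_identifier not in CREATE_DELETE_IDENTIFIERS:
        raise ValueError(f"Create/Delete User cannot run with SMS Identifier '{sms_identifier}'")

    in_sms = set(sms_users)
    in_ldap = set(ldap_rdn_values)

    to_create = sorted(in_sms - in_ldap) if create_user else []
    to_delete = sorted(in_ldap - in_sms) if delete_user else []

    if to_delete and len(to_delete) / len(in_ldap) > max_delete_fraction:
        raise RuntimeError(f"refusing to delete {len(to_delete)} of {len(in_ldap)} LDAP "
                           f"entries (> {max_delete_fraction:.0%}); check Users Base DN and SMS input")
    return to_create, to_delete

if __name__ == "__main__":
    # Constructed sample data: SMS Person IDs vs. uid values found in LDAP.
    sms = ["1001", "1002", "1003"]
    ldap = ["1002", "1003", "9999"]
    creates, deletes = plan_sync("Person ID", sms, ldap, create_user=True, delete_user=True)
    print("create:", creates)   # ['1001']
    print("delete:", deletes)   # ['9999']
```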

The Object Class Usage field defines whether the Object Class applies to the Page entry or the User entry; its values are Page and User.

The LDAP Object Class field contains the actual name of the Object Class to be used for the LDAP entry.

The Attribute field is used to list each attribute associated with an Object Class that will be inserted as part of the Page or User entry.

The names of the Object Class and of each Attribute must match exactly the values used in the LDAP directory, including upper and lower case letters.
The process checks each Attribute defined for both the User and Page entries and determines the value that will be inserted into the LDAP directory for that Attribute.


Last Modified on 17-Aug-2015 5:08 PM

History Information

Release Information | Project | Change to Document
18.0.0.2 | 2011 - Calipso 41512 | Updated tech info link to CPC wiki site.
17.1 | 2010 - API Improvements (Security) | Added new fields for web service security. Rearranged fields, and added information for existing fields.
12.0.0.2 | 1595 - Security | Added new field to User tab and new SMS Identifier option.
11.0.0.0 | 1416 - Apprentice Management | New page