.. include:: /includes.rst.txt

.. comments
   - headings
   # with overline, for parts
   * with overline, for chapters
   = for sections
   - for subsections
   ^ for subsubsections
   " for paragraphs

.. index::
   pair: Configuring ; LDAP Servers

.. _ldap_servers:

LDAP Servers (Service Providers)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

EDG can support multiple LDAP service providers (e.g., multiple Active Directory domains or LDAP servers). For each one, click the plus sign “+” to create a new LDAP stanza (parameter group).

Before applying any LDAP changes, double-check every setting for accuracy. Settings that do not match the remote LDAP directory can cause users to lose their EDG permissions, which is especially problematic for administrators (i.e., users whose roles carry ``AdministratorGrp`` group privileges; see Rights Management). *Please verify before proceeding.* If administrator permissions are lost, the Administration pages, including this one, become inaccessible, and the configuration files must then be corrected directly from within the EDG system environment.

Configuration parameters
""""""""""""""""""""""""

For each LDAP server, open **Server Configuration > Edit > Configuration parameters > “+”** and enter the following server parameters. To delete an LDAP server configuration, open **Edit** and click its **“x”**.

.. list-table::
   :header-rows: 1
   :widths: 20 10 70
   :class: tight-table

   * - Parameter
     - Default
     - Description
   * - *Connection URL*
     -
     - The LDAP service provider’s connection URL
   * - *Username for server connection*
     -
     - Username used to log in to the LDAP server
   * - *Password for server connection*
     -
     - Appears only once the other LDAP parameters are set; it is entered *after* **Save Changes** has completed.
   * - *User pattern string*
     -
     - Based on the *Tomcat JNDIRealm* (for LDAP), this combines the realm’s **userSearch** and **userBase** into a single DN template in which ``{0}`` is replaced by the login name *(e.g., “sAMAccountName={0},CN=Users,DC=sharepoint,DC=tqinc,DC=info”)*
   * - *Role definition base*
     -
     - **roleBase**: the base DN under which role entries are searched *(e.g., “OU=Roles,DC=sharepoint,DC=tqinc,DC=info”)*
   * - *Role name identifier*
     -
     - **roleName**: the attribute that holds a role entry’s name *(e.g., “cn”)*
   * - *Role search string*
     -
     - **roleSearch**: the LDAP search filter that selects the role entries a user belongs to; as in the JNDIRealm, ``{0}`` is replaced by the user’s DN *(e.g., “(member={0})”)*
   * - *Membership search string* (OPTIONAL, recommended)
     -
     - For certain LDAP directories *(e.g., Active Directory)*, the reverse of roleSearch: a filter used to find the role memberships of a given user *(e.g., “(memberOf={0})”)*
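To make the placeholder substitution concrete, the following Python snippet is an added illustration written for this page; it is not EDG or Tomcat code and does not describe how EDG itself processes these strings. It expands the DN and filter templates quoted in the table above the way a JNDIRealm-style realm does, replacing ``{0}`` with the login name (user pattern) or the user’s DN (role search), and escapes the substituted value per RFC 4514 (DN values) and RFC 4515 (filter values) so that a login name containing ``,``, ``*`` or parentheses cannot change the structure of the resulting DN or filter. The ``USER_SEARCH`` filter template and every login name and DN in the demo section are assumptions constructed for the example.

```python
"""Expanding JNDIRealm-style LDAP templates with proper escaping.

Added illustration for this page; not EDG or Tomcat code.  The DN and filter
templates are the ones quoted in the parameter table; USER_SEARCH is an
assumed filter-form lookup of the kind the Tomcat realm calls userSearch, and
every login name and DN in the demo is constructed test data.
"""

# RFC 4515, section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514, section 2.4: characters escaped wherever they occur in a DN value.
# A leading '#' or space and a trailing space must be escaped as well.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a value for substitution into an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for substitution into one RDN of a DN (RFC 4514)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand(template: str, value: str, escape) -> str:
    """Replace the realm-style {0} placeholder with an escaped value."""
    return template.replace("{0}", escape(value))


def expand_naive(template: str, value: str) -> str:
    """Substitution without escaping, shown only to contrast with expand()."""
    return template.replace("{0}", value)


def filter_item_count(ldap_filter: str) -> int:
    """Count filter items by their opening parentheses.  Escaping turns literal
    parentheses into \\28 and \\29, so only structural ones remain."""
    return ldap_filter.count("(")


# Templates from the parameter table on this page.
USER_PATTERN = "sAMAccountName={0},CN=Users,DC=sharepoint,DC=tqinc,DC=info"
ROLE_BASE = "OU=Roles,DC=sharepoint,DC=tqinc,DC=info"
ROLE_SEARCH = "(member={0})"
# Assumed filter-form user lookup (the realm's userSearch style); not from the page.
USER_SEARCH = "(sAMAccountName={0})"


def user_dn(login: str) -> str:
    """User pattern: the login name becomes the value of the first RDN."""
    return expand(USER_PATTERN, login, escape_dn_value)


def user_filter(login: str) -> str:
    """userSearch form: the login name becomes a filter value."""
    return expand(USER_SEARCH, login, escape_filter_value)


def role_search(user_dn_value: str) -> tuple:
    """Role search: (base DN, filter) with {0} replaced by the user's DN."""
    return ROLE_BASE, expand(ROLE_SEARCH, user_dn_value, escape_filter_value)


if __name__ == "__main__":
    # Ordinary login name (constructed).
    print(user_dn("jsmith"))
    # Parentheses in a DN are legal and common in AD; they must be filter-escaped.
    print(role_search("CN=John Smith (Contractor),CN=Users,DC=sharepoint,DC=tqinc,DC=info"))
    # A login name that tries to smuggle in a second RDN stays a single value.
    print(user_dn("jsmith,CN=Domain Admins"))
    # A login name that tries to add a second filter item: naive vs. escaped.
    hostile = "*)(objectClass=*"
    naive = expand_naive(USER_SEARCH, hostile)
    print(naive, filter_item_count(naive))
    print(user_filter(hostile), filter_item_count(user_filter(hostile)))
```

The contrast between ``expand_naive`` and ``expand`` is the practical check to carry over to a review of the configured strings: each template should contain the ``{0}`` placeholder exactly where a single attribute value belongs, and the product that performs the substitution, not the template, is responsible for escaping. When verifying a new stanza before saving, confirm that the user pattern resolves to a real entry for a test account and that the role search filter, run against the role base with that account’s DN, returns only the groups the account actually belongs to.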