Security LDAP Realm that Connects to Active Directory
Configure Fusion for a Security LDAP Realm that Connects to Active Directory
- Log in to Fusion as an admin and go to Security Realms.
- On the Security Realms tab, click Add Security Realm.
- Give the realm a name and choose the type ldap.
- If you want an AD user to be created in Fusion automatically the first time they log in, leave "Auto-create users" checked. Typically you will leave this checked; otherwise you have to preload Fusion with the users before they can log in.
- Specify the Roles that users logging in through this realm get by default. Keep this set minimal: these roles are granted to every AD account that can authenticate, whether or not a group mapping applies to it.
- Specify your AD server hostname. Use port 389 for plain LDAP or 636 for LDAPS. With a simple bind on 389 the bind password and every user's password cross the network in clear text, so use 636 wherever the domain controllers have a certificate.
- For Authentication Method, choose Search (one of the three options).
- In the Search Based Login: Base DN field, enter the DN of the container or OU under which all of your users can be found. The search is a subtree search, so this can sit above the users themselves, but the lower it is, the less of the tree the bind account needs to be able to read. In this example it is cn=users,dc=sptest,dc=local.
- For the Search Based Login: Filter Template, use (&(sAMAccountName={})(objectClass=person)). The {} placeholder is replaced with the login name the user typed; matching on sAMAccountName is what lets people log in with their Windows account name rather than a DN.
- For Super User - Bind DN, enter the DN of an account that is allowed to search the tree, and enter that account's password. Despite the label, this does not need to be a domain administrator: a dedicated service account that can read user objects and the member attribute of group objects is enough, and is what least privilege calls for, since Fusion has to store this password.
- Next is the Group / Role Mapping.
- For Group Search: Base DN, as with the user Base DN, enter the lowest container in the AD tree under which all the groups you intend to map can be found.
- For Group Search: Name Attribute, enter sAMAccountName.
- For Group Search: Filter Template, enter (&(member={})(objectClass=group)). Here {} is replaced with the DN of the user found by the login search, so the query returns the groups that list that user as a direct member. Nested membership is not followed by this filter; if you need it, AD's chained matching rule (&(member:1.2.840.113556.1.4.1941:={})(objectClass=group)) walks the group chain, at the cost of a slower query.
- For Group Mapping, enter a mapping of each Fusion role name to the DN of the AD group whose members should receive that role.
Example:
Creating a Delegation of Control of the bind user
The LDAP realm needs to be able to list a user's groups in order to apply the Group Mapping.
In a default Active Directory installation, Authenticated Users can read group membership (the member attribute of group objects), so chances are everything will work as soon as the bind account can authenticate.
If security has been tightened in your environment, the account you entered under Super User may not be able to read group membership. Login still succeeds, because the user search and the password bind both work, but the group search returns nothing, so the role lookup cannot connect the user's AD groups to Fusion roles and the user ends up with only the realm's default roles (none, if you left that list empty).
In that case, delegate read access on the relevant part of the tree to the bind account:
- In Active Directory Users and Computers, select the container or OU you entered as the Group Search Base DN (or the domain, if users and groups live in different containers), then choose Action → Delegate Control.
- Enter the bind user:
- Tick the Read all user information checkbox.
- Finish.
The Read all user information task covers user objects. If the group search still comes back empty afterwards, the missing right is usually Read on the member property of the group objects: in the same wizard choose Create a custom task to delegate, limit it to Group objects, and grant Read Members. Whichever you grant, verify it by binding as the service account and running the group search yourself rather than by logging in to Fusion, so that you can tell a permissions problem from a typo in a mapped DN.
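The script below is an added example, not code from the original page or from Lucidworks: it runs the same two LDAP searches the realm configuration above describes (login search by sAMAccountName, then group search by member) bound as the Super User account, and applies a Group Mapping to the result, so both the filter templates and the delegation of control can be checked before the realm is saved. The domain controller name, the service account, the group names and the role mapping are assumptions; only the Base DNs and filter templates are the ones used in the walkthrough. It uses System.DirectoryServices, which ships with .NET, so it does not need the ActiveDirectory module.

```powershell
# Added example (not from the page or from Fusion): reproduce the realm's two
# searches as the bind account and apply a role mapping to what comes back.
param(
    [string]$Server              = 'dc1.sptest.local:636',                   # assumed DC; use :389 for plain LDAP
    [string]$BindDn              = 'cn=svc-fusion,cn=users,dc=sptest,dc=local',  # assumed Super User - Bind DN
    [string]$UserBaseDn          = 'cn=users,dc=sptest,dc=local',
    [string]$UserFilterTemplate  = '(&(sAMAccountName={})(objectClass=person))',
    [string]$GroupBaseDn         = 'cn=users,dc=sptest,dc=local',
    [string]$GroupFilterTemplate = '(&(member={})(objectClass=group))',
    [Parameter(Mandatory)][string]$Login                                     # sAMAccountName of the user to test
)

# Assumed Group Mapping: Fusion role name -> DN of the AD group that grants it.
$RoleMapping = @{
    'admin'  = 'cn=Fusion Admins,cn=users,dc=sptest,dc=local'
    'search' = 'cn=Fusion Users,cn=users,dc=sptest,dc=local'
}

# Prompt for the bind password instead of taking it on the command line.
$cred     = Get-Credential -UserName $BindDn -Message 'Password for the Super User (bind) account'
$bindPass = $cred.GetNetworkCredential().Password

# Simple bind with a DN, exactly as the realm does it: plain on 389, TLS-wrapped on 636.
$authType = if ($Server -like '*:636') {
    [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
} else {
    [System.DirectoryServices.AuthenticationTypes]::None
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value substituted into a filter. Without it a login
    # such as "*" or "x)(objectClass=*" would change the structure of the filter.
    # Backslash is handled first so the escapes it produces are not re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Invoke-RealmSearch {
    # Subtree search from $BaseDn, authenticated as the bind account.
    param([string]$BaseDn, [string]$Filter, [string[]]$Attributes)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn", $BindDn, $bindPass, $authType)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.FindAll()
}

# Step 1: the login search. The realm substitutes the typed login name for {}.
$userFilter = $UserFilterTemplate.Replace('{}', (ConvertTo-LdapFilterValue $Login))
$user = Invoke-RealmSearch $UserBaseDn $userFilter @('distinguishedName') | Select-Object -First 1
if (-not $user) { throw "No object matches $userFilter under $UserBaseDn; check the Base DN and Filter Template." }
$userDn = [string]$user.Properties['distinguishedname'][0]
"User DN: $userDn"

# Step 2: the group search. Now {} is the user's DN, which can itself contain
# characters that need filter escaping (for example cn=Doe\, John).
$groupFilter = $GroupFilterTemplate.Replace('{}', (ConvertTo-LdapFilterValue $userDn))
$groupDns = foreach ($g in Invoke-RealmSearch $GroupBaseDn $groupFilter @('distinguishedName')) {
    [string]$g.Properties['distinguishedname'][0]
}
"Groups: $($groupDns -join '; ')"

# Step 3: the Group Mapping. DNs compare case-insensitively, as -contains does.
$roles = $RoleMapping.GetEnumerator() | Where-Object { $groupDns -contains $_.Value } | ForEach-Object { $_.Key }
"Fusion roles: $($roles -join ', ')"

# The failure mode from the delegation section: login works, but no groups come back.
if (-not $groupDns) {
    Write-Warning ("Login would succeed but $Login would get no mapped roles. If the account is in a " +
                   "mapped group, the bind account cannot read 'member' on the group objects under " +
                   "$GroupBaseDn and needs Read delegated on them.")
}
```

Save it as, for example, Test-FusionRealm.ps1 (an assumed name) and run `.\Test-FusionRealm.ps1 -Login jdoe` from a machine that can reach the domain controller; a bind failure surfaces as an exception from the first search, an empty Groups line with a non-empty User DN points at the group read permission, and a Groups line that lists the expected DN but no role points at a typo in the mapping.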