Connecting to Customer-Deployed LDAP Service

To use customer-deployed LDAP service for Fabric Manager authentication:

Using vi or any other text editor as “sudo”, edit the /usr/local/ffm/config/shiro.ini file.
Change the attributes as directed in the following lines and save the file:
1. In the following line, replace <localhost:port no> with the IP address of the system where the customer’s LDAP service is running, followed by the port number.
```
ldapRealm.contextFactory.url = ldap://<localhost:port no>
```
2. In the following line, replace <cn=root,dc=unisys,dc=com> with the user name.
```
ldapRealm.contextFactory.systemUsername = <cn=root,dc=unisys,dc=com>
```
3. In the following line, type the password:
```
ldapRealm.contextFactory.systemPassword = <LDAPAdmin@1>
```

Note: Restart Fabric Manager services for the changes to take effect.

You can now authenticate using the customer-deployed directory service. Ensure that the systemUsername has read-only permission to the LDAP directory. To know about user authentication with the customer-deployed LDAP service, see the documentation provided by the vendor.

Note: Directory structure of the customer-deployed directory service should match the directory structure defined for FFM OpenLDAP. The following figure depicts the high level schema used by OpenLDAP in the Fabric Manager:

Modify the /usr/local/ffm/config/shiro.ini file and replace the following with appropriate values applicable to the customer-deployed LDAP service:

userdnTemplate: Refers to a pattern used by the LDAP Server to authenticate the user. {0} will be replaced with the actual username when authenticating against the LDAP Server.
The default value used in FFM is uid={0},ou=users,dc=unisys,dc=com. Refer the left tree in the schema, from bottom up, to understand how this value is derived.
uniquememberAttribute: Refers to the attribute under each group where all the members (users) of the group are stored. The default value in the Fabric Manager is "uniqueMember." Hence there can be multiple "uniqueMember" values under a single group allowing multiple users to be added to a group.
uniquememberAttributeValueTemplate: Refers to the pattern to read each uniqueMember of a group. {0} will be replaced with the actual username. This value needs to be explicitly specified because this can be different from "userDnTemplate".
The default value used in the Fabric Manager is uid={0},ou=users,dc=unisys,dc=com
groupNameAttribute: Attribute under a group to get the name of the group.
There are multiple attributes by which a group name can be specified under different LDAP Server. Hence, you should have an understanding of which attribute should be used as the group name so that it can be mapped against a role.
The default value in the Fabric Manager is cn..
userGroupSearchCtx: Specifies the location of all the group objects in the schema.
Because the users are members of groups, it is important to have a prior understanding of location of the groups. The default value in the Fabric Manager is "ou=groups,dc=unisys,dc=com" because all the groups are under ou=groups which is under "dc=unisys,dc=com". Refer the right tree in the schema, from bottom up, to understand how this value is derived.

To know how to map the groups to roles, see Mapping Groups to Roles.