LDAP Integration with the CA TDM Portal

LDAP enables your security teams to authenticate user access and privileges from a central location. The CA TDM Portal lets you integrate with the following LDAP implementations:
  • Microsoft Active Directory (MS AD)
  • Oracle Directory Services
Where examples on this page refer to integration with Active Directory (AD), integration with other supported LDAP implementations requires the same process in TDM Portal.
Tutorial Video
Watch the following video for a visual walk-through of a use case of integrating AD with the CA TDM Portal:

Integration Flow
The following diagram shows a simplified version of the integration:
Active Directory Integration with the CA TDM Portal
Considerations
Review the following considerations:
  • Only a single Active Directory, or an Active Directory with a child (sub) Active Directory, is supported. Disjoint Active Directories are not supported.
  • When you upgrade from a previous CA TDM Portal release (based on the supported upgrade path) to this release, all existing Active Directory users in the previous Portal release are automatically migrated to this release. You do not need to perform this task manually.
  • Administrators can decide to hide Native Users in LDAP Mode.
Process
The following diagram shows the detailed process steps:
AD integration process steps
To allow appropriate LDAP users to access the CA TDM Portal, ensure that you perform the following tasks:
  1. Configure the LDAP integration settings.
    1. Set the authentication mode.
    2. Specify the Integration parameter values.
    3. Validate the authentication.
    4. Configure the default LDAP groups.
  2. Provide access to LDAP users.
    • Map LDAP groups to the CA TDM Portal user groups.
    • Add LDAP users to the CA TDM Portal user groups.
Configure the LDAP Integration Settings
The first step in integrating LDAP with the CA TDM Portal is to specify appropriate LDAP integration settings. The settings include selecting AD/LDAP as the authentication mode, providing values for the related parameters, and specifying default LDAP groups.
Follow these steps:
  1. Access the CA TDM Portal as an administrator (super administrator).
  2. Click Configuration, Authentication in the left pane. The Authentication page opens.
  3. Configure the following parameters to integrate LDAP with the CA TDM Portal:
    • Source
      Specifies the type of authentication that you want to use—Active Directory authentication or native authentication:
      • AD/LDAP
        In Active Directory authentication, the user authentication happens against Active Directory. Select AD/LDAP as the authentication mode to integrate LDAP with the CA TDM Portal, and proceed to specify information for the remaining fields in this procedure.
      • Native TDM
        In native authentication, the CA TDM repository is used to verify whether a specific user is present in the repository. If the user is present, the user is authenticated and is allowed to log into the application. For native authentication, select Native TDM and click OK.
      Note: You do not need to restart the CA Test Data Manager Portal service when you change the authentication mode.
    The following are the basic settings:
    • Host Name
      Specifies the host name or IP address of the computer where LDAP is available.
      Example: 192.168.255.255
    • Port Number
      Specifies the port where LDAP is listening.
      Example: 389
    • Base DN
      Specifies the base distinguished name to use for searching users and groups in the LDAP server.
      Example: DC=ca,DC=com or CN=users,DC=ca,DC=com
    • User DN
      Specifies the distinguished name of the user to use when connecting to the LDAP server.
      Example: CN=administrator,CN=users,DC=ca,DC=com
    • Password
      Specifies the password that is associated with the user specified in the User DN field.
    The following are the additional settings:
    • Referral Strategy
      Specifies whether to Follow or Ignore a referral to another source when a user in one group is also a member of another group. Select the respective option from the drop-down list.
    • Use SSL
      Specifies whether the secure SSL connection is enabled on the LDAP server. Select this option to enable the secure SSL connection to the LDAP server. Verify that you use the appropriate port number (for example, 3269) in the Port field for the SSL connection.
    • User Class
      Specifies the name of the LDAP user object class to use when loading the users.
      Example: PERSON
    • User ID Attribute
      Specifies the attribute field to use when loading the user name. Based on the setting configured on your LDAP server, use the related attribute to uniquely identify the users. For example, your LDAP server can use CN, mail, uid, or userPrincipalName to identify the users. You must, therefore, enter the relevant value in this field.
      Example: CN
    • User Organization
      Specifies the organization of the LDAP user object class to use when loading the users.
      Example: CN=users
      If users are spread across different organizational units, leave this parameter value empty. Additionally, for performance reasons, you can configure your LDAP server host name parameter to point to the Global Catalog server (for example, 192.168.255.255:3268) instead of the specific LDAP server.
    • Group Object Class
      Specifies the name of the LDAP group object class to use when loading the groups.
      Example: group
    • Group ID Attribute
      Specifies the attribute field to use when loading the group name.
      Example: CN
    • Group Organization
      Specifies the organizational unit of the LDAP group object class to use when loading the groups.
      Example: CN=users
    • Group Member Attribute
      Specifies the attribute field to use when loading group members from the group.
      Example: member
  4. Click Test to verify that the configuration details are valid and are working. This testing also verifies the availability of LDAP users and LDAP groups in the specified LDAP configuration. That is, at least one LDAP user must be present, and at least one LDAP group must contain at least one LDAP user.
    A success message indicates that the details are valid.
  5. Click OK.
  6. Click Next; the following actions happen:
    • All specified details are saved.
    • The Default Group Configuration page opens. This page lets you define the default LDAP groups so that they can get the admin and tester access. This setting is optional.
      By default, when a project is created in the CA TDM Portal, two default CA TDM Portal user groups—ADMIN and TESTER—are also created. The CA TDM Portal also lets administrators select specific LDAP groups as the default LDAP groups for the admin and tester access. The CA TDM Portal achieves this by mapping the selected LDAP groups to the ADMIN and TESTER user groups. This mapping ensures that the two LDAP groups are automatically mapped to the ADMIN and TESTER user groups whenever a new project is created in the Portal. These mapped LDAP groups then become the default LDAP groups for the created project. This ability eliminates the administration overhead of manually mapping the default LDAP groups every time a new project is created. Users belonging to the default LDAP groups get the appropriate privileges depending on the mapped default Portal user group.
  7. To configure the default LDAP groups, do the following:
    • Select default AD group(s) for ADMIN access
      Lets you search for and select the required LDAP group to which you want to provide the administrator access. The selected LDAP group is mapped to the ADMIN user group. All members of the LDAP group get the administrator access for the created project.
    • Select default AD group(s) for TESTER access
      Lets you search for and select the required LDAP group to which you want to provide the tester access. The selected LDAP group is mapped to the TESTER user group. All members of the LDAP group get the tester access for the created project.
  8. Click Finish.
    A message states that the authentication settings are configured successfully.
  9. Click OK.
You have successfully configured the LDAP integration settings. You can now proceed to provide access to the LDAP users.
Provide Access to LDAP Users
Users who are members of the default LDAP groups have access to the CA TDM Portal. But, they get access to all the projects that are created after the configuration. In your organization, you might have users whom you do not want to include in these default LDAP groups. You want to give them access based on the business requirements; for example, give them access only to a specific project. To do so, you can use the following methods:
  • Map LDAP Groups to CA TDM Portal User Groups.
  • Add LDAP Users to CA TDM Portal User Groups.
Map LDAP Groups to CA TDM Portal User Groups
You can map LDAP groups to the CA TDM Portal user groups. With this mapping, when users belonging to a mapped LDAP group try to log into the CA TDM Portal for the first time, they are automatically added to the CA TDM repository. You do not need to add them explicitly to the CA TDM Portal user group. Such users can then log into the CA TDM Portal using their LDAP credentials. They get access to the same resources that are available to the other users who are already members of the mapped CA TDM Portal user group.
You can complete this mapping from the following places in the CA TDM Portal:
Add LDAP Users to CA TDM Portal User Groups
You can directly add LDAP users to the appropriate CA TDM Portal user groups. When you add LDAP users to the CA TDM Portal user groups, they are automatically added to the CA TDM repository. They can then log into the CA TDM Portal using their LDAP credentials. This ability helps you avoid overhead tasks that are associated with the manual process of adding LDAP users to the repository.
For more information about how to add LDAP users to the CA TDM Portal user group, see User and Group Management.
Log in LDAP Users
After you configure the LDAP integration settings and provide access to LDAP users, all relevant LDAP users can log into the CA TDM Portal using their LDAP credentials. The logged-in LDAP users can perform all the required operations depending on their association with the CA TDM Portal user group.
Example
The Example: Active Directory Integration article includes an example scenario that explains the complete end-to-end integration.
Troubleshooting
Review the following troubleshooting information:
Some Valid LDAP Users are Unable to Log in
Symptom
In my organization, some valid LDAP users are unable to log into the CA TDM Portal; whereas, some other LDAP users can without any issue. How can I resolve this problem?
Solution
If users are spread across different organizational units, you must ensure that the LDAP server host name is configured to point to the Global Catalog server instead of the specific LDAP server. For example, Joe belongs to HRGroup and John to FinanceGroup. You have configured the LDAP server to point only to HRGroup. In this scenario, Joe can log in without any issue. However, John cannot log in, because the LDAP server host information is not configured for FinanceGroup. To ensure both the users belonging to different groups can log into the application, point the LDAP server to the Global Catalog server that covers both the groups. This allows users who are members of different groups to log into the application.
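The two checks that the Test button performs (step 4 of the configuration procedure) and the organizational-unit scoping behind this troubleshooting case, as an added example in Python that is not part of the CA TDM Portal or of this page: the sample directory entries, the settings dictionary, and the function names are constructed for illustration, and the parameter values are the ones shown on the Authentication page.

```python
from typing import Dict, List, Tuple
Entry = Dict[str, List[str]]

# Constructed sample directory (DN -> attributes): Joe and John sit in different OUs,
# each a member of a group in their own OU, as in the troubleshooting scenario above.
SAMPLE_DIRECTORY: Dict[str, Entry] = {
    "CN=Joe,OU=HR,DC=ca,DC=com": {"objectClass": ["person"], "cn": ["Joe"]},
    "CN=John,OU=Finance,DC=ca,DC=com": {"objectClass": ["person"], "cn": ["John"]},
    "CN=HRGroup,OU=HR,DC=ca,DC=com": {"objectClass": ["group"], "cn": ["HRGroup"],
                                      "member": ["CN=Joe,OU=HR,DC=ca,DC=com"]},
    "CN=FinanceGroup,OU=Finance,DC=ca,DC=com": {"objectClass": ["group"], "cn": ["FinanceGroup"],
                                                "member": ["CN=John,OU=Finance,DC=ca,DC=com"]},
}

# Values from the Authentication page; User Organization deliberately narrowed to one OU
SETTINGS = {"base_dn": "DC=ca,DC=com", "user_class": "PERSON", "user_id_attr": "CN",
            "user_org": "OU=HR", "group_class": "group", "group_id_attr": "CN",
            "group_org": "", "group_member_attr": "member"}

def search_base(org: str, base_dn: str) -> str:
    """Search base: the organization prefixed to the Base DN, or the Base DN alone when empty."""
    return f"{org},{base_dn}" if org else base_dn

def in_scope(dn: str, base: str) -> bool:
    """True when dn is the base itself or lies beneath it (subtree scope); DNs compare case-insensitively."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)

def attr(entry: Entry, name: str) -> List[str]:
    """Case-insensitive attribute lookup, as an LDAP server resolves attribute names."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def load(directory: Dict[str, Entry], base: str, object_class: str, id_attr: str) -> Dict[str, str]:
    """Entries under base with the given object class, keyed by DN with their ID attribute value."""
    return {dn: attr(e, id_attr)[0] for dn, e in directory.items()
            if in_scope(dn, base) and attr(e, id_attr)
            and object_class.lower() in [c.lower() for c in attr(e, "objectClass")]}

def validate(settings: dict, directory: Dict[str, Entry]) -> Tuple[bool, List[str], List[str]]:
    """Model of the Test button: (ok, user IDs found, group IDs that contain a found user)."""
    users = load(directory, search_base(settings["user_org"], settings["base_dn"]),
                 settings["user_class"], settings["user_id_attr"])
    groups = load(directory, search_base(settings["group_org"], settings["base_dn"]),
                  settings["group_class"], settings["group_id_attr"])
    known = {dn.lower() for dn in users}
    populated = [gid for dn, gid in groups.items()
                 if any(m.lower() in known for m in attr(directory[dn], settings["group_member_attr"]))]
    return bool(users) and bool(populated), sorted(users.values()), sorted(populated)
```

With User Organization set to OU=HR only Joe is loaded and only HRGroup counts as populated; clearing User Organization (the Global Catalog advice above) loads both users and both groups.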