LDAP_URL

This is a LDAP URL as defined by Internet Standard rfc2255. The purpose of this entry is to define the LDAP Server host name, port number and specify how to locate users. Full details can be found in rfc2255 - see opposite for a brief description.

ServiceOptimizer only uses a subset of the values as detailed below, any values supplied beyond these are ignored, for example:

ldap://rtan/O=servicepower,dc=com/?dn?sub?(&objectclass=inetorgperson)(uid=%s)

Field	Value	Description
Scheme	“ldap” use “ldaps” for SSL	Currently LDAPS is not supported.
Hostport	rtan	the default port for ldap is 389 or 636 for SSL, to define a port append it to the host name as follows: rtan.sbs:123 or rtan:400
DN	O=servicepower,dc=com,	identified the base of a search or (in ServiceScheduling only) optionally the base of a user DN.
Attributes	dn	LDAP attribute types to return, defaults dn in our case
Scope	sub	how deep to search the directory, defaults to base (as per rfc2255)
Filter	(&objectclass=inetorgperson)(uid=%s)	how to search the directory. In ServiceScheduling we look for the %s character and replace it with the username/userid. The LDAP libraries will parse the %s string so it needs to be escaped to maintain its meaning, replace %s with %25s (i.e. hex char for % This parameter is the key to configuring ServiceScheduling’s LDAP authentication. A command line utility (described later) allows the user to validate this prior to starting up a ServiceOptimizer system.

LDAP URL

ldapurl = scheme "://" [hostport] ["/" [dn ["?" [attributes] ["?" [scope] ["?" [filter] ["?" extensions]]]]]]
scheme = "ldap" / "ldaps"
attributes = attrdesc *("," attrdesc)
scope = "base" / "one" / "sub"
dn = distinguishedName
hostport = hostport
attrdesc = AttributeDescription
filter = filter
extensions = extension *("," extension)
extension = ["!"] extype ["=" exvalue]
extype = token / xtoken
exvalue = LDAPString
token = oid
xtoken = ("X-" / "x-") token

LDAP Version

The current LDAP version is Version 3, some LDAP Servers may only accept connections from specific LDAP clients, e.g. a Version 3 server could be configured to reject connects from a Version 2 client. Our application is Version 3 and can communicate with either a Version 2 or Version 3 server. The default setting is 3. If your LDAP Server is Version 2 then you will need to set this to 2.

LDAP_DN

In order to authenticate against an LDAP Server a user must supply their DN and password. For various reasons it is not practical for users to enter this into a login dialog. ServiceScheduling stores a users ‘user_id’ in sp085_users. Using this information (sp085_users.user_id) we need to be able to construct a users DN. In order to support different Directory schemas and Directory requirements we have devised two methods to map user_ids to DN, the sp083_SYSTEM_PARAMETERS.VALUE field identifies which method to use.

SEARCH

CONCATENATE

This is the default and preferred method. To be able to use this method a Directory Server must allow anonymous binds. The way this works is that the sp085_users.user_id value is substituted for the ‘%s’ string in the search filter and a directory search is performed from specified base DN. The resulting DN is used as the user DN for authentication. For example:

ldap://rtan/O=ServicePower,c=GB???(cn=%25s)

First we take the filter ‘(cn=%25s)’ and substitute the sp085_users.user_id (e.g. Joe) and our search filter is ‘cn=Joe’.

Next we do an anonymous bind to the Directory Server and search for object ‘cn=Joe’, starting at ‘O=ServicePower,c=GB’, doing a subtree (default) search and return the DN (default).

If the Directory Server (or Administrator) does not allow anonymous binds and the users in the Directory are in a flat structure then the other mapping from user_id to DN can be used. Here the base DN and filter are concatenated together to form a DN. For example:

ldap://rtan/OU=Support,O=servicepower,c=GB???(CN=%25s)

We substitute the user_id in the filter string as above and get ‘cn=Joe’, we then simply concatenate this RDN to the base DN to get ‘cn=Joe,OU=Support,O=ServicePower,c=GB

Browser not supported