LDAP User Properties

This topic describes the various configuration tabs available in the LDAP User Properties.
When an LDAP Identity Provider is configured, user details are stored and managed in the external LDAP server. The Policy Manager can display this information in read-only format, with the exception of user roles.
To access the properties for an LDAP user:
  1. Search the LDAP identity provider.
  2. Click the user to view and then click [Select]. The properties for that user are displayed.
  3. Click [OK] when done.
Configuring the [General] Tab
The [General] tab displays the name and email address for the user. All information is managed on the LDAP repository and cannot be modified here.
Configuring the [Roles] Tab
The [Roles] tab is used to assign LDAP users to roles or remove them from roles. It is available only when administrative access has been enabled for the LDAP Identity Provider (set via the "Allow assignment to administrative roles" check box in Step 1 of the LDAP Identity Provider Wizard). At least one role must be set if the user will be logging in to the Policy Manager.
The table at the top lists the roles currently assigned to the user:
  • Name: The name of the role.
  • Type: "System" indicates a role that is either predefined or automatically generated (see Predefined Roles and Permissions). "Custom" indicates a user-defined role (see Manage Roles).
  • Inherited: "No" means the user is assigned to the role directly; "Yes" means the user is a member of a group assigned to that role.
The Role properties section at the bottom displays the complete description for the selected role.
To add the user to a role:
  1. Click [Add]. A list of eligible roles is displayed.
  2. Select the role(s) to which to add the user.
     To locate a role more easily, enter some text in the "Filter on name" box. This filters the roles list to display only those roles containing the filter text. Delete the filter text to restore the full list of roles.
  3. Click [Add] to close the dialog.
To remove a user from a role:
  1. Select the role(s) to be removed from the user. Hold down the [Ctrl] key to select multiple roles.
     You can only remove roles that are not inherited. To remove a user from an inherited role, remove the user from the group that has the role.
  2. Click [Remove].
Notes: (1) Users who need to log on to the Policy Manager must be assigned to at least one role. For more information, see Manage Roles. (2) If a role is both assigned directly and inherited, the interface displays "No" in the "Inherited" column and you are permitted to remove the role. Once removed, that role remains in the list, but the "Inherited" column changes to "Yes".
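The rules the [Roles] tab applies (direct versus inherited roles, which rows can be removed, and the "at least one role" logon requirement) are easy to get wrong when auditing who holds administrative roles through group membership. The following is an added, constructed model of those rules written for this page; it is not the Policy Manager's own data model, and the user, group and role names are made up.

```python
from dataclasses import dataclass, field

@dataclass
class LdapUser:
    """Hypothetical model of one LDAP user as seen in the [Roles] tab."""
    name: str
    direct_roles: set = field(default_factory=set)   # assigned on this tab
    groups: set = field(default_factory=set)         # LDAP groups (read-only)

# Constructed sample data: roles assigned to each LDAP group.
GROUP_ROLES = {
    "ops-team": {"Operator"},
    "admins": {"Administrator", "Operator"},
}

def inherited_roles(user, group_roles=GROUP_ROLES):
    """Roles the user holds only by virtue of group membership."""
    roles = set()
    for g in user.groups:
        roles |= group_roles.get(g, set())
    return roles

def roles_table(user, group_roles=GROUP_ROLES):
    """Rows as the [Roles] tab shows them: {role: Inherited column}.
    A role that is both assigned directly and inherited shows "No"."""
    inh = inherited_roles(user, group_roles)
    rows = {}
    for r in user.direct_roles | inh:
        rows[r] = "No" if r in user.direct_roles else "Yes"
    return dict(sorted(rows.items()))

def remove_role(user, role, group_roles=GROUP_ROLES):
    """Remove a direct assignment. Only rows showing "No" can be removed;
    an inherited-only role must be removed via the group instead.
    Returns the table after removal, so an inherited copy of the role
    reappears with Inherited = "Yes"."""
    if roles_table(user, group_roles).get(role) != "No":
        raise ValueError(f"{role!r} is inherited; remove the user from the group")
    user.direct_roles.discard(role)
    return roles_table(user, group_roles)

def can_log_in(user, group_roles=GROUP_ROLES):
    """Policy Manager logon requires at least one role, direct or inherited."""
    return bool(roles_table(user, group_roles))
```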
Configuring the [Groups] Tab
The [Groups] tab displays the groups to which the LDAP user belongs. The information is managed on the LDAP repository and cannot be modified here.
Configuring the [Certificate] Tab
The [Certificate] tab is used to manage the certificate for the LDAP user.
  • To import a certificate for the user, click [Import] and then complete the Add Certificate Wizard. The import option is not available if the user already has a certificate in the LDAP repository.
    If the user has no certificate in the LDAP repository, or the "Enable user certificates in this LDAP" check box in the LDAP Identity Provider Wizard (Step 1) is not selected, then a certificate can be imported for this user.
    The imported certificate is not stored on the LDAP repository but rather in the client certificate store within the API Gateway.
  • To export a certificate, click [Export] and then specify a file name and location.
  • To revoke a certificate, click [Revoke] and then click [OK] to confirm. Revoking removes both the certificate and the user's password.
    The Revoke option is not available for LDAP users who have a client certificate in the LDAP repository. Revoking a certificate in this case requires either removing it from the LDAP repository or revoking the certificate and then specifying an appropriate revocation checking policy.