Directory Services Settings

The following tables list the settings used when the User Provisioning option is set to Directory Services.

Authentication

Setting | Default | Description/Values
Type | Active Directory | Select your authentication server type:

  • Active Directory
  • OpenLDAP

Follow Referrals | Enabled | Referral following is enabled when this checkbox is checked (default).

  • When enabled and HMP's LDAP client searches for users or groups, it recursively creates new connections to search other servers referenced by the Directory Services server that is currently being searched.
  • When disabled, the LDAP client does not connect to any other servers besides the one specified by the Connection settings.

Tip

In certain environments, you may want to disable referrals, for example in troublesome environments or in places where referral servers do not add any useful information about the configured users.

Connection

Setting | Default | Description/Values
IP Address | | The IP address or domain name of the server that hosts the authentication server.
Port | 389 | The communications port that the authentication service uses. The default value is 389 (the standard port used for LDAP connections). The default is 636 for SSL connections.
Connection | Basic | Select the encryption protocol:

  • Basic: Unencrypted connection
  • SSL: Secure Sockets Layer (recommended)

Username | | The username for HMP to connect to your authentication system and query it for the required information. The user account needs to have permission to connect to the server and read the information in the authentication directory.
Password | | The password that corresponds with the user name provided for the Username field.
Sync Interval | 60 minutes | The directory server sync interval.

Tip

  • Changing this value triggers a sync of the directory server.
  • We recommend setting this value to once per day (1440 minutes).
  • If you would like the sync to occur at a certain time of day, change this value to 1440 at that time of day.

Query

Setting | Default | Description/Values
Base DN | | The Base DN (Distinguished Name) used by your authentication system. This setting should be provided by your AD/LDAP administrator. For example: ou=staff,dc=haivision,dc=com

Note

Spaces are not allowed unless they are part of the path.

Important

If the Base DN is wrong, HMP is not able to access the groups. When the connection test succeeds, a list of the first 10 users and groups appears. (See example in Connecting to a Directory Server.)

User Context | | The DN of the context (container) where your authentication system users can be found. This setting should be provided by your AD/LDAP administrator. For example: ou=people,dc=haivision,dc=com

Important

If the User Context is wrong, users are not able to sign in correctly. For example, they may have only the anonymous privileges or even see a blank screen.

Note

To simplify management of user bases, you can specify separate search bases for User and Group objects. You can also input multiple User Contexts (separated by line feeds, i.e., each line is a new context).

Group Context | | The DN of the context where your authentication system groups can be found. This setting should be provided by your AD/LDAP administrator.

Note

See the previous note for how to enter multiple Group Contexts.

User Attribute | sAMAccountName | The user attribute your directory system uses. OpenLDAP systems normally use cn or uid. Active Directory systems normally use sAMAccountName; however, userPrincipalName is also supported for signing in using email addresses.
Member Attribute | memberOf | The member attribute your directory system uses. OpenLDAP systems normally use member or memberUid, while Active Directory systems normally use memberOf.
Group Object Class | (|(objectClass=group)(objectClass=groupOfNames)) | Object class query for groups. The default works with almost all directory servers.
User Object Class | (objectClass=person) | Object class query for users. The default works with almost all directory servers.
Query Page Size | 1000 | Sets the size of a page for paged results. Paged results are typically supported, but the supported page size may need to be configured for your site. If the requested size is not supported by the LDAP server, a non-paged query is attempted. The default on most directory servers is 1000.
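
A pre-flight check for the Connection and Query values described above, as an added Python example (not Haivision code). The dictionary keys, the sample values and the way user_filter combines User Object Class with User Attribute are assumptions; the DN check is a simplified syntax check.

```python
import re

# One DN component "attr=value": no space beside "=", commas only if escaped (simplified check).
_RDN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*=(?!\s)(?:\\.|[^,\\])+(?<!\s)$")

def check_dn(dn):
    """Return problems in one DN; spaces are accepted only inside a value."""
    problems = []
    for rdn in re.split(r"(?<!\\),", dn):
        if rdn != rdn.strip():
            problems.append(f"space next to a comma near {rdn!r}")
        elif not _RDN.match(rdn):
            problems.append(f"malformed component {rdn!r}")
    return problems

def check_connection(connection, port):
    """Compare Connection and Port with the defaults the page gives."""
    findings = []
    if connection == "Basic":
        findings.append("Connection is Basic (unencrypted); SSL is recommended")
    if (connection, port) in (("Basic", 636), ("SSL", 389)):
        findings.append(f"port {port} is the default for the other Connection type")
    return findings

def user_filter(user_object_class, user_attribute, sign_in_name):
    """Assumed composition: User Object Class AND (User Attribute = RFC 4515-escaped name)."""
    name = "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in sign_in_name)
    return f"(&{user_object_class}({user_attribute}={name}))"

def lint(settings):
    """Check a dict of settings (hypothetical keys); contexts are one DN per line."""
    findings = check_connection(settings["connection"], settings["port"])
    for field in ("base_dn", "user_context", "group_context"):
        for dn in filter(str.strip, settings[field].splitlines()):
            findings += [f"{field}: {p}" for p in check_dn(dn)]
    return findings

# Constructed sample; the DNs are based on the page's examples.
SAMPLE = {
    "connection": "Basic", "port": 389,
    "base_dn": "ou=staff, dc=haivision,dc=com",
    "user_context": "ou=people,dc=haivision,dc=com\nou=Media Staff,dc=haivision,dc=com",
    "group_context": "ou=groups,dc=haivision,dc=com",
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
    print(user_filter("(objectClass=person)", "sAMAccountName", "j*doe"))
```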

Data Mapping

Setting | Default | Description/Values
Group Name | cn | HMP needs these fields to read from the directory server. The defaults should work on most systems. If your system uses different attribute names, configure them here.
Display Name | displayName |
Email | mail |
User Principal Name | userPrincipalName |

Single Sign-On

Setting | Default | Description/Values
Single Sign-On | Off | To configure Single Sign-on, see Integrating HMP with Single Sign-On (SSO) Environments.