For a successful connection between Orchestrator and the directory server, you must configure the LDAP authentication settings to match the specific LDAP server settings.

Table 1. LDAP Authentication Options (each option is followed by its description)

Primary LDAP host

The IP address or the DNS name of the first host on which Control Center verifies user credentials.

Secondary LDAP host

The IP address or the DNS name of the host on which Control Center verifies user credentials, if the primary LDAP host becomes unavailable.

Port

The lookup port of your LDAP server.

Note:

Orchestrator supports the Active Directory hierarchical domain structure. If your domain controller is configured to use Global Catalog, you must use port 3268. You cannot use the default port 389 to connect to the Global Catalog server.

Root

The root namespace container.

If your domain name is company.org, your root container is dc=company,dc=org.

Note:

To improve the performance in large service directories, you can narrow the search base by defining a specific container in the tree structure. For example, rather than searching the entire directory, you can specify ou=employees,dc=company,dc=org. This search base returns only the users in the Employees organizational unit.

The values that you enter in the required text boxes generate the following LDAP connection URL: ldap://DomainController:389/ou=employees,dc=company,dc=org.

Use SSL

If this option is enabled, the connection between Orchestrator and LDAP is encrypted.

Note:

If your LDAP uses SSL, you must first import the SSL certificate and restart the Orchestrator server service. See Import the LDAP Server SSL Certificate.

User name

The name of a user account that has permissions to browse the directory tree.

You can specify the user name in Active Directory in one of the following formats:

  • Bare user name, for example: user

  • Distinguished name, for example: cn=user,ou=employees,dc=company,dc=org

  • Principal name, for example: user@company.org

Password

The password for the user account that has permissions to browse the directory tree.

User lookup base

An LDAP container or organizational unit where Orchestrator searches for potential users.

Admin group

The Admin group must be an LDAP group to which you grant administrative privileges for Orchestrator.

For example, Domain Admins.

Request timeout

A value in milliseconds that sets how long the Orchestrator server waits for a reply after sending a query to the service directory.

If queries time out, adjust this value to check whether the timeout originates in the Orchestrator server.

Host reachable timeout

A value in milliseconds that determines the timeout period for the connectivity check to the destination host.

Dereference links

When this option is selected, the LDAP server resolves user aliases to the searched user object.

Filter attributes

Filters the LDAP attributes that the LDAP lookup returns. Selecting this check box makes searching in LDAP faster by not returning certain attributes.

However, you might need to use some extra LDAP attributes for automation later.
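The following is an added example, not Orchestrator code or VMware documentation: it assembles the settings in the table into the connection URL shown above, derives the root container from a DNS domain name, classifies the three accepted user name formats, and rejects the Global Catalog misconfiguration the Port note warns about. The ldaps:// scheme for the Use SSL case and the hypothetical `global_catalog` flag are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List, Optional

GLOBAL_CATALOG_PORT = 3268   # required when the domain controller uses Global Catalog
DEFAULT_LDAP_PORT = 389      # the standard LDAP port; not valid for Global Catalog


def root_from_domain(domain: str) -> str:
    """Derive the root namespace container: company.org -> dc=company,dc=org."""
    labels = [label for label in domain.lower().split(".") if label]
    if not labels:
        raise ValueError("domain name is empty")
    return ",".join(f"dc={label}" for label in labels)


def classify_user_name(name: str) -> str:
    """Report which Active Directory user name format a bind account uses."""
    if re.fullmatch(r"[^@=,\s]+@[^@=,\s]+", name):
        return "principal"        # user@company.org
    if re.fullmatch(r"\w+=[^,]+(,\w+=[^,]+)*", name):
        return "distinguished"    # cn=user,ou=employees,dc=company,dc=org
    if re.fullmatch(r"[^@=,\s]+", name):
        return "bare"             # user
    raise ValueError(f"unrecognised user name format: {name!r}")


@dataclass
class LdapSettings:
    primary_host: str
    port: int
    root: str
    use_ssl: bool = False
    global_catalog: bool = False          # hypothetical flag: DC serves a Global Catalog
    user_lookup_base: Optional[str] = None  # narrower container, e.g. an OU under root

    def validate(self) -> List[str]:
        """Return configuration problems; an empty list means the settings are consistent."""
        problems = []
        if self.global_catalog and self.port != GLOBAL_CATALOG_PORT:
            problems.append(f"Global Catalog requires port {GLOBAL_CATALOG_PORT}, not {self.port}")
        base = self.user_lookup_base or self.root
        if not base.endswith(self.root):
            problems.append(f"user lookup base {base!r} is outside root {self.root!r}")
        return problems

    def url(self) -> str:
        """Compose the connection URL the text shows, e.g. ldap://DomainController:389/..."""
        scheme = "ldaps" if self.use_ssl else "ldap"  # assumption: ldaps:// when Use SSL is on
        return f"{scheme}://{self.primary_host}:{self.port}/{self.user_lookup_base or self.root}"
```

Run `validate()` before attempting a bind so that a Global Catalog server on port 389 is caught as a configuration error rather than surfacing later as an opaque request timeout.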