Configuring CA Harvest SCM to use external groups

Document ID : KB000039892
Last Modified Date : 14/02/2018

Introduction: 

CA Harvest SCM has the ability to create its own user groups and manage the memberships of those groups internally.  It also has the ability to leverage user groups and memberships already defined within your LDAP directory.  Harvest refers to groups defined in LDAP as "External" groups.  If you want to use "External" user groups you will need to provide Harvest with information about how to search for External groups within the LDAP directory and how to know which users are members of those groups.

NOTE: In order to be able to make use of External user groups, your Harvest server must already be configured to use the LDAP directory to authenticate some or all of the users of the Harvest software.  The configuration options described here will be added to your "HServer.arg" file.

Background:  

An LDAP directory is a database that can contain directory entries of many different types.  You might find information about users, user groups, computers, buildings, organizational units, and more.  These entries are organized in a tree structure.  In an over-simplified way it is similar in concept to a file and folder structure on a computer system.  

The configuration of the directory entries for different types of objects is flexible.  When the administrator designs a new LDAP directory he or she can choose which types of objects will be included, which fields are included for the different types of objects, and what types of data are stored in each of the fields.

When Harvest has a task to do that involves an External user group, it contacts the LDAP server using the parameters provided in the HServer.arg file, connects, and searches the LDAP directory for the entry associated with the user group name of interest.

Environment:  

CA Harvest SCM all versions, all platforms

Instructions: 

To configure CA Harvest SCM to make use of user groups defined on your LDAP server you will need to provide all of the following information:

-externalgroupenabled - Lets Harvest know whether external user groups will be used

This value is set to a numeric 0 or 1.  If the setting is 0 it means that Harvest will NOT be using external user groups.  If the setting is 1 it means that Harvest is able to use both internal and external user groups.

Example:

-externalgroupenabled=1

-ldapgrpfilter - When Harvest is looking for a specific group name in your LDAP server, this value will help to decide if the correct record has been found.

The LDAP group filter consists of one or more criteria.  If more than one criterion exists in the filter definition, they can be combined with logical AND or OR operators.  The logical operators are always placed in front of the operands (i.e. the criteria).  This is the so-called "Polish Notation" (prefix notation).

In the example below notice the part that is in angle brackets, "<cn>".  This is called a "placeholder" value.  When searching the LDAP directory, Harvest will substitute the name of the group it's looking for in that location.

Example:

-ldapgrpfilter=(&(objectclass=Group)(cn=<cn>))

The above filter states that as I look at each object in the LDAP server, if the "objectclass" field contains the word "Group" and if the "cn" field contains the name of the group I'm looking for, then I have found the right record.

-ldapattrusrgrpname - Lets Harvest know the name of the placeholder value (the value inside the angle-brackets) in the ldapgrpfilter field

Example:

-ldapattrusrgrpname=cn

-ldapattrusringrp - Lets Harvest know what field in an LDAP Group object's record will contain the list of users belonging to a selected user group

Each Group record in an LDAP directory will have a field containing a list of all users belonging to it.  This value will identify which field that is.

Example:

-ldapattrusringrp=member

-ldapattrgrpinusr - Lets Harvest know what field in an LDAP User object will contain the list of groups to which the selected user belongs

Each user record in an LDAP directory will have a field containing a list of the groups to which this user belongs.  This value will identify which field that is.

Example:

-ldapattrgrpinusr=member_of

When configuring Harvest to work with External user groups on your LDAP server, all these settings should be added to your HServer.arg file.
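The following Python script is an added example, not CA's code or part of this article, showing how the five settings above fit together: it parses an HServer.arg fragment built from the example values, substitutes the group name into the "<cn>" placeholder of -ldapgrpfilter (escaping it per RFC 4515, which is an assumption about good practice here rather than a statement of what Harvest does internally), and then reads the membership attributes named by -ldapattrusringrp and -ldapattrgrpinusr from a small in-memory stand-in for the LDAP directory.  The option names follow the setting headings above; the directory entries, DNs and group names are constructed sample data.

```python
"""Added example (not CA Harvest code): how the external-group settings in
HServer.arg fit together.  All sample data below is constructed."""

# Constructed HServer.arg fragment using the five settings from the article.
SAMPLE_HSERVER_ARG = """
-externalgroupenabled=1
-ldapgrpfilter=(&(objectclass=Group)(cn=<cn>))
-ldapattrusrgrpname=cn
-ldapattrusringrp=member
-ldapattrgrpinusr=member_of
"""

# Constructed stand-in for a few LDAP entries (attribute names lower-cased).
SAMPLE_DIRECTORY = [
    {"dn": "cn=developers,ou=groups,dc=example,dc=com",
     "objectclass": ["Group"], "cn": ["developers"],
     "member": ["cn=alice,ou=users,dc=example,dc=com",
                "cn=bob,ou=users,dc=example,dc=com"]},
    {"dn": "cn=alice,ou=users,dc=example,dc=com",
     "objectclass": ["User"], "cn": ["alice"],
     "member_of": ["cn=developers,ou=groups,dc=example,dc=com"]},
]

# RFC 4515 escapes for values embedded in a search filter.  Without them a
# group name containing '*' or ')' would change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it can be placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_hserver_args(text):
    """Parse '-name=value' lines into a dict; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-") and "=" in line:
            name, value = line[1:].split("=", 1)
            settings[name.strip()] = value.strip()
    return settings


def build_group_filter(settings, group_name):
    """Substitute the group name for the placeholder named by -ldapattrusrgrpname."""
    if settings.get("externalgroupenabled") != "1":
        raise ValueError("-externalgroupenabled is not 1; external groups are off")
    placeholder = "<%s>" % settings["ldapattrusrgrpname"]
    template = settings["ldapgrpfilter"]
    if placeholder not in template:
        raise ValueError("placeholder %s missing from -ldapgrpfilter" % placeholder)
    return template.replace(placeholder, escape_filter_value(group_name))


def filter_is_balanced(ldap_filter):
    """Sanity check that every '(' in the final filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def members_of_group(settings, directory, group_name):
    """Stand-in for the LDAP search: apply what the article's example filter
    expresses (objectclass=Group and cn=<group>) and read the attribute named
    by -ldapattrusringrp from the matching group entry."""
    attr = settings["ldapattrusringrp"]
    for entry in directory:
        if "Group" in entry.get("objectclass", []) and group_name in entry.get("cn", []):
            return list(entry.get(attr, []))
    return []


def groups_of_user(settings, directory, user_cn):
    """Read the attribute named by -ldapattrgrpinusr from the user's entry."""
    attr = settings["ldapattrgrpinusr"]
    for entry in directory:
        if "User" in entry.get("objectclass", []) and user_cn in entry.get("cn", []):
            return list(entry.get(attr, []))
    return []


if __name__ == "__main__":
    cfg = parse_hserver_args(SAMPLE_HSERVER_ARG)
    print(build_group_filter(cfg, "developers"))
    print(members_of_group(cfg, SAMPLE_DIRECTORY, "developers"))
    print(groups_of_user(cfg, SAMPLE_DIRECTORY, "alice"))
```

Running it with the constructed data yields the filter (&(objectclass=Group)(cn=developers)), the two member DNs of the "developers" group, and the single group DN listed in alice's member_of attribute.  The escaping step is the check worth keeping in mind: a group name containing filter metacharacters should never be able to widen the search.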

Additional Information:

NOTE: The example values above will most likely not be the same as the actual values you should use in your environment when configuring Harvest to work with your LDAP directory.  Please contact your LDAP Administrator to obtain the actual values that will work in your LDAP directory environment.