How to import LDAP users into Unified Self Service (USS)/Open Space without using Common Administrative Services

Document ID : KB000030143
Last Modified Date : 01/02/2019
Show Technical Document Details

CA Service Management's Common Administrative Services offering is the preferred approach to import LDAP users into CA Service Management (including CA Unified Self Service (USS)/CA Open Space). If there is no CA Service Catalog implementation, then importing LDAP users into Unified Self Service (USS)/Open Space can be done within the USS Control Panel.

This document outlines the method used to import users into CA Unified Self-Service 3.0 from an LDAP directory such as Active Directory.

Unified Self Service / Service Management 14.1 and higher
Access the USS Control Panel control panel as a tenant administrator.
Example: http://<Company_Host_Name>:8686/group/control_panel

Note: For a default tenant, login to the http://<CA_Open_Space_Server_Name>:8686/group/control_panel URL as the administrator.
1. Click Portal Settings, Authentication, LDAP.
2. Select Enabled and Import Enabled check boxes.

User-added image

3.                  Click Add to enter the LDAP details.

User-added image

4. Test the LDAP connection using the Test LDAP Connection button. You should see the following:
 User-added image
5. In USS Control panel, set the Authentication Search filter to '(&(objectCategory=person)(sAMAccountName=@screen_name@))' and the Import Search Filter to '(&(objectClass=User))'. 
6. Then map the LDAP user fields as in the following screenshot:
User-added image
Note: Authentication Search Filter is optional and is needed only if USS should authenticate with native LDAP Authentication. If not, say EEM authentication method is being used, then this step can be skipped.  The value of this field should be something like:

Note: For LDAP import to work successfully, UserPassword (or an equivalent) password storage attribute of the LDAP server needs to be specified in the above screen. If the LDAP configuration is in such a way that, the userPassword attribute is NOT stored on the same LDAP architecture but in some other location/application, then it is suggested to configure USS with EEM authentication.  EEM can be configured to authenticate to the above LDAP server and USS would then point to EEM for authenticating USS users.  This way, LDAP import is not needed.
7. Click the 'Test LDAP Users' button so it displays a subset of LDAP users. This is needed to ensure that the LDAP connectivity is good and also that the settings are correct. You should see something like the following:
User-added image
8. Save your changes
9. Now go to the USS server and edit the file \Program Files\CA\Self Service\OSOP\ and add the following parameters:
10. Change the value of 'scheduler.enabled' in \Program Files\CA\Self Service\OSOP\ from false to true and Save the file
11.  Restart the CA Unified Self-Service Server and CA Unified Self-Service Jetty Server services. 
Please note that the import doesn't happen as soon as the USS services are restarted. It depends on the value of the ldap.import.interval. In the above case it is set to 5 minutes. After approximately 5 minutes, check that the users have been imported in the Users and Organisations tab in the control panel.

Additional Information:
Note that CA Unified Self-Service will only import LDAP users that have an email address defined in their LDAP attributes. This is a LifeRay requirement.