This chapter describes the steps required for using the synchronized NT/LDAP group management method.
1. Enable the NT/LDAP authentication by selecting the Windows NT and/or LDAP options in the "Authentication method" sub-section of the QPR Foundation Server / General section in the QPR Configuration Manager.
•Either: In the User Management Client, create a new group that has the same name as that in the NT domain/LDAP server and to which you would like to grant access to a QPR product.
•Or: Create a group that will be a default user group for users imported from the NT domain or the LDAP server. There is no need to have a similarly named group in the NT domain/LDAP server.
•Open the QPR Configuration Manager utility
•Go to the QPR Foundation Server / General section
•Select "Synchronized with NT/LDAP" in the "User Group" sub-section.
•In the same sub-section, insert the new group's name into the Default User Group field.
3. For this group, select the appropriate access rights settings for each QPR product.
If the new group is named after an existing NT/LDAP group, the users of the corresponding group within the NT domain/LDAP server have access rights to those QPR products for which access was granted in step 3. If there is no corresponding group and the Default User Group setting has been defined, all new users will be added to the Default User Group when:
•Their login to a QPR product is successful (this requires that the default user group has rights to that product).
•They do not belong to an NT/LDAP group that exists in the User Management System and has rights to QPR products.
For users who belong to groups that have a similar name in both the NT domain/LDAP server and QPR UMS, the administrator can deny a user's access to the QPR product simply by removing the user from the group in the NT domain/LDAP server. No modifications need to be made within the QPR User Management System to do this. A user's rights are defined by the rights of the group the user is part of in the QPR User Management System. However, users in the default user group are never removed automatically, so those users must be removed manually from UMS.
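The following Python sketch models the group placement rules described above and lists default-group members that need manual removal. It is an added example, not QPR code; the function names, group names, product label and the dictionary layout of the UMS and directory data are all assumptions made for illustration.

```python
# Added illustration: a simplified model of the behaviour described in the
# text, not QPR code. All names and data layouts below are constructed.

def groups_after_login(directory_groups, ums_groups, default_group):
    """Return the UMS groups a user is placed in after a successful login.

    directory_groups: names of the user's NT/LDAP groups
    ums_groups: dict of UMS group name -> set of products it has rights to
    default_group: value of the Default User Group field, or None
    """
    # Same-named groups that exist in UMS and have product rights.
    matched = {g for g in directory_groups if ums_groups.get(g)}
    if matched:
        return matched
    # No matching group: fall back to the default group, provided one is
    # defined and it has rights (otherwise the login would not succeed).
    if default_group and ums_groups.get(default_group):
        return {default_group}
    return set()


def manual_removal_candidates(ums_members, default_group, directory_users):
    """Default-group members whose account is no longer in the directory.

    Removing a user from the directory does not remove them from the default
    group, so these entries have to be cleaned up by hand in UMS.
    """
    return sorted(ums_members.get(default_group, set()) - directory_users)


# Constructed sample data.
UMS_GROUPS = {"Finance": {"product-a"}, "QPR-Default": {"product-a"}}
UMS_MEMBERS = {"Finance": {"alice"}, "QPR-Default": {"bob", "carol"}}
DIRECTORY_USERS = {"alice", "bob"}  # carol's directory account was deleted

if __name__ == "__main__":
    print(groups_after_login(["Finance", "Staff"], UMS_GROUPS, "QPR-Default"))
    print(groups_after_login(["Staff"], UMS_GROUPS, "QPR-Default"))
    print(manual_removal_candidates(UMS_MEMBERS, "QPR-Default", DIRECTORY_USERS))
```
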
With LDAP you can also use synchronization between UMS and LDAP so that groups are kept in sync automatically. This means that whenever a user is added in LDAP to a group that also exists in QPR UMS, the user is added to QPR UMS during the next synchronization run without having to log into QPR products. In addition, updates to user details (full name, e-mail, telephone number, and description) made in LDAP are synchronized to QPR UMS during the next synchronization if the user exists in a similarly named group in both LDAP and QPR UMS. See the [UMS Settings] section in Appendix A for more details about the necessary configuration.
NOTE: If Synchronized NT/LDAP Group Management is used, the user is automatically either created in or transferred to the UMS group that has the same name as the user's NT/LDAP group, or to the default user group, when the user logs into a QPR product. If the user belongs to more than one NT/LDAP group and groups with the same names exist in UMS, the user is added to those groups in UMS.