Collecting LDAP information

This topic describes the information you need to collect, and the questions you need answered, in order to set up LDAP for Rational® ClearQuest®.

In many organizations the Rational ClearQuest administrator and the LDAP administrator are two different people. Use the questionnaire in Table 1 to collect the necessary information from your LDAP administrator. If your team uses MultiSite to replicate the Rational ClearQuest database set, complete this questionnaire for each site. To see how the example answers in Table 1 are used with the installutil subcommands to configure the database set for LDAP authentication, see LDAP configuration steps for Rational ClearQuest.

Table 1. LDAP information worksheet
Each entry lists the question, an example answer, and space for your answer.

A. What is the host name of the LDAP server? You can specify multiple hosts so that Rational ClearQuest attempts to connect to an alternate host if it cannot connect to the first one.
Example answer: 'ourldapserver.ourcompany.com altldapserver.ourcompany.com'
Your answer:

B. What is the TCP port number where the LDAP server listens for communications?
Example answer: 389
Your answer:

C. Does the LDAP server allow anonymous searches? If it does not, specify a service account that has sufficient privileges to allow Rational ClearQuest to search the directory for LDAP-authenticated Rational ClearQuest users (C1 and C2).
Example answer: No
Your answer:

C1. What is the distinguished name (DN) of the service account?
Example answer: cn=search_user,cn=Users,dc=cqldapmsft,dc=com
Your answer:

C2. What is the password of the service account?
Example answer: secret_password
Your answer:

D. What is the base DN from which to start searching for LDAP user directory entries that correspond to Rational ClearQuest users? The base DN must be high enough in the directory hierarchy to include all users that might need to be authenticated; however, a base DN that is too high in the hierarchy might slow login performance.
Example answer: ou=my_dept,dc=cqldapmsft,dc=com
Your answer:

E. What is the scope of the search from the base DN: sub (subtree); one (one level below); or base (base DN only)?
Example answer: sub
Your answer:

F. What is the LDAP attribute that is used to store the user entry login name values? Rational ClearQuest uses the text string entered in the Rational ClearQuest Login window to search the LDAP directory for a user entry whose LDAP attribute value matches the login name. This LDAP attribute must store unique values for all user entries that Rational ClearQuest searches. You also use this attribute in the answer to the next question.
Example answer: sAMAccountName
Your answer:

G. What is the LDAP search filter that Rational ClearQuest must use to select the LDAP user entry based on the attribute specified in the previous question? Use %login% as the user's login name; Rational ClearQuest substitutes the text string the user enters in the Rational ClearQuest login window.
Example answer: sAMAccountName=%login%
Your answer:

H. What is the LDAP attribute of the user entry to be used to map the user to a corresponding Rational ClearQuest user profile record? You can map an attribute to one of the following Rational ClearQuest user profile record fields: CQ_EMAIL, CQ_FULLNAME, CQ_LOGIN_NAME, CQ_MISC_INFO, or CQ_PHONE. The Rational ClearQuest administrator and LDAP administrator need to work together to determine this mapping.
Example answer: sAMAccountName
Your answer:

I. What is the login name of a user entry that can be used to validate that Rational ClearQuest can correctly authenticate a user against the LDAP directory? This can be a test account or an actual user account.
Example answer: test_user
Your answer:

J. What is the password for the user entry specified in the previous question?
Example answer: test_pwd
Your answer:
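
One way to check a completed worksheet before using its answers, as an added example that is not IBM's or Rational ClearQuest's own code: the Python below checks the Table 1 answers for consistency and shows the question G filter with %login% substituted. The function names, the simplified host and DN patterns, and the RFC 4515 escaping in render_filter are assumptions of this example; the page does not describe how Rational ClearQuest treats special characters in a login name.

```python
import re

# Example answers from Table 1, keyed by question letter (the page's sample values).
WORKSHEET = {
    "A": "ourldapserver.ourcompany.com altldapserver.ourcompany.com",
    "B": "389", "C": "No",
    "C1": "cn=search_user,cn=Users,dc=cqldapmsft,dc=com",
    "C2": "secret_password", "D": "ou=my_dept,dc=cqldapmsft,dc=com",
    "E": "sub", "F": "sAMAccountName", "G": "sAMAccountName=%login%",
    "H": "sAMAccountName", "I": "test_user", "J": "test_pwd",
}

# Simplified shapes (assumptions): attr=value pairs without escaped commas; plain DNS labels.
DN_RE = re.compile(r"[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*")
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")
# RFC 4515 escapes for characters that have meaning inside a search filter.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def check_worksheet(ws):
    """Return a list of problems found in the worksheet answers (empty if none)."""
    problems = []
    hosts = ws.get("A", "").split()
    if not hosts or not all(HOST_RE.fullmatch(h) for h in hosts):
        problems.append("A: need one or more valid host names")
    if not (ws.get("B", "").isdecimal() and 1 <= int(ws["B"]) <= 65535):
        problems.append("B: port must be 1-65535")
    if ws.get("C", "").lower() == "no":  # no anonymous search: C1 and C2 are required
        if not DN_RE.fullmatch(ws.get("C1", "")):
            problems.append("C1: service account DN required")
        if not ws.get("C2"):
            problems.append("C2: service account password required")
    if not DN_RE.fullmatch(ws.get("D", "")):
        problems.append("D: base DN is not a valid DN")
    if ws.get("E") not in ("sub", "one", "base"):
        problems.append("E: scope must be sub, one or base")
    flt = ws.get("G", "")
    if "%login%" not in flt or ws.get("F", "\0") + "=" not in flt:
        problems.append("G: filter must test attribute F against %login%")
    for key in ("F", "H", "I", "J"):
        if not ws.get(key):
            problems.append(key + ": answer missing")
    return problems


def render_filter(template, login):
    """Substitute %login% into the filter, escaping the login per RFC 4515."""
    escaped = "".join(FILTER_ESCAPES.get(ch, ch) for ch in login)
    return template.replace("%login%", escaped)
```

The rendered filter, together with the base DN (D) and scope (E), is what you can hand to an independent LDAP client to confirm that the test login from question I matches exactly one entry.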