Configuring the Lightweight Directory Access Protocol (LDAP) settings

Configuring the Lightweight Directory Access Protocol (LDAP) security for HCL Quality Server works the same way as for Active Directory, except that the LDAP configuration involves setting a few additional properties.

Editing the security.config file

The security.config file is found in the security folder in the HCL Quality Server workspace.
  • On Windows systems, the folder is typically at C:\HCL\HQS-Workspace\security.
  • On Unix-like systems, the folder is typically at /var/hqs/security.
Keep in mind the following guidelines while editing the security.config file:
  • If the backslash character "\" needs to be used in any property value, escape it with another backslash character: "\\". For example, if the value is C:\XYZ, specify it as C:\\XYZ.
  • Optional: If any of the characters "=", ":", "#", or "!" is used in a property value, escape it with a backslash.
  • Set the credentialsStore property to LDAP.
Property Description
Name in the IBM Installation Manager GUI Name in the security.config file  
user filter userFilter User filter. The {0} placeholder will be replaced with the user name of the user that you are trying to authenticate. This is used to locate users within the LDAP server.
user group filter userGroupFilter User Group filter. The {0} placeholder will be replaced with the Distinguished Name (DN) of the user that you are trying to authenticate. This filter returns the groups of which the user is a member.
group filter parentGroupFilter Group filter. Used for recursive retrieval of parent groups of the user groups. This property is different from its Active Directory equivalent and has a different property name.
group id attribute groupIdentifier Group identification attribute. This value is used to get the group's name for mapping groups to roles. Do not use Distinguished and partially qualified names (DNs).
url url The address of the LDAP server.
admin user adminuser An LDAP user with group query permissions. The user name should be a distinguished name (DN).
group search base searchBase The location where the directory group searches should begin. For example, dc=mycompany,dc=local.
user search base userSeachBase The location where the directory user searches should begin. Leave this property blank if this is the same as the group search-base.
For information about the other properties, see Configuring the Active Directory settings.
Note: For users to be able to log in, the following conditions must be met:
  • The user's LDAP entry must exist within the user search base; that is, the user's LDAP Distinguished Name must end with the user search base.
  • The user must either be in an LDAP group that has been assigned the user role, or be in an LDAP group that has been assigned the admin role.
Sample: security.config file with Lightweight Directory Access Protocol settings
#RTCP security configuration
#Fri Jan 16 14:41:04 GMT 2015
allGroupsFilter=(objectClass\=groupOfUniqueNames)
url=ldap\://localhost\:11589
searchBase=dc\=example,dc\=com
groupMappings=admingroup\=admin,admingroup\=user,usergroup\=user,
adminuser=Cn\=root
parentGroupFilter=(objectClass\=groupOfUniqueNames)
adminpassword=\#com.ghc.1\!c310E357A2EB7262116255340CB26A
credentialsStore=LDAP
groupIdentifier=cn
userGroupFilter=(&(objectClass\=groupOfUniqueNames)(uniqueMember\={0}))
userFilter=(&(objectClass\=person)(cn\={0}))
userSearchBase=dc\=example,dc\=com
Note: The searchBase parameter is used for group search.
Feedback