the list of members of the group) from the remote database. This means that if you modify the membership of the group by adding new users, or deleting users from the group, those changes will not appear in Cornerstone until the Group Cache Life value has expired and Cornerstone can reload that information. Therefore, if you have a dynamic system where the users/groups change frequently, set the Group Cache Life value to a short value, such as 300 seconds (5 minutes). The same applies to the User Cache Life setting. If you make a change to a user account in the back-end authentication server, these changes will not appear in Cornerstone until the User Cache Life value has expired on that user account. The exception to the rule is the user's password. Cornerstone MFT never caches user passwords, so any changes to the user's password in the Active Directory user database will take effect immediately.

Warning: Avoid setting the Cache Life values too small. If you set the values too small, performance could degrade because Cornerstone will be spending too much time flushing and reloading the user/group information from the authentication server.

If you add and delete users frequently, change the Group Cache to 300 seconds.

6. Type your Groups Base DN, Group Category Filter, Group Class Filter, Users Base DN, User Category Filter and User Class Filter.* To use paged search, be sure that the check box is checked. Click the Advanced** button for additional configuration options.
When you are finished, click Next.

*Cornerstone MFT needs to be configured with the proper search strings in order to locate user and group information in LDAP. For most LDAP installations, the default values can be used and will return the proper user and group information from LDAP. However, there are some instances where these values may need to be enhanced to allow Cornerstone MFT to find the user information in LDAP.

Group/User Base DN—These values specify the LDAP search string(s) necessary to search the various trees/paths in LDAP. By default, Cornerstone MFT will search under the Users and BuiltIn paths of LDAP. Since these paths are sub-paths under the Domain that you specified in step 6, the full Distinguished Name (DN) for the search path needs to include the parent domain. To search the USERS path, the DN needs to be "CN=Users,DC=SRT". If the domain name that you specified was "XYZ.COM", then the DN would be "CN=Users,DC=XYZ,DC=COM". Since Cornerstone MFT will search multiple paths, each path is separated with a semicolon. The complete entry to search both Users and BuiltIn is "CN=Users,DC=SRT;CN=BuiltIn,DC=SRT".

Using LDAP Authentication | Revised: May, 2013 | © 2013 South River Technologies, Inc. | 5
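The Base DN rules above (domain name turned into DC components, one path per container, paths separated by semicolons) written out as a small builder and checker. This is an added example, not South River Technologies code; the `OU=` acceptance and the sample domains are assumptions, and the wizard itself does no such validation as far as the manual states.

```python
# Added example (not South River Technologies code): build and check the
# semicolon-separated Base DN strings described above. The domain and
# container names used in the tests are constructed sample values.
import re

# One RDN such as "CN=Users" or "DC=XYZ". The manual's examples use CN and DC;
# accepting OU as well is an assumption, not something the manual states.
_RDN = re.compile(r"^(CN|OU|DC)=[^,;=]+$", re.IGNORECASE)


def domain_to_dn(domain: str) -> str:
    """Turn a DNS-style domain ("XYZ.COM") into DC components ("DC=XYZ,DC=COM")."""
    labels = [label for label in domain.strip().split(".") if label]
    if not labels:
        raise ValueError("domain name must contain at least one label")
    return ",".join(f"DC={label}" for label in labels)


def build_base_dn(domain: str, containers=("CN=Users", "CN=BuiltIn")) -> str:
    """Join each container RDN with the parent domain and separate the paths
    with semicolons, e.g. "CN=Users,DC=XYZ,DC=COM;CN=BuiltIn,DC=XYZ,DC=COM"."""
    suffix = domain_to_dn(domain)
    for rdn in containers:
        if not _RDN.match(rdn):
            raise ValueError(f"bad container RDN: {rdn!r}")
    return ";".join(f"{rdn},{suffix}" for rdn in containers)


def check_base_dn(entry: str, domain: str) -> list:
    """Validate a Base DN entry typed into the wizard. Returns the problems
    found (empty list means OK): malformed RDNs, stray semicolons, or paths
    that omit the parent domain, a common reason the user is not found."""
    problems = []
    suffix = domain_to_dn(domain).lower()
    for path in entry.split(";"):
        path = path.strip()
        if not path:
            problems.append("empty search path (stray semicolon)")
            continue
        rdns = [r.strip() for r in path.split(",")]
        bad = [r for r in rdns if not _RDN.match(r)]
        if bad:
            problems.append(f"malformed RDN(s) {bad} in {path!r}")
        low = path.lower()
        if not (low == suffix or low.endswith("," + suffix)):
            problems.append(f"{path!r} does not end with parent domain {suffix}")
    return problems
```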
Group/User Category—These values are used to filter out certain categories of users and groups. In general you will want to include all users and groups, so this value should remain as an asterisk.

Group/User Class Filter—These values are used to filter out certain classes of users and groups. Multiple classes should be separated by semicolons.

**If you wish to configure Advanced User and Group Attributes, type your information and then click OK. You will then click Next to test your settings.

7. Click Test* to test the configuration and ensure that you are able to communicate with the User Authentication Server.

*If this process fails, the most common reason is that either the LDAP Domain Name is not specified correctly, or the LDAP Server Name is not accessible. Click the Back button to return to previous pages and adjust the values.

If Cornerstone MFT can successfully communicate with the LDAP Authentication database, the message that displays is Success. Click OK. (If an error is displayed, Cornerstone was not able to connect to the server.)

8. After Cornerstone MFT successfully connects to the database, Cornerstone will attempt to generate a list of groups. Click Yes to test the generation of a list of groups.
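The Group Cache Life behaviour described before step 6, modelled so the consequence is visible: a user removed from a group in the directory is still treated as a member until the cache entry expires, while a password change is honoured at once because passwords are never cached. This is an added example, not Cornerstone's implementation; the directory contents, group name and clock are constructed for the demonstration.

```python
# Added example (not South River Technologies code): a minimal model of the
# Group Cache Life behaviour described before step 6. The directory, users
# and clock are constructed for the demonstration.

class Directory:
    """Stand-in for the back-end LDAP/AD server."""
    def __init__(self):
        self.groups = {"Admins": {"alice", "bob"}}
        self.passwords = {"alice": "old-secret", "bob": "hunter2"}

    def members(self, group):
        return set(self.groups.get(group, set()))

    def check_password(self, user, password):
        return self.passwords.get(user) == password


class GroupCache:
    """Caches group membership for cache_life seconds; never caches passwords."""
    def __init__(self, directory, cache_life, clock):
        self.directory, self.cache_life, self.clock = directory, cache_life, clock
        self._entries = {}  # group -> (members, loaded_at)
        self.reloads = 0    # how often the server was asked to reload

    def is_member(self, user, group):
        now = self.clock()
        entry = self._entries.get(group)
        if entry is None or now - entry[1] >= self.cache_life:
            self._entries[group] = (self.directory.members(group), now)
            self.reloads += 1
        return user in self._entries[group][0]

    def authenticate(self, user, password):
        # Passwords always go to the directory, so a password change is immediate.
        return self.directory.check_password(user, password)


def demo(cache_life=300):
    """Return (bob_still_member_before_expiry, after_expiry, old_password_accepted)."""
    clock = [0.0]
    d = Directory()
    cache = GroupCache(d, cache_life, clock=lambda: clock[0])
    cache.is_member("bob", "Admins")            # first lookup loads the group
    d.groups["Admins"].discard("bob")           # admin removes bob from the group
    d.passwords["alice"] = "new-secret"         # alice's password is changed
    stale = cache.is_member("bob", "Admins")    # True: cache not yet expired
    pw_old = cache.authenticate("alice", "old-secret")  # False: passwords not cached
    clock[0] += cache_life                      # Group Cache Life expires
    return stale, cache.is_member("bob", "Admins"), pw_old
```

The `reloads` counter is the load side of the trade-off the warning describes: within one cache life, repeated membership checks cost a single directory query.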