Searching the Help
To search for information in the Help, type a word or phrase in the Search box. When you enter a group of words, OR is inferred. You can use Boolean operators to refine your search.
Results returned are case insensitive. However, results ranking takes case into account and assigns higher scores to case matches. Therefore, a search for "cats" followed by a search for "Cats" would return the same number of Help topics, but the order in which the topics are listed would be different.

Search for | Example | Results |
---|---|---|
A single word | cat
|
Topics that contain the word "cat". You will also find its grammatical variations, such as "cats". |
A phrase. You can specify that the search results contain a specific phrase. |
"cat food" (quotation marks) |
Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase. |

Search for | Operator | Example |
---|---|---|
Two or more words in the same topic |
|
|
Either word in a topic |
|
|
Topics that do not contain a specific word or phrase |
|
|
Topics that contain one string and do not contain another | ^ (caret) |
cat ^ mouse
|
A combination of search types | ( ) parentheses |
|
LDAP Authentication and Mappings
Automatic user creation from LDAP servers and mapping groups in BVD simplifies the user management process for administrators as authentication is performed through the LDAP server.
Learn More

You can use an external LDAP server to store user information (user names and passwords) for authentication purposes, instead of using the internal BVD service. You can manually create BVD users and LDAP users, and use LDAP servers to automatically create LDAP users in BVD and map LDAP groups to groups in BVD.
For optimal performance, it is recommended that LDAP servers be in the same subnet as the BVD server.
For optimal security, it is recommended to either configure a TLS connection between the BVD server and the LDAP server, or to have the BVD server and the LDAP servers on the same secure internal network segment. Authentication is performed by the LDAP server, and authorization is handled by the BVD server.
You configure the LDAP server for authentication and automatic user creation using the BVD configuration wizard. For details, see How to Configure the Connection to the LDAP Server.

BVD users can automatically get all permissions that are assigned to BVD groups when a mapping between the LDAP groups and the BVD groups has been previously established. When the user logs in the first time, the LDAP group is used to identify the mapped BVD group. The user then automatically gets all permissions that are assigned to the group.
LDAP users who do not yet exist in BVD, are created as BVD users. Their permissions are determined as follows:
-
If the users belong to a mapped LDAP group, they automatically get the permissions assigned to the BVD group that is mapped to their LDAP group, as set in BVD User Management.
-
If their group is not mapped to a BVD group, or if they do not belong to an LDAP group, they are created as a BVD user with no group mapping and therefore no permissions. Login of such users to BVD is successful but no dashboards are visible in BVD due to the missing permissions.
If users are moved between LDAP groups mapped to BVD groups, their permissions change according to the roles assigned to the mapped BVD groups.

The following section contains overviews of user management processes when LDAP is enabled:

-
The BVD administrator uses the BVD configuration wizard to configure an LDAP server connection and enable automatic creation of users. In addition, the BVD administrator maps BVD groups to LDAP groups in BVD User Management.
-
The BVD user logs on to BVD with their login name or email address and their company password (defined in the LDAP server). The domain name is the unique identifier of an LDAP connection.
-
The BVD server authenticates the user with the LDAP server, creates the user, gets the group membership from the LDAP server and identifies the corresponding BVD groups that have been mapped.
Note When setting up LDAP configurations in BVD, ensure that no local BVD user exists that has the same login name as the unique ID attribute (for example, sAMAccountName
or email
) of an LDAP user. If such a local user already exists, the LDAP user will not be automatically created and will not be able to log in to BVD.

-
The BVD administrator uses the BVD configuration wizard to configure an LDAP server connection and to disable automatic creation of users. In addition, no BVD groups are mapped to LDAP groups in BVD User Management.
The BVD administrator creates a new user with the LDAP User check box selected and with the unique identifier as the login name (or any other unique LDAP ID that has been configured), manually assigns roles to the user, and places them in groups.
-
The LDAP or BVD-LDAP user logs in to BVD with their domain name and/or email address as the login name and their company password (defined in the LDAP server).
-
The BVD server authenticates the user against the LDAP server.

-
Mixed mode is enabled by default in the BVD configuration wizard
-
The BVD administrator configures an LDAP server connection and optionally enables automatic creation of users.
-
A BVD user logs in to BVD. An LDAP user logs in to BVD.
-
BVD authenticates the users against LDAP and, if this is not successful, against BVD. With mixed mode disabled, BVD users that are not flagged as LDAP users are not able to log in to BVD.
Note Mixed mode authentication can be disabled for hardening purposes in the BVD configuration wizard, either when configuring BVD for the first time or when reconfiguring BVD. When you disable mixed mode during the initial configuration of BVD, the built-in super-admin is created as LDAP user. When you disable mixed mode after the initial configuration, the built-in super-admin is authenticated against BVD (you can manually create additional LDAP super-admins).
When you disable mixed mode after the initial configuration of BVD, the super-admin built into BVD becomes an LDAP user and the configuration tries to authenticate this user against the LDAP server. Therefore, you must make sure that the name and password that are specified for the Administrator in the configuration wizard exist on the LDAP server; if not, the configuration will fail.

To view LDAP users in BVD, click Manage Users on the main BVD User Management page. LDAP users are marked by the icon.

To log into BVD, an LDAP user must match the values of the Root Entry for User Search settings defined in the BVD configuration wizard.
Any new LDAP user who satisfies the users search filter and authenticates successfully with the LDAP password will be created as a BVD user on first login. Ask your LDAP administrator to help you narrow down the filter definition so that only appropriate users can gain access to BVD.

Users that have been removed from the LDAP server are still displayed as BVD users, even though they are no longer registered as LDAP users and cannot log in to BVD.

If you configured LDAP in OMi, you will notice there are differences between the LDAP properties in OMi and BVD. Because BVD and OMi use different libraries, the wording of the properties is not always the same.
See the following table to map the OMi LDAP properties to the BVD LDAP properties from the configuration wizard or the silent configuration file.
OMi LDAP Property | BVD Configuration Wizard | BVD Silent Configuration |
---|---|---|
LDAP Server URL Example ldap://192.168.
|
Combination of the URL and the Distinguished Name (DN) of the Root Entry for User Search |
Combination of url and searchBase Example
searchBase=CN=
|
Unique domain | LDAP Domain | domain |
Distinguished Name of Search-Entitled User | Distinguished Name (DN) of the User Entitled to Search LDAP | bindDn |
Password for Search-Entitled User | Password of the User Entitled to Search LDAP | bindCredentials |
Users filter | Search Filter for the Root Entry for User Search | searchFilter |
Groups base DN | Distinguished Name (DN) for the Root Entry for Group Search | groupSearchBase |
Groups search filter | Search Filter for the Root Entry for Group Search | groupSearchFilter |
No equivalent in OMi Note In most LDAP environments, these properties can use the default value |
Identifying Properties for Users and Groups | For users bindProperty, for groups groupDnProperty |
Tasks

You configure the LDAP server for authentication and automatic user creation using the BVD configuration wizard:
-
Start the configuration wizard by running the following command:
Windows:
<BVD_Install_Dir>\BVD\bin\configure.bat
Linux:
/opt/HP/BVD/bin/configure.sh
- In a browser, enter the URL:
http://localhost:5000
Note
localhost:5000
uses the default port5000
. If this port is already in use, follow the instructions displayed in the command line to identify the correct URL. - Enter the password for the configuration wizard and click Submit.
-
Navigate to the step LDAP, click Use LDAP and complete the following settings:
-
LDAP Domain
-
Specify the LDAP domain used to uniquely identify the LDAP server connection.
Example
If you specify
emea
, users will be able to log in to BVD in the formatemea\janedoe
.Alternatively, users can log in using the mail address format, for example,
jane.doe@example.com
. In the case of email addresses, the domain suffix (example.com
) has to be chosen as the unique domain name. -
URL
-
The URL to the LDAP server including the port number. The URL defines whether an LDAP or LDAPS connection is established.
The required format is:
ldap(s)://<LDAP_FQDN>:<port>
LDAP servers typically use port 389 or secure port 636.
If an LDAPS URL is specified, provide the server's CA certificates in LDAPS CAs. You can also choose to use LDAPS without certificates by disabling Verify Server Certificate.
Example
ldap://192.0.2.24:389
-
Verify Server Certificate
-
The LDAP server certificate is verified against the trusted CA certificates that are uploaded in LDAPS CAs.
-
LDAPS CAs
This setting is only required if the secure LDAP (LDAPS) protocol is used for communication with the LDAP server. Upload trusted CA certificate files. The certificate files must be PEM-encoded.
Example
/tmp/ca1_certificate.crt
-
Mixed Mode
-
When selected, both LDAP users and local users can log into BVD. Otherwise only LDAP users are able to log in.
-
Auto Create User
-
When selected, BVD automatically creates a user for every LDAP user when the user logs into BVD with correct credentials for the first time. When not selected, an LDAP user can only log into BVD when created manually in BVD User Management.
-
User Entitled to Search LDAP
-
Define the Distinguished Name (DN) and password of a user with search privileges on the LDAP directory server.
Note Some LDAP servers allow anonymous search.
Example
CN=Administrator,CN=Users,DC=hpe,DC=com
-
Root Entry for User Search
Specify the root entry for your LDAP user search.
-
Distinguished Name (DN)
The Distinguished Name (DN) of the LDAP entity from which you want to start your user search.
Example
CN=Users,DC=omi,DC=hpe,DC=com
-
Search Filter
Enter the relevant parameters to indicate which attributes are to be included in the user search.
Note
You must use the literal
{{username}}
to search for the given login name.BVD by default uses the
??sub
scope; other scopes are not supported.Example
(cn={{username}})
(sAMAccountName={{username}})
-
Root Entry for Group Search
Specify the root entry for your LDAP group search.
-
Distinguished Name (DN)
The Distinguished Name (DN) of the LDAP entity from which you want to start your group search.
Example
groupSearchBase=CN=Groups,DC=hpe,DC=com
-
Search Filter
Enter the relevant parameters to indicate which attributes are to be included in the group search.
You can configure the search attribute in the Identifying Properties For Group setting.
Note
-
You must use the literal
{{dn}}
to search for group members with a given distinguished name. -
You can search for group members that are part of one out of two groups by using nested queries (see second example).
-
BVD does not support dynamic LDAP groups. Dynamic groups are therefore ignored in groups search.
Examples
(member={{dn}})
(member=(&(objectCategory=Person)(userPrincipalName={{username}})(|(memberOf=slk-Admin,OU=Groups,OU=slk-Acc,DC=slka,DC=slkb,DC=slkc)(memberOf=cn=slk-Viewer,OU=Groups,OU=slk-Acc,DC=slka,DC=slkb,DC=slkc)))
-
-
Identifying Properties
Specify the LDAP properties to use when authenticating users or group members in the LDAP search.
-
For User
Optional. When an LDAP user tries to log on, the search-entitled user specified in User Entitled to Search LDAP searches the LDAP server entities for that user. When found, the user is authenticated against LDAP based on one of the user's LDAP properties, by default the distinguished name. You can use this option to specify another user property to use for authentication (for example,
sAMAccountName
oremail
). -
For Group
Optional. By default, the distinguished name is used to identify users in groups. You can use this setting to specify other properties.
-
-
Click Next until you arrive at the Summary page. Review the configuration settings, then click Download to download your settings as configuration file or Apply to start the configuration.

-
LDAP must be configured in the BVD configuration wizard as described in How to Configure the Connection to the LDAP Server.
Make sure the Root Entry for Group Search settings are configured.
-
Open User Management in BVD:
Administration > User Management
-
Click the Manage Groups button and select the group you want to edit or create a new group.
-
In the properties section of the selected group, search for and assign LDAP groups in the Mapped LDAP groups field as required. When done, save the group.
Note Although dynamic groups can be selected, they are not supported by BVD and therefore ignored in groups search.