Versions Compared

Old Version 2

changes.mady.by.user Yeok Hong Ng

Saved on

compared with

New Version Current

changes.mady.by.user Kevin Wu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

User authentication is by default performed in Image Removedin MediationZone. As an alternative, you can connect Image Removed to connect to an external LDAP directory for delegated authentication. This facilitates automation of administrative tasks such as creation of users and assigning access groups.

...

Users that are already included in the Access Controller's Users Tab can still login to the system even when the LDAP Server is down.

Note
title

Note!

User created using the Users Tab in Access Controller will not be impacted nor will they have an impact on external authentication servers. 

Note

...

Note!

LDAP users will not appear in Access Controller Users Tab.

LDAP Authentication Preparations

...

The LDAP directory that is used for authentication must conform to the following requirements:

  1. The cn attribute of group entries must match an access group defined in

...

  1. the system.
     

    Note
    titleNote!

    The platform performs case sensitive comparisons of the cn attributes and access groups. 


  2.  For each user in a group entry, the memberUid attribute must be set.

  3.  All group entries must belong to the object class posixGroup.

  4.  All user entries must belong to the objectclass posixAccount

  5. The username must be unique. It cannot duplicate a username that already exists in

...

  1. the system.

title
Note

Note!

If a user requires administration rights, they must be added to the Administrator access group, which is a default access group in Image Removed, and you . You must create a group named Administrator in the LDAP directory.

...

The following steps are required before configuration of authentication with LDAPS or LDAP over TLS:

  1.  Obtain the server certificate for the authentication server from your LDAP administrator.
     

  2.  Start a command shell and copy the server certificate to the platform host.
     

  3.  Change directory to $JAVA_HOME/lib/security on the platform host.
     

  4.  Install the server certificate using the Java keytool command:

    Code Block
    languagetext

...

  1. keytool -import -file <certificate> -keystore cacerts

Active Directory Important Information

...

The LDAP directory that is used for authentication must conform to the following requirements:

  1. All user entries must belong to the objectclass user .

  2. User's groups have to be provided via memberOf attribute.

  3. User's login has to be provided via samaccountname attribute.

  4. The username must be unique. It cannot duplicate a username that already exists in

...

  1. the System.

LDAP Configuration

Select LDAP in Authentication Method dropdown list in the Access Controller Advanced tab.

...

Access Controller - Advanced tab with LDAP Authentication example


Setting

Description

Authentication Method

Select the authentication method to be used. The following settings are available:

  • Default

  • LDAP

The default setting is authentication performed

by Image Removed

by MediationZone.

The selected authentication method becomes effective when the configuration is saved.

Note
title

Note!

Authentication for the user mzadmin is always performed

by Image Removed

by MediationZone regardless of the selected authentication method. 

URL

Enter the URL for the external authentication server. The default ports, 389 for LDAP and 686 for LDAPS, are used unless other ports are specified in the URL.

Info
title

Example of LDAP URL

ldap://ldap.example.com:389

Info

title

Example of LDAPS URL

ldaps://ldap.example.com:636

Test Connection

Click this button to test the connection to the authentication server. LDAP attributes and other settings than the URL are not used when testing the connection.

User Base DN

Enter the LDAP attributes for user lookups in the external authentication server. The substring %s in this value will be replaced with the username entered at login to produce an identifier that is passed to the LDAP server.

Info
title

Example of User Base DN

uid=%s,ou=users,dc=digitalroute,dc=com

Group Base DN

Enter the LDAP attributes for group lookups in the external authentication server.

Info
title

Example of Group Base DN

ou=groups,dc=digitalroute,dc=com

Info

Note

: The

The name of the groups created in LDAP Server must be identical to the names configured in Access Controller Access Groups tab.


Use TLS

Select this check box to enable Transport Layer Security.

Note
title

Note!

The following must be considered when using TLS:

  • LDAPS and TLS is not a valid combination.

  • The URL must contain a fully qualified DNS name or the authentication will fail.

  • The default LDAP port, 389, should be used.

Use Active Directory  Naming

Select this check box if you want to use Active directory specific naming.

Enable Group Search Bind Credentials

Select this check box if you want to enable group search. You must also populate the Bind DN and Password fields. If you want to run an anonymous lookup, leave this check box empty.

Bind DN

If you want to use a specific Bind DN to search for the group, enter the Bind DN.

Password

If you want to use a specific Bind DN to search for the group, enter the password to connect LDAP Server.