LDAP Authentication(4.3)
User authentication is by default performed in . As an alternative, you can connect to an external LDAP directory for delegated authentication. This facilitates automation of administrative tasks such as creation of users and assigning access groups.
When you create a new user in the Access Controller Users tab, the system will verify against the LDAP Server to make sure that the new user name does not already exist in the LDAP Server. If the LDAP Server is down, you will not be able to create or edit any LDAP users in Users tab.
Users that are already included in the Access Controller's Users Tab can still login to the system even when the LDAP Server is down.
Note!
User created using the Users Tab in Access Controller will not be impacted nor will they have an impact on external authentication servers.
Note!
LDAP users will not appear in Access Controller Users Tab.
LDAP Authentication Preparations
Directory Structure
The LDAP directory that is used for authentication must conform to the following requirements:
The
cn
attribute of group entries must match an access group defined in .
Note!
performs case sensitive comparisons of the cn attributes and access groups.
- For each user in a group entry, the
memberUid
attribute must be set. - All group entries must belong to the object class
posixGroup
. All user entries must belong to the objectclass
posixAccount
.The username must be unique. It cannot duplicate a username that already exists in .
Note!
If a user requires administration rights, they must be added to the Administrator access group, which is a default access group in , and you must create a group named Administrator in the LDAP directory.
Secure Access
The following steps are required before configuration of authentication with LDAPS or LDAP over TLS:
- Obtain the server certificate for the authentication server from your LDAP administrator.
- Start a command shell and copy the server certificate to the platform host.
- Change directory to
$JAVA_HOME/lib/security
on the platform host.
Install the server certificate using the Java keytool command:
keytool -import -file <certificate> -keystore cacerts
Active Directory Important Information
Directory Structure
The LDAP directory that is used for authentication must conform to the following requirements:
All user entries must belong to the
objectclass
user .User's groups have to be provided via
memberOf
attribute.User's login has to be provided via
samaccountname
attribute.The username must be unique. It cannot duplicate a username that already exists in .
LDAP Configuration
Select LDAP in Authentication Method dropdown list in the Desktop Online Access Controller Advanced tab or Desktop Client Access Controller Advanced tab.
Desktop online Access Controller - Advanced tab with LDAP Authentication example
Setting | Description |
---|---|
Authentication Method | Select the authentication method to be used. The following settings are available:
The default setting is authentication performed by . Note! Authentication for the user mzadmin is always performed by regardless of the selected authentication method. |
URL | Enter the URL for the external authentication server. The default ports, 389 for LDAP and 686 for LDAPS, are used unless other ports are specified in the URL. Example of LDAP URL ldap://ldap.example.com:389 Example of LDAPS URL ldaps://ldap.example.com:636 |
Test Connection | Click this button to test the connection to the authentication server. LDAP attributes and other settings than the URL are not used when testing the connection. |
User Base DN | Enter the LDAP attributes for user lookups in the external authentication server. The substring %s in this value will be replaced with the username entered at login to produce an identifier that is passed to the LDAP server. Example of User Base DN uid=%s,ou=users,dc=digitalroute,dc=com |
Group Base DN | Enter the LDAP attributes for group lookups in the external authentication server. Example of Group Base DN ou=groups,dc=digitalroute,dc=com Note: The name of the groups created in LDAP Server must be identical to the names configured in Access Controller Access Groups tab. |
Use TLS | Select this check box to enable Transport Layer Security. Note! The following must be considered when using TLS:
|
Use Active Directory Naming | Select this check box if you want to use Active directory specific naming. |
Enable Group Search Bind Credentials | Select this check box if you want to enable group search. You must also populate the Bind DN and Password fields. If you want to run an anonymous lookup, leave this check box empty. |
Bind DN | If you want to use a specific Bind DN to search for the group, enter the Bind DN. |
Password | If you want to use a specific Bind DN to search for the group, enter the password to connect LDAP Server. |