LDAP Authentication


Definition

LDAP (Lightweight Directory Access Protocol) is a TCP/IP protocol used to query a corporate directory. Applications use it to authenticate users against that directory.


Note: Authentication can be performed via:

  • Service Manager: Internal user authentication using the user's app login and password.
  • The corporate SSO system, e.g. SAML, CAS, ADFS.

General remarks on authentication and authorizations

  • Three methods of authentication are available in Service Manager:
    • SSO: Users are authenticated via the SSO system. Service Manager supports the standard versions of SAML v2, CAS 2.0 and ADFS.
    • LDAP: A read-only account is used to read and browse corporate LDAP directories and to validate user authentication information.
    • Service Manager internal authentication: Service Manager has its own internal user account database.
  • Each method can be enabled or disabled at any time during the project and can be combined with one or more other authentication methods.

Order of authentication methods

  • When SSO is enabled, it becomes the default authentication method.
  • To use LDAP or proprietary authentication instead, the URL https://site/index.php can be called directly; which method then applies depends on the enabled authentication methods:
    • LDAP: authentication is performed using a login and password checked against the corporate directories
    • Proprietary authentication: users are retrieved from the corporate directory based on their login and password

Methods for configuring LDAP authentication

You can configure LDAP authentication in two ways:

  • Via the SMOAuthService service that enables you to:
    • Manage multiple directories
    • Modify the configuration without restarting the entire platform

Note: The service does not manage authorizations. This is managed by Service Manager.

  • Via Service Manager that enables you to:
    • Configure LDAP authentication only for one directory
    • Manage authorizations in the directory only for connections via LDAP

Notes

  • Irrespective of the LDAP authentication method used, you define and manage authorizations via user profiles and domains in Service Manager. These must first be declared and configured in Service Manager.
  • The management of authorizations can be delegated to LDAP only if:
    • The LDAP directory is fully configured via the Service Manager interface
    • Only one LDAP directory is queried
    • Authorizations are not managed by proprietary or SSO authentication methods.
  • Authorizations managed via LDAP authentication do not lead to any modifications to the product's internal authorizations.
  • Authorization and domain management can only be delegated to the LDAP directory if LDAP authentication is configured via the Service Manager interface. This is not possible when SSO authentication or Service Manager internal authentication is used; if either of these two authentication methods is used, authorizations are managed in Service Manager.
  • With SSO and proprietary authentication methods, the product's internal access rights management is the one that applies.
  • The login field used, e.g. sAMAccountName, UPN, Email, must be unique, regardless of the authentication method used.
    • This field is the ID used with each authentication method.
    • It serves as a link to the Service Manager directory.

Best Practice

  • Configure LDAP authentication via the SMOAuthService service instead of Service Manager. This way, you can manage several LDAP directories.

Caution

  • For SaaS-based customers, the configuration of LDAP authentication via the Service Manager interface must never be used. Please contact the EasyVista CMC if you want to configure the SMOAuthService service.

Screens description

Configuration of LDAP authentication via the SMOAuthService service

Note: Only for customers using the on-premises solution. For SaaS-based customers, please contact the EasyVista CMC if you want to configure the SMOAuthService service.

(Screenshot: Configuration via SMOAuthService service)

Access: Run the SMOAuthEditor.exe executable. See the procedure.

Host: Name or IP address of the machine hosting the directory. 

Port: TCP port for connecting to the directory.

  • Usually port 389 or 686.

Login: Login of the account with bind rights to validate user authentication.

Password: Password for connecting to the directory.

Base DN: Node used for the query. 

Login Attribute: Field in the LDAP directory corresponding to the ID in Service Manager.

  • Note: This should be specified only if the LDAP directory administrator modified the default attribute, sAMAccountName.

Protocol Version: Version of the LDAP protocol used to connect to the directory.

Client Certificate: Location of the directory certificate.

Host Recovery: Name or IP address of the secondary machine hosting the directory.

Accounts: List of platform environments where the directory is active.

  • Example: 50004: production environment; 50005: test environment

Configuration of LDAP authentication via Service Manager

(Screenshot: Configuration via Service Manager)

Menu access: Administration > Parameters > LDAP Authentication

LDAP Authentication: Information required for connecting to the corporate directory.

Active: Used to indicate if the authentication elements used are those from the LDAP directory (box is checked) or those from Service Manager (box is not checked).

LDAP Server: Name or IP address of the machine hosting the directory. 

Port: TCP port for connecting to the directory.

  • Usually port 389 or 686.

User DN: Distinguished Name (DN) of the account used to connect to the directory, i.e. the full path to its record, e.g. CN=Administrator, CN=users, DC=easyvista, DC=priv

Password: Password for connecting to the directory.

  • In the VMware image, the default value is staff.

Base DN: Node used for the query. 

Login Attribute: Login for connecting to the directory.

  • Note: This should be specified only if the LDAP directory administrator modified the default attribute, sAMAccountName.


LDAP Authorization: Information required for mapping user profile and domain fields in the directory with those in Service Manager.

Active: Used to indicate if the authorizations used are those from the LDAP directory (box is checked) or those from Service Manager (box is not checked).

Attribute of Profile: In the corporate directory, the name of the attribute (column) in which profile IDs are stored.

Attribute of Domain: In the corporate directory, the name of the attribute (column) in which domain IDs are stored.
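The following added example (not EasyVista's code) walks through the LDAP authentication flow described in the general remarks and the screens above: bind with the read-only service account, look the login up under the Base DN via the Login Attribute, bind again as the user, then read the profile and domain attributes. It runs against a constructed in-memory directory instead of a real LDAP server; the class and function names, the evProfile/evDomain attribute names and all sample entries and passwords are assumptions.

```python
class InMemoryDirectory:
    """Constructed stand-in for an LDAP server (DN -> attributes); an assumption, not a real directory."""
    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        # Simple bind: succeeds only if the DN exists and the password matches.
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base_dn, attribute, value):
        # Same result as searching base_dn with the filter (attribute=value): the matching DNs.
        base = base_dn.replace(" ", "").lower()
        return [dn for dn, e in self.entries.items()
                if dn.replace(" ", "").lower().endswith(base) and e.get(attribute) == value]

def authenticate(directory, cfg, login, password):
    """Validate a login/password as the page describes: service bind, lookup, user bind, attribute read."""
    # 1. Bind with the read-only service account (User DN / Password on the Service Manager screen).
    if not directory.bind(cfg["user_dn"], cfg["password"]):
        return {"ok": False, "reason": "service account bind failed"}
    # 2. Look the login up under Base DN via the Login Attribute. The page requires that field to be
    #    unique, so zero matches and several matches are both rejected: never "pick the first one".
    matches = directory.search(cfg["base_dn"], cfg["login_attribute"], login)
    if len(matches) != 1:
        return {"ok": False, "reason": "login not found" if not matches else "login attribute not unique"}
    user_dn = matches[0]
    # 3. Bind as the user. An empty password is refused before the bind: RFC 4513 allows a server to
    #    treat DN + empty password as an anonymous bind, which would "succeed" without checking anything.
    if password == "" or not directory.bind(user_dn, password):
        return {"ok": False, "reason": "invalid credentials"}
    # 4. Read the profile and domain attributes (the LDAP Authorization mapping on the page).
    entry = directory.entries[user_dn]
    return {"ok": True, "dn": user_dn,
            "profile": entry.get(cfg["attribute_of_profile"]),
            "domain": entry.get(cfg["attribute_of_domain"])}

# Constructed sample data: attribute names evProfile/evDomain and every password are invented.
SAMPLE_CONFIG = {
    "user_dn": "CN=Administrator, CN=users, DC=easyvista, DC=priv", "password": "svc-pass",
    "base_dn": "DC=easyvista, DC=priv", "login_attribute": "sAMAccountName",
    "attribute_of_profile": "evProfile", "attribute_of_domain": "evDomain",
}
SAMPLE_DIRECTORY = InMemoryDirectory({
    "CN=Administrator, CN=users, DC=easyvista, DC=priv": {"userPassword": "svc-pass"},
    "CN=jdoe, CN=users, DC=easyvista, DC=priv": {"sAMAccountName": "jdoe", "userPassword": "Pa55",
                                                "evProfile": "TECHNICIAN", "evDomain": "EMEA"},
    "CN=asmith, CN=users, DC=easyvista, DC=priv": {"sAMAccountName": "dup", "userPassword": "x1"},
    "CN=bsmith, CN=users, DC=easyvista, DC=priv": {"sAMAccountName": "dup", "userPassword": "x2"},
})
```

Calling authenticate(SAMPLE_DIRECTORY, SAMPLE_CONFIG, "dup", "x1") is rejected even though the password is right, which is the situation the uniqueness requirement on the login field exists to prevent.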

Procedures

How to configure the SmoAuthenticate service

Note: Only for customers using the on-premises solution.

1. Run the SMOAuthEditor.exe executable.
It is located in the Service Manager executables folder on each application server of the platform.

2. Define the configuration of the service.

3. Click Update configuration file to save the configuration of the service.

4. Restart the SmoAuthenticate service on each application server to take the new configuration into account.

What to do in the event of a connection error

1. Check the SmoAuthenticate service logs and take note of the LDAP error codes.

2. Check that the SmoAuthenticate service is started on the application servers in all lines.
Restart it if required.

3. Open the smoServer.ini file and check that the Log_Type line contains the value | LtAuthentication.
If required, add it and then restart Service Manager.

4. Check if there are errors in the SmoServerAppAuthentication.xml file.

Last modified by Christine Daussac on 2020/03/30 14:33
Created by Administrator XWiki on 2013/03/25 18:09