LDAP Authentication
Definition
LDAP (Lightweight Directory Access Protocol) is a TCP/IP protocol used to run queries in the corporate directory. It is used by applications that run procedures to authenticate users.
User authentication methods in Service Manager
Three methods of user authentication are available in Service Manager.
Note: Each method can be enabled or disabled at any time during the project, and it can be combined with one or more of the other authentication methods.
- Authentication using the SSO system (Single Sign-on). Service Manager supports the standard versions of SAML v2, CAS 2.0, ADFS.
- Authentication using LDAP: A read-only account is used to read and browse through corporate LDAP directories and to validate user authentication information.
- Service Manager internal proprietary authentication: Service Manager has its own user account database. Authentication is performed with the user's app login and password.
Processing order for authentication methods
- When SSO is enabled, it will become the default authentication method.
- If you want to use LDAP or proprietary authentication instead, you can force the call to the URL https://site/index.php. Which method is then applied depends on the enabled authentication methods:
- With LDAP authentication, the user's login and password are validated against the corporate directories.
- With proprietary authentication, users are retrieved from the Service Manager directory based on their login and password.
Methods for configuring LDAP authentication
You can configure LDAP authentication in two ways:
- Via the SMOAuthService service that enables you to:
- Manage multiple directories.
- Modify the configuration without restarting the entire platform.
Note: The service does not manage authorizations. This is managed by Service Manager.
- Via Service Manager that enables you to:
- Configure LDAP authentication only for one directory.
- Manage authorizations in the directory only for connections via LDAP.
Notes
- Irrespective of the LDAP authentication method used, you define and manage authorizations via user profiles and domains in Service Manager. These must first be declared and configured in Service Manager.
- The management of authorizations can be delegated to LDAP only if:
- The LDAP directory is fully configured via the Service Manager interface.
- Only one LDAP directory is queried.
- Authorizations are not managed by proprietary or SSO authentication methods.
- Authorizations managed via LDAP authentication do not lead to any modifications to the product's internal authorizations.
- Authorization and domain management can only be delegated to the LDAP directory if LDAP authentication is configured via the Service Manager interface. This is not possible when SSO authentication or Service Manager internal authentication is used. If either of these two authentication methods is used, authorizations are managed in Service Manager.
- For the SSO and proprietary authentication methods, the product's internal access rights are the ones that apply.
- The login field used, e.g. sAMAccountName, UPN, Email, must be unique, regardless of the authentication method used.
- This field is the ID used with each authentication method.
- It serves as a link to the Service Manager directory.
Best Practice
- Configure LDAP authentication via the SMOAuthService service instead of Service Manager. This way, you can manage several LDAP directories.
Screens description
LDAP authentication via the SMOAuthService service
Access: Run the SMOAuthEditor.exe executable. See the procedure.
Host: Name or IP address of the machine hosting the directory.
Port: TCP port for connecting to the directory.
- Usually port 389 or 686.
Login: Login of the account with bind rights to validate user authentication.
Password: Password of the account.
Base DN: Node used for the query in the directory.
- Enter the top of the tree.
Attribut Login: Field used as login. It serves as a link to the Service Manager directory.
- The field must be a unique ID, e.g. sAMAccountName, UPN, Email.
Protocol Version: Version of the LDAP protocol used to connect to the directory.
- Specify 2 or 3 if required to force the version of the LDAP protocol.
Client Certificate: Location of the directory certificate. It is required to access the LDAP server.
Host Recovery: Name or IP address of the secondary machine hosting the directory. It is used if the host becomes unreachable.
- Hosts are defined in SMOAuthEditor.
Accounts: List of EasyVista accounts of the platform that are authorized to use the application server and where the directory is active.
- Enter the accounts separated by commas, e.g. 50004, 50005.
SSL: Used to indicate if the SSL protocol is active (box is checked) or inactive (box is not checked).
- You must check the box to activate the protocol.
Domain: Domain to query on the directory.
- Enter the domain in the form @domain.com.
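The settings above (bind account, Base DN, Attribut Login, Host Recovery) describe a bind-search-bind flow: the read-only account binds, the user is looked up under the Base DN by the login attribute, and the user's own credentials are then checked with a second bind. The following is an added example, not EasyVista's code; it runs against a constructed in-memory directory (FakeDirectory, SAMPLE_DIRECTORY and the host names are assumptions) and enforces the page's rule that the login attribute must identify exactly one entry.

```python
import re
from dataclasses import dataclass

# Constructed sample directory (DN -> attributes); stands in for a real server.
SAMPLE_DIRECTORY = {
    "CN=Alice,CN=users,DC=easyvista,DC=priv": {"sAMAccountName": "alice", "userPassword": "Secret1!"},
    "CN=Bob,CN=users,DC=easyvista,DC=priv": {"sAMAccountName": "bob", "userPassword": "Pass2"},
    "CN=Bob,OU=ext,DC=easyvista,DC=priv": {"sAMAccountName": "bob", "userPassword": "Other"},
    "CN=svc-ldap,CN=users,DC=easyvista,DC=priv": {"sAMAccountName": "svc-ldap", "userPassword": "BindPw"},
}
@dataclass
class LdapConfig:  # mirrors the SMOAuthEditor fields; the attribute names here are our own
    host: str
    login: str  # DN of the read-only bind account
    password: str
    base_dn: str
    login_attribute: str = "sAMAccountName"
    host_recovery: str = ""
def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed login cannot change the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)
class FakeDirectory:
    """Constructed stand-in for an LDAP server: simple bind plus an equality-filter search."""
    def __init__(self, entries, reachable_hosts):
        self.entries, self.reachable_hosts = entries, set(reachable_hosts)
    def bind(self, host, dn, password):
        if host not in self.reachable_hosts:
            raise ConnectionError(host)
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password
    def search(self, base_dn, ldap_filter):
        attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
        # compare escaped forms: equivalent to comparing the raw attribute values
        return [dn for dn, a in self.entries.items()
                if dn.endswith(base_dn) and escape_filter_value(a.get(attr, "")) == raw]
def authenticate(directory, cfg, user_login, user_password):
    """Bind with the service account, locate the user under Base DN, then bind as the user."""
    for host in (h for h in (cfg.host, cfg.host_recovery) if h):  # Host Recovery fallback
        try:
            if not directory.bind(host, cfg.login, cfg.password):
                return False, "service account bind failed"
            break
        except ConnectionError:
            continue
    else:
        return False, "no directory host reachable"
    matches = directory.search(cfg.base_dn, f"({cfg.login_attribute}={escape_filter_value(user_login)})")
    if len(matches) != 1:  # the login attribute must identify exactly one entry
        return False, f"login matched {len(matches)} entries"
    if not directory.bind(host, matches[0], user_password):
        return False, "bad password"
    return True, matches[0]
```

The second "bob" entry shows why a duplicate login attribute is rejected rather than silently resolved to the first match.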
LDAP authentication via Service Manager
Menu access: Administration > Parameters > LDAP Authentication
LDAP Authentication: Information required for connecting to the corporate directory.
Active: Used to indicate if the authentication elements used are those from the LDAP directory (box is checked) or those from Service Manager (box is not checked).
LDAP Server: Name or IP address of the machine hosting the directory.
Port: TCP port for connecting to the directory.
- Usually port 389 or 686.
User DN: Distinguished name (DN) of the account used to connect to the directory, e.g. CN=Administrator, CN=users, DC=easyvista, DC=priv.
Password: Password for connecting to the directory.
- In VMware, the default value is staff.
Base DN: Node used for the query in the directory.
Login Attribute: Login for connecting to the directory.
- Note: This should be specified only if the LDAP directory administrator has modified the default attribute, sAMAccountName.
LDAP Authorization: Information required for mapping user profile and domain fields in the directory with those in Service Manager.
Active: Used to indicate if the authorizations used are those from the LDAP directory (box is checked) or those from Service Manager (box is not checked).
Attribute of Profile: In the corporate directory, the name of the column where profile IDs are stored.
Attribute of Domain: In the corporate directory, the name of the column where domain IDs are stored.
Procedures
How to configure the SmoAuthenticate service
Notes:
- You must configure the SmoAuthenticate service on each application server of the platform.
- The SMOAuthEditor.exe executable is located in the Service Manager executables folder on each application server of the platform.
Step 1: Configure the SmoAuthenticate service
1. Run the SMOAuthEditor.exe executable.
2. Define the configuration of the service.
- Click on the first empty line of the file.
- Enter the configuration information.
See the description of fields.
Note: You must check the SSL box to activate the SSL protocol.
- Click Save.
The service configuration will be saved.
3. Update the application server via Update configuration file.
4. Repeat these actions to configure the service on each application server.
Step 2: Check that the LDAP authentication works correctly
1. Restart the SmoAuthenticate service to take the new configuration into account on each application server.
2. Test the LDAP authentication on each Service Manager environment of the platform.
What to do in the event of a connection error via the SmoAuthenticate service
1. Check the SmoAuthenticate service logs and take note of the LDAP error codes.
2. Check that the SmoAuthenticate service is started on the application servers in all lines. Restart it if required.
3. Check the configuration of the smoServer.ini file.
- Open the smoServer.ini file.
- Check that the Log_Type line contains the value | LtAuthentication.
- If required, add the line.
- Restart Service Manager.
4. Check if there are errors in the SmoServerAppAuthentication.xml file.