LDAP and AD User Interface Examples

The following examples can be used to set up the LDAP Active Directory and LDAP rfc2307bis.

Form Example

The following form examples are Active Directory and LDAP rfc2307bis.

Active Directory

[Screenshot: Active Directory form example]

LDAP rfc2307bis

[Screenshot: LDAP rfc2307bis form example]

More examples of Active Directory filters can be found on the Active Directory page.

Field Definitions

Definition

Description

Name

Name of this connector.

Type

The connector type. Only the Generic type is currently supported.

Connection

These fields are attributes of the server connection.

Host

Domain name or IP address of the LDAP host.

Port

The LDAP port.

Use TLS

Enable or disable the LDAPS protocol for a secure connection. The TLS setting must match the port: LDAP servers use port 389 for plain LDAP and port 636 for LDAPS. The connection fails if port 389 is specified and the Use TLS option is enabled.

Bind DN

The distinguished name of the account used to connect to the LDAP server; it only requires read and browse permissions. An anonymous bind is used if Bind DN is not specified.

CA Certificate Chain

Trusted root certificate chain (only required if private CA is used by the server).

  • The CA Certificate Chain file is only available if the Use TLS option is selected.
  • The CA Certificate Chain field can be left blank if the server certificate is issued by a public CA.
  • Private root certificates can be added to the trusted store using System > Certificates. In this case, the CA Certificate Chain field can be left blank.

Bind DN Password

Password for the Bind DN account.

Users

These attributes are used to find user accounts in the LDAP server.

User Search Base DN

Distinguished name of the entry where the search for users starts.

Search Scope

The Search Scope is optional. The values sub, one and base indicate how far below the base DN the search extends (sub is the default).

  • sub searches all entries at all levels under the specified base DN, including the base DN itself.
  • one searches only the entries exactly one level under the base DN. It does not include the base DN itself or any entries nested deeper than that one level.
  • base searches only the base DN entry itself. The entry must still match the search filter to be returned.
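The following is an added example, not part of the product documentation or the connector's own code. It models how the three scopes select entries relative to a base DN over a small constructed directory, so the effect of a wrong scope (for example, users in a nested OU disappearing under scope one) can be seen before testing against a live server.

```python
# Added example (not the product's own code): how the three LDAP search scopes
# select entries relative to a base DN. The directory below is a constructed
# sample; a real LDAP server evaluates the scope itself.

def dn_components(dn):
    """Split a DN into normalized RDN components, most specific first.
    The sample DNs contain no escaped commas, so a plain split is enough."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(entry_dn, base_dn, scope="sub"):
    """Return True if entry_dn lies within `scope` of base_dn.

    sub  : base_dn itself and everything beneath it
    one  : only entries exactly one level beneath base_dn (not base_dn)
    base : only base_dn itself
    """
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                    # not under the base at all
    depth = len(entry) - len(base)      # 0 means the base entry itself
    if scope == "sub":
        return True
    if scope == "one":
        return depth == 1
    if scope == "base":
        return depth == 0
    raise ValueError("scope must be sub, one or base")

# Constructed sample directory (rfc2307bis style), listed top-down.
SAMPLE_DNS = [
    "ou=people,dc=example,dc=com",
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
    "ou=contractors,ou=people,dc=example,dc=com",
    "uid=carol,ou=contractors,ou=people,dc=example,dc=com",
    "cn=admins,ou=groups,dc=example,dc=com",
]

def search(base_dn, scope, dns=SAMPLE_DNS):
    """Entries the server would consider for the given base DN and scope,
    before the search filter is applied."""
    return [dn for dn in dns if in_scope(dn, base_dn, scope)]

if __name__ == "__main__":
    for scope in ("sub", "one", "base"):
        print(scope, "->", search("ou=people,dc=example,dc=com", scope))
```

With the sample directory, scope one on ou=people returns alice, bob and the contractors OU but not carol, who sits one level deeper; a User Search Base DN combined with scope one is therefore one of the configurations that produces the "User not found" test result for users in nested OUs.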

User Search Filter

The LDAP filter used to identify user accounts.

Attribute for Unique User ID

LDAP attribute that uniquely identifies a user. The typical value is uidNumber for rfc2307 and objectGUID for AD.

Attribute for Username

An LDAP attribute containing the username used for logging in. It is usually uid for rfc2307 and sAMAccountName for AD.

Attribute for First Name

An LDAP attribute that contains the first name of the user. The default value is givenName.

Attribute for Last Name

An LDAP attribute that contains the last name of the user. The default value is sn.

Groups

These attributes are used to find groups in the LDAP server. User roles are derived from group names; for example, a group named administrator is matched against the Manufacturing Connect Edge user roles.

Group Search Base DN

The distinguished name of the entry where the search for groups starts.

Group Search Filter

The LDAP filter used to identify user groups.
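Both the User Search Filter and the Group Search Filter fields hold an LDAP search filter in the RFC 4515 string syntax. The following is an added example, not the product's or the connector's code: a minimal evaluator for the equality, presence, AND, OR and NOT forms of that syntax, run against constructed AD-style entries, so a filter can be checked for syntax errors and for what it actually selects before it is pasted into the form.

```python
# Added example (not the product's own code): a minimal evaluator for the LDAP
# search-filter string syntax (RFC 4515) covering equality, presence, &, | and !.
# Entries below are constructed samples; a real server applies the filter itself.

def parse_filter(text):
    """Parse a filter string into a nested tuple tree, raising ValueError
    on malformed input (the kind of mistake that yields 'User not found')."""
    pos = [0]

    def expect(ch):
        if pos[0] >= len(text) or text[pos[0]] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos[0]} in {text!r}")
        pos[0] += 1

    def node():
        expect("(")
        if pos[0] >= len(text):
            raise ValueError(f"unterminated filter {text!r}")
        op = text[pos[0]]
        if op in "&|":                      # (&(a=1)(b=2)) / (|(a=1)(b=2))
            pos[0] += 1
            children = []
            while pos[0] < len(text) and text[pos[0]] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":                       # (!(a=1))
            pos[0] += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.index(")", pos[0])       # simple item: (attr=value)
        attr, sep, value = text[pos[0]:end].partition("=")
        if not sep:
            raise ValueError(f"missing '=' in item {text[pos[0]:end]!r}")
        pos[0] = end + 1
        return ("=", attr.strip(), value.strip())

    tree = node()
    if pos[0] != len(text):
        raise ValueError(f"trailing characters at offset {pos[0]} in {text!r}")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict of attr -> list of str).
    Attribute names and values compare case-insensitively, as the common
    caseIgnore matching rules do."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":                        # presence test, e.g. (mail=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

# Constructed sample entries with AD-style attributes.
ENTRIES = [
    {"dn": ["cn=Alice,ou=people,dc=example,dc=com"], "objectClass": ["user", "person"],
     "sAMAccountName": ["alice"], "mail": ["alice@example.com"]},
    {"dn": ["cn=svc-backup,ou=service,dc=example,dc=com"], "objectClass": ["user", "person"],
     "sAMAccountName": ["svc-backup"]},
    {"dn": ["cn=Printers,ou=groups,dc=example,dc=com"], "objectClass": ["group"],
     "sAMAccountName": ["Printers"]},
]

def search(filter_text, entries=ENTRIES):
    """Return the DNs of the entries that match the filter."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]

if __name__ == "__main__":
    print(search("(&(objectClass=user)(sAMAccountName=alice))"))
    print(search("(&(objectClass=user)(!(mail=*)))"))
```

The evaluator deliberately stops at the operators the page's fields need; substring, approximate and extensible matching from RFC 4515 are not implemented, and a filter using them raises ValueError rather than silently matching nothing.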

Group Name Attribute

The attribute name containing the group name (usually cn).

Group Membership Attribute

The attribute name that contains the list of group members (usually member).

  • The most common group membership scheme is one in which the group object carries multiple member attribute values, each holding the DN of a member account.
  • However, an older rfc2703 standard uses the reverse mechanism, in which the user object carries a list of group names.
  • The old rfc2703 standard is not supported by the Generic connector.

Member value type

The type of the member value (dn or uid). This value is case sensitive.
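The following is an added example, not the product's or the connector's own code. It shows the group-side membership scheme the Generic connector supports, resolving a user's groups under both member value types (dn and uid) from constructed group entries, and deriving roles by matching the group names against a set of role names. The role names, the memberUid attribute and the entries are assumptions for illustration; substitute the product's real roles and your directory's attributes.

```python
# Added example (not the product's own code): resolve a user's groups from
# group-side membership attributes for both supported member value types, then
# derive roles from the group names. Entries and role names are constructed.

# Constructed group entries keyed by DN. Each carries a Group Name Attribute
# (cn) and two alternative Group Membership Attributes: member (DN values)
# and memberUid (username values).
GROUPS_BY_DN = {
    "cn=administrator,ou=groups,dc=example,dc=com": {
        "cn": ["administrator"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
        "memberUid": ["alice"],
    },
    "cn=operator,ou=groups,dc=example,dc=com": {
        "cn": ["operator"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"],
        "memberUid": ["alice", "bob"],
    },
}

# Hypothetical role names used for matching; not the product's actual list.
KNOWN_ROLES = {"administrator", "operator"}

def normalize_dn(dn):
    """Lower-case and strip the RDNs so DNs compare independent of spacing/case."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def groups_for_user(user_dn, username, groups, name_attr="cn",
                    member_attr="member", member_value_type="dn"):
    """Return the names of the groups whose membership attribute lists the user.

    member_value_type 'dn'  : member values are compared to the user's DN
    member_value_type 'uid' : member values are compared to the username
    The type string is case sensitive, as the form field is.
    """
    if member_value_type == "dn":
        wanted = normalize_dn(user_dn)
        is_member = lambda v: normalize_dn(v) == wanted
    elif member_value_type == "uid":
        is_member = lambda v: v == username
    else:
        raise ValueError("Member value type must be exactly 'dn' or 'uid'")
    names = []
    for entry in groups.values():
        if any(is_member(v) for v in entry.get(member_attr, [])):
            names.extend(entry.get(name_attr, []))
    return sorted(names)

def roles_for_user(group_names, known_roles=KNOWN_ROLES):
    """Roles are the group names that match a known role name. An empty result
    corresponds to the 'Authorization failure' outcome of the connection test."""
    return sorted(set(group_names) & known_roles)

if __name__ == "__main__":
    alice_dn = "uid=alice,ou=people,dc=example,dc=com"
    print(groups_for_user(alice_dn, "alice", GROUPS_BY_DN))
    print(groups_for_user(alice_dn, "alice", GROUPS_BY_DN,
                          member_attr="memberUid", member_value_type="uid"))
    print(roles_for_user(groups_for_user(
        "uid=bob,ou=people,dc=example,dc=com", "bob", GROUPS_BY_DN)))
```

Pairing a DN-valued attribute such as member with member value type uid (or the reverse) yields no matches for any user, which surfaces as a "Group not found" or "Authorization failure" result in the connection test rather than as a configuration error.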

Test

These values are used for testing connectivity.

UserID

The user ID of the account used for the test login.

Password

The password of the test account.

Test Failure

If the test fails, you should receive a detailed message about the reason for the failure. The following are a few possible failure reasons:

  • Unable to connect to the server: Wrong address/DNS name or port of the LDAP host.
  • Protocol mismatch: Connecting with TLS to a port that does not support it (see the Use TLS field above).
  • Certificate validation failure: Missing or invalid root CA.
  • User not found: Indicates a broad range of possible problems, such as an invalid search base, an invalid filter, or invalid attributes for the username or user ID.
  • User attribute not found: One of the user attributes is either missing or empty.
  • Group not found: The group search base, scope, or filter is invalid.
  • Group attribute not found: One of the group attributes is empty or missing.
  • Authentication failure: Usually means an invalid username or password.
  • Authorization failure: The returned set of scopes does not match those of the requested role.

Note: The Save button is only available if the test successfully completes.