Active Directory Integration in Progeny 9
Directory-based authentication via LDAP protocols (Version 9)

Copyright
2015. Progeny Genetics, LLC. All rights reserved. The information contained herein is proprietary and confidential and is the exclusive property of Progeny Genetics, LLC. It may not be copied, disclosed, used, distributed, modified, or reproduced, in whole or in part, without the express written permission of Progeny Genetics, LLC.

Limit of Liability
Progeny Genetics, LLC has used their best effort in preparing this guide. Progeny Genetics, LLC makes no representations or warranties with respect to the accuracy or completeness of the contents of this guide and specifically disclaims any implied warranties of merchantability or fitness for a particular purpose. Information in this document is subject to change without notice and does not represent a commitment on the part of Progeny Genetics, LLC or any of its affiliates. The accuracy and completeness of the information contained herein and the opinions stated herein are not guaranteed or warranted to produce any particular results, and the advice and strategies contained herein may not be suitable for every user. The software described herein is furnished under a license agreement or a non-disclosure agreement. The software may be copied or used only in accordance with the terms of the agreement. It is against the law to copy the software on any medium except as specifically allowed in the license or the non-disclosure agreement.

Trademarks
The name Progeny Genetics, the Progeny Genetics logo, Progeny Clinical, Progeny Lab, and Progeny LIMS are trademarks or registered trademarks of Progeny Genetics, LLC. All other products and company names mentioned herein might be trademarks or registered trademarks of their respective owners.

Customer Support
Support is available for Support Plan members who purchase Progeny Clinical, Progeny Lab, or Progeny LIMS and that have an annual support agreement, and for trial users.

Contact Progeny Genetics, LLC at:
800 Palm Trail, Suite 200, Delray Beach, FL 33483
574-968-0822 (International)
800-776-4369 (US/CAN)
support@progenygenetics.com
http://www.progenygenetics.com
Getting Started

The purpose of this document is to assist Progeny administrators in offloading the database authentication process to their organization's directory server using the LDAP protocol. Progeny currently supports both Microsoft Active Directory and Apache Directory systems. This process replaces the local user authentication used by default within Progeny databases.

To access the LDAP Settings menu within Progeny and configure the LDAP directory connection, log into the Progeny Desktop Client using the progeny Superuser account. Then, while in the Pedigrees, Individuals or Samples module, right-click the folder root and choose the Edit LDAP Settings menu option (screenshot in the original document).

This opens the LDAP Settings menu, where administrators enter the configuration parameters required for Progeny to communicate with the directory server on the local network.

If the Progeny Web Server is used in conjunction with the Progeny Desktop Client, then once the LDAP connection settings have been validated and users are able to access the database from the Progeny Desktop Client, the Progeny administrator must open the Web Configuration Menu of the local Progeny Web Server and change the following setting (identified in a screenshot in the original document) from 0 to 1 in order to enforce directory authentication instead of local authentication.
The following describes each option of the LDAP Settings menu (the annotated screenshot is in the original document). Options 16-19 and 21 are only required if using the Progeny Web Server.

1. Domain
   a. The FQDN (Fully-Qualified Domain Name) of the domain against which Progeny will authenticate users.
2. Port
   a. Either 389 (LDAP) or 636 (LDAP/S, LDAP over SSL).
3. Username
   a. The directory attribute which stores the username value. Microsoft Active Directory users should use the default AD attribute samaccountname.
4. User Object Class
   a. The objectclass attribute value for user accounts. Within Microsoft AD, user can be entered for this option in nearly all circumstances.
5. People Base
   a. The highest common OU (Organizational Unit) within the directory where the user accounts are located. This must be entered in proper distinguished name notation.
      i. Example: OU=SiteName,OU=Users,DC=Domain,DC=local

Options 6-8 are only required if directory groups will be used to assign User Classes within the Progeny database. This is not recommended if the Progeny administrator will not have regular access to the domain controller or the ability to alter directory group memberships. These options can be left blank if User Class assignments will be controlled from within the Progeny database.

6. Group Base
   a. The highest common OU (Organizational Unit) within the directory where the groups used for User Class assignment are located. This must be entered in proper distinguished name notation.
      i. Example: OU=SiteName,OU=Users,DC=Domain,DC=local
7. Group Object Class
   a. The objectclass attribute value for groups. Within Microsoft AD, group can be entered for this option in nearly all circumstances.
8. Group Member Name
   a. The directory attribute where group membership is stored. member can be entered for this option in nearly all circumstances.
9. Use LDAP groups for Progeny user classes
   a. Maps Active Directory groups to the User Classes defined in Progeny user maintenance.
10. Security
   a. None: LDAP communication is not encrypted. With this setting the Bind Password and every user's password cross the network in cleartext.
   b. SSL: LDAP communication is secured using SSL.
   c. Both: Progeny first attempts SSL-secured LDAP and falls back to unencrypted LDAP if that fails. Because a failed SSL connection silently downgrades to cleartext, choose SSL rather than Both once the LDAP/S connection has been confirmed to work.
11. Password
   a. An administrative password which prevents the LDAP settings from being accidentally changed.
12. Bind Type
   a. Anonymous: the directory server allows unauthenticated directory searches (this is rarely allowed).
   b. Standard: the directory server requires searches to be performed by an authenticated user/service account with adequate permissions to see all directory tree folders.
13. Confirm Password
   a. Confirmation of the password entered in option 11.
14. Bind DN
   a. Used only when Standard is chosen for option 12.
   b. The full distinguished name of the account which performs directory lookups during the authentication process. This account only needs read access to the People Base and Group Base; use a dedicated service account rather than a domain administrator account.
      i. Example: CN=username,OU=Users,DC=domain,DC=local
15. Bind Password
   a. Used only when Standard is chosen for option 12.
   b. The password for the account entered in option 14.
16. Web Server Address
   a. IP address or FQDN of the Progeny Web Server.
17. Web Server Port
   a. Configured access port of the Progeny Web Server; generally 80, 443, 8080 or 8443.
18. Web Security
   a. None: the Progeny Web Server does not use SSL encryption for incoming connections.
   b. SSL: the Progeny Web Server uses SSL encryption for incoming connections.
19. Application Context
   a. The Progeny Web Server application folder name. Unless the Progeny Web Server has multiple Web Client applications running, / can be entered to represent the default ROOT folder.
20. Use LDAP Only
   a. Once the LDAP connection properties have been entered and tested, check this box to force all login attempts to use directory authentication (the LDAP Login option must still be chosen on the Progeny Desktop Client login screen).
21. Connection Name
   a. The Connection Name value of the Progeny Web Client connection string to the Progeny database (what appears in the Connection dropdown on the Progeny Web Client login page).
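The script below is an added example for checking settings of the kind described in options 1-15 against a domain controller before they are typed into Progeny. It is not Progeny code and does not show how Progeny itself performs the lookup; it uses the System.DirectoryServices.Protocols assembly that ships with Windows PowerShell 5.1 to run the flow a directory-authentication client of this shape performs: bind as the Bind DN, search People Base for the typed username using the Username and User Object Class attributes, bind again as the resolved user DN to verify the password, and, when Group Base is set, list the groups whose member attribute contains that DN. The function and parameter names, and the host, OU and account names in the commented invocation, are placeholders chosen for this example. The username is escaped per RFC 4515 before it is placed in the search filter so that a value such as `*)(objectClass=*` cannot widen the search, and SSL is enabled for port 636 without any fallback to cleartext.

```powershell
# Added example: validates LDAP settings against a real domain controller before they
# are entered in Progeny. Not Progeny code; uses the System.DirectoryServices.Protocols
# assembly that ships with Windows PowerShell 5.1 / .NET Framework.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a typed username such as "*)(objectClass=*" must not be able
    # to widen the search filter. The backslash is escaped first to avoid double escaping.
    param([Parameter(Mandatory)][string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function New-LdapConnection {
    # Opens and binds one connection. SSL is enabled for port 636 (option 10 = SSL) and is
    # never downgraded; a failed LDAP/S handshake is reported instead of retried in cleartext.
    param([string]$Domain, [int]$Port, [string]$Dn, [securestring]$Password)
    $ident = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Domain, $Port)
    $conn  = [System.DirectoryServices.Protocols.LdapConnection]::new($ident)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)   # assumes the standard LDAP/S port
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = [System.Net.NetworkCredential]::new($Dn, $Password)
    $conn.Bind()   # throws LdapException (result code 49, invalidCredentials) on a bad password
    return $conn
}

function Test-ProgenyLdapSettings {
    # Hypothetical helper name; parameters mirror the numbered options of the LDAP Settings menu.
    param(
        [Parameter(Mandatory)][string]$Domain,               # option 1
        [int]$Port = 636,                                    # option 2
        [string]$UsernameAttribute = 'samaccountname',       # option 3
        [string]$UserObjectClass = 'user',                   # option 4
        [Parameter(Mandatory)][string]$PeopleBase,           # option 5
        [string]$GroupBase,                                  # option 6 (blank = skip group lookup)
        [string]$GroupObjectClass = 'group',                 # option 7
        [string]$GroupMemberName = 'member',                 # option 8
        [Parameter(Mandatory)][string]$BindDn,               # option 14
        [Parameter(Mandatory)][securestring]$BindPassword,   # option 15
        [Parameter(Mandatory)][string]$TestUser,             # an existing account to look up
        [Parameter(Mandatory)][securestring]$TestPassword    # that account's password
    )
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $svc = New-LdapConnection -Domain $Domain -Port $Port -Dn $BindDn -Password $BindPassword
    try {
        # Step 1: the service account resolves the typed username to a DN under People Base.
        $filter = "(&(objectClass=$UserObjectClass)($UsernameAttribute=$(ConvertTo-LdapFilterValue $TestUser)))"
        $req  = [System.DirectoryServices.Protocols.SearchRequest]::new($PeopleBase, $filter, $scope, [string[]]@('distinguishedName'))
        $resp = $svc.SendRequest($req)
        if ($resp.Entries.Count -ne 1) {
            throw "Expected exactly one $UserObjectClass with $UsernameAttribute=$TestUser under $PeopleBase, found $($resp.Entries.Count)"
        }
        $userDn = $resp.Entries[0].DistinguishedName

        # Step 2: the user's own password is checked by binding as the resolved DN.
        $userConn = New-LdapConnection -Domain $Domain -Port $Port -Dn $userDn -Password $TestPassword
        $userConn.Dispose()

        # Step 3 (options 6-8): groups under Group Base whose member attribute lists the user DN.
        $groups = @()
        if ($GroupBase) {
            $gfilter = "(&(objectClass=$GroupObjectClass)($GroupMemberName=$(ConvertTo-LdapFilterValue $userDn)))"
            $greq  = [System.DirectoryServices.Protocols.SearchRequest]::new($GroupBase, $gfilter, $scope, [string[]]@('cn'))
            $gresp = $svc.SendRequest($greq)
            $groups = @(foreach ($entry in $gresp.Entries) { $entry.Attributes['cn'].GetValues([string])[0] })
        }
        return [pscustomobject]@{
            UserDN    = $userDn
            Groups    = $groups
            Encrypted = $svc.SessionOptions.SecureSocketLayer
        }
    }
    finally {
        $svc.Dispose()
    }
}

# Hypothetical invocation; host, OU and account names are placeholders, not real settings.
# Test-ProgenyLdapSettings -Domain 'domain.local' -Port 636 `
#     -PeopleBase 'OU=SiteName,OU=Users,DC=domain,DC=local' `
#     -GroupBase  'OU=SiteName,OU=Groups,DC=domain,DC=local' `
#     -BindDn 'CN=svc-progeny-ldap,OU=Users,DC=domain,DC=local' `
#     -BindPassword (Read-Host -AsSecureString 'Bind password') `
#     -TestUser 'jdoe' -TestPassword (Read-Host -AsSecureString 'Password for jdoe')
```

If step 1 fails, the People Base, Username attribute or User Object Class values are wrong or the Bind DN lacks read access to that OU; if step 2 fails, the directory rejected the user's password; if step 3 returns no groups for a user you know is a member, the Group Base or Group Member Name value does not match the directory. A successful run with Encrypted set to True is the state the guide expects before Use LDAP Only is checked.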