LDAP User Service Guide 30 June 2006




This document describes the usage of the LDAP User Service for NiagaraAX version 3.1.

Contents
  Installation
  Palette
    LdapUserService
    ActiveDirectoryUserService
  Key Concepts
    Active Directory
    LDAP
  Component Guides
    LdapUserService
    User Prototypes
    LdapConfig
    ActiveDirectoryUserService
    ActiveDirectoryConfig

June 30, 2006. (c) 2006 Tridium, Inc. Page 1 of 7

Installation

Using Workbench, log into the target station as an administrator.

1. Go to the property sheet of the Niagara Network. Expand Fox Service and change Authentication from digest to basic. This is required because the station must forward the user's actual password to the LDAP server in order to bind as that user, and a digest does not give the station the password. With basic authentication the password travels from Workbench to the station in recoverable form, so keep the Fox connection on a trusted network.

2. Open the LDAP palette. It offers two choices: the LdapUserService and the ActiveDirectoryUserService. The ActiveDirectoryUserService is a specialized version of the LdapUserService for Windows Active Directory. Copy one and paste it under the Services node of your station database.

3. Delete the default UserService object, also found under Services. The LDAP user service just pasted allows the creation of local users just like the default user service. In fact, the users admin and guest are already built in, so one can always log in even if LDAP is not working. These local accounts are not governed by the directory, so the admin password must be managed on the station itself.

4. Configure the LDAP server information.
   - Open the property sheet of the object under the LDAP user service whose name ends with Config.
   - For the ActiveDirectoryUserService: replace domain and net in the Connection Url, Domain and User Base properties. Provide a valid user account for the Connection User property. It is best if your network administrator creates a user specifically for this function.
   - For the LdapUserService: replace domain and net in the Connection Url and User Base properties. If the server supports anonymous connections, leave the Connection User property blank; otherwise provide a valid user account for Connection User and its password for Connection Pwd.

5. Create user prototypes.
   - Not all data about a Niagara user can easily be stored on the LDAP server, especially security permissions. A user prototype allows you to configure default settings for groups of users.
   - In the Config object discussed above is a property named Attr Prototype. This specifies the LDAP attribute whose value is used to map a user to a user prototype.
   - The ActiveDirectoryUserService uses the memberOf attribute from Active Directory's schema for mapping. Suppose a user belongs to a group called Engineering in Active Directory. Create a user prototype named Engineering and configure the properties that will not be supplied by the LDAP server (especially security permissions).
   - To create a new prototype, right-click on the User Prototypes object below the user service. In Actions, select New Prototype.
   - Be sure to configure the default prototype for users who have no mapping. Every directory user who maps to no prototype receives the Default Prototype's permissions, so keep those permissions minimal.

6. Save your database and restart your station.

7. Log into the station using an LDAP user. The ActiveDirectoryUserService is pre-configured to use the user name without the domain, so janedoe@tridium.com would log in as janedoe.

Palette

LdapUserService
This is a generic LDAP user service.

ActiveDirectoryUserService
This is an LdapUserService specialized for Windows Active Directory. It is still a valid LDAP client and could be used with any LDAP server. The primary advantage of the ActiveDirectoryUserService is that it uses the interactive user as the connection user.

Key Concepts

Active Directory
The Windows directory service that stores information about all objects on the computer network and makes this information easy for administrators and users to find and use. With Active Directory, users can access resources anywhere on the network with a single logon. Similarly, administrators have a single point of administration for all objects on the network, which can be viewed in a hierarchical structure. Active Directory supports an LDAP interface.

LDAP
Lightweight Directory Access Protocol. Typically an LDAP server is a network-accessible database where an organization stores information about authorized users and their privileges. Rather than create a new user account on 50 different computers, the new user is entered into LDAP and granted rights to those 50 systems. If the user leaves the organization, revoking all privileges is as simple as removing one entry in the LDAP directory. LDAP is a bit confusing because the original implementations were presented as alternatives to the Web and to relational database management systems.

Component Guides

LdapUserService

The LdapUserService is a service component in the NiagaraAX architecture. It looks and behaves nearly identically to the default user service. It can have both local and remote LDAP users. The differences are:
1. The LdapUserManager view has a column that identifies local versus LDAP users.
2. The LdapUserService has a child object named LdapConfig, which encapsulates the LDAP functionality.
3. The LdapUserService has a child called "User Prototypes." Descendants of this object are prototypical users that LDAP users map to.

User Prototypes

Not all user properties can be retrieved from an LDAP server. Prototypical users provide default property values for LDAP users. They are contained in the "User Prototypes" child of the LDAP user service. Perhaps the single most important property provided by a prototype user is its permissions. If an LDAP user cannot be mapped to a prototype, the Default Prototype under User Prototypes is used. If a default prototype is not desired, disable it by setting its Enabled property to false; otherwise any directory user who maps to nothing gets the Default Prototype's permissions.

To create a new user prototype:
- Invoke the "New Prototype" command on the User Prototypes container.
  - The name of the prototype user is what maps the prototype to LDAP users.
- Configure the property sheet of the newly created user.
  - Only those properties that will not be provided by the LDAP server need to be configured.
  - Prototypical users can be disabled here, which prevents the LDAP users that map to them from logging in.
  - User expiration is the earliest of the expiration on the prototype and the expiration of the cached user. This should not matter, since cached users are only used when the LDAP server is unreachable.
- Configure the "Attr Prototype" property of the LDAP configuration object.
  - This is the LDAP attribute whose value maps to the slot name of a prototype user. If unspecified or it does not map properly, the default prototype is the Guest user.

  - If the value of this attribute is a distinguished name, the value of the leaf component is extracted as the profile. For example, given the DN "OU=Engineering, DC=example, DC=com", the prototype user would be named "Engineering".
  - If this attribute has multiple values (distinguished or not), the profile with the lowest index (highest on the property sheet) wins.

LdapConfig

LdapConfig is an LDAP Version 2 extension for the LdapUserService. It is a child of the LdapUserService component. The following properties have special importance:

Connection Url
URL to the LDAP server. If the port is not the default LDAP port of 389, it must be explicit (e.g. ldap://host.com:123). The scheme of the URL must always be 'ldap', even if SSL is being used; 'ldaps' is not supported.

Connection User
This is the user name for the connection. If the LDAP server supports anonymous connections, this property should be empty. Otherwise, it is recommended that a special user be created solely for the purpose of this connection. That account only needs to read the user entries under User Base, so it should not be an administrative account.

Connection Pwd
Password for the user configured in Connection User.

SSL
The CryptoService must be installed to use LDAP over SSL. The Connection Url must point to a secure LDAP port; the common secure LDAP port is 636. Do not use the ldaps scheme. Without SSL, the passwords sent in the bind (the Connection Pwd, and each user's password at login) cross the network unencrypted, so enable SSL wherever the station and the directory server are not on an isolated network.

User Login Attr
This is the LDAP attribute whose value must match a user's login name. Typically this is "uid".

User Base
The sub-tree of the LDAP server where users who can log in will be found. At the very least, the value of this property must contain the domain components of the server's domain. For example: "DC=example, DC=com"

Attr Email
This is the LDAP attribute whose value is the user's email address.

Attr Full Name
This is the LDAP attribute whose value is the user's full name.

Attr Language
This is the LDAP attribute whose value is the user's ISO 639 two-letter language code.

Attr Prototype
This is the LDAP attribute whose value maps to a prototype user. If unspecified or it does not map properly, the Default Prototype is used. If the value of this attribute is a distinguished name, the value of the leaf component is extracted as the profile. For example, given the DN "OU=Engineering, DC=example, DC=com", the prototype user would be named "Engineering". If this attribute has multiple values (distinguished or not), the profile with the lowest index (highest on the property sheet) wins.

Cache Expiration
Users are cached for this period of time. If configured for 0, there is no expiration. The cache is only used when the server cannot be reached; if a connection to the server is established, cached users are not used.
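The Attr Prototype rules above (take the leaf component of a distinguished name, take the lowest-index value of a multi-valued attribute, fall back to the Default Prototype) are worked through here as an added example in Python. It is not NiagaraAX code: the DN splitting follows RFC 4514 escaping, the prototype names and memberOf values are constructed, and the exact, case-sensitive match on the prototype slot name is an assumption.

```python
"""Prototype mapping as the guide describes it for Attr Prototype."""

import re
from typing import Optional, Sequence

# An LDAP attribute type is a descriptor (e.g. CN, OU, DC) or a dotted OID.
ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)$")


def split_dn(dn: str) -> list:
    """Split a string DN into its RDN strings on unescaped commas (RFC 4514).
    A backslash escapes the next character, so 'CN=Smith\\, John,DC=x' is two
    RDNs, not three. Whitespace around each RDN (legacy 'OU=a, DC=b') is dropped."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def unescape_value(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',', '\\\\' -> '\\', '\\2C' -> ','."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def leaf_value(value: str) -> str:
    """If value is a DN, return the unescaped value of its leaf (leftmost) RDN,
    which is what the guide calls the profile; otherwise return value unchanged."""
    first = split_dn(value)[0]
    typ, sep, val = first.partition("=")
    if sep and ATTR_TYPE.match(typ.strip()):
        return unescape_value(val.strip())
    return value


def select_prototype(attr_values: Sequence[str], prototypes: Sequence[str],
                     default_enabled: bool = True,
                     default_name: str = "Default Prototype") -> Optional[str]:
    """Pick the prototype for a user. Per the guide, the lowest-index value of a
    multi-valued attribute wins outright; if it does not name an existing
    prototype the Default Prototype is used, or nothing when that is disabled.
    Matching on the prototype slot name is assumed to be exact and case-sensitive."""
    if attr_values:
        candidate = leaf_value(attr_values[0])
        if candidate in prototypes:
            return candidate
    return default_name if default_enabled else None


PROTOTYPES = ["Engineering", "Operators", "Default Prototype"]  # constructed

if __name__ == "__main__":
    # Constructed memberOf values. The directory, not the client, decides their order.
    jane = ["CN=Engineering,OU=Groups,DC=example,DC=com",
            "CN=Domain Users,CN=Users,DC=example,DC=com"]
    john = list(reversed(jane))                     # same groups, other order
    print(select_prototype(jane, PROTOTYPES))       # Engineering
    print(select_prototype(john, PROTOTYPES))       # Default Prototype
    print(select_prototype(john, PROTOTYPES, False))  # None: no prototype assigned
```

LDAP treats a multi-valued attribute as a set with no defined order, so under the "lowest index wins" rule the prototype chosen for a user in several groups depends on the order the directory happens to return them; the second call above shows a member of Engineering landing on the Default Prototype for exactly that reason. When the mapping must be deterministic, point Attr Prototype at a single-valued attribute, or keep each user in only one group whose name matches a prototype.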

ActiveDirectoryUserService

The ActiveDirectoryUserService is a service component in the NiagaraAX architecture. It looks and behaves nearly identically to the default user service. It can have both local and remote LDAP users. The differences are:
1. The LdapUserManager view has a column that identifies local versus LDAP users.
2. The ActiveDirectoryUserService has a child object named ActiveDirectoryConfig.
3. The ActiveDirectoryUserService has a child called "User Prototypes." Descendants of this object are prototypical users that LDAP users can map to.

Although the ActiveDirectoryUserService is specialized for Windows Active Directory, it is still a valid LDAP client and could be used with any LDAP server. The primary advantage of the ActiveDirectoryUserService is that it uses the interactive user as the connection user.

ActiveDirectoryConfig

ActiveDirectoryConfig is an LDAP Version 2 extension to the ActiveDirectoryUserService and is specialized for Windows Active Directory. It must be a child of the service, but its slot name does not matter. The following properties have special importance:

Connection Url
URL to the LDAP server. If the port is not the default LDAP port of 389, it must be explicit (e.g. ldap://host.com:123). The scheme of the URL must always be 'ldap', even if SSL is being used; 'ldaps' is not supported.

Domain
The value of this property is combined with the user's login name when authenticating against the server. For example, given a configuration where the domain is example.com and User Login Attr is sAMAccountName, the ActiveDirectoryUserService would attempt to authenticate janedoe as janedoe@example.com.

SSL
The CryptoService must be installed to use LDAP over SSL. The Connection Url must point to a secure LDAP port; the common secure LDAP port is 636. Do not use the ldaps scheme.

User Login Attr
This is the LDAP attribute whose value must match a user's login name. On Active Directory this would probably be "sAMAccountName".

User Base
The sub-tree of the LDAP server where users who can log in will be found. At the very least, the value of this property must contain the domain components of the server's domain. For example: "DC=example, DC=com"

Attr Email
This is the LDAP attribute whose value is the user's email address.

Attr Full Name
This is the LDAP attribute whose value is the user's full name.

Attr Language
This is the LDAP attribute whose value is the user's ISO 639 two-letter language code.

Attr Prototype
This is the LDAP attribute whose value maps to a prototype user. If unspecified or it does not map properly, the Default Prototype is used. If the value of this attribute is a distinguished name, the value of the leaf component is extracted as the profile. For example, given the DN "OU=Engineering, DC=example, DC=com", the prototype user would be named "Engineering". If this attribute has multiple values (distinguished or not), the profile with the lowest index (highest on the property sheet) wins.

Cache Expiration
Users are cached for this period of time. If configured for 0, there is no expiration. The cache is only used when the server cannot be reached; if a connection to the server is established, cached users are not used. Because a cached user can still log in while the directory is unreachable, a value of 0 means an account that has since been disabled or removed in the directory remains usable on the station for as long as the server cannot be reached. Choose a finite expiration.
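The cache behaviour described above (the cache is consulted only when the directory is unreachable, a user expires at the earlier of the prototype's expiration and the cached entry's, and 0 means never) is modelled here as an added example. It is not Tridium's code and does not show how NiagaraAX actually stores cached users: the in-memory stand-in directory and the salted PBKDF2 password verifier are this example's own assumptions, chosen so the effect of a zero Cache Expiration on an account that has been disabled in the directory can be seen offline.

```python
"""Offline-cache semantics of Cache Expiration, modelled with a stand-in directory."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Directory:
    """Stand-in for the LDAP server: login -> (password, enabled, prototype)."""
    accounts: Dict[str, Tuple[str, bool, str]]
    reachable: bool = True

    def authenticate(self, login: str, password: str) -> Optional[str]:
        """Prototype name on success, None on refusal; raises when unreachable."""
        if not self.reachable:
            raise ConnectionError("directory unreachable")
        acct = self.accounts.get(login)
        if acct is None:
            return None
        pw, enabled, proto = acct
        return proto if enabled and hmac.compare_digest(pw, password) else None


@dataclass
class CachedUser:
    verifier: bytes     # PBKDF2 of the password (assumed storage form, not Niagara's)
    salt: bytes
    prototype: str
    cached_at: float    # seconds; time base is arbitrary in this model


@dataclass
class LdapUserService:
    directory: Directory
    cache_expiration: float                     # seconds; 0 means never expires
    prototype_expiration: Dict[str, float] = field(default_factory=dict)  # absolute; 0 = none
    cache: Dict[str, CachedUser] = field(default_factory=dict)

    @staticmethod
    def _verifier(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _expires_at(self, user: CachedUser) -> Optional[float]:
        """Earliest of the cached entry's expiration and the prototype's; a 0 on
        either side means that side never expires, None means no expiration at all."""
        candidates = []
        if self.cache_expiration:
            candidates.append(user.cached_at + self.cache_expiration)
        proto_exp = self.prototype_expiration.get(user.prototype, 0)
        if proto_exp:
            candidates.append(proto_exp)
        return min(candidates) if candidates else None

    def login(self, login: str, password: str, now: float) -> Optional[str]:
        """Return the prototype the session gets, or None when login is refused."""
        try:
            proto = self.directory.authenticate(login, password)
        except ConnectionError:
            return self._login_from_cache(login, password, now)
        # Server reachable: the cache is never consulted, but a success refreshes it.
        if proto is None:
            return None
        salt = os.urandom(16)
        self.cache[login] = CachedUser(self._verifier(password, salt), salt, proto, now)
        return proto

    def _login_from_cache(self, login: str, password: str, now: float) -> Optional[str]:
        user = self.cache.get(login)
        if user is None:
            return None
        exp = self._expires_at(user)
        if exp is not None and now >= exp:
            del self.cache[login]
            return None
        ok = hmac.compare_digest(user.verifier, self._verifier(password, user.salt))
        return user.prototype if ok else None


def stale_cache_demo(cache_expiration: float, prototype_expiration: float = 0):
    """Walk the failure mode: janedoe logs in (and is cached), is then disabled in
    the directory, and the directory goes down. Returns the result of each step."""
    d = Directory({"janedoe": ("correct horse", True, "Engineering")})  # constructed
    svc = LdapUserService(d, cache_expiration, {"Engineering": prototype_expiration})
    first = svc.login("janedoe", "correct horse", now=0)        # online: Engineering
    d.accounts["janedoe"] = ("correct horse", False, "Engineering")
    while_up = svc.login("janedoe", "correct horse", now=10)    # online, disabled: None
    d.reachable = False
    soon = svc.login("janedoe", "correct horse", now=20)        # offline: served from cache
    later = svc.login("janedoe", "correct horse", now=100_000)  # depends on expiration
    return first, while_up, soon, later


if __name__ == "__main__":
    print(stale_cache_demo(3600))   # ('Engineering', None, 'Engineering', None)
    print(stale_cache_demo(0))      # ('Engineering', None, 'Engineering', 'Engineering')
```

The second run is the case the Cache Expiration note warns about: with no expiration, the account disabled in the directory keeps working on the station for as long as the directory is down. The prototype's own expiration bounds this independently, which is the "earliest of" rule from the User Prototypes section.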