How to setup an LDAP based authentication

In order to connect Platform to an LDAP server, 3 steps are needed:

  • gathering required connection settings from your client

  • validating the connection settings

  • setting up Platform with the connection settings, according to the needs

Gathering required connection settings from your client

First of all, you have to ask your client to provide the following information:

  • LDAP host name or IP; this host must be reachable from your Platform server, not only in terms of host but also of opened port

  • LDAP host post, typically it is the 389 for a standard LDAP connection, but it could be different if the protocol is not LDAP

  • LDAP protocol: in most of the cases it is LDAP, but it can be LDAPS (secured LDAP); in the latter case, it is likely that the port is not 386

  • Base DN, i.e. a filtering path to use when authenticating a user on LDAP; this information is mandatory and it cannot be empty: your client cannot say it is empty; there is always a base filtering condition, at least composed of the company domain (e.g. "ou=mydeprtment,dc=sinesy,dc=it")

  • the list of attributes to gather for each user; pay attention to the attribute names: they are case sensitive for the LDAP (e.g. ssAMAccountName, displayName, givenName, sn, userPrincipalName)

  • the attribute of a user which identifies univokely a user; there can be more than one attribute which can be used as a unique field, like ssAMAccountName or userPrincipalName; the right choice depends on the user format to digit in the username field on the login screen: if a user is identified in the LDAP with a domain also (e.g. "domain\username" or "username@domain") and you do not want to force the users to type the domain in the login field, you must choose an attribute including the domain as well

  • username+password credentials to synchronize one of all users from the LDAP server

Validating the connection settings

It is very likely that the information provided by your client is wrong somewhere, The best thing is always to check it out, using an LDAP client. You can download JXExplorer, a free LDAP client and use it to test the correct authentication, starting from the connection settings provided by your client. The best thing would be to install JXExplorer in the Platform server.

Typical errors here are:

  • the LDAP is not reachable from Platform: ask you client to open port/host to let Platform to reach it

  • the list of attribute names provided is wrong (e.g. SSAMAccountName instead of ssAMAccountName); use JXExplorer to check out the real names of the attributes: once authenticated in JXExplorer, navigate in the tree until you find a person, then select it and chose the "Tabular data" folder on the right: here you can check out the attribute names and compare them with the wrong ones provided by the client

  • the authentication failed with a 49 errore code; it means "invalid credentials" and it can be due to several reasons:

    • the username is not valid; for example, the right username could be domain\username

    • the password is not valid

    • the user is locked/not active in the LDAP

    • the Base DN is wrong

Once you verified the correct authentication in JXExplorer, you can continue with step 3.

Setting up Platform with the connection settings, according to the needs

The LDAP authentication requires that the user to authenticate has been already registered in Platform tables, in terms of user (PRM01, SUB02/SUB3, PMR08) and roles (PRM06).

Consequently, there are 2 alternative ways to configure Platform with an LDAP:

  • activate users synchronization, so that through a scheduled process (executed every night for example) all users are imported in Platform tables; once a user needs to authenticate to Platform, the authentication process is forwarded to the LDAP and after a successful authentication, the user profile is retrieved from Platform tables, where the user has been already configured.

    • Pros: a Platform administrator can see all users already imported from the sync process and assign the right roles to each user

    • Cons: it is not a suitable choice for LDAP servers containing a large amount of users (more than a few thousands); a Base DN filtering condition would be used in such a case, in order to significantly reduce the amount of users; if this is not possible, use the alternative configuration way reported below

  • execute authentication and create the user in Platform tables just after a successful authentication in the LDAP

Activate users synchronization

The following Global parameters must be defined:

LDAP section

  • port - LDAP port

  • server - LDAP host name

  • account auth format - e.g. {u}domain or {SUB01.EMail} or {PARAM.ALTERNATIVE_USERNAME} if you want use the username in PRM08_USER_PSSPORTS with PARAM_ID='ALTERNATIVE_USERNAME' (customization)

  • Sync: company, site to use when creating records from LDAP - youcompanyid,yoursiteid

  • LDAP synchronization - checked

  • Password to use when connecting to LDAP

  • Username to use when connecting to LDAP

  • Base LDAP path when searching for users - e.g. ou=mydeprtment,dc=sinesy,dc=it

  • (optional) Users LDAP filter - e.g. (objectClass=user)

  • (optional) fields to manage in LDAP users - e.g. sAMAccountName;displayName;;givenName;sn;userPrincipalName

  • (optional) field types to manage in LDAP users - e.g. UserFormatType;;;;;

  • (optional) LDAP attribute for user id - e.g. sAMAccountName

  • Base LDAP path when searching from groups - used only if you want to read roles as well

  • (optional) Groups LDAP filter - used only if you want to read roles as well

  • (optional) fields to manage in LDAP groups - used only if you want to read roles as well

  • (optional) field types to manage in LDAP groups - used only if you want to read roles as well

  • (optional) LDAP attribute for group id - used only if you want to read roles as well

SSO section

  • Authentication: sorted list of auth. systems - LDAP + Default Authentication

  • Fields for 4WS users table - e.g. pk.userCodeId;description;password;SUB01.firstName;SUB01.lastName;SUB01.EMail

SECURITY_SYNC section

  • Sources for sync process - LDAP

  • Destinations for sync process - 4WS

  • Sync users - checked

Execute authentication and auto create the user in Platform

First of all, you have to setup the settings reported in the previous section, but without creating any sync scheduled process: the sync process will be used only to get information about the current authenticated user and create it in Platform tables, if needed.

The following Global parameters must be defined:

  • Autocreate user from LDAP - checked

  • Autoupdate user from LDAP - checked

  • Autoassign current role to new LDAP user - role id to set

PreviousHow to display the data not found message in a gridNextHow to synchronize data from Datastore to BigQuery

Last updated