
LDAP Connection Setup

AE provides a client that authenticates login data via LDAP against Microsoft Active Directory or, as of version 11, Oracle Directory Server. The client is part of the Automation Engine. If the LDAP connection is activated in a User object, that user is not authenticated by the Automation Engine itself but by the directory server.

As of version 11, LDAP data can also be synchronized over SSL (LDAPS).

By default, the LDAP connection is not active.

An LDAP login via the AE is only possible if the password consists of characters contained in the code table (character set) used by your AE database.

A global setting activates the LDAP connection for an AE system. Whether a user is checked at logon locally in the AE system or via Active Directory or Oracle Directory Server depends on the settings in that user's User object. AE therefore distinguishes between local users and LDAP users.

Below you find the installation and configuration, divided into the general setup and the installation steps required for Active Directory or Oracle Directory Server respectively.

General

Importing and Installing SSL Certificates

In order to use Active Directory or Oracle Directory Server with LDAP over SSL, a JWP (Java-based Work Process) must be available. Details on installing the JWP and importing the necessary certificates are given in the JWP Installation section.

  1. Import the certificates, as described in the JWP Installation section.
  2. Create an LDAP Connection Variable with the following settings:

    VERSION = 2
    TLS = Y
    USE_DISTINGUISHED_NAME = Y
    SERVER = <hostname>:<sslport>

    The default port for SSL is 636.
     
  3. Open the User object, set the distinguished name for the user and activate the "LDAP connection" checkbox.

Finally, activate the LDAP connection for your AE system via the global setting.

LDAP Synchronization with Technical User Credentials

As of version 11, you can define an additional LDAP technical user whose credentials are used for LDAP synchronization when the currently logged-on user does not have the permissions to perform it.

Automic recommends this method over relying on the individual user's own credentials: in the latter case a user who has not yet been synchronized lacks the necessary credentials and is forced to log off and log on again before data synchronization works. No log off and log on is required if the technical user's credentials are used.

Create the technical user with a Login object. Follow these steps:

  1. Create a Login object that holds the technical user's LDAP credentials.
  2. Enter the name of this Login object in the key SYNC_LOGIN of your UC_LDAP_Domain variable (see the procedures below).

This Login object's credentials are then used instead of the current user's credentials for synchronizing the LDAP information.

If the key SYNC_LOGIN is not specified in the variable or the Login object does not exist, the credentials of the current user apply. Check that the key refers to an existing Login object.
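The settings above are entered in the AE UserInterface, but a practitioner usually wants to review a UC_LDAP_Domain variable before switching LDAP logins on. The following added example (it is not code from the Automic documentation) parses the KEY = VALUE lines of such a variable, as shown for the SSL setup in the "General" section, and reports the settings a security reviewer would object to: TLS = N, a SERVER without an explicit port, TLS = Y without VERSION = 2, and a SYNC_LOGIN that names a Login object which does not exist, in which case AE falls back to the current user's credentials. The sample variables, the Login object name LOGIN.LDAP_SYNC and the function names are constructed for this example.

```python
"""Review a UC_LDAP_<Domain> connection variable before enabling LDAP logins.

Added example, not part of the Automic documentation. The key names VERSION,
TLS, USE_DISTINGUISHED_NAME, SERVER and SYNC_LOGIN are the ones shown in the
guide; the sample variables and the Login object name are constructed.
"""

LDAPS_DEFAULT_PORT = 636


def parse_variable(text):
    """Parse 'KEY = VALUE' lines into a dict. Blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a KEY = VALUE line: {line!r}")
        settings[key.strip().upper()] = value.strip()
    return settings


def check_ldap_variable(settings, login_objects):
    """Return a list of findings; an empty list means the variable passed review.

    login_objects: names of the Login objects that exist in the client. If
    SYNC_LOGIN names an object that is not among them, AE uses the current
    user's credentials instead, which defeats the technical-user setup.
    """
    findings = []
    tls = settings.get("TLS", "N").upper() == "Y"
    server = settings.get("SERVER", "")
    _host, sep, port = server.rpartition(":")

    if not server:
        findings.append("SERVER is missing")
    elif not sep or not port.isdigit():
        findings.append(f"SERVER {server!r} has no numeric port; use <hostname>:<sslport>")
        port = None

    if not tls:
        findings.append("TLS = N: bind credentials and user passwords cross the network in clear text")
    else:
        if settings.get("VERSION") != "2":
            findings.append("TLS = Y requires VERSION = 2")
        if port is not None and int(port) != LDAPS_DEFAULT_PORT:
            findings.append(f"TLS = Y on port {port}: confirm the server offers LDAPS there (default {LDAPS_DEFAULT_PORT})")

    if settings.get("USE_DISTINGUISHED_NAME", "N").upper() != "Y":
        findings.append("USE_DISTINGUISHED_NAME = N: User object names must match the directory account names")

    sync_login = settings.get("SYNC_LOGIN")
    if sync_login is None:
        findings.append("SYNC_LOGIN not set: synchronization runs with the logged-on user's own credentials")
    elif sync_login not in login_objects:
        findings.append(f"SYNC_LOGIN names Login object {sync_login!r}, which does not exist; AE falls back to the current user's credentials")
    return findings


# Constructed sample variables (not taken from a real installation).
INSECURE_VARIABLE = """
VERSION = 1
TLS = N
SERVER = ldap.example.com
SYNC_LOGIN = LOGIN.LDAP_SYNC
"""

HARDENED_VARIABLE = """
VERSION = 2
TLS = Y
USE_DISTINGUISHED_NAME = Y
SERVER = ldap.example.com:636
SYNC_LOGIN = LOGIN.LDAP_SYNC
"""

if __name__ == "__main__":
    existing_logins = {"LOGIN.LDAP_SYNC"}  # assumed to exist in client 0000
    for name, text in (("insecure", INSECURE_VARIABLE), ("hardened", HARDENED_VARIABLE)):
        findings = check_ldap_variable(parse_variable(text), existing_logins)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run it against the text of your own variable (copied from the UserInterface) and the names of the Login objects present in client 0000; the hardened sample yields no findings, the insecure one reports the missing port, the clear-text bind and the unset USE_DISTINGUISHED_NAME.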

Procedure Active Directory

Specify the connection data:

  1. Log on to system client 0000.
  2. Switch to the folder "DIV_VARIABLES" and duplicate the variable UC_LDAP_EXAMPLE.  
  3. Name the copy "UC_LDAP_Domain". If the domain name is "SMITH", the variable would be called "UC_LDAP_SMITH".
  4. Open the variable and enter your connection data.
  5. Store and close the variable.

Setting up the LDAP connection in User objects:

  1. If the distinguished name (DN) is not used, the User object must have the same name as the user in Active Directory. The name is composed of the user name and the domain. For example, if Mr. Smith uses the domain "AE", he requires the User object "SMITH/AE". Create a new User object for yourself or rename your existing one.
  2. Open the User object and switch to the User tab.
  3. Activate the checkbox "LDAP connection". The input fields "First name", "Last name" and "Email1" are locked, because their contents are filled from the LDAP data in Active Directory or on the Oracle Directory Server when the synchronization is started.
  4. You can test this using the button "Synchronize data with LDAP now". Note, however, that the synchronization only works if the operating user (the user who triggers it) has already been synchronized via the LDAP connection, which requires closing the UserInterface and logging on again.

     Information stored in the User object is only updated while logging on or when using the button "Synchronize data with LDAP now". There is no automatic synchronization.

    Logging off and on again to synchronize data is not required if the technical user credentials solution in the special Login object (registered via the key SYNC_LOGIN in the UC_LDAP_Domain variable) is used, as described above in the "General" section.

    The person who synchronizes the data of a User object with LDAP would also have to be an LDAP user, if the Login object solution and technical user described above is not used.

    Active Directory does not fill the second e-mail address (Email2); you can use this field as required.

  5. Store and close the User object.
  6. Repeat all steps for additional users.

Procedure Oracle Directory Server

Specify the connection data:

  1. Log on to system client 0000.
  2. Switch to the folder "DIV_VARIABLES" and duplicate the variable UC_LDAP_EXAMPLE.
  3. User object names are composed of the name and the department (the department to which the Automation Engine user belongs). Rename the copy of the variable to "UC_LDAP_department". A separate variable is required for each department. This method requires the domain to be specified in the key DOMAIN_ALIAS.
  4. Open the variable and enter your connection data.
  5. Store and close the variable.

Setting up the LDAP connection in User objects:

  1. The User object's name must correspond to the user's distinguished name: the data synchronization only works if the User object's name is identical to the "uid" in the DN. Example: for uid=nga, ou=people, dc=example,dc=com the User object must be named NGA/DEPARTMENT. Create a new User object for yourself or rename your existing one.
  2. Open the User object and switch to the User tab.
  3. Activate the checkbox "LDAP connection". The input fields "First name", "Last name", "Email1" and "Email2" are locked, because their contents are filled from the LDAP data on the Oracle Directory Server when the synchronization is started.
  4. You can test this using the button "Synchronize data with LDAP now". Note, however, that the synchronization only works if the operating user (the user who triggers it) has already been synchronized via the LDAP connection, which requires closing the UserInterface and logging on again.

     Information stored in the User object is only updated while logging on or when using the button "Synchronize data with LDAP now". There is no automatic synchronization.

    Logging off and on again to synchronize data is not required if the technical user credentials solution in the special Login object (registered via the key SYNC_LOGIN in the UC_LDAP_department variable) is used, as described above in the "General" section.

    The person who synchronizes the data of a User object with LDAP would also have to be an LDAP user, if the Login object solution and technical user described above are not used.

  5. Store and close the User object.
  6. Repeat all steps for additional users.
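Both procedures above depend on the User object name matching the directory identity: SMITH/AE for an Active Directory account without distinguished names, NGA/DEPARTMENT for an Oracle Directory Server entry whose DN contains uid=nga. The following added example (not code from the Automic documentation) derives the expected User object name from the directory data and checks an existing object name against a DN, so that a mismatch is caught before a user is told to log off and on again. It assumes the comparison is case-insensitive, since the guide maps uid=nga to NGA, and its DN parser handles backslash-escaped commas but not multi-valued RDNs; the function names, account, domain and department values are mine, the sample DN is the one from this guide.

```python
"""Derive and check the User object name that LDAP synchronization expects.

Added example, not code from the Automic documentation. Naming rules follow
the guide: Active Directory without distinguished names -> "<account>/<domain>"
(SMITH/AE); Oracle Directory Server -> "<uid>/<department>" (NGA/DEPARTMENT),
where uid is read from the user's DN. Assumptions: the comparison is
case-insensitive (the guide maps uid=nga to NGA), and the DN parser handles
backslash-escaped commas but not multi-valued RDNs joined with '+'.
"""
import re

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return the DN as a list of (attribute, value) pairs, attributes lower-cased."""
    pairs = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        rdn = rdn.strip()
        if not rdn:
            raise ValueError(f"empty RDN in {dn!r}")
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"RDN without attribute=value: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def dn_uid(dn):
    """The single uid value of a DN; raises if there is none or more than one."""
    uids = [value for attr, value in parse_dn(dn) if attr == "uid"]
    if len(uids) != 1:
        raise ValueError(f"expected exactly one uid in {dn!r}, found {len(uids)}")
    return uids[0]


def user_object_name_ad(account, domain):
    """Active Directory without USE_DISTINGUISHED_NAME: account 'Smith' in domain 'AE' -> 'SMITH/AE'."""
    if not account or not domain or "/" in account or "/" in domain:
        raise ValueError("account and domain are required and must not contain '/'")
    return f"{account.upper()}/{domain.upper()}"


def user_object_name_ods(dn, department):
    """Oracle Directory Server: uid from the DN plus the department -> 'NGA/DEPARTMENT'."""
    if not department or "/" in department:
        raise ValueError("department is required and must not contain '/'")
    return f"{dn_uid(dn).upper()}/{department.upper()}"


def name_matches_dn(object_name, dn):
    """True if the name part of an existing User object equals the DN's uid,
    the condition under which the guide says synchronization works."""
    name, sep, _department = object_name.partition("/")
    if not sep:
        raise ValueError(f"User object name must be NAME/DEPARTMENT, got {object_name!r}")
    return name.upper() == dn_uid(dn).upper()


# Sample DN from the guide; the account, domain and department are constructed.
SAMPLE_DN = "uid=nga, ou=people, dc=example,dc=com"

if __name__ == "__main__":
    print(user_object_name_ad("Smith", "AE"))              # SMITH/AE
    print(user_object_name_ods(SAMPLE_DN, "department"))   # NGA/DEPARTMENT
    print(name_matches_dn("NGA/DEPARTMENT", SAMPLE_DN))    # True
    print(name_matches_dn("SMITH/DEPARTMENT", SAMPLE_DN))  # False
```

Feed it the DN or account data exported from the directory and the names of the User objects you are about to switch to LDAP; every object for which name_matches_dn returns False will fail to synchronize and should be renamed before the "LDAP connection" checkbox is activated.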

Comments

The System Overview shows for each user whether or not the LDAP connection is active. You can activate or deactivate it for individual users via the corresponding context menu command.

The checkbox "LDAP connection" is automatically deactivated, if User objects are exported, transported or duplicated.

External password checks implemented via the AE Program Exit are called before the LDAP check.

User data is stored in the object during the synchronization process with the LDAP server directory.

See also:

User
UC_LDAP_EXAMPLE