LDAP Connection Setup

The LDAP connection is not active by default. You can see this for each user in the Administration perspective. Activate or deactivate it for individual users via the corresponding context menu command. A global setting activates the LDAP connection for a complete AE system.

Note: An LDAP login via the AE is only possible if the password includes characters of the code table you use in your respective database.

This page includes the following:

Prerequisites

To use an Active Directory or Oracle Directory Server with LDAP over TLS/SSL, you have to us the Java work process (JWP). You also have to import the certificates that the JWP requires.

When you install your system manually, you have to make sure the JWP has been installed and the relevant certificates imported. For more information, see Installing the JWP.

In the Automic Automation Kubernetes Edition, the JWP is deployed as part of the offering and installed by the Install Operator. You can import the relevant certificates before the installation by creating a Kubernetes secret using a kubectl command. For more information, see Setting Up LDAP for Automic Automation Kubernetes Edition.

Configuring the LDAP Connection

Follow these instructions to configure the connection:

  1. Create an LDAP Connection Variable using the following settings:

    VERSION = 2
    TLS = Y 
    USE_DISTINGUISHED_NAME = Y
    SERVER = <hostname>:<tlsport> 

    The default port for TLS/SSL is 636.

    Note: Instead of using the standard user search with the USE_DISTINGUISHED_NAME key, you can define the SEARCH_FILTER key. For more information, see UC_LDAP_EXAMPLE - LDAP Connection Variable.

  2. Open the relevant User object:

    1. Set the distinguished name for the user.
    2. Activate the LDAP connection checkbox.

Activating the LDAP Connection for your AE System

Open the UC_SYSTEM_SETTINGS variable and set the LDAP key to Y. This global setting allows you to switch the LDAP connection on and off from one central point. For more information, see LDAP

Synchronizing LDAP using Technical User Credentials

You can have an additional LDAP technical user, which can perform an LDAP synchronization.

Tip: You must use an LDAP technical user to synchronize data from the User tab. Otherwise, the User has to log off the system and log in again to enable the data synchronization. This is not the case when using the credentials of a technical user.

If the SYNC_LOGIN key is not specified in the UC_LDAP_XXX variable (see UC_LDAP_EXAMPLE - LDAP Connection Variable), or the Login object does not exist, the user information is updated when they log out and back in.

Creating a Technical User Using a Login Object

To create a technical user using a Login object do the following:

  1. Create a Login object in Client 0 that includes the specific credentials for connecting to the LDAP server. It should have only one row that includes the following information:

    1. Set Agent/Name to *

    2. Set Type to LDAP

    3. In Username/ID, enter the name or distinguished name of the user to use when communicating with the LDAP server.

    4. Supply the user’s password in the Password field.

  2. Register this Login object in the already existing UC_LDAP_Domain variable by using the SYNC_LOGIN key, see UC_LDAP_EXAMPLE - LDAP Connection Variable.

  3. Test whether the SYNC_LOGIN setting and the specified Login object are configured correctly. To do so:

    1. Log into AWI using a non-LDAP user.

    2. Open or create a USER object that corresponds to an LDAP user.

    3. Make sure that the LDAP connection option is enabled.

    4. Click Synchronize data with LDAP now.

    5. If everything is set up correctly, the Distinguished name of the user will automatically be retrieved from the LDAP server.

If the SYNC_LOGIN key is not specified in the variable, or the Login object does not exist, the credentials of the current user apply.

Specifying the Connection Data

To specify the connection, do the following:

  1. Log on to system Client 0.

  2. Switch to the DIV_VARIABLES folder and duplicate the UC_LDAP_EXAMPLE variable.

  3. Rename the duplicate:

    • Active Directory:

      Rename the copy to UC_LDAP_Domain. For example, if the domain name is SMITH, the variable should be called UC_LDAP_SMITH.

    • Oracle Directory Server:

      User object names are composed of name and department. Rename the copy to UC_LDAP_department. An extra variable is required for each department. Using this method requires the domain to be specified in the DOMAIN_ALIAS key, see UC_LDAP_EXAMPLE - LDAP Connection Variable.

  4. Open the variable and enter your connection data.

  5. Save and close the variable.

Setting up the LDAP Connection in User Objects

To set up the LDAP connection in the User object, do the following:

  1. Create a User object or rename an existing one and define the name of the User object.

    • Active Directory: The User object must have the same name as the user in the Active Directory, in case the distinguished name (DN) is not used. The name is composed of the user name and the domain. For example, SMITH/AE.

    • Oracle Directory Server: The User object must have the same name as the user's distinguished name. The synchronization of data only works if the uid and the name of the User object are identical. For example, uid=nga, ou=people, dc=example, dc=com, thus the name of the User object must be NGA/DEPARTMENT.

  2. Open the User object, see Users (USER).

  3. Activate the LDAP connection checkbox. The input fields First name, Last name, Email1, and Email2 are locked. Their contents are filled with LDAP data from the respective server, when the synchronization is started.

    Note: The Active Directory does not use the second email address. It can be used if required.

  4. You can test if using the button Synchronize data with LDAP now. The synchronization process only works if the operating user has already been synchronized via the LDAP connection. This requires closing the Automic Web Interface and logging on again.

    Information stored in the User object is only updated while logging on or when using the button Synchronize data with LDAP now. There is no automatic synchronization.

    Important! You do not have to log off and on again to synchronize data if you use the credentials of a technical user, see Synchronizing LDAP using Technical User Credentials. If you do not use the credentials of a technical user, the user that synchronizes the data of a User object with LDAP must be an LDAP user.

  5. Save and close the User object.

  6. Repeat all steps for additional users.

Notes:

  • External password checks made via the AE Program Exit are called prior to the LDAP connection.

  • User data is stored in the object during the synchronization process with the LDAP server directory.

See also: