LDAP Connection Setup
AE provides a client which authenticates login data using LDAP via Microsoft Active Directory or Oracle Directory Server. The client is part of the AE. When logging on, users are not authenticated in AE but in Active Directory if the LDAP connection is active in the User object. You can synchronize LDAP data via SSL.
By default, the LDAP connection is not active. You can see this for each user in the Administration perspective. Activate or deactivate it for individual users via the corresponding context menu command. A global setting activates the LDAP connection for a complete AE system.
An LDAP login via the AE is only possible if the password contains only characters that exist in the code table used by your database.
Import and Install SSL Certificates
To use an Active Directory or Oracle Directory Server with LDAP over SSL, a Java-based work process (JWP) is required. For details on the installation and import of the necessary certificates, see Installing the JWP.
- Import the certificates, as described in the JWP Installation section.
- Create an LDAP Connection Variable with the following settings:
  VERSION = 2
  TLS = Y
  USE_DISTINGUISHED_NAME = Y
  SERVER = <hostname>:<sslport>
  The default port for SSL is 636. For more information, see UC_LDAP_EXAMPLE - LDAP Connection Variable.
- Open the User object, set the distinguished name for the user and activate the "LDAP connection" checkbox.
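As an added example (not Automic's own code or tooling), the following Python script parses the KEY = VALUE settings shown above and reports the deviations worth catching before the connection is activated: TLS switched off (credentials would travel to the directory server unencrypted), a port that does not fit the TLS setting, or a missing VERSION or USE_DISTINGUISHED_NAME entry. The key names are the ones the page uses; the hostname ldap.example.com, the sample variables and the check rules are this example's own assumptions.

```python
"""Sanity checks for an AE LDAP connection variable (UC_LDAP_<Domain>).

Added example, not part of the Automic documentation or product. It parses
the KEY = VALUE lines the page shows for an LDAP-over-SSL setup and reports
settings that would weaken or break the connection.
"""
from __future__ import annotations

SSL_DEFAULT_PORT = 636  # default port for SSL, as stated on the page


def parse_variable(text: str) -> dict[str, str]:
    """Parse 'KEY = VALUE' lines into a dict; blank lines and '#' comments are skipped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a KEY = VALUE line: {line!r}")
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def parse_server(server: str) -> tuple[str, int | None]:
    """Split '<hostname>:<port>' into (hostname, port); port is None when absent."""
    host, sep, port = server.rpartition(":")
    if not sep:
        return server, None
    if not port.isdigit():
        raise ValueError(f"port is not numeric in SERVER={server!r}")
    return host, int(port)


def check_ldap_settings(settings: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the documented SSL setup is met."""
    findings: list[str] = []
    if settings.get("VERSION") != "2":
        findings.append("VERSION must be 2 for the documented LDAP-over-SSL setup")
    tls = settings.get("TLS", "").upper()
    if tls != "Y":
        findings.append("TLS is not Y: credentials would be sent to the directory server unencrypted")
    if settings.get("USE_DISTINGUISHED_NAME", "").upper() != "Y":
        findings.append("USE_DISTINGUISHED_NAME is not Y: differs from the documented SSL setup")
    server = settings.get("SERVER")
    if not server:
        findings.append("SERVER is missing; expected <hostname>:<sslport>")
    else:
        _host, port = parse_server(server)
        if port is None:
            findings.append("SERVER has no port; the default port for SSL is 636")
        elif tls == "Y" and port != SSL_DEFAULT_PORT:
            findings.append(f"TLS=Y but port {port} is not the SSL default 636; confirm the server expects SSL there")
        elif tls != "Y" and port == SSL_DEFAULT_PORT:
            findings.append("port 636 is the SSL port but TLS is not Y; the client would speak plain LDAP to an SSL port")
    return findings


# Constructed sample variables (hostname is an assumption, not from the page).
DOCUMENTED_SSL_SETUP = """
VERSION = 2
TLS = Y
USE_DISTINGUISHED_NAME = Y
SERVER = ldap.example.com:636
"""

WEAK_SETUP = """
VERSION = 2
TLS = N
USE_DISTINGUISHED_NAME = Y
SERVER = ldap.example.com:389
"""

if __name__ == "__main__":
    for label, text in (("documented", DOCUMENTED_SSL_SETUP), ("weak", WEAK_SETUP)):
        print(label, check_ldap_settings(parse_variable(text)) or ["OK"])
```

Run it on the contents of your own UC_LDAP_Domain variable; a clean result only confirms the four settings above, not that the imported certificate chain is trusted by the JWP.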
Activate the LDAP Connection for your AE System
Open the variable UC_SYSTEM_SETTINGS and enter the value "Y" in the key "LDAP". This global setting can be used to switch the LDAP connection on and off from one central point.
Synchronize LDAP with Technical User Credentials
You can configure an additional LDAP technical user that performs the LDAP synchronization in case the current user does not have the permissions to do so.
Tip: We recommend this method over the individual User objects solution, since in the latter case a user who does not have the necessary credentials would be forced to log off the system and log on again to enable the data synchronization.
Logging off and on again is not required if the technical user credentials solution is used.
To Create a Technical User Using a Login Object
- Create a Login object in client 0 that includes the specific credentials for connecting to the LDAP server. It should have only one row that includes the following information:
- Set Name to *
- Set Type to LDAP
- In Login info, enter the name or distinguished name of the user to use when communicating with the LDAP server.
- Supply the user’s password in the Password field.
- Register this Login object in the already existing UC_LDAP_Domain variable by using the key SYNC_LOGIN, see UC_LDAP_EXAMPLE - LDAP Connection Variable.
- To test whether the SYNC_LOGIN setting and the specified Login object are configured correctly, do the following:
- Log on to the AWI by using a non-LDAP user.
- Open or create a USER object that corresponds to an LDAP user.
- Make sure that the LDAP connection option is enabled.
- Click Synchronize data with LDAP now.
- If everything is set up correctly, the Distinguished name of the user will automatically be retrieved from the LDAP server.
If the key SYNC_LOGIN is not specified in the variable, or the Login object does not exist, the credentials of the current user apply.
Procedure Active Directory
To Specify the Connection Data
- Log on to system client 0000.
- Switch to the folder "DIV_VARIABLES" and duplicate the variable UC_LDAP_EXAMPLE.
- Name the copy "UC_LDAP_Domain". If the domain name is "SMITH", the variable would be called "UC_LDAP_SMITH".
- Open the variable and enter your connection data. For more information, see UC_LDAP_EXAMPLE - LDAP Connection Variable.
- Store and close the variable.
To Set up the LDAP Connection in User Objects
- If the distinguished name (DN) is not used, the User object must have the same name as the user in the Active Directory. The name is composed of the user name and the domain. For example, Mr. Smith uses the domain "AE"; he requires the User object "SMITH/AE". Create a new User object for yourself or rename your existing one.
- Open the User object. See Users (USER).
- Activate the checkbox "LDAP connection". The input fields "First name", "Last name" and "Email1" are locked, as their contents should be filled by the LDAP data in the Active Directory or on the Oracle Directory Server. The locked fields are filled with data from the respective server, when the synchronization is started.
- Test this by using the button Synchronize data with LDAP now. The synchronization process only works if the operating user has already been synchronized via the LDAP connection. This requires closing the Automic Web Interface and logging on again.
- Store and close the User object.
- Repeat all steps for additional users.
Information stored in the User object is only updated while logging on or when using the button Synchronize data with LDAP now. There is no automatic synchronization.
Logging off and on again to synchronize data is not required if the technical user credentials solution in the special Login object (register via SYNC_LOGIN in UC_LDAP_Domain variable) is used, as described above in the "General" section.
Important! The person who synchronizes the data of a User object with LDAP would also have to be an LDAP user, if the Login object solution and technical user described above are not used.
The Active Directory does not use the second email address. It can be used if required.
Procedure Oracle Directory Server
To Specify the Connection Data
- Log on to system client 0000.
- Switch to the folder "DIV_VARIABLES" and duplicate the variable UC_LDAP_EXAMPLE.
- User object names are composed of name and department. The copy of the variable can be renamed to "UC_LDAP_department". An extra variable is required for each department. Using this method requires the domain to be specified in the key DOMAIN_ALIAS.
- Open the variable and enter your connection data. For more information, see UC_LDAP_EXAMPLE - LDAP Connection Variable.
- Store and close the variable.
To Set up the LDAP Connection in User Objects
- The User object must have the same name as the user's distinguished name. Create a new User object for yourself or rename your existing one.
- Open the User object. See Users (USER).
- Activate the checkbox "LDAP connection". The input fields "First name", "Last name", "Email1" and "Email2" are locked, as their contents should be filled by the LDAP data in the respective server directory. The locked fields are filled with data from the Oracle Directory Server, when the synchronization is started.
- You can test this using the button Synchronize data with LDAP now. The synchronization process only works if the operating user has already been synchronized via the LDAP connection. This requires closing the Automic Web Interface and logging on again.
- Store and close the User object.
- Repeat all steps for additional users.
The synchronization of data only works if the "uid" and the User object's name are identical. Example: uid=nga, ou=people, dc=example,dc=com. Thus the User object would have to be named NGA/DEPARTMENT.
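The naming rules for both directories (the user name plus domain for Active Directory, and the uid plus department for Oracle Directory Server, as stated above) are easy to get wrong when User objects are created by hand. As an added example, not Automic's own code, the following Python script parses a distinguished name, derives the User object name the synchronization expects, and lists the User objects whose names would not match. The DN parsing, the upper-casing of the result and the sample entries are this example's own assumptions.

```python
"""Derive the User object name that an LDAP synchronization expects.

Added example, not part of the Automic documentation or product. The page
states that for Oracle Directory Server the User object name must equal the
entry's uid followed by the department (uid=nga,... -> NGA/DEPARTMENT) and
for Active Directory the user name followed by the domain (SMITH/AE). The
upper-casing of the result is an assumption taken from those two examples.
"""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a distinguished name into (attribute, value) pairs.

    Handles backslash-escaped commas and equals signs in values (RFC 4514
    style). Multi-valued RDNs joined with '+' are not needed here and are
    not handled.
    """
    rdns: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs: list[tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)  # attribute names never contain '='
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def uid_from_dn(dn: str) -> str:
    """Return the value of the first uid component of the DN."""
    for attr, value in parse_dn(dn):
        if attr == "uid":
            return value
    raise ValueError(f"DN has no uid component: {dn!r}")


def oracle_user_object_name(dn: str, department: str) -> str:
    """uid=nga,ou=people,dc=example,dc=com plus 'department' -> 'NGA/DEPARTMENT'."""
    return f"{uid_from_dn(dn).upper()}/{department.upper()}"


def ad_user_object_name(user_name: str, domain: str) -> str:
    """Active Directory naming without DN: user name plus domain, e.g. SMITH/AE."""
    return f"{user_name.upper()}/{domain.upper()}"


def sync_would_match(user_object_name: str, dn: str, department: str) -> bool:
    """True when the User object name equals the uid-derived name (case-insensitive)."""
    return user_object_name.upper() == oracle_user_object_name(dn, department)


def find_mismatches(entries: list[tuple[str, str]], department: str) -> list[tuple[str, str]]:
    """Return (user_object_name, expected_name) for every entry that would not synchronize."""
    result = []
    for user_object_name, dn in entries:
        expected = oracle_user_object_name(dn, department)
        if user_object_name.upper() != expected:
            result.append((user_object_name, expected))
    return result


# Constructed sample pairs of User object name and directory entry (not from the page).
SAMPLE_ENTRIES = [
    ("NGA/DEPARTMENT", "uid=nga, ou=people, dc=example,dc=com"),
    ("JSMITH/DEPARTMENT", "uid=jsmith2,ou=people,dc=example,dc=com"),  # uid differs: no sync
]

if __name__ == "__main__":
    print(ad_user_object_name("Smith", "AE"))
    for name, expected in find_mismatches(SAMPLE_ENTRIES, "department"):
        print(f"{name}: expected {expected}")
```

Feed the script the User object names and the DNs retrieved from the directory to spot objects that will silently stay unsynchronized.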
Information stored in the User object is only updated while logging on or when using the button Synchronize data with LDAP now. There is no automatic synchronization.
Logging off and in again to synchronize data is not required if the technical user credentials solution in the special Login object (register via SYNC_LOGIN in UC_LDAP_Domain variable) is used, as described above in the "General" section.
Important! The person who synchronizes the data of a User object with LDAP would also have to be an LDAP user, if the Login object solution and technical user described above are not used.
Notes:
- External password checks made via the AE Program Exit are called prior to the LDAP connection. For more information, see Password Exit.
- User data is stored in the object during the synchronization process with the LDAP server directory.