UC_LDAP_EXAMPLE - LDAP Connection Variable

This variable contains the specifications for the LDAP connection. It is supplied in client 0000 and its settings apply globally for the whole AE system It contains all specifications for the connection to the Active Directory or Oracle Directory Server. You may synchronize LDAP data via SSL.

The folder DIV_VARIABLES contains the UC_LDAP_EXAMPLE variable which can be used as a template. Duplicate this variable. There are two methods for configuring the connection to your LDAP server (Active Directory or Oracle Directory Server):

• Method A, rather used for Active Directory: Name the copy "UC_LDAP_domain". If the domain name is "SMITH", the variable name must be "UC_LDAP_SMITH".
• Method B, rather used for Oracle Directory Server: User object names are composed of name and department. The copy of the variable can be renamed to "UC_LDAP_department". Each department requires a separate variable. Using this method requires the domain to be specified in the DOMAIN_ALIAS key.
  You would use Method B when the domain name (or fully qualified domain name) does not meet the object naming conventions.
  For domain alias, we recommend using the fully qualified domain name.

By default, the domain indicated in the name of the variable is used. You can also specify the alias in the DOMAIN_ALIAS key which is then used instead of the domain name.

German umlauts cannot be used in domain names.

• AUTHENTICATION_METHOD

  Depending on the LDAP Server configuration, authentication requires realm data or the domain name.

  Allowed values: 0, 1 (default) and 2

  • 0

    Authentication first uses the realm data of the LDAP Server. A second attempt to log on is made with the domain name if the first attempt fails. The LDAP connection remembers the successful login method and uses this one first for future logins. Each attempt to authenticate is regarded as a login attempt. Whether an attempt to log on failed because of incorrect user data or due to a wrong login type is irrelevant. Thus, entering an incorrect password several times has the effect that a user is locked earlier.

  • 1

    The response to the LDAP Server is sent with the realm data of the LDAP Server. This is the default method which should be accepted by every LDAP Server.

  • 2

    The domain name is used to respond to the LDAP Server.

  Restart required: No

• DOMAIN_ALIAS

  Domain alias or domain name if the department has been specified in the name of the variable.

  Restart required: No

• SERVER

  Name and port number of the LDAP Server

  Format:

  Server name:Port number

  Separate several LDAP Servers with a semicolon. The Automation Engine then attempts to establish a connection to the first LDAP Server. If it fails, a second attempt is made with the second LDAP Server.

  Restart required: No

• SYNC_LOGIN (Optional)

  This key specifies the name of a Login object that contains the user credentials the Automation Engine will use when communicating with the LDAP server. AE users who do not have the permission for LDAP synchronization can use a specially created Login object that contains the necessary credentials. For more information, see To Create a Technical User Using a Login Object

  Restart required: No

• USE_DISTINGUISHED_NAME

  Access via DN (distinguished name)

  Allowed values: Y and N (default)

  • Y - The connection to the LDAP system is established via DN.

  • N - DN is not used.

  Important! The password remains unencrypted when using DN.

  This function is dependent on the parameter VERSION (see below). If it is set to "1", the password remains unencrypted. For VERSION = "2", the connection as well as the password will be encrypted, since LDAP over SSL is used.

  The LDAP connection uses the domain name when a user logs on for the first time. By doing so, it retrieves the corresponding Distinguished Name (DN). For all subsequent login attempts it uses the DN because this method is the quicker one. If it fails, the LDAP connection automatically continues using the domain name.

  (Oracle Directory servers) The DN (distinguished name) is always used.

  Restart required: No

• USR_EMAIL1

  LDAP attribute from which the email address should be read. For example, "mail" in the Microsoft Active Directory.

  Restart required: No

• USR_FIRSTNAME

  LDAP attribute from which the first name should be read. For example, "givenName" in the Microsoft Active Directory.

  (Oracle Directory servers) This setting is irrelevant, as attributes there are always "givenName" and "sn".

  Restart required: No

• USR_LASTNAME

  LDAP attribute from which the last name should be read. For example, "sn" in the Microsoft Active Directory.

  (Oracle Directory servers) This setting is irrelevant, as attributes there are always "givenName" and "sn".

  Restart required: No

• VERSION

  Defines if an existing C-Modul or the Java-based work process (JWP) is used to enable LDAP over SSL.

  Allowed values: 1 (default) and 2

  • 1 - uses the C-based LDAP connection, SSL is not possible

  • 2 - uses JWP, LDAP over SSL is possible

  Restart required: No

• TLS

  This parameter is used only if the parameter VERSION is set to 2. If the parameter is set to N, the Java-based work process (JWP) creates a connection to the LDAP server without SSL.

  Allowed values: Y[es] and N[o]

  Restart required: No

* The keys that start with "USR" define the LDAP attributes from which the LDAP connection should read the email address, as well as the first and last name when synchronizing user data. All three information types are stored in the User object.