UVMS LDAP Node Settings

Univiewer Management Server Node settings relate to LDAP integration.

These parameters update is only taken into account when UVMS restarts.

The user must have UVMS administrator rights to update those parameters.

Advanced Settings category:

• User Authentication Type
• Automatic registration for new Users
• Upgrade Group membership at login
• LDAP Synchronization Strategy
• Retrieving groups only

These settings are available in a display mode only. They can only be updated by the running a unisetvar command (as described below). The last parameter can be modified directly from the Univiewer Console.

Logging category:

• LDAP Synchronization Log File, U_LDAP_SYNC_FILE variable: default value: !UNI_DIR_DATA!\log\uvldapsync.log.

This log is available in a read-only mode from the Univiewer Console Administration mode > Groups > LDAP Synchronization.

User Authentication Type

The AUTHENTICATION_MODE variable value can be set via the command:

unisetvar AUTHENTICATION_MODE <value>

• Setting the variable AUTHENTICATION_MODE value to “L” (LDAP Authentication) turns on the LDAP authentication: Users’ password check.
• Setting the variable AUTHENTICATION_MODE value to "S" (LDAP Synchronization) turns on the LDAP synchronization: LDAP groups and users check. The Synchronization mode includes the Authentication mode.
• Setting the variable AUTHENTICATION_MODE value to “I” (Internal) turns off the LDAP authentication or synchronization.

Automatic registration for new Users

Turn on automatic registration of users by settings the AUTO_REGISTRATION variable value to Y:

unisetvar AUTO_REGISTRATION Y

If this variable is set to N (No), a valid LDAP login that is not declared in the UVMS will be refused access.

If this variable is set to Y (Yes), the record of a LDAP login will be automatically created in the UVMS on the first connection attempt granted that the user account and the password are valid in LDAP.

If LDAP is activated in a synchronization mode, the matching group (and the associated roles) will be attributed to it. Else, it will be granted all default roles.

If the advanced architecture is implemented (master UVMS/subordinate UVMS) and if the automatic user registration is activated, a LDAP user that is attempting to connect to a subordinate UVMS for the first time will be refused. It must first connect on the master UVMS. It will be registered by the master UVMS and then distributed to the subordinate UVMS through synchronization. Once the synchronization is received by the subordinate UVMS, the user is able to connect to the subordinate UVMS.

Upgrade Group membership at login

When the LDAP synchronization is activated, it is possible to update the user groups during the user connection. The LDAP_MEMBERSHIP_AT_LOGIN variable value must then be set to Y (Yes)

unisetvar LDAP_MEMBERSHIP_AT_LOGIN Y

In that case, when a user connects to UVMS using the Univiewer Console, its associated groups are checked on LDAP.

If you set this variable to N (No), the group update is only processed during synchronization. If the user groups have been modified between the last synchronization and the user connection, this update will not be taken into account. It is therefore recommended to define this variable to Y (Yes).

LDAP Synchronization Strategy

The user can choose between two types of synchronization if the variable value is set to LDAP_SYNCHRONIZATION_MODE:

unisetvar LDAP_SYNCHRONIZATION_MODE <value>

If the value equals:

• M (Choose groups manually): the groups that need synchronization must be created manually in UVMS as LDAP groups (recommended). In UVC, these groups creation is assisted with a list displaying all groups matching the "groupsSearchBase" filter of the ldap.xml. file
• F (Synchronization using a filter): all groups are automatically retrieved from LDAP using the "groupsSearchBase" filter of the ldap.xml file and created in UVMS. The user does not need to create LDAP groups in UVMS. However, the administrator must manually assign roles.

The ldap.xml is described under "LDAP Configuration File" section.

Retrieving groups only

If LDAP synchronization uses the Filter mode (above), by default users AND groups are retrieved in UVMS. But the user can choose to retrieve only the groups using the LDAP_RETRIEVE_GROUPS_ONLY variable.

unisetvar LDAP_ RETRIEVE_GROUPS_ONLY Y

This setting must be used in conjunction with AUTO_REGISTRATION=Yes and UPDATE_MEMBERSHIP_AT_LOGIN=Yes.

If the variable is set to Y(es) users are not created automatically during synchronization with LDAP. In this case users will be created when they first authenticate to UVMS. The purpose of this option is to save in UVMS only users actually using the product.