LDAP Connection Setup

AE provides a clientEnvironnement indépendant pour la création et l'exécution d'objets dans un système AE. Le nom d'un client est un nombre de quatre chiffres à saisir lors de la connexion d'un utilisateur au système AE. Les utilisateurs et leurs droits y sont aussi définis.Egalement un type d'objet distinct dans l'Automation Engine. which authenticates login data using LDAP via the Microsoft Active DirectoryActive Directory (AD) est à la fois le service de répertoire Microsoft'+char(39)+'s et un terme générique pour les services d'identification des réseaux Windows. or, as of version 11, also on Oracle Directory ServerOracle Directory Server (ODS ; auparavant SUN Directory Server) est le service de répertoire Oracle pour les environnements hétérogènes.. The client is part of the Automation EngineCe composant commande un système Automation Engine. Il se compose de plusieurs processus serveur.. When logging on, users are not authenticated in the Automation Engine but rather in Active Directory if the LDAP connection is activated in the User object.

The LDAP connection supports the Microsoft Active Directory and, as of version 11, the Oracle Directory Server.

As of version 11, you may synchronize LDAP data via SSL.

By default, the LDAP connection is not active.

An LDAP login via the AE is only possible if the password includes characters of the code table you use in your respective database.

A global setting activates the LDAP connection for an AE system. Whether a user is checked when logging on either locally in the AE system or via the Active Directory or Oracle Directory Server, depends on the settings made in the particular User object. Thus, AE distinguishes local and LDAP users.

Below you find the installation and configurationUn ensemble de composants qui constituent un système. Ceci comprend des informations relatives à la manière dont les composants sont connectés, ainsi que les paramètres appliqués., differentiated by general setup and installation steps required either for Active Directory or Oracle Directory Server respectively.

General

To Import and Install SSL Certificates

In order to be able to use an Active Directory or Oracle Directory Server with LDAP over SSL, you will have to be able to use a JWP (Java based Work Process). Details on the installation and import of the necessary certificates you find in the JWP Installation section.

1. Import the certificates as described in the JWP Installation (JWP Installation) section.

2. Create an LDAP Connection Variable with the following settings:
   
   VERSION = 2
   TLS = Y
   USE_DISTINGUISHED_NAME = Y
   SERVER = <hostname>:<sslport>
   
   

   The default port for SSL is 636.

3. Open the User object, set the distinguished name for the user and activate the LDAP connection checkbox.

To Activate the LDAP Connection for your AE system

• Open the variable UC_SYSTEM_SETTINGS and enter the value "Y" in the key "LDAP". This global setting can be used to switch the LDAP connection on and off from one central point.

To Synchronize LDAP with Technical User Credentials

As of version 11 it is possible to have an additional LDAP technical user, who can perform an LDAP synchronization in case the current user has not the permissions to do so.

Automic recommends this method over the individual User objects solution, since in the latter case a user does not have the necessary credentials and therefore would be forced to log off the system and log in again to enable the data synchronization.
Log in and log off will not be required if the technical user credentials solution is used.

Create a technical user by creating and using a LoginDonnées de connexion pour les systèmes cible. Egalement un type d'objet distinct dans l'Automation Engine. object.
Follow these steps:

• Create a Login object with specific credentials as technical user credentials.
• Register this Login object in the already existing UC_LDAP_Domain variable (s.a.) using the key UC_LDAP_EXAMPLE - LDAP Connection Variable.

This Login object's credentials will be used instead of the current user's credentials for synchronizing the LDAP information.

If the key SYNC_LOGIN is not specified in the variable or the Login object does not exist, the credentials of the current user apply.

Procedure Active Directory

To Specify the Connection Data

1. Log on to system client 0000.
2. Switch to the DIV_VARIABLES folder and duplicate the UC_LDAP_EXAMPLE variable.
3. Name the copy "UC_LDAP_Domain". If the domain name is "SMITH", the variable would be called "UC_LDAP_SMITH".
4. Open the variable and enter your connection data.
5. Store and close the variable.

To Set up the LDAP Connection in User objects

1. The User object must have the same name as the user in the Active Directory, in case the distinguished name (DN) is not used. The name is composed of the user name and the domain. For example, Mr. Smith uses the domain "AE". He requires the User object "SMITH/AE". Create a new User object for yourself or rename your existing one.
2. Open the User object and switch to the User page.
3. Activate the checkbox "LDAP connection". The input fields "First name", "Last name" and "Email1" are locked, as their contents should be filled by the LDAP data in the Active Directory or on the Oracle Directory Server. The locked fields are filled with data from the respective server, when the synchronization is started.
4. You can test this using the button Synchronize data with LDAP now, but the synchronization process only works if the operating user has already been synchronized via the LDAP connection. This requires closing the UserInterface and logging on again.
   
    Information stored in the User object is only updated while logging on or when using the button "Synchronize data with LDAP now". There is no automatic synchronization.
   
   Logging off and in again to synchronize data is not required, if the technical user credentials solution in the special Login object (register via SYNC_LOGIN in UC_LDAP_Domain variable) is used, as described above in the "General" section.
   
   The person who synchronizes the data of a User object with LDAP would also have to be an LDAP user, if the Login object solution and technical user described above is not used.
   
   The Active Directory does not use the second e-mail address. It can be used if required.
5. Store and close the User object.
6. Repeat all steps for additional users.

Procedure Oracle Directory Server

To Specify the Connection Data

1. Log on to system client 0000.
2. Switch to the folder "DIV_VARIABLES" and duplicate the variable UC_LDAP_EXAMPLE.
3. User object names are composed of name and department. The copy of the variable can be renamed to "UC_LDAP_department". An extra variable is required for each department. Using this method requires the domain to be specified in the key DOMAIN_ALIAS.
4. Open the variable and enter your connection data.
5. Store and close the variable.

To Set up the LDAP connection in User objects

1. The User object must have the same name as the user's distinguished name.  Create a new User object for yourself or rename your existing one.
   The synchronization of data only works, if the "uid" and the User object's name are identical. Example: uid=nga, ou=people, dc=example,dc=com. Thus the User object would have to be named NGA/DEPARTMENT
2. Open the User object and switch to the User page.
3. Activate the checkbox "LDAP connection". The input fields "First name", "Last name", "Email1" and "Email2" are locked, as their contents should be filled by the LDAP data in the respective server directory. The locked fields are filled with data from the Oracle Directory Server, when the synchronization is started.
4. You can test this using the button Synchronize data with LDAP now, but the synchronization process only works, if the operating user has already been synchronized via the LDAP connection. This requires closing the UserInterface and logging on again.
   
    Information stored in the User object is only updated while logging on or when using the button "Synchronize data with LDAP now". There is no automatic synchronization.
   
   Logging off and in again to synchronize data is not required, if the technical user credentials solution in the special Login object (register via SYNC_LOGIN in UC_LDAP_Domain variable) is used, as described above in the "General" section.
   
   The person who synchronizes the data of a User object with LDAP would also have to be an LDAP user, if the Login object solution and technical user described above are not used.
5. Store and close the User object.
6. Repeat all steps for additional users.

Comments

The System Overview shows whether or not the LDAP connection is active for each user. You can activate or deactivate it for individual users via the corresponding context menu command.

The "LDAP connection" checkbox is automatically deactivated if User objects are exported, transported or duplicated.

External password checks made via the AE Program Exit are called prior to the LDAP connection.

User data is stored in the object during the synchronization process with the LDAP server directory.

See also:

User
UC_LDAP_EXAMPLE