User Interface: LDAP Authentication
The following are the options for an LDAP authentication configuration.
Note: If you are configuring a multi-site deployment of Loftware Enterprise SP (a configuration of a Loftware environment that includes Loftware instances located at different sites within the same WAN; in a multi-site deployment, each Loftware instance acts as either a headquarters or a facility), you must sign in to each facility site to configure LDAP or Azure authentication. LDAP or Azure authentication information is not synced from headquarters to facilities.
Tip: By default, LDAP communication between a client application and a server application is not encrypted. However, you can secure LDAP communication by using LDAP over SSL (LDAPS). To use LDAPS with Loftware Enterprise SP, obtain a copy of your SSL certificate from your LDAP server and import the certificate into the Java certificate keystore on the Loftware Application Server. The certificate must be configured for your environment; LDAPS does not function with the Loftware Enterprise SP self-signed certificate. To locate the Java certificate keystore, open the server.xml file in <LOFTWARE_HOME>/product/conf and find the "keystoreFile" keyword. The Java keytool utility is used to add the certificate to this file. For more information, see Importing the LDAP Server's Certificate. StartTLS and Simple Authentication and Security Layer (SASL) are not supported.
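The steps in the tip above (locate the keystoreFile keyword in server.xml, obtain the LDAP server's certificate, import it with keytool) as an added, runnable example. This is not Loftware's own tooling: the server.xml fragment is constructed for the example, and it assumes the keystoreFile attribute sits on a Tomcat Connector and that a relative path is resolved against <LOFTWARE_HOME>/product. It prints the certificate's SHA-256 fingerprint so it can be compared with the value the LDAP administrator reports before the certificate is trusted.

```python
"""Added example, not Loftware tooling: find the keystore named by the
keystoreFile keyword in server.xml, fetch the LDAPS listener's certificate,
show its fingerprint, and build the keytool import command."""
import hashlib
import os
import ssl
import subprocess
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of <LOFTWARE_HOME>/product/conf/server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/loftware.jks" keystoreType="JKS"/>
  </Service>
</Server>
"""


def keystore_file_from_server_xml(xml_text):
    """Return the value of the first keystoreFile attribute in server.xml."""
    for elem in ET.fromstring(xml_text).iter():
        if "keystoreFile" in elem.attrib:
            return elem.attrib["keystoreFile"]
    raise ValueError('no "keystoreFile" keyword found in server.xml')


def resolve_keystore_path(keystore_file, catalina_base):
    """Tomcat resolves a relative keystoreFile against catalina.base, which
    this example assumes is <LOFTWARE_HOME>/product."""
    if os.path.isabs(keystore_file):
        return keystore_file
    return os.path.normpath(os.path.join(catalina_base, keystore_file))


def fetch_ldaps_certificate(host, port=636):
    """Download the leaf certificate the LDAPS listener presents, as PEM.
    Needs network access, so it is only called from main()."""
    return ssl.get_server_certificate((host, port))


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 fingerprint of the certificate's DER bytes."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def keytool_import_argv(keystore, cert_file, alias):
    """Argument vector for the Java keytool import. keytool prompts for the
    keystore password and asks for confirmation before trusting the cert."""
    return ["keytool", "-importcert", "-trustcacerts", "-alias", alias,
            "-file", cert_file, "-keystore", keystore]


def main(argv):
    if len(argv) != 3:
        print("usage: import_ldaps_cert.py <LOFTWARE_HOME> <ldap-host[:port]>")
        return 2
    loftware_home, target = argv[1], argv[2]
    host, _, port = target.partition(":")
    server_xml = os.path.join(loftware_home, "product", "conf", "server.xml")
    with open(server_xml, encoding="utf-8") as fh:
        keystore = resolve_keystore_path(keystore_file_from_server_xml(fh.read()),
                                         os.path.join(loftware_home, "product"))
    pem = fetch_ldaps_certificate(host, int(port or 636))
    cert_file = "%s-ldaps.pem" % host
    with open(cert_file, "w", encoding="utf-8") as fh:
        fh.write(pem)
    print("keystore:   ", keystore)
    print("fingerprint:", sha256_fingerprint(pem))   # verify out of band first
    return subprocess.call(keytool_import_argv(keystore, cert_file, "ldap-" + host))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python import_ldaps_cert.py /opt/loftware corpldap.example.com:636` (paths and host are placeholders). Because the script fetches the certificate over the network, the fingerprint it prints is only as trustworthy as that connection; confirm it against the value your LDAP administrator provides before answering keytool's trust prompt.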
LDAP Authentication
Option | Description | Notes |
---|---|---|
Domain Name | A unique name for the LDAP server configuration that identifies the domain represented. | Required. This value is not required to be a real domain. |
Provider URL | The LDAP URL used by Loftware Enterprise SP when establishing a connection to the LDAP server to authenticate. | Required. Either LDAP or LDAP over SSL (LDAPS) may be used. The URL can include lowercase alphanumeric characters only. Note: If including a base distinguished name (DN Example, LDAP over SSL (LDAPS): the format is `ldaps://host:port/base_dn` and the default port is 636, for example `ldaps://corpldap.example.com:636/dc=company,dc=com`. Example, LDAP: the format is `ldap://host:port/base_dn` and the default port is 389, for example `ldap://corpldap.example.com:389/dc=company,dc=com`. |
Synchronize | Turn synchronization on or off. | For more information, see Select Objects to Sync. |
Admin DN | The fully qualified distinguished name of an administrator account with the authority to search for a user distinguished name. | May be required depending on your configuration. Consult your LDAP system administrator. Example: `cn=directory manager,dc=example,dc=com` |
Admin Password | The password associated with the account provided in the Admin DN field. | May be required depending on your configuration. Consult your LDAP system administrator. Example: userPassword |
Authentication Type | The approach used when authenticating with an LDAP server. | You must select one of the following values: Search and Bind, Search and Compare, Bind Only, Compare Only. |
Search Base | The portion of the LDAP hierarchy to be searched. | Used if the Authentication Type is Search and Bind or Search and Compare. Note: You can specify a Search Base, a base DN that is part of the Provider URL, or both. If both, the base DN is appended to the Search Base when the Search Base is evaluated. Example: `ou=shipping,ou=users` |
Search Filter | An LDAP filter string used in conjunction with the Search Base to search for the user distinguished name before authentication is attempted. | Required if the Authentication Type is Search and Bind or Search and Compare. The following placeholders can be incorporated; each corresponds to a field on the User Info tab for a user as shown in Access Control: {0} user name, {1} first name, {2} last name, {3} domain, {4} email address. Important! The search filter must be configured to return only one user DN. If the search returns multiple users, authentication fails. Example, OpenLDAP (specified user name): `(uid={0})`. Example, Active Directory (specified user name): `(sAMAccountName={0})`. Example, name (first name and last name of the user as specified in Loftware Enterprise SP): `(cn={1} {2})`. Example, email address (as specified in Loftware Enterprise SP): `userPrincipalName={4}`. Example, user name and domain (as specified for the user in Loftware Enterprise SP): `(userPrincipalName={0}@{3})`. |
Password Attribute | The name of the attribute in the user object in the LDAP server that contains the user password. The password must be SHA encrypted. | Used if the Authentication Type is Search and Compare or Compare Only. Example: userPassword |
User DN Patterns | User distinguished name patterns to be used. By Authentication Type: Search and Bind, used but not required; Search and Compare, used but not required; Bind Only, required; Compare Only, required. | Required if the Authentication Type is Bind Only or Compare Only. If you enter multiple patterns, they are searched in the order that they appear in this field. Editing a User DN Pattern moves it to the end of the list. Note: If a base DN is specified in the Provider URL, it is appended to each User DN Pattern when the pattern is evaluated. Example: `uid={0},ou=users`, where {0} is a placeholder for the specified user name. |
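The rules in the table above (the {0}-{4} placeholders, the base DN from the Provider URL being appended to the Search Base and to each User DN Pattern, and the requirement that the Search Filter return exactly one user DN) as an added, runnable example. It is not Loftware documentation or product code: the directory entries are constructed, the filter evaluator is a small stand-in for a real LDAP server, and the RFC 4515 escaping of substituted values is the behaviour any safe substitution needs, not a statement about how the product does it.

```python
"""Added example, not Loftware code: how Search Filter placeholders, the
Provider URL base DN, the Search Base and User DN Patterns combine, run
against a constructed in-memory directory instead of an LDAP server."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample directory: DN -> attributes (attribute names lowercased).
DIRECTORY = {
    "uid=msmith,ou=shipping,ou=users,dc=company,dc=com": {
        "uid": "msmith", "givenname": "Mary", "sn": "Smith",
        "cn": "Mary Smith", "userprincipalname": "msmith@example.com"},
    "uid=jdoe,ou=shipping,ou=users,dc=company,dc=com": {
        "uid": "jdoe", "givenname": "John", "sn": "Doe",
        "cn": "John Doe", "userprincipalname": "jdoe@example.com"},
    # A second msmith outside the shipping OU: a too-broad Search Base finds both.
    "uid=msmith,ou=contractors,dc=company,dc=com": {
        "uid": "msmith", "cn": "Mike Smith",
        "userprincipalname": "msmith@contractors.example.com"},
}


def escape_filter_value(value):
    """RFC 4515: backslash, '*', '(', ')' and NUL in substituted values become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template, user):
    """{0} user name, {1} first name, {2} last name, {3} domain, {4} email."""
    values = (user["username"], user["first_name"], user["last_name"],
              user["domain"], user["email"])
    for i, v in enumerate(values):  # explicit replace, so stray braces stay literal
        template = template.replace("{%d}" % i, escape_filter_value(v))
    return template


def base_dn_from_provider_url(url):
    """ldap(s)://host:port/base_dn -> base_dn ('' when the URL carries none)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("Provider URL must start with ldap:// or ldaps://")
    return unquote(parts.path.lstrip("/"))


def join_dn(*parts):
    return ",".join(p for p in parts if p)


def effective_search_base(search_base, provider_url):
    """The Provider URL base DN is appended to the Search Base when evaluated."""
    return join_dn(search_base, base_dn_from_provider_url(provider_url))


def effective_user_dn(pattern, username, provider_url):
    """Bind Only / Compare Only: {0} is the user name; the base DN is appended."""
    return join_dn(pattern.replace("{0}", username), base_dn_from_provider_url(provider_url))


def _parse(filt, pos):
    """Parse a filter supporting (attr=value) with '*' wildcards plus & and |."""
    if filt[pos] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (pos, filt))
    pos += 1
    if filt[pos] in "&|":
        op, pos, children = filt[pos], pos + 1, []
        while filt[pos] == "(":
            child, pos = _parse(filt, pos)
            children.append(child)
        return (op, children), pos + 1  # skip the closing ')'
    end = filt.index(")", pos)
    attr, _, value = filt[pos:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def _matches(node, attrs):
    if node[0] != "=":
        op, children = node
        return (all if op == "&" else any)(_matches(c, attrs) for c in children)
    _, attr, raw = node
    # An unescaped '*' is a wildcard; an escaped \2a is a literal asterisk.
    pattern = ".*".join(re.escape(unescape_filter_value(p)) for p in raw.split("*"))
    return re.fullmatch(pattern, attrs.get(attr, ""), re.IGNORECASE) is not None


def resolve_user_dn(directory, search_base, filt):
    """Search and Bind / Search and Compare step: the filter must yield one DN."""
    tree, _ = _parse(filt, 0)
    hits = [dn for dn, attrs in directory.items()
            if dn.lower().endswith("," + search_base.lower()) and _matches(tree, attrs)]
    if len(hits) != 1:
        raise LookupError("filter %r under %r matched %d users; authentication fails"
                          % (filt, search_base, len(hits)))
    return hits[0]
```

With the Provider URL `ldaps://corpldap.example.com:636/dc=company,dc=com` and Search Base `ou=shipping,ou=users`, `(uid={0})` for msmith resolves to one DN; with an empty Search Base the same filter matches both msmith entries and `resolve_user_dn` raises, which is the "multiple users" failure the table warns about. Escaping also turns a user name of `*` into `\2a`, so it matches nothing rather than every entry.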
Auto Provisioning
Option | Description | Notes |
---|---|---|
Enable Auto Provisioning | | When enabled, validation of auto-provisioning fields is required to save any LDAP data. |
LDAP Vendor Configuration
Option | Description | Notes |
---|---|---|
LDAP Vendor | Select Active Directory, ApacheDS, OpenLDAP, or Other Vendor. When selected, the fields are pre-filled with the default settings for the selected LDAP vendor. | Attributes that define settings related to users and groups vary by LDAP vendor. The LDAP Vendor option makes it easier to configure auto-provisioning because the default settings are auto-filled, but you must modify the settings to match your LDAP configuration. |
Username Attribute | The correct attribute for the username in your LDAP server. | Required. |
DN Attribute | The correct attribute for the distinguished name (DN) in your LDAP server. | Required. |
UUID Attribute | The correct attribute for the UUID in your LDAP server. | Required. |
UUID Binary? | Whether the UUID attribute in your LDAP server stores UUIDs as a string or as a binary value. | By default, Loftware Enterprise SP expects the UUID to be a string. Select this check box if your LDAP setup stores UUIDs as a binary value. |
Group Object Type | The object class used for groups in your LDAP implementation. | Required. |
Member Attribute | The attribute used to indicate group membership. | Required. Example: In Active Directory, group membership is indicated in the user object. The user's memberOf property contains the groups that the user is a member of. In this case, the memberAttribute would be memberOf. In OpenLDAP, group membership is indicated in the group object. The group's member property contains the users that are members of that group. In this case, the memberAttribute would be member. |
User Provisioning
Option | Description | Notes |
---|---|---|
User Search Base | Where in the LDAP hierarchy to start the search for a matching LDAP user. | Required. |
User Search Filter | Which user in LDAP to use to create a new Loftware Enterprise SP user. When an LDAP user signs in to Loftware Enterprise SP, they sign in with a username formatted as username@domainName. The username and the domain name values are used to search for a matching user in LDAP. Example: If the username used to sign in is msmith@example.com, the search filter may search for matches on just the username or on a combination of the username and domainName. | Required. The following placeholders can be used: !USERNAME! and !DOMAIN!. Active Directory examples: `(sAMAccountName=!USERNAME!)`, `(userPrincipalName=!USERNAME!@!DOMAIN!)`, `(email=!USERNAME!@!DOMAIN!)` |
Create User Folder | The Loftware Enterprise SP folder where auto-provisioned users will be created. This folder must already exist in Loftware Enterprise SP and should not be the root folder. | Required. Auto-provisioned users do not have to remain in this folder after they are created. Example: /Loftware/LDAP Users |
First Name Attribute | The LDAP user property that should be used to populate the auto-provisioned Loftware Enterprise SP user's first name field. If no value is entered, all auto-provisioned users will be missing a value for first name. | Active Directory example: givenName |
Last Name Attribute | The LDAP user property that should be used to populate the auto-provisioned Loftware Enterprise SP user's last name field. If no value is entered, all auto-provisioned users in Loftware Enterprise SP will be missing a value for last name. | Active Directory example: sn |
Email Attribute | The LDAP user property that should be used to populate the auto-provisioned Loftware Enterprise SP user's email field. If no value is entered, all auto-provisioned users in Loftware Enterprise SP will be missing a value for email address. | |
Description Attribute | The LDAP user property that should be used to populate the auto-provisioned Loftware Enterprise SP user's description field. If no value is entered, all auto-provisioned users in Loftware Enterprise SP will be missing a value for description. | |
Group Membership Provisioning
Option | Description | Notes |
---|---|---|
Group Membership Search Base | Specify where in your LDAP hierarchy the search for user group memberships should begin. | Required. |
Group Membership Search Filter | Specify the search filter for groups. | Required. OpenLDAP example: `(&(memberUid=!USERNAME!) (objectClass=posixGroup))` |
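An added, runnable example tying together three of the auto-provisioning settings above: splitting the username@domainName sign-in name into the !USERNAME! and !DOMAIN! placeholders of the User Search Filter and Group Membership Search Filter, and reading group membership in the two directions the Member Attribute row describes (memberOf on the user object for Active Directory, member or memberUid on the group object for OpenLDAP). This is not Loftware code: both directories are constructed, and the `stored_on` parameter is an assumption standing in for whatever the product derives from the LDAP Vendor setting.

```python
"""Added example, not Loftware code: !USERNAME!/!DOMAIN! expansion and
group-membership lookup in both directions, over constructed directories."""

# Constructed Active Directory style entries: membership lives on the user.
AD_DIRECTORY = {
    "CN=Mary Smith,OU=Users,DC=company,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "msmith",
        "userPrincipalName": "msmith@example.com",
        "memberOf": ["CN=Shipping,OU=Groups,DC=company,DC=com",
                     "CN=Retired,OU=Groups,DC=company,DC=com"]},  # Retired no longer exists
    "CN=Shipping,OU=Groups,DC=company,DC=com": {"objectClass": ["group"]},
}

# Constructed OpenLDAP style entries: membership lives on the group.
OPENLDAP_DIRECTORY = {
    "uid=msmith,ou=users,dc=company,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": "msmith"},
    "cn=shipping,ou=groups,dc=company,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["msmith", "jdoe"]},
    "cn=printers,ou=groups,dc=company,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["jdoe"]},
    "cn=shipping-staff,ou=lists,dc=company,dc=com": {  # a groupOfNames, not a posixGroup
        "objectClass": ["groupOfNames"],
        "member": ["uid=msmith,ou=users,dc=company,dc=com"]},
}


def split_sign_in_name(sign_in_name):
    """username@domainName -> (username, domainName)."""
    username, at, domain = sign_in_name.rpartition("@")
    if not at or not username or not domain:
        raise ValueError("sign-in name must be of the form username@domainName")
    return username, domain


def _escape(value):
    """RFC 4515 escaping of values placed in a filter (assumed behaviour)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand_provisioning_filter(template, sign_in_name):
    """Fill !USERNAME! and !DOMAIN! from the sign-in name."""
    username, domain = split_sign_in_name(sign_in_name)
    return (template.replace("!USERNAME!", _escape(username))
                    .replace("!DOMAIN!", _escape(domain)))


def _attr(entry, name):
    """Case-insensitive attribute lookup that always returns a list."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value if isinstance(value, list) else [value]
    return []


def groups_for_user(directory, user_dn, username, group_object_type,
                    member_attribute, stored_on, search_base=""):
    """Return the DNs of groups the user belongs to.

    stored_on='user'  -> read member_attribute from the user entry (memberOf).
    stored_on='group' -> scan entries of group_object_type under search_base
                         whose member_attribute names the user.
    """
    def is_group(dn, entry):
        classes = [c.lower() for c in _attr(entry, "objectClass")]
        return group_object_type.lower() in classes and dn.lower().endswith(search_base.lower())

    if stored_on == "user":
        # Keep only references that resolve to an existing group entry.
        return [dn for dn in _attr(directory[user_dn], member_attribute)
                if dn in directory and is_group(dn, directory[dn])]
    if stored_on != "group":
        raise ValueError("stored_on must be 'user' or 'group'")
    # memberUid holds the user name; member and uniqueMember hold the full DN.
    needle = username if member_attribute.lower() == "memberuid" else user_dn
    return [dn for dn, entry in directory.items()
            if is_group(dn, entry)
            and needle.lower() in (v.lower() for v in _attr(entry, member_attribute))]
```

Note that the group lookup is restricted to entries of the configured Group Object Type: in the OpenLDAP sample the groupOfNames entry under ou=lists is ignored when the object type is posixGroup, and in the Active Directory sample a memberOf value pointing at a deleted group is dropped rather than provisioned.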