If the user authentication method is set to a Windows or LDAP external authority, the
authentication settings must be configured in Web System Manager. To configure the external
authority for user authentication, do the following:
- In System Configuration select Global Configuration Settings >
Security and Authentication > External Authentication.
Note: One or more external authorities can be used for user
authentication.
- Select Windows to validate user accounts against a Windows domain. If
using Windows authentication, do the following:
  - Enable Windows Authentication, and enter the Domain name.
  - Click +Add and Apply to add all available Windows domains.
- Select LDAP to validate user accounts against an LDAP
server. If using LDAP authentication, do the following:
  - Select the Synchronize user attributes on login check box to
  enable LDAP synchronization of user attributes on LDAP authentication.
  This feature imports user account details into the
  Equitrac software when the user logs into an endpoint. A traditional
  LDAP import/synchronization using persistent search imports all users
  initially and then updates account details as changes occur in the
  LDAP directory (see Configuring LDAP Synchronization). If you do not want to
  keep a persistent connection open to the LDAP server, the Synchronize
  user attributes on login feature imports user account details as needed.
  This synchronization can be configured to import the same user
  account details as the standard LDAP sync (e.g. Primary PIN, department
  and email address).
  - In the LDAP Server Configuration section click Add.
  - Enter the host LDAP Server name. The fully
  qualified domain name of the LDAP server may be required so that the
  name matches the certificate imported for SSL. Ensure that the LDAP server's fully
  qualified domain name is resolvable.
  The maximum length of the host name and of the fully qualified domain
  name (FQDN) is 63 bytes per label and 255 bytes per FQDN. Microsoft
  Windows does not permit computer names that exceed 15 characters, and
  you cannot specify a DNS host name that differs from the NetBIOS host
  name.
  - Enter the Port used by the LDAP server (by default 389 for LDAP, or
  636 for LDAP over SSL).
  - Select an LDAP lookup Type from the drop-down list. Use AD-style when
  connecting to a Windows domain controller, and use Simple bind when
  connecting to a Linux/Unix server.
    - First try AD-style, then try simple - If selected, only Direct bind is used
    as the Authentication method.
    - Try AD-style - If selected, either Direct bind or Lookup then bind
    can be used as the Authentication method. SSL is not available with
    the Try AD-style lookup option.
    - Try simple - If selected, either Direct bind or Lookup then bind
    can be used as the Authentication method.
  - Select Force SSL to use SSL (Secure Sockets Layer) encryption for the
  connection to the LDAP server.
  - Select the Use LDAP version 3 check box to use LDAP version 3.
  - In the Authentication Method section, select either Direct
  bind or Lookup then bind.
  If Direct bind is selected, do the following:
    - Enter the LDAP DN Prefix (e.g. CN=admin) and DN
    Suffix (e.g. ,O=equitrac) to be placed,
    respectively, before and after the supplied user ID for
    simple authentication against LDAP.
    - Select your User ID modification method. If the user
    ID has the format of an email address, this setting allows
    the email domain to be removed before the DN is built.
  If Lookup then bind is selected, do the following:
    - In the Search filter field, enter the import search
    criteria using standard LDAP filter syntax. For example, the
    search filter (&(objectClass=person)(uid=%value%)) matches
    entries that are persons AND have the specified user ID, while
    the search filter (|(uid=%value%)(mail=%value%)) matches a user
    by either user ID OR email address. The %value% is
    replaced with the value entered by the user at login.
    Note: 'uid' can be used to connect to a Linux server, whereas
    'sAMAccountName' should be used to connect to a Windows
    domain controller.
    - Select the search Scope from the pull-down menu.
      Base – searches the base entry only.
      One level – searches all entries in the first level below the base
      entry (not the base entry itself).
      Subtree – searches the base entry and all entries in the tree below
      the base entry. This is the default setting.
    - In the Base DN field, enter the location within the
    directory to start the search. For example, if the entire
    directory is to be searched under an organization of
    "Equitrac" this would be "O=equitrac". Ensure the Base DN
    does not contain spaces, or the import will fail.
    - In the User ID field for match text field, enter the
    LDAP attribute used to match the Equitrac user ID field in
    CAS (e.g. uid, sAMAccountName, cn).
    - Select the Anonymous login/As service login check box
    to specify that the LDAP server supports anonymous login (for the
    simple LDAP type), or to log in as the user the service is
    running as (for the AD type).
    - If the Anonymous login/As service login option is not
    selected, enter the LDAP server Login ID and Login
    Password.
    Note: For AD, the supplied Login ID would be either in NT4 format
    (domain\user) or UPN format (user@domain). For simple bind, the
    options are to bind anonymously or with the supplied
    credentials; the Login ID has to be in distinguished name format
    (e.g. uid=admin,dc=example,dc=com).
    Note: Ensure that Lookup then bind is selected when using the
    Synchronize user attributes on login feature. Direct bind does not
    support this feature.
  - Click Test to open an LDAP lookup dialog box. Enter an account User
  name and Password, and then click Lookup. If Persistent Search is
  enabled, the dialog box shows the LDAP properties for that account.
  - Click Save to save the settings.
Note: The LDAP lookup must resolve to a unique user identifier.
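The LDAP steps above, as an added example that is not part of the original page or of Equitrac's software: a small Python model of Direct bind and Lookup then bind against a constructed in-memory directory. The DNs, passwords, the `uid=` DN Prefix, the `,ou=people,o=equitrac` DN Suffix and the filter parser are all assumptions made for illustration. The text substituted for %value% is escaped per RFC 4515 before the filter is evaluated; that is the example's own choice, since the page does not describe how the product handles the login value.

```python
"""Added example (not Equitrac's code): models Direct bind and Lookup then bind
against a small constructed directory, so the effect of DN prefix/suffix,
%value% substitution, search scope and the unique-match rule can be seen
without an LDAP server. All DNs, attributes and passwords here are made up."""
import re

# Constructed sample directory: lower-case DN -> attributes (LDAP attributes are multi-valued).
DIRECTORY = {
    "o=equitrac": {"objectClass": ["organization"], "o": ["equitrac"]},
    "ou=people,o=equitrac": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "uid=jsmith,ou=people,o=equitrac": {"objectClass": ["person"], "uid": ["jsmith"],
                                        "mail": ["jsmith@example.com"], "userPassword": ["s3cret"]},
    # jdoe deliberately shares jsmith's mail address to show a non-unique lookup.
    "uid=jdoe,ou=people,o=equitrac": {"objectClass": ["person"], "uid": ["jdoe"],
                                      "mail": ["jsmith@example.com"], "userPassword": ["hunter2"]},
}

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and password in entry.get("userPassword", [])

def direct_bind_dn(user_id, dn_prefix="uid=", dn_suffix=",ou=people,o=equitrac",
                   strip_email_domain=False):
    """Direct bind: DN Prefix + user ID + DN Suffix, optionally dropping the email
    domain first (the User ID modification method). Prefix/suffix are assumed values."""
    if strip_email_domain:
        user_id = user_id.split("@", 1)[0]
    return f"{dn_prefix}{user_id}{dn_suffix}"

def escape_filter_value(value):
    """RFC 4515 escaping for the text substituted for %value%, so a login such
    as '*' or 'a)(uid=*' cannot change the structure of the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the subset of RFC 4515 used on this page: (&...), (|...), (!...)
    and exact-match (attr=value). Returns a nested tuple tree."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if text[i + 1] in "&|!":
            op, i, kids = text[i + 1], i + 2, []
            while text[i] != ")":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1
        j = text.index(")", i)
        attr, _, val = text[i + 1:j].partition("=")
        return ("=", attr, _unescape(val)), j + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive exact match)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    vals = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    return any(v.lower() == val.lower() for v in vals)

def in_scope(dn, base_dn, scope):
    """base: the base entry only; one: its direct children only; subtree: base and all below."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if scope == "base":
        return dn == base_dn
    if dn == base_dn or not dn.endswith("," + base_dn):
        return scope == "subtree" and dn == base_dn
    return scope == "subtree" or "," not in dn[:-len(base_dn) - 1]

def search(login, search_filter, base_dn, scope="subtree"):
    """Substitute the escaped login for %value%, then return matching DNs within scope."""
    node = parse_filter(search_filter.replace("%value%", escape_filter_value(login)))
    return [dn for dn, e in DIRECTORY.items() if in_scope(dn, base_dn, scope) and matches(node, e)]

def lookup_then_bind(login, password, search_filter, base_dn, scope="subtree"):
    """Lookup then bind: the search must resolve to exactly one user (the page's
    uniqueness rule), then bind as that DN. Returns the DN, or None on a wrong password."""
    hits = search(login, search_filter, base_dn, scope)
    if len(hits) != 1:
        raise ValueError(f"lookup must resolve to a unique user, got {len(hits)} matches")
    return hits[0] if bind(hits[0], password) else None

if __name__ == "__main__":
    print(direct_bind_dn("jsmith@example.com", strip_email_domain=True))
    print(lookup_then_bind("jsmith", "s3cret", "(&(objectClass=person)(uid=%value%))", "o=equitrac"))
    for login in ("jsmith@example.com", "*"):  # shared mail value, then a wildcard login attempt
        try:
            lookup_then_bind(login, "s3cret", "(|(uid=%value%)(mail=%value%))", "o=equitrac")
        except ValueError as err:
            print(f"{login!r} rejected: {err}")
```

Running it prints the bind DN built from jsmith@example.com with the email domain stripped, the DN found for jsmith by Lookup then bind, and two rejections: the email filter matches both constructed entries that share a mail value, so the lookup is not unique, and a login of `*` is escaped to `\2a` and matches nothing. Changing the scope to "one" with a Base DN of "o=equitrac" finds no users at all, because the person entries sit one level further down; that is the kind of mismatch the Test button's lookup is there to catch.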