External user authentication

If the user authentication method is set to a Windows or LDAP external authority, the authentication settings must be configured in Web System Manager.

To configure the external authority for user authentication, do the following:

  1. In System Configuration, select Global Configuration Settings > Security and Authentication > External Authentication.
  2. Select the external authority or authorities to use. One or more external authorities can be used for user authentication.

  3. Select Windows to validate user accounts against a Windows domain. If using Windows authentication, do the following:
    1. Enable Windows Authentication, and enter the Domain name.
    2. Click +Add, then Apply. Repeat for each Windows domain that should be accepted for authentication.
  4. Select LDAP to validate user accounts against an LDAP server. If using LDAP authentication, do the following:
    1. Select the Synchronize user attributes on login check box to import user attributes from LDAP at the time a user authenticates. This feature imports a user's account details into the Equitrac software when the user logs in at an endpoint. A traditional LDAP import/synchronization using persistent search imports all users initially and then updates account details in Equitrac as changes occur in the LDAP directory (see Configuring LDAP Synchronization). If you do not want to keep a persistent connection open to the directory server, Synchronize user attributes on login imports user account details as needed instead. This on-login synchronization can be configured to import the same user account details as the standard LDAP sync (for example, Primary PIN, department and email address).
    2. In the LDAP Server Configuration section click Add.
    3. Enter the host LDAP Server name. If SSL is used, the name entered must match the name in the certificate imported for SSL, so the fully qualified domain name of the LDAP server may be required. Ensure that the LDAP server's fully qualified domain name is resolvable.
      The maximum length of a host name is 63 bytes per label and 255 bytes for the full FQDN. Microsoft Windows does not permit computer names that exceed 15 characters, and you cannot specify a DNS host name that differs from the NetBIOS host name.
    4. Enter the Port used by the LDAP server.
    5. Select an LDAP lookup Type from the drop-down list. Use AD-style when connecting to a Windows domain controller (Active Directory), and use Simple bind when connecting to a Linux/Unix directory server.

      • First try AD-style, then try simple - If selected, only Direct bind is used as the Authentication method.
      • Try AD-style - If selected, either Direct bind or Lookup then bind can be used as the Authentication method. SSL is not available with the Try AD-style lookup option.
      • Try simple - If selected, either Direct bind or Lookup then bind can be used as the Authentication method.

    6. Select Force SSL to use SSL (Secure Sockets Layer) encryption for the connection to the LDAP server. Without it, a simple bind sends the bind DN and password, including the password the user types at login, to the LDAP server in clear text.
    7. Select Use LDAP version 3 check box to use LDAP 3.
    8. In the Authentication Method section, select either Direct bind or Lookup then bind.

      If Direct bind is selected, do the following:

      • Enter the LDAP DN Prefix (e.g. CN=admin) and DN Suffix (e.g. ,O=equitrac) to be placed, respectively, before and after the supplied user ID for simple authentication against LDAP.
      • Select your User ID modification method. If the user ID has the format of an email address, this setting allows the email domain to be removed.

      If Lookup then bind is selected, do the following:

      • In the Search filter field, enter the import search criteria using standard LDAP filter syntax. For example, the search filter (&(objectClass=person)(uid=%value%)) would search for the person entry AND the specific user ID. Or, the search filter (|(uid=%value%)(mail=%value%)) would authenticate a user by email address. The %value% is replaced with the value entered by the user at login.

      'uid' can be used to connect to a Linux server, whereas 'sAMAccountName' should be used to connect to a Windows domain controller.

      • Select the search Scope from the pull-down menu.

        Base – searches the base entry.

        One level – searches all entries in the first level below the base entry.

        Subtree – searches the base entry and all entries in the tree below the base entry. This is the default setting.

      • In the Base DN field, enter the location within the directory to start the search. For example, if the entire directory is to be searched under an organization of "Equitrac" this would be "O=equitrac". Ensure the BaseDN name does not contain spaces, or the import will fail.
      • In the User ID field for match field, enter the LDAP attribute that is matched against the Equitrac user ID field in CAS (e.g. uid, sAMAccountName, cn).
      • Select the Anonymous login/As service login check box to indicate that the LDAP server supports anonymous login (for the simple LDAP type), or to log in as the user the service is running as (for the AD type).
      • If the Anonymous login/As service login option is not selected, enter the LDAP server Login ID and Login Password.

      For AD, the supplied Login ID is in either NT4 format (domain\user) or UPN format (user@domain). For simple bind, the options are to bind anonymously or with the supplied credentials; in that case the Login ID must be in distinguished name format (e.g. uid=admin,dc=example,dc=com).

      Ensure that Lookup then bind is selected when using the synchronize user attributes feature. Direct bind does not enable this feature.

  5. Click Test to open an LDAP lookup dialog box. Enter an account User name and Password, and then click Lookup. If Persistent Search is enabled, the dialog box shows the LDAP properties for that account.
  6. Click Save to save the settings.
The LDAP lookup must resolve to a unique user identifier: the search filter must match exactly one entry for the supplied user ID.
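The following is an added example, not Equitrac code or the product's own implementation. It models the pieces of the LDAP procedure above in Python (%value% substitution in the search filter, Base/One level/Subtree scope, the lookup-then-bind uniqueness requirement, and direct bind with a DN prefix/suffix and email-domain stripping) over a small constructed in-memory directory rather than a live LDAP server. The directory contents, passwords, and the assumed DN Prefix "uid=" and DN Suffix ",ou=people,o=equitrac" are made up for the example.

```python
"""Added example: lookup-then-bind, direct bind, %value% substitution and search
scope, modelled over a constructed in-memory directory (not a live LDAP server)."""
import hmac
import re

# Constructed sample directory: DN -> attributes. Clear-text passwords are a
# stand-in for the server-side verification a real LDAP bind performs.
DIRECTORY = {
    "o=equitrac": {"objectClass": ["organization"]},
    "ou=people,o=equitrac": {"objectClass": ["organizationalUnit"]},
    "uid=jdoe,ou=people,o=equitrac": {
        "objectClass": ["person"], "uid": ["jdoe"],
        "mail": ["jdoe@example.com"], "userPassword": ["s3cret"]},
    "uid=asmith,ou=people,o=equitrac": {
        "objectClass": ["person"], "uid": ["asmith"],
        "mail": ["asmith@example.com"], "userPassword": ["hunter2"]},
    "ou=contractors,o=equitrac": {"objectClass": ["organizationalUnit"]},
    "uid=jdoe,ou=contractors,o=equitrac": {
        "objectClass": ["person"], "uid": ["jdoe"],
        "mail": ["jdoe@partner.example"], "userPassword": ["0ther"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping so a user-typed ID cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(template, value):
    """Replace %value% with the escaped login value (what the server receives)."""
    return template.replace("%value%", escape_filter_value(value))

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(s, i=0):
    """Tiny parser for (&...), (|...) and (attr=value); returns (node, next_index)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        return (op, children), i + 1
    end = s.index(")", i)               # safe: escaped values never contain ')'
    attr, val = s[i:end].split("=", 1)
    return ("=", attr, val), end + 1

def evaluate(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(evaluate(child, entry) for child in node[1])
    _, attr, val = node
    wanted = unescape_filter_value(val).lower()   # no wildcards: '*' is literal here
    return any(v.lower() == wanted for v in entry.get(attr, []))

def in_scope(dn, base_dn, scope):
    """Base: the base entry only. One: its direct children. Subtree: base and all below."""
    dn_l, base_l = dn.lower(), base_dn.lower()
    if dn_l == base_l:
        return scope in ("base", "subtree")
    if scope == "base" or not dn_l.endswith("," + base_l):
        return False
    relative = dn_l[: -(len(base_l) + 1)]
    return scope == "subtree" or "," not in relative

def search(base_dn, scope, ldap_filter):
    node, _ = parse_filter(ldap_filter)
    return [dn for dn, e in DIRECTORY.items()
            if in_scope(dn, base_dn, scope) and evaluate(node, e)]

def bind(dn, password):
    """Simple-bind stand-in. An empty password is refused: a real server treats a
    DN with no password as an unauthenticated bind and may report success."""
    entry = DIRECTORY.get(dn)
    if entry is None or not password:
        return False
    stored = entry.get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())

def lookup_then_bind(user_id, password, template, base_dn, scope="subtree"):
    """Search (as the service account would), then bind as the single entry found."""
    hits = search(base_dn, scope, build_filter(template, user_id))
    if len(hits) != 1:                  # zero or ambiguous: the lookup must be unique
        return None
    return hits[0] if bind(hits[0], password) else None

def escape_dn_value(value):
    """RFC 4514 escaping for a value inserted into an RDN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def direct_bind(user_id, password, dn_prefix, dn_suffix, strip_email_domain=False):
    """Build prefix + user ID + suffix and bind as that DN; no search involved."""
    if strip_email_domain and "@" in user_id:
        user_id = user_id.split("@", 1)[0]   # the 'User ID modification' option
    dn = dn_prefix + escape_dn_value(user_id) + dn_suffix
    return dn if bind(dn, password) else None
```

Two points the code makes that the steps alone do not: searching from a Base DN that is too high in the tree (here "o=equitrac" with Subtree scope) finds both "jdoe" entries and the login is rejected as ambiguous, which is the practical meaning of the uniqueness requirement; and because the login value is escaped before it replaces %value%, an ID such as "jdoe)(objectClass=*" stays a single literal term instead of changing the filter's structure. The empty-password check in bind is a general LDAP caveat (RFC 4513 unauthenticated bind), not a statement about how the product behaves.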