Activating and configuring LDAP authentication

The interface information for the LDAP authentication is included in the Infor BI Repository Administration. However, the LDAP authentication is registered by default only if it was selected when the database was created.

To activate and configure LDAP authentication:

  1. To register the authentication system, right-click the User Management node in the tree and select the Authentication Systems command. The Authentication Systems dialog opens.
  2. Click Register. The Register Authentication System dialog opens.
  3. Select the LDAP check box.
  4. Click OK. This activates all versions of the DLL files for the LDAP authentication. The LDAP authentication system is now shown in the Authentication Systems dialog.
  5. To configure the LDAP authentication provider settings, select the LDAP authentication system in the Authentication Systems dialog and click Properties. The LDAP Authentication System Properties dialog opens.
  6. To enable the connection to the LDAP server, specify this information on the General tab:
    LDAP server name
    Specify the unique server name or the IP address of the server where the LDAP directory is located, for example, myldapserver.
    LDAP port number
    Specify the port number of the LDAP server.
    Unique name of the root directory
    Specify the unique name of the root directory, for example, dc=mysubdomain,dc=mydomain.
  7. To identify the users in the LDAP directory, specify this information on the User tab:
    Filter to get LDAP users
    Specify the information by which users are distinguished from other objects in the LDAP directory, for example, (&(objectcategory=person)(objectclass=user)).
    Membership from Groups
    To activate the membership from groups, select this check box.
    Attribute type of the group membership
    Specify the name of the attribute type in which the group membership of users is stored, for example, memberof.
    Attribute type of the user name
    Specify the name of the attribute type in which the user name is stored, for example, samaccountname.
    Attribute type of the unique user ID
    Specify the name of the attribute type in which the unique ID of users is stored, for example, objectsid.
    Attribute type of the user description
    Specify the name of the attribute type in which the description of users is stored, for example, description.
  8. To identify the groups in the LDAP directory, specify this information on the Group tab:
    Filter to get LDAP groups
    Specify the information by which groups are distinguished from other objects in the LDAP directory, for example, objectclass=group.
    Attribute type of the user membership
    Specify the name of the attribute type in which the users that belong to a group are stored, for example, member.
    Attribute type of the group name
    Specify the name of the attribute type in which group names are stored, for example, samaccountname.
    Attribute type of the unique group ID
    Specify the name of the attribute type in which the unique ID of groups is stored, for example, objectsid.
    Attribute type of the group description
    Specify the name of the attribute type in which the description of groups is stored, for example, description.
  9. Specify the authentication methods that are used to access the LDAP authentication system on the Authentication System tab:
    Basic authentication (simple bind)
    Select this check box to use Basic authentication (simple bind) in the LDAP authentication provider.
    Secure
    Requests secure authentication. When this check box is selected, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread. This is either the security context of the user account under which the application is running or that of the client user account that the calling thread is impersonating.

    • Sealing: Encrypts data using Kerberos.
    • Signing: Verifies data integrity to ensure that the data received is the same as the data sent.
    Anonymous
    No authentication is performed.
    Use SSL
    Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit.
    Fast bind
    Specifies that ADSI will not attempt to query the Active Directory Domain Services objectClass property. Therefore, only the base interfaces that are supported by all ADSI objects will be exposed. Other interfaces that the object supports will not be available. A user can use this option to boost the performance of a series of object manipulations that involve only methods of the base interfaces. However, ADSI does not verify whether any of the requested objects actually exist on the server.
    Server bind
    If your ADsPath includes a server name, select this check box when using the LDAP provider. Do not select this check box for paths that include a domain name or for serverless paths. Specifying a server name without also selecting this check box results in unnecessary network traffic.
    Delegation
    Enables Active Directory Services Interface (ADSI) to delegate the user's security context. This is required for moving objects across domains.
    Read-only server
    For a WinNT provider, ADSI tries to connect to a domain controller. For Active Directory Domain Services, a selected check box indicates that a writable server is not required for a serverless binding.
  10. On the Administration tab, specify the name and password of the administrator to log on to the LDAP server.
  11. On the Paging tab, specify the parameters for paging the user and group account data that is accessed:
    Enable paging to display results
    Select this check box to activate paging of the user and group account data.
    Page size
    Specify the page size for the paging.
    Page limit
    Specify the page limit of the paging.
  12. Select the check box Show users of registered groups to display the LDAP users who are registered by their group membership in the User Management of the repository database.
  13. To check the configured LDAP authentication, click Test. The specified user name and password are checked to determine whether these are valid credentials. The user name and password in the LDAP Authentication System Properties must be specified when you perform the test. Otherwise an error message is displayed.
  14. To save the LDAP Authentication System Properties, click OK.

    When you have activated and configured the LDAP authentication system, you may add users and groups in the User Management.

    See Registering users and groups.
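Added here as an illustration, not part of the Infor documentation: a small Python model of the settings from steps 6 to 9 that builds the effective user lookup filter with the login name escaped per RFC 4515 and flags the Authentication System tab combinations a reviewer would question. The filter and attribute examples are the page's own; the port value and the assumption that Use SSL or Secure protects the simple bind on the wire are mine.

```python
from dataclasses import dataclass

# RFC 4515 escaping for a value substituted into a search filter, so that a login
# name containing '*', '(', ')' or '\' cannot change the filter's logic.
def escape_filter_value(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

# A filter is usable only if its parentheses balance; a bare "attribute=value"
# (as in the page's group filter example) is wrapped in parentheses.
def normalize_filter(flt: str) -> str:
    flt = flt.strip()
    depth = 0
    for c in flt:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            raise ValueError("unbalanced filter: %s" % flt)
    if depth != 0:
        raise ValueError("unbalanced filter: %s" % flt)
    return flt if flt.startswith("(") else "(%s)" % flt

@dataclass
class LdapAuthSettings:  # mirrors the dialog fields; defaults are the page's examples
    server: str = "myldapserver"
    port: int = 389  # constructed default; the page gives no port number
    root_dn: str = "dc=mysubdomain,dc=mydomain"
    user_filter: str = "(&(objectcategory=person)(objectclass=user))"
    group_filter: str = "objectclass=group"
    user_name_attr: str = "samaccountname"
    simple_bind: bool = True  # "Basic authentication (simple bind)"
    anonymous: bool = False   # "Anonymous"
    use_ssl: bool = False     # "Use SSL"
    secure: bool = False      # "Secure" (Kerberos/NTLM)

# Effective lookup filter for one login: the configured user filter ANDed with
# the user-name attribute, the login value escaped.
def user_lookup_filter(s: LdapAuthSettings, login: str) -> str:
    return "(&%s(%s=%s))" % (normalize_filter(s.user_filter), s.user_name_attr, escape_filter_value(login))

# Defender's review of the configured authentication methods and filters.
def review(s: LdapAuthSettings) -> list:
    findings = []
    for name, flt in (("user", s.user_filter), ("group", s.group_filter)):
        try:
            normalize_filter(flt)
        except ValueError as e:
            findings.append("%s filter: %s" % (name, e))
    if s.anonymous:
        findings.append("Anonymous: no authentication is performed")
    if s.simple_bind and not (s.use_ssl or s.secure):
        findings.append("simple bind without Use SSL or Secure: bind password crosses the network in cleartext")
    return findings
```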