Configuring LDAP authentication
If you access Dashboards in Infor Ming.le, IFS authentication is used and you cannot use LDAP authentication.
To use LDAP in a non-Infor Ming.le environment, you must set the authentication to LDAP in Service Expert. To configure LDAP, use the Repository dashboard to provide all required LDAP authentication provider settings. After configuring LDAP authentication, you can register LDAP users and groups.
Note: After you register LDAP authentication in the repository, you can still sign in using a basic user. To sign in with basic user authentication, you must prefix the user name with "basic:".
- Select Dashboards > Farm Administration > Repository.
- In the Authentication Provider Settings widget, select LDAP.
- Click the Settings icon for LDAP.
- Click the General tab and specify this information:
- Server Name
- Specify the unique server name or the IP address of the server where the LDAP directory is located, for example, myldapserver.
- Port
- Specify the port number of the LDAP server.
- Root Directory
- Specify the distinguished name of the root directory, for example, dc=mysubdomain,dc=mydomain. You can specify multiple roots of the LDAP structure, separated by semicolons.
- User name and password
- Specify the user name and password to access the directory.
- Click the Users tab and specify this information:
- Filter
- Specify the information by which users are distinguished from other objects in the LDAP directory. For example, (&(objectCategory=person)(objectClass=user)).
- Membership from Groups
- To activate the membership from groups, select this check box.
- Group Membership
- If Membership from Groups is not selected, specify the name of the attribute type in which the group membership of users is stored. For example, memberof.
- User Name
- Specify the name of the attribute type in which the user name is stored. For example, account_name.
- User ID
- Specify the name of the attribute type in which the unique ID of users is stored. For example, objectsid.
- User Description
- Optionally, specify the name of the attribute type in which the description of users is stored.
- Click the Groups tab and specify this information:
- Filter
- Specify the information by which groups are distinguished from other objects in the LDAP directory. For example, objectclass=group.
- User Membership
- Specify the name of the attribute type in which the users who belong to a group are stored. For example, member.
- Group Name
- Specify the name of the attribute type in which group names are stored. For example, group_name.
- Group ID
- Specify the name of the attribute type in which the unique ID of groups is stored. For example, group_id.
- Group Description
- Optionally, specify the name of the attribute type in which the description of groups is stored.
- Click the Authentication tab and select one or more of these authentication options:
- Basic Authentication (Simple Bind)
- Select this check box to use Basic authentication in the LDAP authentication provider. Other authentication options are disabled if Basic Authentication is selected.
- Secure
- Requests secure authentication. When this check box is selected, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread, which is either:
- The security context of the user account under which the application is running, or
- The client user account that the calling thread is impersonating.
- Sealing
- Encrypts data using Kerberos.
- Signing
- Verifies data integrity to ensure that the data received is the same as the data sent.
- Anonymous
- No authentication is performed.
- Use SSL
- Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit.
- Fast Bind
- Specifies that ADSI will not attempt to query the Active Directory Domain Services objectClass property. Therefore, only the base interfaces that are supported by all ADSI objects will be exposed. Other interfaces that the object supports will not be available. A user can use this option to boost the performance in a series of object manipulations that involve only methods of the base interfaces. ADSI does not verify if any of the request objects exist on the server.
- Server Bind
- If your ADsPath includes a server name, select this check box when using the LDAP provider. Do not select this check box for paths that include a domain name or for serverless paths. Specifying a server name without also selecting this check box results in unnecessary network traffic.
- Delegation
- Enables Active Directory Services Interface (ADSI) to delegate the user's security context. This is required for moving objects across domains.
- Read-only server
- For a WinNT provider, ADSI tries to connect to a domain controller. For Active Directory Domain Services, a selected check box indicates that a writable server is not required for a serverless binding.
- Click OK.
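The Users and Groups tabs above combine a configured filter with an attribute match (User Name for sign-in lookups, User Membership for group resolution). The following helper is an added example, not code from Infor or from this product: it shows how such lookups should be composed, using the example values from the steps above, with the user-supplied name escaped per RFC 4515 so that characters such as "*", "(" and ")" cannot change the meaning of the filter, a filter written without parentheses (as in the Groups example) normalized, and the semicolon-separated Root Directory split into search bases. The directory names used in the demo are constructed.

```python
"""Compose LDAP lookup filters from the Users/Groups tab settings.

Added example (not Infor's code). Filter and attribute values follow the
examples given in the configuration steps; DNs are constructed.
"""
from __future__ import annotations

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in a search filter.

    A user name typed at sign-in is untrusted input; without escaping, filter
    metacharacters in it would alter which directory objects the filter matches.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_filter(configured: str) -> str:
    """Wrap a filter in parentheses if it was entered without them and verify
    that the parentheses are balanced; raise ValueError otherwise."""
    flt = configured.strip()
    if not flt.startswith("("):
        flt = f"({flt})"
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced parentheses in filter: {configured!r}")
    if depth != 0:
        raise ValueError(f"unbalanced parentheses in filter: {configured!r}")
    return flt


def user_lookup_filter(user_filter: str, user_name_attr: str, user_name: str) -> str:
    """AND the configured Users filter with an exact match on the User Name attribute."""
    return f"(&{normalize_filter(user_filter)}({user_name_attr}={escape_filter_value(user_name)}))"


def group_lookup_filter(group_filter: str, member_attr: str, user_dn: str) -> str:
    """AND the configured Groups filter with a match on the User Membership attribute."""
    return f"(&{normalize_filter(group_filter)}({member_attr}={escape_filter_value(user_dn)}))"


def parse_root_directories(root_directory: str) -> list[str]:
    """Split the semicolon-separated Root Directory setting into search bases."""
    return [r.strip() for r in root_directory.split(";") if r.strip()]


if __name__ == "__main__":
    # Constructed values mirroring the configuration examples above.
    print(user_lookup_filter("(&(objectCategory=person)(objectClass=user))", "account_name", "jdoe"))
    print(group_lookup_filter("objectclass=group", "member", "cn=J Doe,dc=mysubdomain,dc=mydomain"))
    print(parse_root_directories("dc=mysubdomain,dc=mydomain; dc=other,dc=example"))
    print(escape_filter_value("j*doe"))
```

The same escaping applies to any other value that originates outside the configuration, for example a group name taken from an HTTP request; only the administrator-entered filters and attribute names are used as-is.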
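The Authentication tab offers Basic Authentication (Simple Bind) alongside Secure and Use SSL. The following added example, written for this page and not taken from Infor or from ADSI, BER-encodes an LDAPv3 BindRequest as defined in RFC 4511 section 4.2 without opening any connection, so that the effect of a simple bind is visible: the bind DN and password are carried as plain octet strings in the message, which is why a simple bind should only be used over a TLS-protected connection (Use SSL) or replaced by the Kerberos/NTLM bind that the Secure option requests. The DN and password in the demo are constructed.

```python
"""BER-encode an LDAPv3 simple BindRequest (RFC 4511 section 4.2).

Added example (not Infor's code). It builds the message bytes only; nothing is
sent. Bind DN and password are constructed values.
"""


def ber_length(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    length = (value.bit_length() // 8) + 1
    return ber_tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    bind_request = (
        ber_integer(3)                                 # version INTEGER
        + ber_tlv(0x04, bind_dn.encode("utf-8"))      # name LDAPDN (OCTET STRING)
        + ber_tlv(0x80, password.encode("utf-8"))     # authentication: simple [0] OCTET STRING
    )
    protocol_op = ber_tlv(0x60, bind_request)         # BindRequest: [APPLICATION 0] SEQUENCE
    return ber_tlv(0x30, ber_integer(message_id) + protocol_op)  # LDAPMessage SEQUENCE


def password_visible_in_pdu(pdu: bytes, password: str) -> bool:
    """True when the credential appears verbatim in the encoded message.

    For a simple bind this is always the case; only transport protection
    (LDAPS / Use SSL) or a Kerberos/NTLM bind (Secure) keeps it off the wire.
    """
    return password.encode("utf-8") in pdu


if __name__ == "__main__":
    pdu = encode_simple_bind(1, "cn=svc-dashboards,dc=mysubdomain,dc=mydomain", "s3cret")  # constructed
    print(pdu.hex(" "))
    print("password visible in cleartext PDU:", password_visible_in_pdu(pdu, "s3cret"))
```

Reading the hex dump next to a packet capture of port 389 traffic is the quickest way to confirm whether a deployment is really using the SSL option: a simple bind over plain LDAP shows exactly these bytes.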