How to configure Application Server to use LDAP Authentication

LDAP Authentication

MCS Application Server is capable of authenticating users using a simple authentication database or by authenticating against a third-party LDAP (Lightweight Directory Access Protocol) server, such as Microsoft Active Directory, Novell eDirectory, OpenLDAP, and many others. To configure LDAP authentication, you must have access to information about your directory server that is probably only known to your server administrators. It is recommended that you provide this document to your directory server administrator and ask him or her to provide the appropriate settings or to configure MCS Application Server directly via AdminConsole.

From AdminConsole, go to Security | LDAP Configuration and select 'Use LDAP for User Authentication'. If you are using Active Directory, you can use the 'Active Directory Settings' button to populate the LDAP settings with a best guess based on your fully qualified domain name (FQDN), and then change any settings manually as needed. In the example below, mydomain.net was entered as the FQDN:

These settings would allow any user in the Active Directory that is a member of the MCSSoftwareUser group to use the system. Any user in the Active Directory that is a member of the MCSSoftwareAdmin group will be granted administrative permissions.

Detailed Settings Explanation

An explanation of each of these settings follows:

Hostname

This is the TCP/IP hostname or IP address that Application Server will use to connect to the LDAP server.

Use SSL

Enable Secure Sockets Layer (SSL) when communicating with the LDAP server. This setting encrypts traffic between Application Server and the LDAP server if the LDAP server is configured to accept SSL connections. This is generally not needed since the Application Server is usually located on the same trusted network as the LDAP server.

Use TLS

Enable Transport Layer Security (TLS) when communicating with the LDAP server. This setting encrypts traffic between Application Server and the LDAP server if the LDAP server is configured to accept TLS connections. This is generally not needed since the Application Server is usually located on the same trusted network as the LDAP server.

Enable Referral Chasing

Allows Application Server to follow a referral to another LDAP server when the initial LDAP server returns one. Disabling this option can help prevent long timeouts from occurring if DNS is not properly or fully configured on your network.

Auth Type

This is the authentication method to use when binding to the LDAP server.

Login Template

This is the username that Application Server will use when binding to the LDAP server. You can use the %username% macro to substitute for the username supplied by the end-user when they attempt to connect. In the above example, if the user enters 'jdoe' as the username, the LDAP bind will be attempted with username 'jdoe@mydomain.net'.

Password Template

This is the password that Application Server will use when binding to the LDAP server. You can use the %password% macro to substitute for the password supplied by the end-user when they attempt to connect. Typically this field will either be %password% or it will be a hardcoded password that matches a hardcoded username provided in the Login Template. In the above example, the actual password entered by the user would be used to attempt to bind to the LDAP server.

Base DN

After a successful bind, Application Server will attempt to look up the user that is attempting to log in. The search will be performed starting with the object specified by the distinguished name (DN) given here. In the above example, the user search would start at the object identified by the distinguished name "DC=mydomain,DC=net".

User Search Filter

This is the LDAP query string to use when searching for the user that is attempting to log in. You can use the %username% and %password% macros to substitute for the username and password, respectively, provided by the user when attempting to log in. This query should be designed to return at most one result: the object representing the user who is attempting to log in. In the above example, the user "jdoe" would be searched for using the LDAP query "(&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))".

User Search Scope

This is the scope of the search, starting at the Base DN, when looking for the user that is attempting to log in. In the above example, the user search would cover the object "DC=mydomain,DC=net" and all of its child objects.

Normal User Attribute Name

If an LDAP attribute is provided by this property, then the results of the user search will be checked against this attribute to determine if the user is allowed to use the system. In the above example, the "memberOf" LDAP attribute would be checked.

Normal User Attribute Value

If an LDAP attribute is provided by Normal User Attribute Name, then this property provides the value of that attribute to check for to determine if the user is allowed to use the system. In the above example, the "memberOf" LDAP attribute would be checked to make sure the user is a member of the group identified by the distinguished name "CN=MCSSoftwareUser,CN=Users,DC=mydomain,DC=net".

Admin User Attribute Name

If an LDAP attribute is provided by this property, then the results of the user search will be checked against this attribute to determine if the user is allowed to act as an administrator in any of the MCS applications. In the above example, the "memberOf" LDAP attribute would be checked.

Admin User Attribute Value

If an LDAP attribute is provided by Admin User Attribute Name, then this property provides the value of that attribute to check for to determine if the user is allowed to act as an administrator in any of the MCS applications. In the above example, the "memberOf" LDAP attribute would be checked to make sure the user is a member of the group identified by the distinguished name "CN=MCSSoftwareAdmin,CN=Users,DC=mydomain,DC=net".

Username Attribute

This is the LDAP attribute that contains the username of a given user as represented by an object in the directory server. It is used when returning lists of available users to attach to the respective systems.

Password Attribute

This is the LDAP attribute that should be set to the new password when a user chooses to change his or her password from within the MCS Software system. It can be left blank to prevent users from changing their own passwords from the MCS applications.

Authentication Logic Flow

The overall flow used to determine whether or not to allow a user to login to the system follows:

  1. The end-user provides a username and password when attempting to log in to any of the MCS applications.
  2. The application passes this information (using a secured TCP/IP connection) from the end-user's workstation to the application server.
  3. The application server connects to the LDAP server specified by Hostname, using SSL or TLS if enabled.
  4. The application server attempts a bind operation against the LDAP server using the Login Template and Password Template.
  5. If the bind operation fails:
     • Authentication fails.
  6. Otherwise (the bind operation succeeds):
     a. A query is executed against the LDAP server, starting at the Base DN, using the User Search Scope to look for objects matching the query provided by User Search Filter.
     b. If no results are returned:
        • Authentication fails.
     c. Otherwise, if one or more results are returned:
        i. If Admin User Attribute Name is set and any of the results match the Admin User Attribute Value:
           • Authentication succeeds and the user is assumed to be an administrative user.
        ii. Otherwise (either Admin User Attribute Name is blank or none of the search results match Admin User Attribute Value):
            1. If Normal User Attribute Name is blank:
               • Authentication succeeds and the user is assumed to be a normal (non-administrative) user.
            2. Otherwise (Normal User Attribute Name is not blank):
               - If any of the search results match Normal User Attribute Value:
                 • Authentication succeeds and the user is assumed to be a normal (non-administrative) user.
               - Otherwise (none of the search results match Normal User Attribute Value):
                 • Authentication fails.
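The following is an added example, not AdminConsole's or MCS's own code, that models both the macro expansion described under Login Template, Password Template and User Search Filter and the Authentication Logic Flow above, run against an in-memory directory built from constructed entries. The LdapConfig field names, the escape_filter_value helper, the FakeDirectory class and the constructed accounts and passwords are assumptions. One deliberate addition: because the %username% and %password% values come from the end-user, the example escapes them per RFC 4515 before substituting them into the search filter, so a value containing characters such as "(", ")" or "*" cannot change the structure of the query; the page does not say whether AdminConsole does this, so check with the vendor before relying on it.

```python
import re
from dataclasses import dataclass, replace

# Values substituted into the User Search Filter come from the end-user, so this
# hypothetical helper escapes them per RFC 4515; the bind templates get raw values.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def expand(template: str, username: str, password: str, *, for_filter: bool) -> str:
    # Replace the %username% and %password% macros in a template string.
    if for_filter:
        username, password = escape_filter_value(username), escape_filter_value(password)
    return template.replace("%username%", username).replace("%password%", password)

@dataclass
class LdapConfig:
    login_template: str
    password_template: str
    base_dn: str
    user_search_filter: str
    user_search_scope: str          # "base", "onelevel" or "subtree"
    normal_attr_name: str = ""
    normal_attr_value: str = ""
    admin_attr_name: str = ""
    admin_attr_value: str = ""

# The settings from the page's mydomain.net example.
CONFIG = LdapConfig(
    login_template="%username%@mydomain.net",
    password_template="%password%",
    base_dn="DC=mydomain,DC=net",
    user_search_filter="(&(objectCategory=person)(objectClass=user)(sAMAccountName=%username%))",
    user_search_scope="subtree",
    normal_attr_name="memberOf",
    normal_attr_value="CN=MCSSoftwareUser,CN=Users,DC=mydomain,DC=net",
    admin_attr_name="memberOf",
    admin_attr_value="CN=MCSSoftwareAdmin,CN=Users,DC=mydomain,DC=net",
)
CONFIG_ONELEVEL = replace(CONFIG, user_search_scope="onelevel")
CONFIG_NO_GROUP_CHECK = replace(CONFIG, normal_attr_name="", normal_attr_value="")

class FakeDirectory:
    """In-memory stand-in for the LDAP server. Attribute names are lower-cased (LDAP
    compares them case-insensitively); the filter evaluator only understands an AND
    of equality terms, which is the shape of the page's filter."""
    def __init__(self, entries: dict, binds: dict):
        self.entries = {dn: {k.lower(): v for k, v in a.items()} for dn, a in entries.items()}
        self.binds = binds          # bind name -> password accepted by a simple bind

    def bind(self, user: str, password: str) -> bool:
        return self.binds.get(user) == password

    @staticmethod
    def _in_scope(dn: str, base_dn: str, scope: str) -> bool:
        dn, base_dn = dn.lower(), base_dn.lower()
        if dn == base_dn:
            return scope in ("base", "subtree")
        if scope == "base" or not dn.endswith("," + base_dn):
            return False
        return scope == "subtree" or dn.split(",", 1)[1] == base_dn   # naive RDN split

    def search(self, base_dn: str, scope: str, ldap_filter: str) -> list:
        terms = [(a.lower(), v) for a, v in re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", ldap_filter)]
        return [attrs for dn, attrs in self.entries.items()
                if self._in_scope(dn, base_dn, scope)
                and all(v in attrs.get(a, []) for a, v in terms)]

def _user(sam: str, *groups: str) -> dict:   # constructed AD-like entry
    return {"objectCategory": ["person"], "objectClass": ["user"], "sAMAccountName": [sam], "memberOf": list(groups)}

DIRECTORY = FakeDirectory(
    entries={
        "CN=John Doe,CN=Users,DC=mydomain,DC=net": _user("jdoe", CONFIG.normal_attr_value),
        "CN=Alice Admin,CN=Users,DC=mydomain,DC=net": _user("aadmin", CONFIG.admin_attr_value, CONFIG.normal_attr_value),
        "CN=Bob Guest,CN=Users,DC=mydomain,DC=net": _user("bguest"),
    },
    binds={"jdoe@mydomain.net": "pw-jdoe", "aadmin@mydomain.net": "pw-aadmin", "bguest@mydomain.net": "pw-bguest"},
)

def authenticate(cfg: LdapConfig, directory: FakeDirectory, username: str, password: str):
    """The page's Authentication Logic Flow: returns "admin", "user", or None on failure."""
    # Steps 3-5: bind with the expanded Login Template and Password Template.
    bind_user = expand(cfg.login_template, username, password, for_filter=False)
    bind_pw = expand(cfg.password_template, username, password, for_filter=False)
    if not directory.bind(bind_user, bind_pw):
        return None
    # Steps 6.a-6.b: search from the Base DN with the User Search Scope and Filter.
    ldap_filter = expand(cfg.user_search_filter, username, password, for_filter=True)
    results = directory.search(cfg.base_dn, cfg.user_search_scope, ldap_filter)
    if not results:
        return None
    # Step 6.c: attribute checks, the admin value first, then the normal-user value.
    def any_result_has(attr: str, value: str) -> bool:
        return bool(attr) and any(value in r.get(attr.lower(), []) for r in results)
    if any_result_has(cfg.admin_attr_name, cfg.admin_attr_value):
        return "admin"
    if not cfg.normal_attr_name or any_result_has(cfg.normal_attr_name, cfg.normal_attr_value):
        return "user"
    return None
```

With these constructed entries, authenticate(CONFIG, DIRECTORY, "jdoe", "pw-jdoe") returns "user", "aadmin" returns "admin", and "bguest" (who binds successfully but belongs to neither group) returns None; switching to CONFIG_NO_GROUP_CHECK admits "bguest" as a normal user, and CONFIG_ONELEVEL fails for everyone because the accounts sit under CN=Users, one level below the Base DN.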