Configuring LDAP Authentication Type
CentraSite supports various LDAP configurations and provides standard settings that allow you to set up your authentication quickly against these standard systems.
There are many questions that are involved when you configure against an LDAP system:
What is the hierarchical node structure of the LDAP server?
In which kinds of objects are the user and group definitions contained?
Which node properties contain the user names or group IDs?
What other property mappings are required?
In general, before you begin to specify the configuration, Software AG recommends you to study the LDAP structure and contents using an LDAP browser. There are various freeware tools that allow you to do this. Using the LDAP browser, you can bind to an LDAP server, then navigate through the hierarchy to see the structures that contains the users and groups. Also, you can open the nodes that contain the definitions of individual users or groups and view the properties that are stored for each user or group. An example of a node for a user testuser01 might show the following properties:
Property name | Value |
cn | testuser01 |
objectClass | OpenLDAPperson |
Mail | JohnSmith@MyCompany.com |
Phone | +1 234 555 678 |
The path to the node for this user might be com/People/Location3/testuser01, where com is the root node. The setup on this LDAP server might be that all users are stored under the People node (com/People/…) and all groups are stored under the Groups node (com/Groups/…). Since every CentraSite customer can define their LDAP user and group structures differently, the details of the LDAP configuration that you will perform in CentraSite vary accordingly, since you must map explicitly to the customer LDAP structures.
Technical Principal for LDAP
CentraSite can only find and authenticate a user name through the LDAP mechanism if either:
the user name is located directly beneath the LDAP node that represents all users (specified through the User DN configuration value – for example, if user names are in the form
uid=Username,ou=people,dc=mydomain,dc=com then the user name must be beneath the node
ou=people,dc=mydomain,dc=com), or:
the LDAP server allows anonymous bind.
The technical principal is a user name or user account that preferably should not belong to a real user, in other words, the technical principal is normally the ID of a fictitious user. It is intended for organizations that store their user entries in branched LDAP directory structures, for example uid=Username,loc=Germany,ou=people,dc=mydomain,dc=com but do not allow anonymous bind. The technical principal must be defined in LDAP as having (at least) read access to all users and groups that are to be used by CentraSite.
When CentraSite is configured to use this feature, all LDAP accesses take place using the technical principal. For example, if a user with user name user1 and password pwd1 wants to log in to CentraSite Business UI, LDAP is accessed using the technical principal and the record for the user user1 is checked.