LDAP Authentication Profile

Complete the following prerequisites before you create an LDAP authentication profile.

Prerequisites
Install the Auth Agent service on a server where an on-site LDAP is configured. An Auth Agent service must also be configured if you plan to add LDAP Secure users as administrators.

For installation steps, please go to Auth Agent Installation.

If you are using LDAP Secure, install the LDAPS server certificate in the Trusted Root Certification Authorities certificate store on the server where the Auth Agent is configured.

Follow the steps below to create the LDAP authentication profile.

  1. Log in as an administrator.

  2. Go to the System section.

  3. Expand Security and click on Authentication Profiles.

  4. Click [Add].

  5. Choose LDAP as type.

  6. Enter the name of the authentication profile.

  7. Click [Save].

    Clicking [Save] will create the auth profile item in the list.

  8. Click on the profile and expand the LDAP node.

  9. Provide the following information:

    Server Name
      Enter the server name. This is a required field.

    Port
      Enter the port number. The default is 389. This is a required field.
      If SSL is on, port 389 is automatically changed to 636.

    SSL
      Enable SSL if required. By default, SSL is off.

    Active Directory
      Enable Active Directory if required. By default, this item is unchecked.
      The following settings are displayed when Active Directory is enabled; provide a value for the required one:
      • Domain
      • Alt UPN Suffix

    Domain
      Enter the domain name of the Active Directory. This setting is required when Active Directory is enabled.

    Alt UPN Suffix
      Enter the UPN suffix of Active Directory users. Providing a single UPN suffix here adds it to the logon name of all users.

    Base DN
      Enter the starting point for the account name search. Starting from the base DN, the search proceeds down the branches below it.
      Example: ou=member,dc=mycompany,dc=com
      This item is required.

    Search Scope
      Specify the range of the search from the base DN.
      • Single level: The search is performed only in the level directly below the base DN.
      • Subtree: The search is performed in the base DN and all levels of the hierarchy under it. This is the default option.
      This item is required.

    Search Condition
      Enter the search condition. This item is required. The following string is set as the default value:
      (&(objectClass=organizationalPerson) (sAMAccountName=^))
      The following characters should be escaped with a backslash (\): "(", ")", "*", "\", "/"

    PIN Code Search Condition
      Enter the search condition used for a user PIN code search. This item is required. The following string is set as the default value:
      (&(objectClass=organizationalPerson)(PINCode=^))
      The following characters should be escaped with a backslash (\): "(", ")", "*", "\", "/"

    Card Search Condition
      Enter the search condition used for a user's Card ID search. This item is required. The following string is set as the default value:
      (&(objectClass=organizationalPerson)(cardID=^))
      The following characters should be escaped with a backslash (\): "(", ")", "*", "\", "/"

    Prefix
      Enter the prefix of the LDAP search filter. This setting is hidden when Active Directory is used.

    Suffix
      Enter the suffix of the LDAP search filter. This setting is hidden when Active Directory is used.

    Anonymous Bind
      Check to enable anonymous binding. This setting is unchecked by default.

    Proxy User Name
      Enter the name of the proxy user if you want to use one. This item is not required.

    Proxy User Password
      Click [Change Password], then enter the password of the proxy user.

    Enable DNS Round Robin
      Specify whether to enable the DNS round robin function. By default, this setting is enabled.
      The DNS round robin function looks up multiple domain controllers and iterates through the list to authenticate the user.

    Timeout
      Specify the LDAP operation timeout. The default is 5 seconds.

    [Test Connection] button
      Checks whether a connection can be established to the LDAP server.
      A dialog is displayed for entering your credentials. Enter a working User Name and Password, then click [Start]. This action tries to connect to the LDAP server and log in.
      If Use Proxy User is checked, the Password text box is disabled. The test binds as the Proxy User and retrieves the information of the account entered in the User Name field.

    Login User Name
      Enter the attribute that identifies the login user name. The default value is "sAMAccountName".

    Display Name
      Enter the display name attribute. The default value is "displayName".

    Email Address
      Enter the attribute of the user's e-mail address. The default value is "mail".

    Group
      Enter the attribute of the group name. The default value is "memberOf".

    Home Folder
      Enter the user home folder attribute. The default value is "homeDirectory".

    Card ID
      Enter the attribute of the card ID.

    User PIN
      Enter the PIN code attribute. Only single-byte alphanumeric characters can be used.

    Department
      Enter the department attribute.

    Group Search Mode
      Select the method used to identify group membership.
      • Simple Search: The search is based on the group identifier (DN).
      • Full Search: The search is based on the user's login group attribute.
      The default is Full Search.

    Group Name Attribute
      Enter the attribute from which the group name is obtained. Specify this setting when Full Search is selected in Group Search Mode. The default value is "sAMAccountName".

    Group Search Condition
      Enter the search condition used to find groups. Specify this setting when Full Search is selected in Group Search Mode. The default value is "(&(objectClass=group))".

    Click the [Test Connection] button to check the connection to the LDAP server.

  10. Click [Save].

  11. Expand the Auth Agent section. Add an authentication agent by moving an auth agent from the Not Assigned Agent pane to the Assigned Agent pane. Use the up arrow button to move the item.

    If an auth agent is not displayed in the list, configure the auth agent as described in Auth Agent Installation.

    An auth agent can be assigned to multiple LDAP Authentication Profiles. If multiple certificates exist, the Auth Agent shown is the one that uses the latest certificate generated.

  12. Click [Save].

  13. (Optional) Click [Connection Check] to test the connection to the LDAP server.

    Enter a working User Name and Password, then click [Start]. This action tries to connect to the LDAP server and log in.

    If Use Proxy User is checked, the Password text box is disabled. The test binds as the Proxy User and retrieves the information of the account entered in the User Name field.

You can create more than one LDAP type of authentication profile.
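As an added example, not part of this documentation or of the product, the following Python shows how a Search Condition such as the defaults above becomes a concrete LDAP filter: the ^ placeholder is assumed to stand for the value being looked up (login name, PIN code or card ID), the characters the table says to escape are written with a backslash in their RFC 4515 hex form, the optional Prefix and Suffix are wrapped around the result, and a small check confirms that an admin-entered condition has balanced parentheses. Function names and the sample values are constructed for illustration.

```python
import re

# Characters the profile documentation says must be escaped in a Search
# Condition ("(", ")", "*", "\", "/"), each written as a backslash plus the
# character's two-digit hex code (RFC 4515). NUL is added because it ends
# strings in many C-based LDAP clients. Backslash is listed first so an
# already-escaped value is not escaped twice by a second pass.
FILTER_ESCAPES = {
    "\\": "\\5c",
    "(": "\\28",
    ")": "\\29",
    "*": "\\2a",
    "/": "\\2f",
    "\x00": "\\00",
}

# Default Search Condition from the profile table; ^ is the assumed placeholder.
DEFAULT_USER_FILTER = "(&(objectClass=organizationalPerson)(sAMAccountName=^))"


def escape_filter_value(value: str) -> str:
    """Escape one attribute value so the filter can only match it literally."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, value: str,
                        prefix: str = "", suffix: str = "") -> str:
    """Substitute the escaped value for ^ and wrap with the profile's Prefix/Suffix."""
    if template.count("^") != 1:
        raise ValueError("search condition must contain exactly one '^' placeholder")
    return prefix + template.replace("^", escape_filter_value(value)) + suffix


# Hex escape sequences are dropped before counting so escaped parentheses
# inside a value are not mistaken for filter structure.
_ESCAPE_SEQ = re.compile(r"\\[0-9a-fA-F]{2}")


def parentheses_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check for an admin-entered condition before saving it."""
    depth = 0
    for ch in _ESCAPE_SEQ.sub("", ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```

A login name containing filter metacharacters stays a single literal value after escaping, so the built filter still matches at most the intended account.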