This page provides an overview of LDAP and AD authentication configuration in OT Link Platform.

Overview

Each OT Link Platform instance contains a default user registry for authentication and authorization. The OT Link Platform LDAP and AD settings allow you to integrate the OT Link Platform login system with an external authentication registry; for example, this external registry might hold the username and password combinations for your company network. OT Link Platform supports:

What is LDAP?

Lightweight Directory Access Protocol (LDAP) provides centralized services for login authentication and for the storage of, and access to, usernames and passwords within a network directory. LDAP uses group mechanisms to simplify user authentication management. The Active Directory (AD) service authenticates users and devices in a Windows or UNIX-based domain network and verifies permissions to determine the user's access level at login.

Add an LDAP/AD Provider

You must configure providers in OT Link Platform to activate this type of authentication. The OT Link Platform device contains a client that communicates with the LDAP server and receives information based on the client's access level.
To add an LDAP/AD provider:
LDAP Provider Details

For more information on LDAP / AD providers, see the following section. Use this guide to configure LDAP / AD with OT Link Platform.

General Settings

Name: Enter a user-defined name.
Type: Currently only generic is valid.

Find LDAP Distinguished Names (DN)

To configure LDAP for OT Link Platform, you must have the DN information from the LDAP server.

Bind DN

An LDAP Bind DN supplies the user and the user's location in the LDAP directory tree. The LDAP client configuration file contains this information. You can access it in the following directory:
To find the Bind DN:
Connection Settings

Host: Enter the hostname (the fully qualified domain name or IP address) of your LDAP server.
Port: Enter the LDAP host port number. The default LDAPS (Secure LDAP) port is 636; the default LDAP port is 389.
TLS: Check this box to use LDAP over Transport Layer Security (TLS) to authenticate Active Directory sessions. The TLS protocol provides authentication and data encryption between servers and applications on a network. Note: When this box is not checked, OT Link Platform expects to find a configured Custom Certificate.
TLSRootCA: Enter the root SSL/TLS certificate. Make sure to include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- when entering the certificate. See the following sample certificate:

-----BEGIN CERTIFICATE-----
MIIFOjCCAyKgAwIBAgIBATANBgkqhkiG9w0BAQsFADBAMRowGAYDVQQKExFMaXRt
-----END CERTIFICATE-----

Bind DN: The bind DN identifies the user and the location of the user in the LDAP directory tree. In the following example: CN=common name, OU=organizational unit, and DC=domain component.
See Find the LDAP Bind DN.
Bind DN Password: Enter the DN (distinguished name) password.

LDAP User Settings

User Search Base DN: This Base DN (Distinguished Name) is the point in the LDAP directory tree at which the LDAP service starts a user search. The Base DN is the latter part of the Bind DN. See Find the LDAP Bind DN.
Search Scope: Select one of the following: base, one, sub. Base limits the search to the base object. One restricts the search to “one level”, that is, the immediate children of the base object. Sub enables a full LDAP tree search, including all children of the base object.
User Search Filter: Enter a filter to search LDAP users.
Attribute for Unique UserID: Enter the unique user ID number (uidNumber).
Attribute for Username: Enter the unique user ID (uid).
First Name: Enter the given name of the user.
Last Name: Enter the surname of the user.

Group Settings

User Groups: You must define the following groups on the LDAP / AD server to have users with different permissions in OT Link Platform:
LDIF Info: The LDAP Data Interchange Format (LDIF) file can define attributes, such as user access control permissions. The following example shows the LDIF format for the mydom organization.
Group Search Base DN: This Base DN (Distinguished Name) is the starting point that the LDAP service uses to find a group in the LDAP directory tree. Example of a Group Base DN:
Search Scope: Select one of the following: base, one, sub. Base limits the search to the base object. One restricts the search to “one level”, that is, the immediate children of the base object. Sub enables a full LDAP tree search, including all children of the base object.
Group Search Filter: Enter a filter to query the Active Directory. See an LDAP search-filter reference for help creating search filters. Example of a filter to query group objects with a common name (CN) starting with Admin:
Group Name Attribute: Enter the common name (CN) for the group to search.
Group Membership Attribute: Enter the distinguished name (DN) for the group to search.
Member Value Type: Enter the value type for members in the group, DN or CN.

Log In with Authentication

After configuring LDAP, users must select a Provider ID when they log in to OT Link Platform. The Username is from the LDAP server. The Password must match the Bind DN Password from the configuration.

What is CN in a distinguished name?

The Common Name (CN), also known as the Fully Qualified Domain Name (FQDN) in certificate subjects, is the characteristic value within a Distinguished Name (DN). Typically it is composed of the host domain name and looks like "www.digicert.com" or "digicert.com". The Common Name field is often misinterpreted and filled out incorrectly.
What is my domain distinguished name?

Steps to check the DN of a user object:

Click View and select Advanced Features. Search for the user whose DN you need to check. Open the user's properties and click the Attribute Editor tab. Check the Distinguished Name (DN) as shown in the image below.

What is DN and RDN?

A DN is a sequence of relative distinguished names (RDN) connected by commas. An RDN is an attribute with an associated value in the form attribute=value, normally expressed in UTF-8 string format. The following table lists typical RDN attribute types.

What is DN and CN in AD?

An entry is made up of a collection of attributes that have a unique identifier called a Distinguished Name (DN). A DN is a unique name that identifies the entry at its level of the hierarchy. In the example above, John Doe and Jane Doe are different common names (cn) that identify different entries at that same level.
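The settings described above (Bind DN, the Base DN derived from it, the base/one/sub search scopes, the search filters, and the Group Membership Attribute with its Member Value Type) and the DN/RDN structure covered in the last two questions can be exercised together on a small in-memory directory. The following Python block is an added example written for this page; it is not OT Link Platform code and does not talk to a real LDAP server. The LDIF entries, the organisation name mydom, the accounts svc-otlink and jdoe, and the Administrators and Operators groups are all constructed, and the filter parser implements only a small subset of LDAP filter syntax (equality with `*` wildcards, `&` and `|`).

```python
import fnmatch
import re

# Constructed LDIF sample for a hypothetical "mydom" organisation (not real data).
SAMPLE_LDIF = """\
dn: dc=mydom,dc=local
objectClass: domain

dn: ou=People,dc=mydom,dc=local
objectClass: organizationalUnit

dn: uid=svc-otlink,ou=People,dc=mydom,dc=local
objectClass: inetOrgPerson
uid: svc-otlink
cn: OT Link bind account

dn: uid=jdoe,ou=People,dc=mydom,dc=local
objectClass: inetOrgPerson
uid: jdoe
uidNumber: 1001
cn: John Doe
givenName: John
sn: Doe

dn: ou=Groups,dc=mydom,dc=local
objectClass: organizationalUnit

dn: cn=Administrators,ou=Groups,dc=mydom,dc=local
objectClass: groupOfNames
cn: Administrators
member: uid=jdoe,ou=People,dc=mydom,dc=local

dn: cn=Operators,ou=Groups,dc=mydom,dc=local
objectClass: groupOfNames
cn: Operators
member: John Doe
"""


def parse_ldif(text):
    """Parse 'attr: value' blocks separated by blank lines into {dn: {attr: [values]}}."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, entry = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()  # attribute types are case-insensitive
            if attr == "dn":
                dn = value
            else:
                entry.setdefault(attr, []).append(value)
        directory[dn] = entry
    return directory


def parse_dn(dn):
    """Split a DN into RDNs: 'CN=John Doe,OU=People' -> [('CN', 'John Doe'), ('OU', 'People')]."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # a comma escaped as '\,' stays inside the value
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def normalize_dn(dn):
    """Case-insensitive form used for all DN comparisons."""
    return tuple((a.lower(), v.lower()) for a, v in parse_dn(dn))


def base_dn_of(bind_dn):
    """The Base DN is the latter part of the Bind DN: drop the leading RDN."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(bind_dn)[1:])


def parse_filter(text):
    """Subset of LDAP filter syntax: (attr=pattern) with '*' wildcards, plus (&...) and (|...)."""
    body = text.strip()[1:-1]
    if body and body[0] in "&|":
        op, parts, depth, start = body[0], [], 0, 0
        for i, ch in enumerate(body[1:], 1):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(body[start:i + 1]))
        return (op, parts)
    attr, _, pattern = body.partition("=")
    return ("=", attr.strip().lower(), pattern.strip())


def matches(node, entry):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    _, attr, pattern = node
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in entry.get(attr, []))


def search(directory, base_dn, scope, ldap_filter):
    """Return the DNs at or below base_dn, limited by scope, whose entry matches the filter."""
    if scope not in ("base", "one", "sub"):
        raise ValueError("Search Scope must be base, one or sub")
    base, node, found = normalize_dn(base_dn), parse_filter(ldap_filter), []
    for dn, entry in directory.items():
        rdns = normalize_dn(dn)
        if len(rdns) < len(base) or rdns[len(rdns) - len(base):] != base:
            continue  # not at or below the base object
        depth = len(rdns) - len(base)  # 0 = the base object itself, 1 = an immediate child
        if (scope == "base" and depth != 0) or (scope == "one" and depth != 1):
            continue
        if matches(node, entry):
            found.append(dn)
    return found


def is_member(directory, group_dn, user_dn, membership_attr="member", value_type="DN"):
    """Group membership check honouring the Member Value Type (DN or CN) setting."""
    values = directory[group_dn].get(membership_attr.lower(), [])
    if value_type.upper() == "DN":
        return normalize_dn(user_dn) in {normalize_dn(v) for v in values}
    if value_type.upper() == "CN":
        user_cns = {c.lower() for c in directory[user_dn].get("cn", [])}
        return any(v.lower() in user_cns for v in values)
    raise ValueError("Member Value Type must be DN or CN")
```

With the sample loaded via `parse_ldif(SAMPLE_LDIF)`, `base_dn_of("uid=svc-otlink,ou=People,dc=mydom,dc=local")` yields the User Search Base DN `ou=People,dc=mydom,dc=local`; a `one` search from that base with `(uid=*)` returns both user entries, while a `base` search returns only the organizational unit itself. The same `(cn=Admin*)` filter run with scope `sub` under `ou=Groups` returns only the Administrators group, and `is_member` shows why the Member Value Type matters: the Administrators group stores member DNs and matches jdoe only when the type is DN, whereas the Operators group stores the common name and matches only when the type is CN. A real deployment lets the LDAP server evaluate filters and scopes; this toy does so locally only to make the settings concrete.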