Configuring LDAP authentication
To configure LDAP authentication, open the Server Administration > Host Server > LDAP tab.
- Select Enable LDAP Authentication to enable the fields.
  This enables or disables LDAP integration. When selected, all GUI components are enabled. This option is cleared by default.
  When this is selected and a user logs on, their user name and password credentials are authenticated against the LDAP server.
  If the LDAP server cannot be contacted, the user is not authenticated and an error message is returned to the user, stating Unable to contact LDAP server.
  If the LDAP server authenticates their credentials, their group is then checked against the LDAP server.
  If the group returned by the LDAP server matches one of the configured groups, the user is granted access. The user’s access then follows the parameters configured in the user’s profile.
  If the user credentials do not authenticate or the group does not match, the user does not have access and an error message is returned to the user.
- Specify a host name in the Host Name field.
  Specify the LDAP server’s host name or IP address. You can also specify a backup LDAP server for cases where the primary server is down or cannot be reached. To use a backup server, specify the primary and backup servers, separated by a comma.
- Optionally, specify a port in the Port field.
  If unspecified, port 389 is used for the No Encryption and StartTLS Extension encryption methods, and 636 for the SSL Encryption method.
- For Encryption Method, select an encryption method from the menu. The default is SSL Encryption.
- For Authentication Method, select an authentication method from the menu.
  Select from Simple Authentication or GSSAPI (Kerberos).
  The Kerberos service is a client-server architecture that provides secure transactions over networks. This service offers strong user authentication, integrity, and privacy.
  A user begins a Kerberos session by requesting a ticket-granting ticket (TGT) from the Key Distribution Center (KDC) using their username and password. The TGT is similar to a passport: the ticket-granting ticket identifies you, and with it you can obtain numerous “visas.” The “visas” (tickets) are not for foreign countries but for remote machines or network services. The KDC accesses a database to authenticate your identity. It then returns a ticket that grants you permission to access the other machine or services such as the IDE.
  When GSSAPI (Kerberos) is selected, additional fields open for configuration.
  - For Kerberos Realm, specify the logical network, similar to a domain, that defines a group of systems under the same main KDC. Usually, the realm name is the same as your DNS domain name, except that the realm name is in uppercase.
  - For KDC Host, specify the host name of the KDC (Key Distribution Center) server.
  - For KDC Port, specify the port number of the KDC server.
  This information is located in the krb5 file, which is the Kerberos configuration file, found in one of these locations:
  - /etc/krb5/krb5.conf (Solaris)
  - C:\winnt\krb5.ini (Windows)
  - /etc/krb5.conf (Linux)
  Note: Manager Distinguished Name in advanced settings is not supported when GSSAPI (Kerberos) is selected.
- For Default Domain Name, specify the default domain name for the user account name. The default domain name is appended to the user name if it does not already include it. This field is optional.
  For example, a full account name would be harry@infor.com. If the user specifies only "harry," then "@infor.com" is appended to form the full account name used to log in to the LDAP server.
- Click Test to open the Authentication Testing dialog box. This tests whether the host server can connect to the configured LDAP server.
  OK is enabled when User Name and Password are specified, and disabled when either is empty. Click OK to start connecting to the LDAP server.
- Click Advanced to open the LDAP Advanced Configuration dialog box.
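The logon flow and field semantics described in this procedure, modeled as an added Python example (not Infor's code): it applies the port defaults, the comma-separated primary/backup host list, the default-domain append and the configured-group check, against a constructed in-memory directory that stands in for the LDAP servers so it runs offline. The `FAKE_DIRECTORY` contents, the `ide-users` group and the `example.test` host names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port defaults as stated in the procedure: 389 for No Encryption and
# StartTLS Extension, 636 for SSL Encryption.
DEFAULT_PORTS = {"No Encryption": 389, "StartTLS Extension": 389, "SSL Encryption": 636}

# Constructed stand-in for the LDAP servers: host -> {account: (password, group)}.
# A host missing from the dict is treated as unreachable.
FAKE_DIRECTORY: Dict[str, Dict[str, Tuple[str, str]]] = {
    "ldap2.example.test": {
        "harry@infor.com": ("s3cret", "ide-users"),
        "mallory@infor.com": ("pw", "guests"),
    },
}

@dataclass
class LdapConfig:
    host_name: str                         # "primary,backup" as typed in Host Name
    encryption: str = "SSL Encryption"     # the page's default Encryption Method
    port: Optional[int] = None             # Port field; None means "unspecified"
    default_domain: str = "infor.com"      # Default Domain Name (page example)
    allowed_groups: frozenset = frozenset({"ide-users"})  # configured groups (assumed)

    def hosts(self) -> List[str]:
        # Primary first, then the optional comma-separated backup.
        return [h.strip() for h in self.host_name.split(",") if h.strip()]

    def effective_port(self) -> int:
        return self.port if self.port is not None else DEFAULT_PORTS[self.encryption]

    def full_account_name(self, user: str) -> str:
        """Append the default domain only if the user did not supply one."""
        return user if "@" in user else f"{user}@{self.default_domain}"

def authenticate(cfg: LdapConfig, user: str, password: str,
                 directory=FAKE_DIRECTORY) -> Tuple[bool, str]:
    """Return (granted, message) following the logon flow in the procedure."""
    account = cfg.full_account_name(user)
    for host in cfg.hosts():
        server = directory.get(host)
        if server is None:
            continue                        # primary down: fall through to the backup
        entry = server.get(account)
        if entry is None or entry[0] != password:
            return False, "Invalid credentials"      # wording is constructed
        if entry[1] not in cfg.allowed_groups:
            return False, "Group not authorized"     # wording is constructed
        return True, f"Access granted via {host}:{cfg.effective_port()}"
    return False, "Unable to contact LDAP server"    # message text from the page
```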