LDAP
Deployment Feature Availability
Available in on-premise and private instance cloud deployments only.
Configuring LDAP Authentication
The LDAP Membership extension provides connectivity/subscription to an existing LDAP implementation for authentication, user profiles and group memberships. To authenticate and authorize a user SmartIQ LDAP will request the following of the LDAP server:
- Authentication - Confirmation that a username and password credentials are correct. Depending on the LDAP implementation the username may require a domain.
- User Profile Query - User profile attributes such as names, emails etc.
- User Group Memberships Query - A list of groups that the user is a member of.
- Parent Group Memberships Query (recursive) - list of groups that a particular group is a member of (recursive).
As LDAP implementations are not standard the query filters can be configured to suit the environment.
How to Install LDAP
By default SmartIQ Installations use Forms Authentication as the licensing and an administrator group must be set before LDAP can be configured.
Step 1 - Identify and configure and LDAP SmartIQ administrator group.
When the first user (usually a server administrator) is authenticated, SmartIQ needs to assign them permissions so they can access appropriate functionality. If this step is not completed users will not be able to actually do anything post authentication. Refer to External Authentication User Groups for more information on how to configure an external group.
Step 2 Modify the Produce and Manage Appsettings.Json files
From the SmartIQ Web server open the Produce appsetings.json. file (usually similar to c:\inetpub\wwwroot<>\Produce\appsetings.json)
Firstly, Locate the Extensions Array, and add the following, line,
("Intelledox.Extension.IdentityBuiltin.LDAPIdentity, Intelledox.Extension.IdentityBuiltin")
Now Locate or create an Authentication/LDAP object, this is where the environment specific properties will be set. At a minimum add an "LdapPath" property, additonal properties are describe in the tables below.
Your AppSettings file should look similar to the below.
{
"ConnectionStrings": {
"DefaultConnection": "Password=infiniti;Persist Security Info=True;User ID=infiniti;Initial Catalog=Infiniti;Data Source=server1234"
},
"Extensions": [
"Intelledox.Extension.DatasourceBuiltin.OleDbDatasource, Intelledox.Extension.DatasourceBuiltin",
...
...
"Intelledox.Extension.IdentityBuiltin.LDAPIdentity, Intelledox.Extension.IdentityBuiltin"
],
"Authentication": {
"LDAP": {
"LdapPath": "LDAP://ldapServer",
"Username": "myServiceAccount",
"Password": "qwerty78",
"Logging":"True",
"UpdateExternalGroupMembership": "True"
}
}
}
General Properties
Provide at least an LdapPath for the connection to LDAP.
| Title | Example | Notes |
|---|---|---|
| LdapPath | LDAP://ldapServer | Mandatory |
| logging | true/false | See the logging section below for more information Default = false |
| UpdateExternalGroupMembership | Adds users to their respective external groups in SmartIQ when Syncing. During Scheduled Syncing and manually pressing the button in Manage under the Users page, the users will not only be created if they belong to any of the AD groups corresponding to External groups setup in SmartIQ but they will also be added to those groups. Equally, if their membership in the AD changes, this will update their membership in SmartIQ. Running this Sync with this option enabled can take a while (minutes) to finish, and is highly dependent on the number of users in the AD. | True/False |
User Authentication Properties
The Authentication properties allow the specification of the auth type and also the format of the username.
| Title | Example | Notes |
|---|---|---|
| authenticationtype | Secure,none | Default = secure |
| userauthusername | uid={{username}},dc={{domain}},dc=acme,dc=com {{username}} {{domain}}{{username}} | Syntax for how the username should be passed to the LDAP server for authentication. For example a user might enter their username as domain\username however it might be passed to the server as uid=username,dc=domain,dc=acme,dc=com |
LDAP Query Properties
Settings for validating the user’s supplied credentials.
| Title | Example | Notes |
|---|---|---|
| queryauthenticationtype | Secure,None,Anon | An authentication type to use when making LDAP queries to retureve user information such as profile and group membeships. Default = secure |
| username | admin domain/admin | Credentials will be used to query the LDAP server for the user’s profile and group membership information. Not required if read only access is permitted by your LDAP sever. |
| password | secret#1234 | Credentials will be used to query the LDAP server for the user’s profile and group membership information. Not required if read only access is permitted by your LDAP sever. |
User Profile Query
Query to retrieve user data such as name, email, address etc.
| Title | Example | Notes |
|---|---|---|
| userldappath | LDAP://smartcommunications/OU=Users,OU=Org,DC={{domain}},DC=local | A specific path to provide when making the user profile query, limiting the query’s scope to save time. |
| userfilter | (& (ObjectClass=person)(sAMAccountName={{username}})) | The LDAP filter passed used to find exactly one user Default = (& (ObjectClass=person)(sAMAccountName={{username}})) |
Group Membership Attribute
Use when groups memberships are sourced from the above user profile. (DEFAULT)
| Title | Example | Notes |
|---|---|---|
| usergroupmembershipattribute | MemberOf Member | An attribute name that represents a group membership sourced from the user’s profile. Default = MemberOf |
Group Membership Entities Query
Use when group memberships are sourced from a separated query
| Title | Example | Notes |
|---|---|---|
| usergroupldappath | LDAP://SERVER/dc={{domain}},dc=acme,dc=com | A specific path to provide when making the group membership entity query, limiting the query’s scope to save time. |
| usergroupentitiesfilter | (& &(objectclass=groupOfNames)(member{{username}})) | A filter that must return one or more results. I.e. one or more groups that the user is a member of. |
| the user is a member of. usergroupnameproperty | Cn | When the groups are returned the usergroupnameattribute represents the attribute to source the name from. Default = cn |
Parent Groups
Recursive query to search for parent groups
| Title | Example | Notes |
|---|---|---|
| parentgroupldappath | LDAP://SERVER/dc={{domain}},dc=simo,dc=com | A specific path to provide when making the user profile query, limiting the query’s scope to save time. |
| parentgroupentityfilter | (&(ObjectClass=group)(sAMAccountName={{groupname}})) | The LDAP filter passed used to find exactly one group Default = (&(ObjectClass=group)(sAMAccountName={{groupname}})) |
| parentGroupMembershipAttribute | MemberOf Member | Default =MemberOf |
LDAP SYNC
| Title | Example | Notes |
|---|---|---|
| syncldappath | LDAP://server | |
| syncgroupfilter | (&(objectCategory=group)(cn={{groupname}})) | Default (&(objectCategory=group)(cn={{groupname}})) |
| syncgroupdistinguishednameattribute | distinguishedName | Default distinguishedName |
| syncparentgroupfilter | (&(ObjectCategory=group)(memberof={{groupdistinguishedname}})) | Default (&(ObjectCategory=group)(memberof={0})) |
| syncmemberfilter | (&(ObjectCategory=person)(memberof={{groupdistinguishedname}})) | Default (&(ObjectCategory=person)(memberof={0})) |
| syncmemberusernameattribute | samAccountName | Default samAccountName |
| syncmemberdistinguishednameattribute | distinguishedName | Required if domain required. |
Logging
Where logging is configured, results are stored in the SmartIQ database. Can be retrieved using the following SQL statement.
SELECT TOP(10)*
FROM EventLog
ORDERBY [DateTime] DESC
Updated over 2 years ago