HomeGuidesRecipesAPI
HomeGuidesAPILog In

📘

Deployment Feature Availability

Available in on-premise and private instance cloud deployments only.

Configuring LDAP Authentication

The LDAP Membership extension provides connectivity/subscription to an existing LDAP implementation for authentication, user profiles and group memberships. To authenticate and authorize a user SmartIQ LDAP will request the following of the LDAP server:

  • Authentication - Confirmation that a username and password credentials are correct. Depending on the LDAP implementation the username may require a domain.
  • User Profile Query - User profile attributes such as names, emails etc.
  • User Group Memberships Query - A list of groups that the user is a member of.
  • Parent Group Memberships Query (recursive) - list of groups that a particular group is a member of (recursive).

As LDAP implementations are not standard the query filters can be configured to suit the environment.

How to Install LDAP

By default SmartIQ Installations use Forms Authentication as the licensing and an administrator group must be set before LDAP can be configured.

Step 1 - Identify and configure and LDAP SmartIQ administrator group.
When the first user (usually a server administrator) is authenticated, SmartIQ needs to assign them permissions so they can access appropriate functionality. If this step is not completed users will not be able to actually do anything post authentication. Refer to External Authentication User Groups for more information on how to configure an external group.

Step 2 Modify the Produce and Manage Appsettings.Json files
From the SmartIQ Web server open the Produce appsetings.json. file (usually similar to c:\inetpub\wwwroot<>\Produce\appsetings.json)
Firstly, Locate the Extensions Array, and add the following, line,
("Intelledox.Extension.IdentityBuiltin.LDAPIdentity, Intelledox.Extension.IdentityBuiltin")

Now Locate or create an Authentication/LDAP object, this is where the environment specific properties will be set. At a minimum add an "LdapPath" property, additonal properties are describe in the tables below.

Your AppSettings file should look similar to the below.

{
  "ConnectionStrings": {
    "DefaultConnection": "Password=infiniti;Persist Security Info=True;User ID=infiniti;Initial Catalog=Infiniti;Data Source=server1234"
  },
  "Extensions": [
    "Intelledox.Extension.DatasourceBuiltin.OleDbDatasource, Intelledox.Extension.DatasourceBuiltin",
		...
    ...
      "Intelledox.Extension.IdentityBuiltin.LDAPIdentity, Intelledox.Extension.IdentityBuiltin"
  ],
  "Authentication": {
    "LDAP": {
      "LdapPath": "LDAP://ldapServer",
      "Username": "myServiceAccount",
      "Password": "qwerty78",
      "Logging":"True",
      "UpdateExternalGroupMembership": "True"
    }
  }
}

General Properties

Provide at least an LdapPath for the connection to LDAP.

TitleExampleNotes
LdapPathLDAP://ldapServerMandatory
loggingtrue/falseSee the logging section below for more information
Default = false
UpdateExternalGroupMembershipAdds users to their respective external groups in SmartIQ when Syncing.
During Scheduled Syncing and manually pressing the button in Manage under the Users page, the users will not only be created if they belong to any of the AD groups corresponding to External groups setup in SmartIQ but they will also be added to those groups. Equally, if their membership in the AD changes, this will update their membership in SmartIQ.
Running this Sync with this option enabled can take a while (minutes) to finish, and is highly dependent on the number of users in the AD.
True/False

User Authentication Properties

The Authentication properties allow the specification of the auth type and also the format of the username.

TitleExampleNotes
authenticationtypeSecure,noneDefault = secure
userauthusernameuid={{username}},dc={{domain}},dc=acme,dc=com
{{username}}
{{domain}}{{username}}
Syntax for how the username should be passed to the LDAP server for authentication. For example a user might enter their username as domain\username however it might be passed to the server as uid=username,dc=domain,dc=acme,dc=com

LDAP Query Properties

Settings for validating the user’s supplied credentials.

TitleExampleNotes
queryauthenticationtypeSecure,None,AnonAn authentication type to use when making LDAP queries to retureve user information such as profile and group membeships. Default = secure
usernameadmin
domain/admin
Credentials will be used to query the LDAP server for the user’s profile and group membership information. Not required if read only access is permitted by your LDAP sever.
passwordsecret#1234Credentials will be used to query the LDAP server for the user’s profile and group membership information. Not required if read only access is permitted by your LDAP sever.

User Profile Query

Query to retrieve user data such as name, email, address etc.

TitleExampleNotes
userldappathLDAP://smartcommunications/OU=Users,OU=Org,DC={{domain}},DC=localA specific path to provide when making the user profile query, limiting the query’s scope to save time.
userfilter(& (ObjectClass=person)(sAMAccountName={{username}}))The LDAP filter passed used to find exactly one user
Default = (& (ObjectClass=person)(sAMAccountName={{username}}))

Group Membership Attribute

Use when groups memberships are sourced from the above user profile. (DEFAULT)

TitleExampleNotes
usergroupmembershipattributeMemberOf
Member
An attribute name that represents a group membership sourced from the user’s profile.
Default = MemberOf

Group Membership Entities Query

Use when group memberships are sourced from a separated query

TitleExampleNotes
usergroupldappathLDAP://SERVER/dc={{domain}},dc=acme,dc=comA specific path to provide when making the group membership entity query, limiting the query’s scope to save time.
usergroupentitiesfilter(& &(objectclass=groupOfNames)(member{{username}}))A filter that must return one or more results. I.e. one or more groups that the user is a member of.
the user is a member of.
usergroupnameproperty
CnWhen the groups are returned the usergroupnameattribute represents the attribute to source the name from. Default = cn

Parent Groups

Recursive query to search for parent groups

TitleExampleNotes
parentgroupldappathLDAP://SERVER/dc={{domain}},dc=simo,dc=comA specific path to provide when making the user profile query, limiting the query’s scope to save time.
parentgroupentityfilter(&(ObjectClass=group)(sAMAccountName={{groupname}}))The LDAP filter passed used to find exactly one group
Default = (&(ObjectClass=group)(sAMAccountName={{groupname}}))
parentGroupMembershipAttributeMemberOf
Member
Default =MemberOf

LDAP SYNC

TitleExampleNotes
syncldappathLDAP://server
syncgroupfilter(&(objectCategory=group)(cn={{groupname}}))Default (&(objectCategory=group)(cn={{groupname}}))
syncgroupdistinguishednameattributedistinguishedNameDefault
distinguishedName
syncparentgroupfilter(&(ObjectCategory=group)(memberof={{groupdistinguishedname}}))Default
(&(ObjectCategory=group)(memberof={0}))
syncmemberfilter(&(ObjectCategory=person)(memberof={{groupdistinguishedname}}))Default
(&(ObjectCategory=person)(memberof={0}))
syncmemberusernameattributesamAccountNameDefault
samAccountName
syncmemberdistinguishednameattributedistinguishedNameRequired if domain required.

Logging

Where logging is configured, results are stored in the SmartIQ database. Can be retrieved using the following SQL statement.

SELECT TOP(10)*
FROM EventLog
ORDERBY [DateTime] DESC