LDAP (Active Directory) Authentication

Large Iotellect installations are operated by hundreds of people, each of them inheriting one or many roles. Creating and maintaining individual Iotellect Server user accounts for them all is too laborious. In this case, it's possible to authenticate users through an LDAP server (such as Microsoft Active Directory), while authorization (assigning of user permissions) will use role-based Iotellect Server user accounts.

LDAP authentication is enabled and controlled through Active Directory and LDAP Authentication global server property. It has the following fields:

  • Address. IP address or hostname of an LDAP server.

  • Port. Port to connect on the LDAP server, default is 389.

  • Timeout. Timeout for LDAP authentication process. If this timeout elapses during an authentication, an Iotellect Server user trying to log in via LDAP authentication will be denied.

  • Type. Choose your authentication type: Use RDN Prefix or Use Authentication User.

  • Default Container Mapping. Table used to convert LDAP user's primaryGroupID (found in ID column) to the group name (specified in Name column). Used only when Use RDN Prefix authentication type is used.

  • LDAP User Attribute to Iotellect User Mapping. A table that defines how parameters of LDAP users will be mapped Iotellect Server role-based user accounts. Once an LDAP user is successfully authenticated, the system needs to find an Iotellect Server user that matches the authenticated LDAP user. This is performed as follows:

    • The LDAP User Attribute to Iotellect User Mapping table is processed record-by-record

    • For every record, the Attribute Value Expression is evaluated. Its default context is the context pointed by value in the User column.

    • The Attribute Value Expression result is compared to the value of the LDAP user attribute pointed by the Attribute Name column. If they match, the user pointed by the User column is authorized for the current session.

When a matching LDAP User Attribute to Iotellect User Mapping record is found, processing of the table continues. If any other records will match current LDAP user (i.e. more than one record match), the authentication will fail with an error.

Note that the LDAP authorization user logins user1 and user1@domain.com are equivalent and recognized as user1, but the variation domain.com/user1 cannot be used in Iotellect.

  • RDN Prefixes. RDN names to use for user lookup, without DC segments. This field is relevant only to the Use RDN Prefix authentication Type.

  • Default Domain. Name of the domain to use if it wasn't specified in the username during login.

  • Username. This field provides the user's name. It's relevant only to the Use Authentication User type.

  • Password. The user's password. This field is relevant only to the Use Authentication User type.

  • Lookup Domain. Domain to seek users in. Either Use domain part of username (e.g. part of login provided for the authentication procedure that follows @ symbol) or Use default domain (e.g. value of the Default Domain parameter).

  • Use SSL. Defines whether secure LDAPs protocol will be used.

Authentication By Using RDN Prefix

The following steps describe how authentication is performed if Type is set to Use RDN Prefix:

  • LDAP queries are made to list users in the Lookup Domain, one query for every record in the RDN Prefixes table. The domain part of the query is formed by concatenating the current RDN Prefix and ,DC=Lookup Domain. LDAP search scope is set to Subtree Scope. Users are searched by the userPrincipalName LDAP parameter.

  • All above queries must return strictly one result in total, otherwise, the authentication will fail.

  • If found LDAP user has primaryGroupID attribute, the user's group name is evaluated by screening the Default Container Mapping table. Group Name found in a record with ID equal to primaryGroupID is used.

  • Finally, Iotellect Server user is looked up in LDAP User Attribute to Iotellect User Mapping.

Authentication By Using Authentication User

The following steps describe how authentication is performed if Type is set to Use Authentication User:

  • An LDAP query is made to find a user with sAMAccountName LDAP attribute equal to the authentication login name. Username and Password settings are used to execute the query.

  • Iotellect Server user is looked up in LDAP User Attribute to Iotellect User Mapping according to attributes of user found by the above query.

Was this page helpful?