Configuring LDAP Advanced Authentication

The LDAP Advanced authentication type supports authentication across multiple LDAP user groups. In contrast, the LDAP authentication type only works for users in a particular sub-tree. For example, an LDAP directory of employees that is divided into groups based on their location would require LDAP Advanced authentication.

If you choose LDAP Advanced as your authentication method while Creating an Authentication Profile, specify the following values to configure Platform to authenticate users using your LDAP system.

Default Setting: Selecting the Default UI or Default API field marks this authentication profile as the current default authentication type for the UI or for the API, respectively. The same profile does not have to be the default for both UI and API authentication.

Name: Type an authentication profile name.

Target URL: The URL used to reach the LDAP system (typically ldap://<host-address>).

Base Distinguished Name: The root distinguished name (DN) to use when running queries against your directory server. Examples:
  • o=example,c=com
  • cn=users,dc=ad,dc=example,dc=com
  • For Microsoft Active Directory, specify the base DN in the form dc=domain1,dc=local, replacing domain1 and local with the values for your domain. Microsoft Server provides a tool called ldp.exe that is useful for discovering and configuring the LDAP structure of your server.

Additional User DN: The value to use in addition to the base DN when searching for and loading users. If no value is supplied, the sub-tree search starts from the base DN. For example, if an LDAP directory contains both users and printers and you want to query only the users, pass the additional user DN ou=Users in this field.

Authentication Type: The authentication mechanism to use. For example, for a Sun LDAP service provider this can be one of the strings none, simple, or sasl_mech, where sasl_mech is a space-separated list of SASL (Simple Authentication and Security Layer) mechanism names. The default value is simple.

Search Mode: How Platform binds to the LDAP directory in order to run a search query and read its results. Choose one of the following according to your LDAP configuration:
  • Anonymous: For LDAP directories that accept queries from a source that is not logged in.
  • Authentication: Only authenticated users can query the LDAP directory. If you choose this option, two additional text fields appear where you must specify:
    • Admin Security Principal - the user name
    • Admin Security Credential - the password

Use Name Attribute: The attribute to read when loading the username. Examples:
  • cn - Use the common name attribute.
  • uid - Use the user ID attribute.

Additional Parameter: Any other details required to set up an LDAP call.
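As an added illustration, not code from the Platform product, the following Python model shows how these fields combine into a directory lookup: the effective search base, a filter built from the login name with RFC 4515 escaping, the bind identity selected by Search Mode, and a check on whether the Target URL scheme protects the bind password. The class and field names, and the search-then-bind flow, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# RFC 4515 escaping for values placed inside a search filter. Without it a login
# name such as "*)(uid=*" would change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is placed in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapAdvancedProfile:
    """Hypothetical mirror of the profile fields described above (assumed names)."""
    target_url: str                       # Target URL, e.g. ldaps://ldap.example.com
    base_dn: str                          # Base Distinguished Name
    additional_user_dn: str = ""          # Additional User DN, e.g. ou=Users
    authentication_type: str = "simple"   # none, simple or a SASL mechanism list
    search_mode: str = "Anonymous"        # Anonymous or Authentication
    admin_security_principal: str = ""    # used only in Authentication search mode
    admin_security_credential: str = ""
    user_name_attribute: str = "uid"      # cn or uid

    def search_base(self) -> str:
        """Sub-tree searches start at the additional user DN under the base DN."""
        if self.additional_user_dn:
            return f"{self.additional_user_dn},{self.base_dn}"
        return self.base_dn

    def user_filter(self, login: str) -> str:
        """Filter that locates the entry for the login name being tested."""
        return f"({self.user_name_attribute}={escape_filter_value(login)})"

    def search_credentials(self) -> Optional[Tuple[str, str]]:
        """Bind identity for the directory search; None means an anonymous bind."""
        if self.search_mode != "Authentication":
            return None
        if not self.admin_security_principal:
            raise ValueError("Authentication search mode needs an Admin Security Principal")
        return (self.admin_security_principal, self.admin_security_credential)

    def transport_is_encrypted(self) -> bool:
        """True only for ldaps://; plain ldap:// without StartTLS sends a simple bind password in clear."""
        return urlsplit(self.target_url).scheme.lower() == "ldaps"
```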

After specifying the above values, you must test your authentication method to check whether authentication succeeds. To test your authentication method:

  1. Under Test External Authentication, specify a valid login name and password.
  2. Click Test External Authentication.

Note that you cannot save your changes until the test succeeds.