This requires editing the ivizgroup.properties on your server in the configuration (conf) directory.
Question:
How do you integrate iDashboards with a LDAP directory, such as Active Directory, so that users can log into iDashboards with their AD credentials?
Answer:
Connecting to an LDAP Directory is accomplished through our standard LDAP Integration.
Mode 1 Authentication
Using this method, the LDAP login module will use the login credentials to attempt to login (bind) to the directory server. In many cases it will need to decorate the username with other information to form all or part of the user's Distinguished Name (DN) before presenting the credentials to the directory server. If the bind is successful, then the user is considered authenticated.
To use Mode 1 Authentication, please add the lines below to the ivizgroup.properties file which can be located in the iDashboards installation directory (ivizgroup) under the config folder on the server:
For LDAP:
login.module=com.ivizgroup.idb.security.auth.LDAPLoginModule
login.module.securityLevel=simple
login.module.connectionURL= ldap://<domain name>:389
login.module.userBindPattern={0}@example.com
The integration requires the following information to be on hand before attempting connectivity to the LDAP directory:
- The LDAP connection URL including Domain name and port (Default LDAP Port: 389)
- Your LDAP bind pattern. The bind pattern in the example above usually works for AD.
Here are a few more examples of bind patterns:
- Example 1. The following set uses the domain name of the user…
- Example 2. The following set uses the domain name of the user...
- Example 3. The following set uses the SAM Account name of the user...
# This method will only work if the sAMAccountName is the same as the iDashboards login.
# Many times the sAMAccountName is in the <First Name> <Last Name> format.
Mode 2 Authentication
In some cases, it may not be possible to bind to the directory server with a partial DN, or to build the user's full DN prior to the bind attempt. In these cases, the LDAP authentication module can locate the user's DN by searching the directory first, either by binding with credentials supplied as configuration options, or by binding anonymously (without any username or password) and searching the directory, if the directory server allows it.
To use Mode 2 Authentication, please add the lines below to the ivizgroup.properties file which can be located in the iDashboards installation directory (ivizgroup) under the config folder on the server:
login.module=com.ivizgroup.idb.security.auth.LDAPLoginModule
login.module.securityLevel=simple
login.module.connectionURL= ldap://<domain name>:389
login.module.userSearch=cn={0}
The above configuration will anonymously search the directory using the username entered during the login process. You may need to format the user search pattern differently depending on your LDAP environment. Here are some other examples:
Example 1: login.module.userSearch=sAMAccountName={0}
Example 2: login.module.userSearch={0}@domain.com
If your directory server does not allow anonymous binds, you will need to provide an LDAP username and password that the login module can use to search the directory. This user should have bind privileges in your directory server. To configure this user, add the following lines to your properties file in addition to those that were previously mentioned:
login.module.connectionName=username
login.module.connectionPassword=password
The connectionName can be a simple username or a full or partial DN. Please note that the above two lines are only used for Mode 2 Authentication; they are ignored if you are using Mode 1 Authentication.
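The following Python helper is added here as an illustration and is not code from iDashboards: it reads the login.module.* keys described above, shows how the {0} placeholder is expanded into a Mode 1 bind name and a Mode 2 search filter, and flags settings a practitioner should check before trusting a successful bind. The sample properties, host name and service account are constructed.

```python
"""Offline helper for the ivizgroup.properties LDAP settings (illustrative, not the product's code)."""

# Constructed sample of the relevant keys; the host and service account are placeholders.
SAMPLE_PROPERTIES = """\
login.module=com.ivizgroup.idb.security.auth.LDAPLoginModule
login.module.securityLevel=simple
login.module.connectionURL= ldap://dc01.example.com:389
login.module.userBindPattern={0}@example.com
login.module.userSearch=sAMAccountName={0}
login.module.connectionName=svc_idashboards
login.module.connectionPassword=placeholder
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, values trimmed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:  # a line without '=' (e.g. two keys fused together) is silently skipped
            props[key.strip()] = value.strip()
    return props

def escape_filter(value):
    """RFC 4515 escaping so a typed login name cannot change the shape of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def mode1_bind_name(props, username):
    """Mode 1: decorate the login name with the bind pattern before presenting it to the server."""
    return props["login.module.userBindPattern"].replace("{0}", username)

def mode2_search_filter(props, username):
    """Mode 2: filter used by the anonymous or service-account search that locates the user's DN."""
    return "(" + props["login.module.userSearch"].replace("{0}", escape_filter(username)) + ")"

def check_config(props, password):
    """Checks worth running before treating 'bind succeeded' as 'user authenticated'."""
    problems = []
    if not props.get("login.module.connectionURL", "").startswith("ldaps://"):
        problems.append("securityLevel=simple over ldap:// sends passwords in cleartext; prefer ldaps://")
    if "{0}" not in props.get("login.module.userBindPattern", "{0}"):
        problems.append("userBindPattern lacks {0}: every user would bind as the same name")
    if password == "":
        problems.append("empty password: a simple bind with no password is an anonymous bind and may succeed")
    return problems
```

The empty-password check matters because a Mode 1 module that treats any successful bind as authentication would otherwise accept an unauthenticated (anonymous) bind.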
Once you have the above set up, try the below steps to confirm if LDAP is successfully configured:
- Log into the Admin application module
- Create a user with a username that exists in your LDAP directory, with password: 1234
- Now, start the user application interface and log in as this new user, entering the user's LDAP password in the password field instead of 1234
- If you are able to log in, then it confirms that LDAP is successfully integrated
- If you instead encounter a login error, go back into the properties file and make the necessary changes to the bind pattern
NOTE: The iDashboards user name, admin, will always be authenticated through the normal iDashboards authentication process regardless of any external authentication module that may be used. This ensures that the admin user can always log into iDashboards even if the external system is unavailable.
For More Information:
13.3.1 External Authentication
13.3.2 Configuring LDAP Authentication
Disclaimer: iDashboards Technical Support Engineers are not Active Directory Administrators (ADA) with in-depth knowledge. We often learn these skills on the job and have limited knowledge. We do our best to help you with your software in determining whether you are not leveraging the software in the best way for your data or you have found a bug in the software, because we want to assist you in your success.
If the above is unable to resolve the issue, please contact your organization's Active Directory Admin for further assistance; if the issue cannot be resolved internally, contact iDashboards Support for further assistance.