
Configuration

LDAP Settings

Administrators manage the LDAP configuration by clicking the Adapters top level menu, then selecting the LDAP Configuration option.

LDAP Mode

The initial Settings page allows users to specify the LDAP Adapter’s mode of operation based on the existing infrastructure layout and configuration.

The two modes of operation are Search and Bind Mode, and Direct Bind Mode.

Figure 1. Select LDAP Mode (Search and Bind selected)

Search and Bind Mode

Search and Bind mode, the most commonly used LDAP mode, involves connecting to the LDAP server, either anonymously (anonymous bind) or with a specified account such as a service account. Once configured, when a user logs in, the LDAP server is searched for the Distinguished Name (DN) of the user attempting to log in. Once the DN is found, an attempt to bind as that user is made, passing the DN and password to authenticate.

Figure 2. Search and Bind Configuration Page

Configuration Options

  • LDAP Server URL

    URL to your LDAP Server, in the form of ldap://myldap.example.local or ldaps://192.168.1.22. The LDAP protocol prefix is required: ldap:// for unencrypted LDAP connections, or ldaps:// for SSL secured connections. To specify a non-standard port, append it to the host using standard syntax, for example ldap://10.0.1.21:2294.

  • Custom User Naming Attribute

    Allows the administrator to specify the user naming attribute. Necessary if not using the standard uid or sAMAccountName values. The configured attribute will be used for lookups, and its value will be used by users for login. For example, with a Custom User Naming Attribute value of myCustomId and a DN of myCustomId=batman,uid=bwayne,ou=heroes,dc=waynecorp,dc=com, the user would log in to Soltra Edge using the username batman.

  • Bind Methods

    LDAP clients use two basic methods to connect and interact with an LDAP server: Authenticated Bind and Anonymous Bind.

    • Authenticated Bind

      If your organization requires authenticated bind, typically with either a service or administrator account, enter the Bind DN and password for the specified account into the Bind DN and Bind Password fields, respectively.

    • Anonymous Bind

      If your organization supports anonymous bind, check the Anonymous Bind checkbox. Enabling anonymous bind will ignore any values in the Bind DN and Bind Password fields and attempt to bind anonymously.

  • Base DN for Search

    The Base DN for Search allows the Soltra Edge administrator to specify the LDAP directory location to search for users.

  • Save and Test Settings

    For Search and Bind Mode, when the Save and Test Settings button is clicked, Soltra Edge will attempt to connect to the LDAP server using the method specified in the configuration above. If anonymous bind is enabled, an anonymous bind will be attempted, and for authenticated bind, Soltra Edge will attempt to bind as the specified account. The results will be displayed once the test is complete.

Note

Communication to the server and binding are tested on this page. If the Base DN for Search value is incorrect or a custom user naming attribute is used, it is possible to have a successful test but have users that are unable to log in. Please check with your LDAP Administrator to validate the Base DN for Search and Custom User Naming Attribute fields.
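The three steps of Search and Bind, and the caveat in the Note above (the test only covers the first bind, so a wrong Base DN or naming attribute surfaces only at login), modelled as an added example against a constructed in-memory directory. This is illustration code, not Soltra Edge's implementation; the directory entries and passwords are made up, and the simulated bind rejects empty passwords because a real server would treat a DN with an empty password as an unauthenticated bind.

```python
from urllib.parse import urlsplit

# Constructed sample directory (not a real LDAP server): DN -> attributes.
# Passwords are fake test data.
DIRECTORY = {
    "uid=bwayne,ou=heroes,dc=waynecorp,dc=com": {"uid": "bwayne", "userPassword": "s3cret"},
    "cn=svc-edge,ou=service,dc=waynecorp,dc=com": {"cn": "svc-edge", "userPassword": "svcpw"},
}

def parse_server_url(url):
    """Parse the LDAP Server URL into (host, port, tls). Only ldap:// and ldaps://
    are accepted; default ports are 389 and 636. tls=False means every bind
    password (service account and user) crosses the network in cleartext."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("URL must start with ldap:// or ldaps:// and name a host")
    tls = parts.scheme == "ldaps"
    return parts.hostname, parts.port or (636 if tls else 389), tls

def build_search_filter(naming_attr, username):
    """Filter for the user lookup, with RFC 4515 escaping so the login name
    cannot change the filter's structure."""
    escaped = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in username)
    return "(%s=%s)" % (naming_attr, escaped)

def bind(dn, password):
    """Simulated bind: dn=None is an anonymous bind, otherwise check the password.
    An empty password is never a success (it would be an unauthenticated bind)."""
    if dn is None:
        return True
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry["userPassword"] == password

def search_user_dn(base_dn, naming_attr, username):
    """Stand-in for the server evaluating build_search_filter() under base_dn:
    return the single matching DN, or None."""
    base = base_dn.lower()
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith("," + base) and attrs.get(naming_attr) == username]
    return hits[0] if len(hits) == 1 else None

def search_and_bind(bind_dn, bind_pw, base_dn, naming_attr, username, password):
    """Save and Test Settings only exercises step 1; steps 2 and 3 run at login."""
    if not bind(bind_dn, bind_pw):                              # 1. service/anonymous bind
        return "service bind failed"
    user_dn = search_user_dn(base_dn, naming_attr, username)    # 2. search for the DN
    if user_dn is None:
        return "user not found"
    return "ok" if bind(user_dn, password) else "bad password"  # 3. bind as the user
```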

Apply Settings

Once settings have been saved and tested, the Apply Settings button will be available. Click the button to reload the necessary services, at which point users will be able to log in via LDAP.

Important

If sudo is disabled, the Soltra Administrator will need to manually restart the services. Please log in to the Soltra Edge system via a terminal and execute the following commands as root. Until the commands specified in the sudo-disabled section have been executed, users will not be able to log in via LDAP. If you have not disabled sudo, these commands will be executed automatically when the Apply Settings button is clicked.

Direct Bind Mode

Figure 3. Select LDAP Mode (Direct Bind selected)

Direct Bind skips the search phase, and allows the administrator to fully specify the DN for users. Since no search is performed, the DN must be accurate for authentication via LDAP to work. The DN is specified with a placeholder, making the entire DN customizable so the administrator can adapt the LDAP configuration to any user naming attribute and specify any location in the LDAP Directory hierarchy.

Figure 4. Direct Bind Configuration Page

Configuration Options

  • LDAP Server URL

    URL to your LDAP Server, in the form of ldap://myldap.example.local or ldaps://192.168.1.22. The LDAP protocol prefix is required: ldap:// for unencrypted LDAP connections, or ldaps:// for SSL secured connections. To specify a non-standard port, append it to the host using standard syntax, for example ldap://10.0.1.21:2294.

  • Direct Bind Template

    The Direct Bind Template specifies the DN template for all user accounts that will use Soltra Edge. In Direct Bind Mode, users will have an identical DN, with the sole difference between users being the username. All attribute names and the hierarchy must be identical. Any users outside of the specified DN will not be able to log in.

    An example configuration value for Direct Bind is as follows: uid=%(user)s,ou=People,dc=example,dc=com

    In the above example, the uid attribute holds the value used as the login username. With that configuration, a user with the DN uid=tstark,ou=People,dc=example,dc=com would log in with the username tstark.

Important

The %(user)s placeholder MUST be in the configuration to identify the user naming attribute when using Direct Bind. The user attribute will determine the username users use to log in. Please contact your LDAP Administrator for the configuration specific to your environment.

Apply Settings

Click the Apply Settings button to apply the configuration changes. Unlike Search and Bind Mode, it is not possible to test the connection, as there is no separate bind step before a user logs in. Users log in directly based on the credentials they supply and the template specified above.
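Rendering the Direct Bind Template for a login, as an added example that is not Soltra Edge's code. It assumes the %(user)s placeholder is expanded with Python's %-formatting (which its syntax suggests), enforces the placeholder requirement from the Important note above, and DN-escapes the username per RFC 4514 so that a login name containing a comma or equals sign cannot add or alter RDNs in the rendered DN; the directory entry and password are constructed test data.

```python
# Constructed sample directory for the simulated bind (fake test data): DN -> password.
DIRECTORY = {"uid=tstark,ou=People,dc=example,dc=com": "jarvis"}

def validate_template(template):
    """The %(user)s placeholder is mandatory; without it every login would bind as one DN."""
    if "%(user)s" not in template:
        raise ValueError("Direct Bind Template must contain the %(user)s placeholder")
    return template

def escape_dn_value(value):
    """RFC 4514 escaping of a single RDN value: special characters get a backslash,
    NUL becomes \\00, and a leading '#' or space and a trailing space are escaped."""
    out = "".join("\\00" if c == "\x00" else ("\\" + c if c in ',+"\\<>;=' else c)
                  for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def render_bind_dn(template, username):
    """Substitute the escaped username into the template via %-formatting."""
    return validate_template(template) % {"user": escape_dn_value(username)}

def direct_bind(template, username, password):
    """Simulated direct bind: no search, the rendered DN must exist exactly.
    An empty password is rejected; a real server would treat it as an
    unauthenticated bind rather than a failed one."""
    if not password:
        return False
    return DIRECTORY.get(render_bind_dn(template, username)) == password
```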


For more information, join the conversation in the CTX/Soltra Edge Forums at forums.soltra.com.