User Access Manager Help >> Operation Guide >> User Access Policy >> LDAP Service >> LDAP Server >> Add/Modify LDAP Server

Add/Modify LDAP Server

This function allows you to add and modify LDAP servers in INC, that is, to add and modify associations with LDAP servers. If the user group synchronization type for an added LDAP server is Synchronize by OU or Synchronize by OU Property, user groups are synchronized immediately after the server is added.

Operation Procedure

1. Select the User tab, and then select User Access Policy > LDAP Service > LDAP Server from the navigation tree to enter the LDAP server configuration page.
2. Click Add or click the link of the LDAP server you want to modify.
3. Configure the basic information, such as the server name, address, server type, Admin DN, Admin Password, Base DN. Specify the version, port, and user group in the Advanced Information area.
4. Configure the standby server information, such as the address.
5. Click OK.

Precautions

• During LDAP server modification, you cannot modify the name of the LDAP server.
• Domain name or IP address of the LDAP server and Base DN must be unique.
• During user authentication for network access, if the primary LDAP server is not working normally and a standby LDAP server is available, INC will automatically turn to the standby server. The primary/standby LDAP server switchover is not supported in other cases, such as login authentication on the self-service center.
• If you do not enter the administrator DN or password, users access the LDAP server as anonymous users. Make sure the LDAP server supports anonymous access.
• MSCHAPv2 authentication does not support accounts with suffixes removed, or with prefixes removed or added.
• Microsoft Active Directory supports using an old password for authentication within the lifetime of the old password. After an LDAP user modifies the password, the user can pass authentication by using the old or new password if the old password is still in its lifetime. The lifetime of an old password is in the range of 5 to 60 minutes, depending on the version of Microsoft Active Directory.

Parameters

Basic Information
• Server Name: Name of the LDAP server. It is required and cannot be the same as any existing LDAP server name.
• Address: Domain name or IP address of the LDAP server. The combination of this argument and Base DN must be unique.
• Server Type: Type of the LDAP server, general LDAP server or Microsoft Active Directory. The former refers to all servers compliant with the LDAP standards, while the latter represents only Microsoft Active Directory.
• Admin DN: Administrator DN of the LDAP server, for managing user data in the LDAP server. Suppose the server type is General (such as Open LDAP) and the domain of the LDAP server is contoso.com. You can configure the admin DN as cn=Manager,dc=contoso,dc=com.
• Admin Password: Administrator password of the LDAP server. The system uses this password when establishing a connection with the LDAP server.
• Plaintext: Select this option to display the administrator password in plaintext form. For security purposes, after you select this option, enter the administrator password again.
• Base DN: Name of the root node that stores user data in the LDAP server. Absolute path is required. You can select or enter a base DN. To obtain all base DN information of a server for selection, make sure you have entered the correct server address, administrator DN, and administrator password. Suppose the server type is General (such as Open LDAP) and the domain of the LDAP server is contoso.com. The domain contains organization group1 that contains organization unit test. If you want to add an LDAP server with organization unit test as the root node, configure the base DN as ou=test,o=group1,dc=contoso,dc=com. And the administrator DN must use either semicolon or comma as the separator.


Advanced Information
• Version: Version of the LDAP protocol running on the LDAP server. Currently, the mainstream versions V2 and V3 are supported.
• Service Sync Type: When the Service Type field has a value of general LDAP server, this field can only be Manual Assignment. When the Service Type field has a value of Microsoft Active Directory, this field can be Manual Assignment or Based On Active Directory Group. Manual Assignment means that when configuring a synchronization policy for the LDAP server, you can specify services for users. Based On Active Directory Group means that when configuring a synchronization policy for the LDAP server, you can only specify services for LDAP groups and the system will assign services for users based on the LDAP groups they belong to. For details about synchronization policy, refer to Sync Policy Management.
• Real-Time AuthN: With real-time authentication, bound users are authenticated on the LDAP server. With non-real-time authentication, bound users are locally authenticated on EIA. The server type Microsoft Active Directory supports only real-time authentication because it does not have the user password query interface. The general LDAP sever supports synchronizing user passwords to EIA and you can select local authentication for it. For details about bound users, refer to Management of Bound Users.
• Reconnect Interval: If INC fails to establish a connection to the LDAP server, it will retry after this interval. During this interval, INC does not try to connect to the LDAP server and will refuse all LDAP user authentication requests.
• Port: Listening port of the LDAP server. The default setting is 389 and the port cannot be empty. If SSL authentication is enabled, port 636 is used by default.
• Sync Wait Time: If INC failed to retrieve the complete user data from the LDAP server for synchronization within the specified time, it stops retrieving the remaining user data from the LDAP server. The wait timer does not limit the time taken by INC to add, delete, or modify user data according to the synced data. The value is an integer in the range of 0 to 10000 seconds, where 0 means no limit.
• Connection Wait Time: If the INC system tries to establish a connection with the LDAP server but fails to establish it during this period, the operations of LDAP server detection, synchronization, and user export cannot be performed normally.
• Use SSL: Enable EIA to communicate with the LDAP server by using the SSL protocol. For successful SSL connection, enable the SSL connection on the LDAP server, import the certificate for the connection to the LDAP server, and import the correct root certificate to EIA. For more information,see Root Certificate.
• User Group: It takes the value of Synchronized by OU or Synchronized by OU Property or Manually Specify. If you select Synchronized by OU, users in different OUs in the Base DN will be synchronized to the user groups corresponding to the OUs.If you select Synchronized by OU Property, the OU property is used as the name of the synchronized user group. As a best practice, use a variable as the OU property for synchronization to uniquely identify each synchronized user group. If you select Manually Specify, you can specify a user group, and all users will be synchronized to the user group. UAM automatically synchronizes the user groups when the synchronization configuration for LDAP user groups is submitted. Note: The value of userGroupName cannot exceed 32 characters.
• Parent Group: When you select Synchronized by OU or Synchronized by OU Property, you can specify a parent group for the synchronized user groups. By default, up to five levels of user groups are available. For example, if you the parent group you specify is a level-2 parent group, up to three levels of user groups can be synchronized.
• Connectivity: When the Connectivity parameter is enabled, UAM forwards user authentication requests to the LDAP server for processing. If the LDAP server cannot be reached, UAM automatically disables the parameter. When the Connectivity parameter is disabled, UAM denies authentication requests of the LDAP users. The Reconnect Interval parameter specifies how long UAM waits before it re-enables the Connectivity parameter for the LDAP server. Operators can manually enable the Connectivity parameter for connecting the LDAP server at any time.
• User Name Attribute: Name of the attribute on the LDAP server that stores the username. The value of the attribute is an access account.
• Password Attribute: Name of the attribute on the LDAP server that stores the user password. It is not required when the server type is Microsoft Active Directory.
• User Password Encryption: Select a method for user password encryption. If Autosense is selected, UAM automatically adopts the same encryption method as the LDAP server to encrypt user passwords. If Not encrypted is selected, UAM does not encrypt user passwords. When you select an encryption method from other options, make sure the selection matches the encryption method used on the LDAP server. This parameter takes effect only when Send Bind Requests is set to No.
• Send Bind Requests: Configure whether UAM can send bind requests to the LDAP server. If Yes is selected, UAM sends the user name and password to the LDAP server for verification. If No is selected, UAM sends only the user name to the LDAP server to query and receive the matching user password. UAM then uses the received password to verify the local user password that is encrypted by the method specified in User Password Encryption.
• Password Policy: Enables an AD user to modify the password when the user goes online by using the iNode client. Make sure the same password policy setting is configured on the LDAP server. The parameter takes effect only when the following conditions are met: (1) The User must change password at next logon option is enabled for the user on the AD server. (2) The LDAP server is a Microsoft Active Directory server and enabled with SSL connections. (3) The administrator DN is a member in the LDAP server administrator group.
• Account Format/Delimiter/Prefix: The account name can use any of the following format: Unchanged, Remove Prefix, Remove Suffix, and Add Prefix. The Unchanged option does not modify the account. The Remove Prefix option removes the specified delimiter and any information before it from the account name. For example, if this option is selected and the delimiter is the at sign (@), UAM changes the account Jack@test.com to test.com. The Remove Suffix option removes the specified delimiter and any information after it from the account name. For example, if this option is selected and the delimiter is the dot (.), UAM changes the account Jack@test.com to Jack@test. The separator contains case-sensitive characters to divide a string into two parts, one part to be kept and the other part to be removed. The Add Prefix option adds information in front of the account name. For example, if this option is selected and the prefix is uam, UAM changes the account guest to uamguest. MSCHAPv2 authentication does not support accounts with suffixes removed, or with prefixes removed or added.


Standby Server Parameters
• Address: Address of the standby LDAP server. With a standby server configured, INC will automatically turn to the standby server for authentication when the primary server is not available. The switchover process is as follows: 1) INC sends authentication requests to the primary server continually. If it receives no response, it considers that the primary server has gone down. 2) INC tries to connect to the standby server. If it gets connected to the standby server, it sets the standby server as the authentication server. The switchover process needs about 1 minute to finish and users trying to be authenticated during this period will see an error message. A switchover does not affect any online user.
• Server in Use: Select Primary to use the primary server for test, synchronization, authentication and so on, or select Standby to use the standby server for test, synchronization, authentication and so on.
• Auto Back to Primary: When INC fails to connect to the primary server, it turns to the standby server and regularly checks whether the primary server has come up. If it finds that the primary server has come up, it will wait for a period specified by the Interval field and then fallback to the primary server if this checkbox is selected.
• Interval: Period that INC waits after it finds that the primary server has come up and before it falls back to the primary server.


MS-CHAPv2 Authentication
• Authentication by Microsoft IAS/NPS Server: This authentication method uses the RADIUS server and the policy server to authenticate users without using the domain controller. If this option is selected, you must configure the IP address and port number of the IAS/NPS server and the shared key. The domain controller options are hidden. This authentication method does not support account names with suffixes.
• Server IP address: Enter the IP address of the IAS/NPS server.
• Server Port: Enter the port number of the IAS/NPS server.
• Shared Key: Enter a shared key used for communication with the IAS/NPS server.
• Authentication by SMB Protocol: If you select this option, you must configure the DNS server IP address and domain controller IP address. Other parameters are hidden. This option is available only when the INC server is running on Linux. The Microsoft SMB protocol is a network file sharing protocol implemented in Microsoft Windows.
• Authentication by Virtual Computer: This authentication method uses a virtual computer for authentication. INC (the mschapv2server process) communicates with the domain controller through the virtual computer. You can create a virtual computer under the computers directory of the domain controller.
• DNS Server IP: Specify the IP address of the DNS server. Generally, the IP address of the DNS server is the same as the IP address of the domain controller.
• Domain Controller Address: Domain IP address of the domain controller.
• Use IP Addresses of LDAP Servers: Select this option to use the IP address of the primary or standby LDAP server as the IP address of the primary or standby domain controller. When this option is selected, the Domain Controller Address and Standby Domain Controller Address parameters do not appear.
• Domain Controller in Use: Select a domain controller for MSCHAPv2 authentication.
• Domain Controller Address: Domain name or IP address of the domain controller.
• Standby Domain Controller Address: Specify the IP address of a standby domain controller. When the primary domain controller fails due to reboot or network disconnection, INC switches the user authentication services to the standby domain controller. During the switchover period (about 1 minute), users cannot pass authentication. INC does not switch the user authentication services back to the primary domain controller unless the standby domain controller fails. To manually change a domain controller, you can modify the setting of the Domain Controller in Use parameter.
• Standby Domain Controller Full Name: Configure this parameter if a standby domain controller has been configured. To view the configuration of this parameter, use the same method as you view Domain Controller Full Name.
• Domain Controller Full Name: Full computer name of the domain controller, including the domain name. To view the name, right-click "My Computer", select "Properties" from the shortcut menu, and view "Full computer name" in the "Computer Name" tab.
• Auto Join Computer Domain: If this parameter is selected, you must specify the directory of the domain that the virtual computer automatically joins. The administrator of the LDAP server must have the management privilege of the directory. For this parameter to take effect on the newly added LDAP server, you must configure the SSL certificate for the server. After the parameter takes effect, you do not need to manually add a virtual computer to the Computers directory of the domain controller for MS-CHAPv2 authentication. After you specify a directory for the computer domain, the system automatically creates an account named testAccount in the directory. If you want to modify the directory, you must first delete the testAccount account that can cause conflict from the previous directory.
• Virtual Computer Name: To enable the mschapv2server process of INC to communicate with the domain controller, you need a virtual computer. In the computers directory of the Active Directory, you can create a new computer as a virtual computer. The virtual computer name configured here must be the same as the computer you create in the Active Directory. Note that, the name configured here does not need a domain name, the virtual computer name cannot exceed 15 characters.
• Virtual Computer Password:After creating a virtual computer in the Active Directory, follow these procedures to configure a password for the computer: 1) copy the script to modify the computer password provided by UAM to the domain controller; 2) use the text editor to edit the script: replace CN=testAccount,CN=Computers,DC=CONTOSO,DC=COM with the virtual computer account DN, and default password with the virtual computer password; 3) execute the script. The password configured in the script must be the same as the password set for the virtual computer on the Domain Controller-Assisted PEAP Authentication page.
• Secondary Virtual Computer Name: A virtual computer account can be used to create only one authentication channel. When INC is deployed in primary/secondary mode, you must set the secondary virtual computer name and password and then create the same secondary virtual computer on the LDAP server. The secondary INC server uses the authentication channel created by using the secondary virtual computer.
• Secondary Virtual Computer Password: Set the password for the secondary virtual computer. You must set the same password for the secondary virtual computer on the LDAP server.

Configuration examples

Example I:
When the LDAP server type is General, the server name is OpenLDAP, and the LDAP server is in the opentest.com domain:

• Typically, a domain has multiple OUs (attribute o or ou) and each OU has different users. When you add an LDAP server with an OU as the root node, set the base DN to ou=OU name,dc=opentest,dc=com. To allow INC to use user data in the whole domain, set the base DN to dc=opentest,dc=com.
• The account attribute name is the unique user identification on the LDAP server and its default value is the CN attribute of users. The account attribute name can also be the UID or the attribute that is specified on the LDAP server for unique user identification.
• The password attribute name is the name of user password attribute on the LDAP server and its default value is the userPassword attribute. The OpenLDAP server supports synchronizing user passwords to INC. When the OpenLDAP server fails or Real-Time AuthN is set to No, INC verifies user validity by using user passwords that have been synchronized to INC.
• The following figure displays parameter configurations:


Example II:
When the LDAP server type is Microsoft AD, and the LDAP server is in the contoso.com domain:

• Typically, a domain has multiple OUs (attribute o or ou) and each OU has different users. When you add an LDAP server with an OU as the root node, set the base DN to ou=OU name,dc=contoso,dc=com. To allow INC to use user data in the whole domain, set the base DN to dc=contoso,dc=com.
• The account attribute name is the unique user identification on the LDAP server and its default value is sAMAccountName.
• The password attribute name is not editable. Microsoft AD does not provide any interface for password query and user passwords cannot be synchronized to INC. When a Microsoft AD server is used for authentication, users must be authenticated in Microsoft AD in real time.
• The following figure displays parameter configurations:

FAQ

1. Q: What is the difference between Microsoft Active Directory and the general LDAP server?
           A: 
   1. The general LDAP server is a category of LDAP servers including Sun ONE 5.2, Netscape 6.0, Novell eDirectory 8.5.1, and OpenLDAP servers.
   2. Microsoft Active Directory supports only real-time authentication because it saves user passwords in encrypted form and does not have the user password access interface. The general LDAP server supports synchronizing user passwords to EIA. You can select local EIA authentication or LDAP server authentication when adding a general LDAP server.
   3. Microsoft Active Directory supports assigning services based on AD groups or manually specifying services for users. The general LDAP server supports only manually specifying services for users.
   4. The general LDAP server enabled with real-time authentication supports bind requests.
2. Q: Why does EIA fail to synchronize data from the LDAP server?

   A: For successful data synchronization from the LDAP server to EIA, make sure the following parameters are correctly configured: LDAP server version, IP address, port number, admin DN, and admin password. A typical failure reason is the incorrect setting of the admin DN. The format of the admin DN must be in accordance with the LDAP server setting. To obtain the LDAP server setting information, contact the LDAP server administrator.

3. Q: Why do I fail to export users from the LDAP server?

   A: To resolve the problem:1.Verify that the LDAP server and EIA can correctly communicate with each other.2.Verify that the filtering parameters for user export are correctly set.

4. Q: What is the benefit of user data synchronization?

   A: User data synchronization from the LDAP server to EIA improves authentication efficiency. If a user is removed from the LDAP server, the user is marked as nonexistent in EIA after synchronization. When this user initiates authentication, an error is returned.

5. Q: What is the advantage of real-time authentication?

   A: When you enable real-time authentication, EIA forwards user authentication requests to the LDAP server. EIA periodically synchronizes user information from the LDAP server. When an LDAP user changes the user password, the new password might not be promptly synchronized to EIA and the user will fail authentication. If you enable real-time authentication, the user is authenticated on the LDAP server and can access the network in a timely manner.

6. Q: Which LDAP servers does EIA support in the current software version? Which LDAP servers do not support password synchronization?

   A: In the current software version, EIA supports Sun ONE 5.2, Netscape 6.0, Microsoft Active Directory 5.0, Novell eDirectory 8.5.1, and OpenLDAP servers. All these servers (except for Microsoft Active Directory, which does not have the user password query interface) support synchronizing passwords to EIA.

7. Q: What should I do if the following message is displayed during the synchronization: The number of LDAP users to be synchronized exceeds the maximum number of users that the LDAP server allows the operator to obtain. Please modify the setting on the LDAP server.

   A: By default, the LDAP server supports synchronizing up to 10000 users at one time. If this message is displayed, you must manually modify the setting on the LDAP server.

Related Topics

• Delete LDAP Server
• Test LDAP Server
• Modify Administrator Password
• Synchronize User Group
• Batch Test
• Certificate