LDAP user authentication


Application Studio provides the following types of user authentication:

User management objects

The following describes objects in the user management structure.

Organization

The top-level grouping representing the entire organization.

Department

Represents an organizational department. It can be hierarchical (for example, a department might have sub-departments). Departments can contain a user designated as head of department (HOD). This feature can be used in the workflow to assign an approver based on department. Departments can only contain users from the parent organization or from no organization.

Grade

Represents the user's job grade (for example, software engineer). Grade is organized as a horizontal grouping of users who all do the same job. Grades can only contain users from the parent organization or from no organization.

Groups

A grouping of users based on common goals, interests or projects.

Set up LDAP

To configure the Directory Manager plugin, select System Settings -> Directory Manager Settings to open the Directory Manager Implementation page.

By default, Application Studio runs in DB Only mode, using the configuration present in the Security Enhanced Directory Manager.

The LDAP Directory Manager Plugin does not support the enhanced security features available when selecting Configure Plugin in the default Security Enhanced Directory Manager.

LDAP is configured manually, defining what LDAP attribute maps to which internal concept. The plugin configuration consists of successive dialog pages, each pertaining to specific user management entities.

There are two ways LDAP Directory Manager can be configured:

Note If you want to connect to an external server via TLS (Transport Layer Security), and the external server uses a self-signed certificate or a certificate issued by your internal CA (certificate authority), see Certificate management tools for implementation details.

Configure LDAP in combined mode

  1. Select System Settings > Directory Manager Settings. The Directory Manager Implementation page is displayed.
  2. In the Current Plugin Name section, click Configure Plugin for the Security Enhanced Directory Manager. The General page is displayed.
  3. Click Next three times to open the External Directory Manager page.
  4. From the External drop-down menu, select LDAP Directory Manager and click Next. The Configure LDAP Directory Manager page is displayed.
  5. See LDAP fields.

Configure LDAP Directory Manager for LDAP only

  1. Select System Settings > Directory Manager Settings. The Directory Manager Implementation page is displayed.
  2. In the Select Plugin section, select the desired LDAP Directory Manager from the drop-down menu and click Select. The Configure LDAP Directory Manager page is displayed.
  3. See LDAP fields.

LDAP fields

The following are the pages and fields for configuring LDAP.

Configure LDAP Directory Manager page

URL

URL of the LDAP server. For example,

ldap://<host>:<port>

Or, if SSL:

ldaps://<host>:<port>

Note If you want to connect to an external server via TLS (Transport Layer Security), and the external server uses a self-signed certificate or a certificate issued by your internal CA (certificate authority), see Certificate management tools for implementation details.

Admin Username (Principal)

LDAP administrator user name. Application Studio uses this user name for binding LDAP to do queries. The user name format is dependent on the LDAP directory. For example, for Active Directory it could be the sAMAccountName Axway\Administrator.

Admin Password (Credential)

LDAP administrator's password.

RootDN

Root distinguished name (DN) used when binding as administrator.

Click Next to display the User page.

User page

Use the User page to configure how entries in LDAP map to users in Application Studio.

User Base DN

Distinguished name (DN) under which the search filter is applied to find records that identify users.

User Import Search Filter

Search filter to select user records. For example, (objectClass=person).

Attribute Mapping - Username

Identifies the user. For example, sAMAccountName, userPrincipalName, uid.

Attribute Mapping - First Name

Identifies the user's first name. For example, givenName.

Attribute Mapping - Last Name

Identifies the user's last name. For example, sn.

Attribute Mapping - Email

Identifies the user's email. For example, userPrincipalName.

Attribute Mapping - Status

Identifies whether the user is active or inactive.

Attribute Mapping - Time Zone

User's time zone (offset from UTC) as a number from -12 to 12.

Click Next to display the Employment configuration page.

Employment page

Use the Employment page to enter additional information about users.

Attribute Mapping - Employee Code

Allows mapping an attribute that represents an employee code.

Attribute Mapping - Job Title

Allows mapping an attribute that represents a job title.

Attribute Mapping - Report To

If the user contains an entry for someone to whom they report, this attribute allows it to be mapped.

Map To "Report To" Entry Attribute

This attribute maps to another user record whose value is Attribute Mapping - Report To. For example, Attribute Mapping - Report To is manager and Map To "Report To" Entry Attribute is distinguishedName. In this way, user A has a manager with attribute xyz and reports to the user whose distinguishedName equals xyz.

Attribute Mapping - Groups

If the user contains an entry for a group to which they belong, this attribute allows it to be mapped.

Map to LDAP Group Entry Primary Attribute

If the user contains an LDAP group entry for a group to which they belong, this attribute allows it to be mapped.

Attribute Mapping - Departments

If the user contains an entry for a department to which they belong, this attribute allows it to be mapped.

Map To LDAP Department Entry Primary Attribute

If the user contains an LDAP department entry for a department to which they belong, this attribute allows it to be mapped.

Attribute Mapping - Grade

If the user contains an entry for a grade level to which they belong, this attribute allows it to be mapped.

Map To LDAP Grade Entry Primary Attribute

If the user contains an entry for an LDAP grade level to which they belong, this attribute allows it to be mapped.

Click Next to display the Group page.

Group page

Use the Group page to configure how LDAP records map to groups in Application Studio.

Group Base DN

Distinguished name (DN) under which the search filter is applied to find records that identify groups.

Group Import Search Filter

Search filter to select group records. For example, (objectClass=group).

Attribute Mapping - ID

Attribute used as the group ID. For example, cn.

Attribute Mapping - Name

Attribute used as the group name. For example, cn.

Attribute Mapping - Description

Attribute used as the group description.

Attribute Mapping - Users

Attribute that contains users listed in a given group record. For example, member.

Map To LDAP User Entry Primary Attribute

Used with Attribute Mapping - Users, this is the attribute whose value is expected to match the value in Attribute Mapping - Users. In this way, a group record that lists the value xyz in Attribute Mapping - Users contains the user whose Map To LDAP User Entry Primary Attribute equals xyz. For example, distinguishedName.

Click Next to display the Department page.

Department page

Use the Department page to configure how LDAP records map to departments in Application Studio.

Department Base DN

Distinguished name (DN) under which the search filter is applied to find records that identify departments.

Department Import Search Filter

Search filter to select department records. For example, (objectClass=organizationalUnit).

Attribute Mapping - ID

Attribute used as the department ID. For example, cn.

Attribute Mapping - Name

Attribute used as the department name. For example, cn.

Attribute Mapping - Description

Attribute used as the department description.

Attribute Mapping - HOD

If the department record keeps the head of department (HOD), this attribute identifies the HOD. For example, manager.

Attribute Mapping - Users

If the department record keeps a list of the users in the department, this is the attribute that contains those users. For example, member.

Map To LDAP User Entry Primary Attribute

Used with Attribute Mapping - Users and Attribute Mapping - HOD, this is the attribute whose value is expected to match the value in Attribute Mapping - Users or in Attribute Mapping - HOD. For example, distinguishedName.

Click Next to display the Grade page.

Grade page

Use the Grade page to configure how LDAP records map to grades in Application Studio.

Grade Base DN

Distinguished name (DN) under which the search filter is applied to find records that identify grades.

Grade Import Search Filter

Search filter to select grade records. For example, (objectClass=grade).

Attribute Mapping - ID

Attribute used as the grade ID. For example, cn.

Attribute Mapping - Name

Attribute used as the grade name. For example, cn.

Attribute Mapping - Description

Attribute used as the grade description.

Attribute Mapping - Users

If the grade record keeps a list of the users in a specific grade, this is the attribute that contains those users. For example, member.

Map To LDAP User Entry Primary Attribute

Used with Attribute Mapping - Users, this is the attribute whose value is expected to match the value in Attribute Mapping - Users. In this way, a grade record that lists the value xyz in Attribute Mapping - Users contains the user whose Map To LDAP User Entry Primary Attribute equals xyz. For example, distinguishedName.

Click Next to display the Admin Role page.

Admin Role page

Use the Admin Role page to identify LDAP users assigned to the Application Studio administrator role. This is most often a group record, but could be any individual user or other record.

Admin Role Base DN

Distinguished name (DN) under which the search filter is applied to find records that identify administrator users.

Admin Role Import Search Filter

Search filter to select admin user records. For example, (objectClass=administrators).

Attribute Mapping - Users

Identifies the admin users. If this is a group record it could be member, or if an individual record it could be distinguishedName.

Map To LDAP User Entry Primary Attribute

Used with Attribute Mapping - Users, this is the attribute whose value is expected to match the value in Attribute Mapping - Users. In this way, an admin role record that lists the value xyz in Attribute Mapping - Users grants the administrator role to the user whose Map To LDAP User Entry Primary Attribute equals xyz. For example, distinguishedName.
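The matching rule shared by the Report To, Groups, Department, Grade and Admin Role pages above, as an added Python example that is not Application Studio's code: a referencing value (manager, member) is resolved against the "Map To ... Entry Primary Attribute" of the user entries. The entries are constructed sample records using the page's Active Directory attribute names; references that match no imported user are dropped rather than resolved.

```python
# Added example, not Application Studio's own code. Resolves the "Attribute
# Mapping - X" / "Map To ... Entry Primary Attribute" pairs from this page
# against constructed LDAP entries (plain dicts standing in for search results).

# Constructed sample user entries (the User page's objectClass=person records).
USERS = [
    {"distinguishedName": "CN=Alice,OU=Eng,DC=example,DC=com",
     "sAMAccountName": "alice", "manager": "CN=Bob,OU=Eng,DC=example,DC=com"},
    {"distinguishedName": "CN=Bob,OU=Eng,DC=example,DC=com",
     "sAMAccountName": "bob"},
    {"distinguishedName": "CN=Carol,OU=Ops,DC=example,DC=com",
     "sAMAccountName": "carol", "manager": "CN=Gone,OU=Ops,DC=example,DC=com"},
]
# Constructed group-style records (Attribute Mapping - Users = member); the
# "admins" record also serves as the Admin Role page's group record.
GROUPS = [
    {"cn": "eng", "member": ["CN=Alice,OU=Eng,DC=example,DC=com",
                             "CN=Bob,OU=Eng,DC=example,DC=com"]},
    {"cn": "admins", "member": ["CN=Bob,OU=Eng,DC=example,DC=com",
                                "CN=Gone,OU=Ops,DC=example,DC=com"]},
]


def index_users(users, primary_attr="distinguishedName"):
    """Index user entries by the 'Map To LDAP User Entry Primary Attribute'."""
    return {u[primary_attr]: u for u in users if primary_attr in u}


def resolve_report_to(users, report_to_attr="manager", primary_attr="distinguishedName"):
    """Attribute Mapping - Report To: username -> username of the user whose
    primary attribute equals the report-to value (None if unset or dangling)."""
    by_key = index_users(users, primary_attr)
    result = {}
    for u in users:
        target = by_key.get(u.get(report_to_attr))
        result[u["sAMAccountName"]] = target["sAMAccountName"] if target else None
    return result


def resolve_members(records, users, id_attr="cn", users_attr="member",
                    primary_attr="distinguishedName"):
    """Attribute Mapping - Users on a group/department/grade/admin-role record:
    record ID -> sorted usernames; references to no known user are dropped."""
    by_key = index_users(users, primary_attr)
    result = {}
    for rec in records:
        refs = rec.get(users_attr, [])
        refs = [refs] if isinstance(refs, str) else refs  # single-valued attribute
        result[rec[id_attr]] = sorted(by_key[r]["sAMAccountName"] for r in refs if r in by_key)
    return result
```

For the Admin Role page's "individual record" case, call resolve_members on the user entries themselves with users_attr="distinguishedName", so each record resolves to its own user.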

Click Next to display the Advanced page.

Advanced page

The Advanced page has two settings to aid with debugging. If LDAP is not working as expected, enable debug mode and review the log files to help in troubleshooting.

Click Submit to save your changes.

Administrator UI access when LDAP is down

If the LDAP server is unavailable or configured incorrectly in Application Studio, you cannot log on to the administrator user interface as an LDAP user, because the list of LDAP users is not available. The default Application Studio admin user also cannot log on. However, there is a safeguard that enables you to log on if LDAP is unusable.

As part of the LDAP configuration in Application Studio, you must enter the user name and password for connecting to the LDAP server. You can log on to Application Studio with these credentials in the event of LDAP failure. Once logged on, you can correct the configuration issue if that was the cause of the failure.

Related topics

Password policy and global SMTP settings

User-level password policy settings

Certificate management tools

Repair database connection

Set new shared secret

Enable HSTS