LDAP authenticator - j5 - 30 - Installation & Upgrade - Hexagon

j5 Installation and Upgrade


After the LDAP Connection has been configured, the Authentication Configuration can be updated to use an LDAP authenticator.

Ensure that you have created an administrator user on the Users configuration page before you change the Authentication Configuration settings. The user must have the Administrator rights group, and the username must be set to the Active Directory username, without domain qualification. For example, if the administrator’s username is MYDOMAIN\JohnSmith, the username in j5 should be JohnSmith.

  • Authenticator: Select LDAPAuthenticator from the option list.

LDAP Authenticator

LDAP

  • Constrain Users: When true, this ensures that users must have a username on j5 before they can sign in. The default setting is True.

  • Login Attributes: Enter an LDAP search filter that identifies the users who are allowed to sign in to j5. This field is required. Refer to LDAP search filters for formatting.

  • Make LDAP usernames lowercase: When true, the LDAP usernames are made lowercase when compared to the j5 usernames. The default setting is False.

Misc

  • Name: Displays the name of the authenticator that this setting screen affects. This is useful when you have multiple authenticators.

By default, j5 takes the following steps to authenticate users against Active Directory. The steps are illustrated with an example:

  1. We will assume the attributes have been set to "CN=j5-Users,OU=Operators,DC=example,DC=j5Hexagon,DC=com" and that a user named "john.smith" is attempting to sign in.

  2. The "DC=" attributes are extracted and used to construct an AD username. In our example, the username is "john.smith@example.j5Hexagon.com"

  3. This username and the provided password are passed to the Active Directory for authentication.

  4. The attributes are then split into two groups - one for all "OU" and "DC" attributes, and one for the rest. In our example, the first group would be "OU=Operators,DC=example,DC=j5Hexagon,DC=com", and the second "CN=j5-Users".

  5. j5 searches for the user in AD with the first group as a search filter. It can find this user in two ways. In our example, it first searches for a user with "SAMAccountName=john.smith", filtering with the first group. If it can't find the user, it searches for a user with "userPrincipalName=john.smith@*", filtering with the first group.

  6. j5 takes each attribute from the second group (in our example, "CN=j5-Users"), and compares the matching attribute on the user for a match. If the attribute on the user is a string, it checks for an exact match. If the attribute is a list, it checks that there is an exact match in the list.

If this behavior is not desired, and you only want the first three steps to be performed during authentication, set Additional Authentication Checks on the LDAP connection to False. This grants any user who can authenticate against Active Directory access to the j5 system, provided their username has been added to the Users configuration page in j5; the "OU", "DC" and remaining attribute checks in steps 4 to 6 are no longer applied.
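The six default steps above and the Additional Authentication Checks switch, modelled as an added Python example that is not part of the j5 product or this documentation: the directory, its account entries, the passwords and the mock bind are constructed stand-ins for Active Directory, and the list-valued "CN" attribute is illustrative only.

```python
# Constructed mock directory standing in for Active Directory (no real LDAP call).
FAKE_DIRECTORY = [
    {"dn": "CN=john.smith,OU=Operators,DC=example,DC=j5Hexagon,DC=com", "sAMAccountName": "john.smith",
     "userPrincipalName": "john.smith@example.j5Hexagon.com", "password": "correct-horse",
     "CN": ["john.smith", "j5-Users"]},  # illustrative list-valued attribute (constructed)
    {"dn": "CN=jane.doe,OU=Contractors,DC=example,DC=j5Hexagon,DC=com", "sAMAccountName": "jane.doe",
     "userPrincipalName": "jane.doe@example.j5Hexagon.com", "CN": "jane.doe", "password": "hunter2"},
]
LOGIN_ATTRIBUTES = "CN=j5-Users,OU=Operators,DC=example,DC=j5Hexagon,DC=com"  # step 1

def split_attributes(attrs):
    """Step 4: split 'K=V,K=V,...' into (OU/DC pairs, remaining pairs)."""
    pairs = [tuple(p.split("=", 1)) for p in attrs.split(",")]
    ou_dc = [(k, v) for k, v in pairs if k.upper() in ("OU", "DC")]
    rest = [(k, v) for k, v in pairs if k.upper() not in ("OU", "DC")]
    return ou_dc, rest

def ad_username(username, ou_dc):
    """Step 2: join the DC= values into the UPN suffix."""
    return username + "@" + ".".join(v for k, v in ou_dc if k.upper() == "DC")

def mock_bind(upn, password):
    """Step 3 stand-in: j5 hands these to AD; here the constructed directory is checked."""
    return any(e["userPrincipalName"] == upn and e["password"] == password for e in FAKE_DIRECTORY)

def find_user(username, ou_dc):
    """Step 5: search within the OU/DC scope, first by sAMAccountName, then by UPN prefix."""
    scope = ",".join(f"{k}={v}" for k, v in ou_dc)
    in_scope = [e for e in FAKE_DIRECTORY if e["dn"].endswith("," + scope)]
    for e in in_scope:
        if e["sAMAccountName"] == username: return e
    for e in in_scope:
        if e["userPrincipalName"].startswith(username + "@"): return e
    return None

def attributes_match(user, rest):
    """Step 6: exact match for string attributes, membership for list attributes."""
    for k, v in rest:
        actual = user.get(k)
        if isinstance(actual, list):
            if v not in actual: return False
        elif actual != v: return False
    return True

def authenticate(username, password, attrs=LOGIN_ATTRIBUTES, additional_checks=True):
    ou_dc, rest = split_attributes(attrs)
    if not mock_bind(ad_username(username, ou_dc), password): return False
    if not additional_checks: return True  # steps 4-6 skipped; only the j5 Users page gates access
    user = find_user(username, ou_dc)
    return user is not None and attributes_match(user, rest)
```

With the checks enabled, jane.doe binds successfully but is rejected because her entry sits outside the "OU=Operators" scope; with the checks disabled, the bind alone admits her.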