LDAP/AD v1.0 User Guide

Similar documents
MS Exchange Scheduling

ACS 5.x: LDAP Server Configuration Example

Installing an Add-on for the i-vu v6.5 Application CARRIER CORPORATION 2018 A member of the United Technologies Corporation family Stock symbol UTX Ca

Managing External Identity Sources

What is the Weather add-on?

Cisco Expressway Authenticating Accounts Using LDAP

Managing CX Devices in Multiple Device Mode

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Authenticating Cisco VCS accounts using LDAP

User Management in Resource Manager

Evaluation Guide Host Access Management and Security Server 12.4

Authenticating and Importing Users with AD and LDAP

BACnet Scheduling Interface

LDAP Configuration Guide

FieldView. Management Suite

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Configuring Cisco TelePresence Manager

CounterACT User Directory Plugin

Authenticating and Importing Users with AD and LDAP

Message Networking 5.2 Administration print guide

How Do I Manage Active Directory

Authenticating and Importing Users with Active Directory and LDAP

LDAP Synchronization

Cluster creation and maintenance

What is the Weather add-on?

Creating Column Profiles on LDAP Data Objects

Active Directory 2000 Plugin Installation for Cisco CallManager

NBC-IG Installation Guide. Version 7.2

Integrating a directory server

Enforced Client Policy & Reporting Server (EPRS) 2.3. Administration Guide

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

Troubleshooting CHAPTER

ForeScout CounterACT. Configuration Guide. Version 6.3

Forescout. Plugin. Configuration Guide. Version 2.2.4

Instant HR Auditor Installation Guide

Configuring User Access for the Cisco PAM Desktop Client

AT&T Global Network Client for Mac User s Guide Version 1.7.3

Equitrac Embedded for Ricoh Basic. Setup Guide Equitrac Corporation

Equitrac Integrated for Konica Minolta

Equitrac Integrated for Konica Minolta. Setup Guide Equitrac Corporation

AT&T Global Network Client for Mac User s Guide Version 2.0.0

Novell Identity Manager

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Aventail Connect Client with Smart Tunneling

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

How to Configure Authentication and Access Control (AAA)

Cisco TelePresence VCS Cluster Creation and Maintenance

Installation on Windows Server 2008

Microsoft Dynamics GP Web Client Installation and Administration Guide For Service Pack 1

AT&T Global Network Client for Android

Host Access Management and Security Server Administrative Console Users Guide. August 2016

Managing GSS Devices from the GUI

Evaluation Guide Host Access Management and Security Server 12.4 SP1 ( )

What is Tenant Override Billing?

Embedded for Xerox EPA-EIP Setup Guide

Reconfiguring VMware vsphere Update Manager. 17 APR 2018 VMware vsphere 6.7 vsphere Update Manager 6.7

Configuring Vulnerability Assessment Devices

NetScaler Radius Authentication. Integration Guide

DoD Common Access Card Authentication. Feature Description

Active Directory as a Probe and a Provider

Realms and Identity Policies

The LDAP plugin for Fuel documentation

VMware Identity Manager Administration

VMware AirWatch Integration with SecureAuth PKI Guide

CLI users are not listed on the Cisco Prime Collaboration User Management page.

RealPresence Access Director System Administrator s Guide

Migrating vrealize Automation 6.2 to 7.2

ONESolution 16.1 Desktop Client Installation

Using ANM With Virtual Data Centers

Dell Storage Integration Tools for VMware

estos XMPP Proxy

ForeScout CounterACT. Configuration Guide. Version 4.1

VMware AirWatch Certificate Authentication for EAS with ADCS

ForeScout CounterACT. Assessment Engine. Configuration Guide. Version 1.0

Forescout. Configuration Guide. Version 4.2

Integration Guide. Entrust Authority Security Manager 8.1 SP1 Microsoft Windows Server 2012 R2 Standard

WebEx Integration User Guide. Cvent, Inc 1765 Greensboro Station Place McLean, VA

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS)


Installation Guide Worksoft Certify Execution Suite

Configuring 802.1X Settings on the WAP351

NetWrix Account Lockout Examiner Version 4.0 User Guide

Directory Integration with VMware Identity Manager

Configuring User Access for the Cisco PAM Desktop Client

Digest Authentication Setup for SIP Trunks

Administration Guide. Lavastorm Analytics Engine 6.1.1

Security Center Installation and Upgrade Guide 5.5 SR3. Click here for the most recent version of this document.

Cisco Expressway Cluster Creation and Maintenance

Obtaining the LDAP Search string (Distinguished Name)?

User Guide. Connect to: Installer for DocuShare version 1.1. March 2014 Issue 1.2

RSA Identity Governance and Lifecycle Collector Data Sheet For Open LDAP

Password Reset Server Installation

Access Control Rules: Realms and Users

create-auth-realm adds the named authentication realm

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

To upgrade to the i-vu v6.0 application

Realms and Identity Policies

Aprimo Marketing Studio Configuration Mover Guide

Authenticating Devices

ER/Studio Enterprise Portal 1.1 Installation Guide

Transcription:

LDAP/AD v1.0 User Guide For v6.5 systems Catalog No. 11-808-615-01

Important changes are listed in Document revision history at the end of this document. UTC 2017. throughout the world. All trademarks are the property of their respective owners. The content of this guide is furnished for informational use only and is subject to change without notice. United Technologies assumes no responsibility or liability for any errors or inaccuracies that may appear in the informational content contained in this guide.

Contents What is the LDAP/AD add-on?... 1 Requirements... 1 Login names and passwords... 1 Setting up the LDAP/AD add-on... 1 Using the LDAP Questionnaire... 2 Step 1: Configure the LDAP/AD add-on... 2 Digest-MD5 requirements... 3 Simple requirements... 3 Step 2: Configure the truststore... 4 Selecting a truststore type... 4 Managing a truststore... 4 Step 3: Set up local operators... 5 Step 4: Turn on LDAP/AD authentication... 5 Troubleshooting... 6 Appendix... 7 LDAP Questionnaire... 7 Document revision history... 9

What is the LDAP/AD add-on? The LDAP/AD add-on is an authentication provider that allows you to log in to the building automation system using LDAP (Lightweight Directory Access Protocol) or AD (Active Directory ) credentials. Requirements You are running a v6.5 system with the latest cumulative patch applied. You have the building automation system Admin privilege. See "Installing an Add-on User Guide" for the following: Installing an add-on Applying a license Running an add-on Upgrading an add-on Login names and passwords The building automation system operator login name does not have to match the user's LDAP login name. The add-on uses the building automation system (BAS) operator login name to find the user's LDAP entry and then to discover their LDAP login name from the entry. The exact configuration is determined by the authentication type chosen, but all will require a Search Base where the LDAP add-on will search to find users. The values set in the Search Filters determine how that search is performed. TIP When logging into a BAS using LDAP/AD as the Authentication Provider, the operator must enter their BAS operator login name with their LDAP password. Setting up the LDAP/AD add-on Step 1: Configure the LDAP/AD add-on (page 2). Step 2: Configure the truststore (page 4), if needed. Step 3: Set up local operators (page 5), if needed. Step 4: Turn on LDAP/AD authentication (page 5). NOTE The add-on is not active until Step 4 is complete. 1

Using the LDAP Questionnaire An LDAP Worksheet is included in the Questionnaire (page 7). We recommend that the customer s network administrator complete this questionnaire to allow you to configure the add-on appropriately. NOTE The LDAP/AD add-on supports two LDAP authentication methods: Simple with TLS Digest-MD5 with or without TLS TIP No other authentication method is supported at this time. If the customer uses a different type of authentication, notify Technical Support to make them aware of the need. If your LDAP configuration is supported, proceed to Step 1 To configure the LDAP/AD add-on (page 2) using the completed worksheet. Step 1: Configure the LDAP/AD add-on The LDAP/AD add-on supports two LDAP authentication methods: Simple with TLS Digest-MD5 with or without TLS TIP No other authentication method is supported at this time. Configure the LDAP Host Use the LDAP Questionnaire (page 7) to configure the add-on. 1 On the Configuration tab, enter the host address and the port number from the worksheet (Q1a and 1b). NOTE 389 and 636 are standard LDAP ports, but the add-on also supports custom ports. 2 Select the authentication type (Q4). 3 Select whether the LDAP/AD server uses referrals or not (Q2). 4 Select whether TLS is used or not (Q3). 5 Enter the LDAP bind name and password assigned to the building automation system (BAS) server (Q6). In order to use LDAP, the BAS server will need to be able to authenticate with the LDAP server. 6 If using Digest-MD5, enter the remaining information (5b). 7 If TLS is used, you must configure your truststore (page 4) now. 8 Click Update for the add-on to attempt to authenticate with the LDAP host server. 9 On the Diagnostic Logs tab, verify if the authentication was successful. 2

Digest-MD5 requirements Digest-MD5 authentication requires the following configuration. Digest-MD5 may be used with or without TLS. NOTE If TLS is used, a truststore (page 4) must be configured. Default Realm Quality of Protection Search Base ID Lookup Field Search Filter This is used when attempting to authenticate a user. If no realm is specified in the bind name or found when looking up the user on the server, this value is used to attempt the authentication. It is also used when the add-on creates the initial connection pool. NOTE A default realm may not be required, depending on how your LDAP server is configured. Specify the quality of the protection required by your LDAP server. If TLS is being used, then Authentication only is used as the Quality of Protection setting. This is the base directory where the LDAP/AD add-on searches for user authentication information. If the user entries are located at the server s base suffix, the Discover Base Suffix button can be used to set this value. Otherwise, the Search Base must be entered manually. This is the name of the field that contains the user's LDAP login name. The name of the LDAP entry attribute used by the add-on to attempt to match the BAS operator login name in order to discover the operator's LDAP entry. NOTE You must set at least one search filter field, but more can be used if needed. Add additional search filters using the + button; remove them by using the X button. Simple requirements The Simple authentication method requires TLS to be used, so you must configure a truststore as well. Two configuration options are required to use simple authentication: search base and a search filter. Search Base Search Filter This is the base directory where the LDAP/AD add-on searches for user authentication information. If the user entries are located at the server s base suffix, the Discover Base Suffix button can be used to set this value. Otherwise, the Search Base must be entered manually. The name of the LDAP entry attribute used by the add-on to attempt to match the BAS operator login name in order to discover the operator's LDAP entry. NOTE You must set at least one search filter field, but more can be used if needed. Add additional search filters using the + button; remove them by using the X button. 3

Step 2: Configure the truststore Many LDAP configurations will require TLS. To use TLS, a certificate truststore is required. CAUTION If a truststore has already been configured and you go through this process again, the previous truststore will be replaced. In the case of a truststore managed by the building automation system (BAS), it will be overwritten. Selecting a truststore type To use the BAS-managed truststore 1 On the Configuration tab, click Create Truststore. 2 Select Create New. 3 Provide a truststore password. 4 Select OK to accept the truststore configuration. The add-on creates an empty truststore to which certificates can be added (see Managing a Truststore (page 4)). To use an existing truststore 1 On the Configuration tab, select Existing Truststore. 2 Enter the path to the truststore file. The add-on uses this file at this location. If it is deleted or moved, the configuration will fail. 3 If you want to be able to manage the truststore through the add-on, provide the truststore password. If you provide the truststore password, you will be able to view, add and delete the certificates in the truststore just as if the truststore was being managed by the add-on. 4 Select OK to accept the truststore configuration. Managing a truststore If you are using a BAS-managed truststore, or you provided the password to an existing truststore, you can view and manage the certificates in that truststore. If you have just created a new truststore, you can add certificates to it using this add-on. There are two methods for adding certificates to the truststore: by discovering the LDAP host certificates by adding a certificate manually To view the certificates in the truststore 1 On the Configuration tab, click Manage Truststore to view a list containing the serial number, validity, and subject name of each certificate for identification. NOTE Certificates can expire over time, rendering them invalid. Invalid certificates need to be removed and replaced to keep the LDAP connection working. 4

To discover LDAP host certificates 1 Click Discover Host Certificates. A second table of certificates will appear below. NOTE If it is empty, no certificates were discovered and the LDAP add-on is likely mis-configured. 2 Select the certificates to be added to the truststore by selecting their checkboxes. 3 Click Add Selected Certificates to refresh the list, showing the newly added certificates. To add a certificate manually 1 Click Add Certificate. 2 Copy and paste the Base 64 encoded certificate text (including the BEGIN CERTIFICATE and END CERTIFICATE lines). 3 Click Add Certificate to refresh the list, showing the newly added certificates. NOTE If the certificate encoding was invalid, an error will occur. 4 Close the Manage Truststore dialog when you are done. To delete a certificate 1 Check the checkbox of the certificate(s) to be deleted. 2 Click Delete Selected Certificates to view the refreshed list. NOTES Deleting a certificate can cause the LDAP connection to fail. Deleted certificates cannot be recovered, but you can re-add them to the truststore. Step 3: Set up local operators You can configure operators who will use their building automation system (BAS) credentials instead of an LDAP authentication. To add a local operator, you must to know their BAS operator login name. TIP You should set up at least one admin level local operator before turning on LDAP/AD authentication in Step 4. To add a Local Operator 1. On the Local Operator tab, enter the operator name in the text field. 2. Click Add to allow that operator to be able to log in using their BAS operator login name and password. To remove a Local Operator 1 On the Local Operator tab, select the operator name and click Remove Selected. Step 4: Turn on LDAP/AD authentication NOTE The add-on is not active until this step is complete. 1. In SiteBuilder, click the Configure > Preferences > Web Server tab. 2. Select LDAP/AD in the Authentication Provider drop-down list. TIP To turn off LDAP/AD authentication, select Default in the Authentication Provider drop-down list. 5

Troubleshooting TIPS You can view the date and time of each LDAP/AD login on the Logs tab in the LDAP/AD add-on, plus any diagnostic messages and errors that occur. For more detailed logging, turn Verbose Logging on. Note that verbose logging only remains on while the LDAP Configuration page is open. In the event that users are locked out of building automation system due to issues with the LDAP server, LDAP/AD authentication can be turned off in SiteBuilder until the issue is resolved. See the TIP in section "Step 4 (page 5): Turn on LDAP/AD authentication" for details. In the event that the building automation server loses its connection with the LDAP server, the LDAP/AD add-on will recognize the disconnected state the next time an operator tries to log in using their LDAP credentials. Once the disconnect has been recognized, the LDAP/AD add-on will attempt to reconnect every minute until the connection succeeds. 6

Appendix LDAP Questionnaire To be filled out be the system administrator. Q1a Q1b Q2 Q3 Q4 Q5a What is the address of the LDAP/AD host server? What is the port number of the LDAP/AD host server? Does the LDAP/AD host server use referrals? Yes No Does the LDAP/AD host server support TLS? What type of authentication does the LDAP/AD host server support? Simple (See Q5a) Digest-MD5 (See Q5b) Other (See Q5c) Simple When using Simple authentication, the LDAP add-on attempts to find a user entry under the Search Base directory where the user s building automation system (BAS) username matches the value in one or more of the Search Filter attributes. If one and only one user entry is found, the add-on uses that entry s Distinguished Name (DN) as the bind name when the authentication is attempted. Search base ID Lookup NOTE Specify Default if the server s base suffix is the search base. Search filters 7

Q5b Digest-MD5 To authenticate LDAP users with Digest-MD5, the add-on searches the entries under the directory indicated by the Search Base. It then attempts to match one (and only one) entry where the user s building automation system (BAS) operator login name matches the value of at least one of the values in the search filter. If a match is found, the add-on uses the user s bind name when attempting the authentication. What is the default realm, if any? Search base ID Lookup NOTE Specify Default if the server s base suffix is the search base. Search filters What user entry attribute is used to get the user's LDAP bind name? Q5c Other What type of authentication is used? Q6 What are the LDAP credentials assigned to the LDAP/AD add-on? NOTE The LDAP/AD add-on requires an LDAP login. It uses this login to: bind to the server. establish a small pool of connections that are used for directory searches. authenticate BAS users when they log in. a. Username b. Password 8

Document revision history Important changes to this document are listed below. Minor changes such as typographical or formatting errors are not listed. Date Topic Change description Code* No changes yet * For internal use only 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback