Lightweight Directory Access Protocol (LDAP) is an Internet directory protocol standard. This protocol defines a directory service and access to that service. By enabling LDAP authentication, initial authentication is done using an LDAP Server, such as Novell or eDirectory. The user must also exist in the PRECISION Web UI database for authentication to complete successfully. To enable LDAP Authentication in the Web UI, set the login method to ldap.

After LDAP is enabled, configure the LDAP server location and search settings properties in the precision.properties file. Possible properties and their values are displayed in LDAP Setup.

The correct IP address of the LDAP Server is specified in this setting. LDAP uses TCP/IP port number 389 for basic authentication. If basic authentication is set to a different port on your server, the port number must correspond to the port number allocated. For failover purposes, you can specify multiple LDAP servers, as in the following example.

LDAP is a tree of directory entries. Each entry has a unique identifier, known as a distinguished name (DN). The authentication service needs to initially bind as the administrator DN to have permissions to search for a user DN that matches the user login ID. The manager DN specifies the administrator DN that is initially used to bind to the LDAP Server.

All LDAP operations require some form of authentication with the LDAP server. If a manager DN and password are given, these are used to authenticate with the LDAP server. Otherwise, the system typically uses the current user DN and password. The DN is written left to right. For example, bill.people.domain.com is written as:

In this example uid=bill is the Relative Distinguished Name (RDN) and ou=people, dc=domain, dc=com is the parent entry DN where dc denotes Domain Component.

Each user DN pattern relates to the subbranch of your LDAP database that contains user records. Therefore, these fields specify the DN of the branches where the search for a user is to start. For performance reasons, make the DN as specific as possible. You can specify up to ten different patterns. Each pattern is tried until the user is found.

The user DN pattern function involves basic pattern matching. The login name supplied is substituted for the pattern argument {0}. By default, the Access Manager assumes that user entries are identified by the uid attribute "uid={0}". For example, the following two entries are the same:

However, if your directory server uses a different attribute to specify a user DN, such as givenname/uniqueID/CN, you also must specify the attribute name in this field.

The following dump is from LDAPSearch. You can use the italicized code for userDnPattern1 to 10:

This dump means that you specify the following for uid={0} to be searched in the Servers.Group subtree and CORP.Group subtree:

If you want to search in cn for the user login:

If there are too many subtrees to specify, you can configure an LDAP search filter to locate the user. Instead of specifying userDnPatterns, you specify the userSearchBase and userSearchFilter attributes. A search is then performed under the userSearchBase node, which is usually close to the root node, using the value of the userSearchFilter attribute as a filter. Again, the user login name is substituted for the parameter in the filter name. If the userSearchBase is not supplied, the search is performed from the root. However, this method negatively impacts performance. Therefore, use userDnPatterns if they are known and limited to less than ten subtrees.

The search subtree option indicates the number of levels in the LDAP Server searched for a matching user profile from the base subtrees or roots specified in userDNPatterns or userSearchFilter. The search begins from the node specified in the attribute userDnPattern or userSearchFilter. The default value is SUBTREE=true. The search encompasses all entries at and below the specified node.