Configuring access to the LDAP Directory
The deviceWISE Runtime must be at release 17.2.2 or newer to enable LDAP support.
To configure access to an LDAP directory, do the following:
- Go to Packages and install the LDAP extension package. For more information on installing packages, see Packages.
  After the installation, the LDAP Extension is listed in the Packages tab and an LDAP tab appears under Administration.
- To configure LDAP, navigate to the LDAP tab under Administration.
- Enter the parameters described in the table below.
Parameter: Description

LDAP Server: The primary LDAP server hostname or IP address.

LDAP Secondary Server: The secondary LDAP server hostname or IP address. If the login attempt against the primary LDAP server fails (bad credential, server down, network down, and so on), the login is retried against the secondary LDAP server.

LDAP Port: The LDAP server port. The default LDAP ports are:
- 389 (nonsecure, ldap)
- 636 (secure, ldaps)

Protocol: Select ldap if you selected port 389. Select ldaps if you selected port 636. With ldap the simple bind, including the password the user types and the Query Password, crosses the network in cleartext; use ldaps wherever the directory supports it.

Server Pem file: The location of a Certificate Authority (CA) PEM file that is used to verify the certificate of the LDAP server you are connecting to when using ldaps. Certificate verification is what lets the runtime detect a connection to an impostor directory, so point this at the CA that issued the directory server's certificate. You can use the file chooser control to select the file from the Staging Browser area. This field is only visible if the node is on Linux or AIX.

Query Username: Required only if the Active Directory administrator has limited the ability of users to browse the directory tree. Specify the account that will be used to query the LDAP directory for group information; it needs no rights beyond reading the subtree under Base Directory, so use a dedicated read-only account rather than an administrator. Examples of accepted name forms:
- cn=admin,cn=users,dc=ad,dc=example,dc=com
- cn=query_user,dc=domain,dc=name
- query_user@domain.name
- domain\query_user

Query Password: The password of the query user specified above.

Base Directory: The starting location (root, or base DN) of the subtree that is searched for the user's record when determining group information on the LDAP server. For example: ou=ENTERPRISE,dc=myorg,dc=mycompany,dc=com
Currently only one root location can be specified.

Filter: An LDAP search filter, including the enclosing parentheses, whose attributes and values locate the user's record. For example: (sAMAccountName=$(User))
The $(User) token is replaced with the user id derived from the login name the user enters for authentication.

Format for $(User): Specifies how the user id is extracted from the login name provided by the user. The options are:
- None: the entire login name as typed is substituted for $(User)
- Domain\User: the Windows-style domain prefix is stripped and the remaining user name is substituted
- user@domain: the internet-style domain suffix is stripped and the remaining user name is substituted

Group Attributes: The name of the attribute in the user's record that contains the user's group membership. The default value is memberOf.
Email Notification: Sets up an email notification when someone connects to the deviceWISE installation. To set up email notification through LDAP, do the following:
- Click Email Notification.
- Click the Notify On drop-down and select an action (for example, Local User Login).
- Enter a valid email address in the To field.
- Enter a valid email address in the From field.
- Enter the SMTP Server Address.
- Enter the SMTP Server Port number. The port number must be between 1 and 65535; the default is 25.
- (optional) Click the Connection security drop-down and select the security level:
  - SSL/TLS: the connection to the SMTP server is encrypted from the start (implicit TLS, conventionally port 465)
  - STARTTLS: an initially unencrypted connection is upgraded to TLS (conventionally port 587)
  If neither is selected, the notification, and the SMTP credentials if any are configured, travel in cleartext.
- (optional) Click the Authentication method drop-down and select Normal password to supply the username and password used to authenticate to the SMTP server.
- Click Save to save the settings.
- To test the settings, click Send Test Email.
- Map Runtime Roles and Active Directory Groups.
  Roles in the runtime are matched to Active Directory groups by name: a user receives a Role when the Common Name (CN) of one of the groups in their memberOf attribute equals the Role name. Because the mapping is by name alone, restrict who may create or rename groups in the Base Directory subtree; any group that carries a Role's name grants that Role. Choose one of the following ways to establish the mapping.
  - To configure Roles in a runtime based on existing Active Directory group names, the administrator needs to:
    - Configure Active Directory groups and add users to them.
    - Create Roles in the runtime that have the same name as the Active Directory groups. To do this, navigate to Administration -> Security and then the Roles tab (see Roles tab).
    - Navigate to Administration -> Security and then the Policies tab, and configure the permissions for that Role (see Security Policy Control).
  - To configure groups within Active Directory based on Roles that are already configured in a runtime, the administrator needs to:
    - Create Active Directory groups that have the same name as the Roles already configured in the runtime.
    - Add the users to the Active Directory groups.
  The figure below illustrates how the Active Directory group name relates to a Role in the deviceWISE runtime. The top part of the figure displays the contents of an Active Directory user record; the Attribute Properties window displays the contents of the memberOf attribute. The Security Policy tab from the deviceWISE runtime shows that the Common Name (CN) of the group USB_DW_Test is the same as the Role USB_DW_Test configured within the node.
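The following is an added example, not deviceWISE code, that models the two pieces of the configuration above which are easy to get wrong: the $(User) substitution into the Filter under each "Format for $(User)" option, and the mapping from the CNs in a user's memberOf attribute to runtime Roles of the same name. The function names, the sample memberOf values and the Role set are constructed for illustration. The page does not say how the runtime treats LDAP metacharacters in the typed login, so the example escapes them per RFC 4515 before substitution, which is the behaviour a practitioner should expect and verify.

```python
# Added example (not deviceWISE code): models the documented $(User) substitution,
# the "Format for $(User)" options, and the group-CN-to-Role mapping so the
# behaviour can be checked offline. Function names and the escaping step are
# assumptions; the page does not describe the runtime's internals.
import re

# RFC 4515 section 3: characters that must be hex-escaped in a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a typed login before it is substituted into the search filter.
    Without escaping, a login such as  *)(objectClass=*  would alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def extract_user_id(login: str, fmt: str) -> str:
    """Apply the documented 'Format for $(User)' option to the login the user typed."""
    if fmt == "None":
        return login
    if fmt == "Domain\\User":
        # strip the Windows-style domain prefix; a login without one is left as-is
        return login.split("\\", 1)[1] if "\\" in login else login
    if fmt == "user@domain":
        # strip the internet-style domain suffix
        return login.split("@", 1)[0] if "@" in login else login
    raise ValueError(f"unknown Format for $(User): {fmt}")


def build_filter(template: str, login: str, fmt: str = "None") -> str:
    """Substitute the extracted, escaped user id for $(User), e.g. in (sAMAccountName=$(User))."""
    return template.replace("$(User)", escape_filter_value(extract_user_id(login, fmt)))


# First RDN of a group DN: "CN=" followed by a value in which "\," is an escaped comma.
_CN_RE = re.compile(r"\s*CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def group_cns(member_of: list[str]) -> list[str]:
    """Return the Common Name of each group DN listed in the user's memberOf attribute."""
    return [m.group(1) for dn in member_of if (m := _CN_RE.match(dn))]


def roles_for_user(member_of: list[str], runtime_roles: set[str]) -> set[str]:
    """Roles granted to the user: runtime Roles whose name equals one of the group CNs."""
    return {cn for cn in group_cns(member_of) if cn in runtime_roles}


# Constructed sample data modelled on the figure described above (USB_DW_Test group).
SAMPLE_MEMBER_OF = [
    "CN=USB_DW_Test,OU=Groups,DC=ad,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=ad,DC=example,DC=com",
]
SAMPLE_RUNTIME_ROLES = {"USB_DW_Test", "Operators"}

if __name__ == "__main__":
    print(build_filter("(sAMAccountName=$(User))", "AD\\jsmith", "Domain\\User"))
    print(build_filter("(sAMAccountName=$(User))", "*)(objectClass=*"))
    print(roles_for_user(SAMPLE_MEMBER_OF, SAMPLE_RUNTIME_ROLES))
```

Before entering the parameters in the runtime, the filter string produced for a known user can be handed to ldapsearch (bound as the Query Username, with the Base Directory as the search base and memberOf as the requested attribute) over ldaps; if that search does not return exactly one entry whose memberOf lists a group with the same CN as a runtime Role, the runtime login will not receive that Role either.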
A gateway can integrate with either LDAP or OAuth2, but not both at the same time.