Logging in to a runtime configured with the LDAP extension
To access a runtime configured with the LDAP extension, do the following:
- Open the Workbench and do one of the following to be presented with a login panel:
  - Click User >> Set Gateway Node credentials.
  - Right-click on a node and select Use Alternate Credentials.
- Enter your domain credentials (User and Password).
- Click Log on.
The node will authenticate your credentials with Active Directory. You will be allowed to access the node only if your credentials are authenticated and you belong to an Active Directory group that matches one of the Roles configured in the runtime.

Order of authentication
The LDAP extension will attempt to authenticate the credentials using local security before it authenticates with Active Directory.
If network connectivity to the Active Directory server (Domain Controller) is down, a domain user will not be able to access the runtime.
It is recommended that a node administrator creates a local account that can be used to administer the runtime when the node does not have network connectivity with the Domain Controller.
Once the LDAP extension authenticates a domain user, it creates an internal local user account to store the user's roles. This account has a prefix of "LDAP_" followed by the user's login id. It has a randomly generated password, which prevents anyone from accessing the runtime using this internal id.
The roles of the user will be updated every time the user logs into that node. If the user starts a trigger, this internal local user account will be associated with that trigger and will be used by the trigger execution engine to evaluate the security policy for the trigger execution.
This means that triggers that are started by a domain user will continue to execute even after their Active Directory domain credentials have been revoked by the Domain Administrator.
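The login flow and trigger behaviour described above, as an added model (not the product's own code): local security is tried before a stand-in Active Directory, a successful domain login creates or refreshes the internal "LDAP_" account, and a trigger bound to that account keeps passing policy checks after the AD account is disabled. The local store, AD contents, role names and the orphan-account check are all constructed for illustration.

```python
import secrets

# Constructed sample data standing in for the node's local users and for AD.
LOCAL_USERS = {"nodeadmin": {"password": "local-pw", "roles": {"Administrator"}}}
AD_USERS = {"alice": {"password": "ad-pw", "groups": {"Operators"}, "enabled": True}}
CONFIGURED_ROLES = {"Administrator", "Operators"}   # roles configured in the runtime
TRIGGERS = []                                        # (trigger name, bound account id)


def authenticate(login, password, ad_reachable=True):
    """Return the account id the session runs as, or None on failure.
    Local security is consulted before Active Directory."""
    local = LOCAL_USERS.get(login)
    if local and local["password"] == password:
        return login
    if not ad_reachable:            # DC unreachable: domain users cannot log in
        return None
    ad = AD_USERS.get(login)
    if not (ad and ad["enabled"] and ad["password"] == password):
        return None
    roles = ad["groups"] & CONFIGURED_ROLES
    if not roles:                   # no AD group matches a configured role
        return None
    internal_id = "LDAP_" + login
    # Roles are refreshed on every login; the random password keeps the
    # internal id unusable for interactive logon.
    LOCAL_USERS[internal_id] = {"password": secrets.token_urlsafe(32), "roles": roles}
    return internal_id


def start_trigger(name, account_id):
    """Bind a trigger to the account that started it (the internal account for
    domain users); this binding is what the execution engine evaluates later."""
    TRIGGERS.append((name, account_id))


def trigger_allowed(name, required_role):
    """Policy evaluation for a running trigger uses the bound account's stored
    roles, not a live AD lookup, so revocation in AD does not stop it."""
    account_id = next(acct for trig, acct in TRIGGERS if trig == name)
    return required_role in LOCAL_USERS[account_id]["roles"]


def orphaned_internal_accounts():
    """Defender check (constructed): internal LDAP_ accounts whose AD principal
    is missing or disabled but which still carry roles usable by triggers."""
    return sorted(acct for acct in LOCAL_USERS if acct.startswith("LDAP_")
                  and not AD_USERS.get(acct[len("LDAP_"):], {}).get("enabled"))
```

Reviewing the output of orphaned_internal_accounts() after a domain account is disabled is the kind of check a node administrator would want, since the page notes that triggers started by such users keep executing.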