June 22, 2010
To implement LDAP authentication in iPrism using a Windows 2000/2003/2008 server network, you must perform the following basic steps:
Use Users > LDAP to identify the LDAP server (and related information)
Use LDAP Diagnostics to test your LDAP server connection
Assign Profiles to Windows Global Groups so that LDAP-authenticated users are filtered. This uses the Require Attribute option with a sub-query search to match the profile to a Windows group.
For Active Directory 2008-specific information and instructions, click here.
In a Windows 2000/2003/2008 Active Directory (AD) environment, each Windows 2000/2003/2008 Domain Controller (Standard or Global Catalog Server) is an LDAP server.
AD is a hierarchical environment consisting of forests, trees, and domains. Domains are the fundamental building blocks of AD. An AD tree is a collection of domains grouped together in a hierarchical fashion with one (1) domain serving as the root domain of the AD tree. AD trees can be grouped into forests. Trees that are in the same forest share the same AD schema.
Standard Domain Controllers contain AD information only for objects within their own domain.
Global Catalog Servers contain AD information for objects within their own domain plus a replica of the AD information for objects in the other AD domains of the AD tree (and forest).
In configuring iPrism for LDAP Authentication in an Active Directory environment, five (5) items are necessary:
LDAP Server IP addresses
The IP addresses for the "Server" and "Backup Server" fields should be those of a:
Standard Domain Controller (single domain) or...
Global Catalog Server (single or multiple domains).
In a multi-domain AD environment, it is generally best to use the IP address of the Global Catalog Server. A standard domain controller only contains AD information for objects within its own domain. As a result, it can only respond to LDAP queries for objects within its own domain; it cannot respond to LDAP queries for objects in other AD domains of the AD forest. Because a Global Catalog Server contains AD information for every object in the entire AD forest, it can respond to LDAP queries for objects within its own domain and in the other AD domains of the forest.
LDAP Server TCP/IP Ports
The port numbers for the "Port" and "Backup Server Port" fields should be:
389 (single domain) or...
3268 (single or multiple domains).
All Windows 2000/2003/2008 AD domain controllers (including Global Catalog Servers) listen for LDAP requests on the standard LDAP port 389. However, a domain controller (including a Global Catalog Server) answers LDAP queries on port 389 with AD information from its own AD domain only. Again, this works fine in a single-domain configuration but not in a multi-domain setup. Global Catalog Servers additionally listen for LDAP requests on port 3268, Microsoft's AD Global Catalog LDAP port, and answer queries on that port with AD information from the entire AD forest. In multi-domain AD environments, it is best to use port 3268.
The LDAP Binding Account for "Base" field should be:
LDAP format or...
Windows User Principal Name (UPN) format
In order for the Windows 2000/2003/2008 LDAP service to process LDAP queries to the AD database, the iPrism should bind to the LDAP server (Windows 2000/2003/2008 domain controller) with a domain user account (DN). The DN can be in the Windows 2000/2003/2008 LDAP format or in Windows 2000/2003/2008 User Principal Name (UPN) format. The standard LDAP format traces the path to the object in the LDAP directory. An example of a Windows 2000/2003/2008 LDAP search DN is:
CN=iprism, CN=users, DC=iprism, DC=stbernard, DC=com
The Windows 2000/2003/2008 UPN format is a short-hand notation that uniquely identifies the DN in the Active Directory tree. Both the user account and respective domain are included in the UPN. An example of a Windows 2000/2003/2008 UPN is:
LDAP search DN
The LDAP Directory Starting Point for "Search DN" field should be:
The most general point in the AD forest, the AD root domain object
The LDAP search DN is the starting point in the LDAP directory for LDAP searches. Ideally, the LDAP search base should be set to the root domain of the entire AD forest. This allows the iPrism to query the entire Windows 2000/2003/2008 AD forest. AD trees are subdivided into AD domains, and AD domains can be further subdivided using Organizational Units (OUs). OUs are logical containers located within AD domains and can contain other AD objects (user accounts, computer accounts, printers, etc.). If the LDAP search base is set at a particular OU level, only child objects of that OU can be queried. Similarly, if the LDAP search DN is set at a particular domain level, only child objects of that domain can be queried. For this reason, the LDAP search base should be as general as possible. The most general point in the AD forest is the AD root domain object.
The Logon Account Attribute for "Mask" field should be:
In Windows 2000/2003/2008, user logon accounts are represented by two AD user object attributes, samaccountname and userprincipalname. The samaccountname attribute is the standard user logon name used for NetBIOS-based authentication in Windows 2000/XP/2003, NT, and 9X operating systems. The userprincipalname attribute is the user logon name used for DNS-based authentication in Windows 2000/2003/2008 operating systems. For a user account, both of these items can be located using the Active Directory Users and Computers applet. They are located on the Account tab in the user properties.
Either attribute can be used. However, there is an issue regarding the samaccountname attribute. When using samaccountname, the user account name has to be unique within the AD forest. The samaccountname attribute doesn't include the domain of the user account. As a result, if the same account name exists in multiple domains, only the account in the local domain of the LDAP server (global catalog server) will actually work for iPrism LDAP authentication. The userprincipalname attribute does not have any uniqueness issues, because the domain object is specified within the attribute. Also, all userprincipalname attributes are unique throughout the AD forest.
The potential drawback of using userprincipalname is that it is normally blank in Windows 2000/2003/2008 domains that were migrated from Windows NT. NT is not an LDAP-compliant database, and no such attribute existed in NT. As a result, when a domain is migrated from NT to Windows 2000/2003/2008, the userprincipalname attribute is left blank. The samaccountname attribute does not have this issue, because samaccountname is a required attribute (for backwards compatibility) and is populated with the NT account information when migrating from NT to Windows 2000/2003/2008.
Require Attribute is checked to enable searching AD for a specific Group related to a Profile defined in iPrism.
For example, you create an iPrism Profile named "Internet" and also have an AD Global Security Group called "Internet".
iPrism can match the AD group with the profile of the same name in iPrism if you enter memberof in the Attribute field and cn in the SubQuery attribute field. This tells iPrism to search the DN for any security groups whose names match the profiles defined in iPrism.
A user who belongs to the "Internet" AD global security group is mapped to the iPrism profile called "Internet" and inherits all privileges defined for that iPrism profile. To use this option, you must set up profiles in iPrism whose names match existing (or newly created) AD Global Security Groups.
To learn how to set up profiles in iPrism, please see our administrator guide or follow the links below.
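The following is an added example (not iPrism's own code) of the two lookups described on this page: expanding the "Mask" (samaccountname=%1 or userprincipalname=%1) into an LDAP search filter for one login name, and resolving a user's memberof group DNs to their cn values to match an iPrism profile name. The AD entry, group DNs and profile names are constructed sample data; the filter escaping follows RFC 4515 so that characters typed in a login name cannot change the filter's structure.

```python
import re

# Constructed sample of what an AD user entry looks like to iPrism after it
# binds and searches from the forest root (not real directory data).
SAMPLE_USER = {
    "samaccountname": ["jsmith"],
    "userprincipalname": [],  # blank: typical of a domain migrated from NT
    "memberof": [
        "CN=Internet,OU=Groups,DC=iprism,DC=stbernard,DC=com",
        "CN=Domain Users,CN=Users,DC=iprism,DC=stbernard,DC=com",
    ],
}
IPRISM_PROFILES = {"Internet", "Restricted"}  # profiles defined in iPrism

def escape_filter_value(value):
    """Escape a value per RFC 4515 before substituting it into a filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def build_filter(mask, login):
    """Expand the iPrism Mask (e.g. 'samaccountname=%1') for one login name
    and wrap it in parentheses to form a complete LDAP search filter."""
    return "(" + mask.replace("%1", escape_filter_value(login)) + ")"

def pick_mask(entry):
    """userprincipalname is unique across the forest, but it is blank for
    NT-migrated accounts, so fall back to samaccountname in that case."""
    if entry.get("userprincipalname"):
        return "userprincipalname=%1"
    return "samaccountname=%1"

def group_cn_from_dn(dn):
    """SubQuery attribute 'cn': return the value of the first RDN of a
    memberof DN. A backslash-escaped comma inside the CN is not split on."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        return None
    return value.replace("\\,", ",").strip()

def map_profile(entry, profiles):
    """Return the first iPrism profile whose name equals one of the user's
    AD group CNs (memberof -> cn), or None when no group matches."""
    for dn in entry.get("memberof", []):
        cn = group_cn_from_dn(dn)
        if cn in profiles:
            return cn
    return None

if __name__ == "__main__":
    print(build_filter(pick_mask(SAMPLE_USER), "jsmith"))  # (samaccountname=jsmith)
    print(map_profile(SAMPLE_USER, IPRISM_PROFILES))        # Internet
```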
Defining Web Profiles
Defining IM/P2P Profiles
In summary, when configuring the iPrism for Windows 2000/2003/2008 LDAP authentication:
"Server" should be set, if possible, to the IP address for a Windows 2000/2003/2008 Global Catalog Server. "Backup Server" can be set to another Global Catalog Server.
The "Port" and "Backup Server Port" numbers for the LDAP server should be set to 3268 (or 389).
The "Search DN" needs to be a domain user account. The DN can be in Windows 2000/2003/2008 LDAP format or Windows 2000/2003/2008 UPN format. Example=(email@example.com)
The "Base" should be set to the root domain object of the AD forest.
The "Mask" should be set to samaccountname=%1 (preferably) or userprincipalname=%1.
You may check LDAP user credentials with the LDAP diagnostic. Some of the information displayed will reflect the LDAP tab. For instructions on running LDAP diagnostics, see: