−Table of Contents
LDAP authorization function
The description is valid for software version 2.10.119.99 and newer.
. Activating the authorisation function via LDAP does not disable the inbuilt accounts, but supplements this mechanism. To use local accounts, select Authentication=Internal User in the Storage settings of the client application and continue to use the accounts created in the Storage module.
In the 2.10.37.99 version, the ability to authorise media storage users via the LDAP protocol has been added.
General Information
- LDAP (Lightweight Directory Access Protocol) is an open standardised protocol used for various directory service implementations, including Active Directory. LDAP allows users to access resources based on the permissions configured by the directory service administrator.
- Active Directory (AD) is a proprietary implementation of Microsoft's directory service - a set of software services and databases for hierarchical representation of company resources (departments, computers, printers, network drives, etc.) and configuring access to them.
How It Works
- In the module Storage (
Administrator Control Panel→Status→Storage_N→Manage Users…→Manage Groups→Add New Group) user groups are created that will correspond to the implemented technical process (for example: Skylark Editors, Skylark Operators, Skylark Users, etc.). - In the Directory Service, user groups are created with the same names as defined in the Storage module. If you are using Active Directory, this can be done through the Active Directory Users and Computers snap-in
dsa.msc. - Users are only created in the Directory Service.
- Users created in the directory service are assigned the desired groups based on their role in the workflow.
- If the LDAP function is enabled in the Storage module and Authentication=LDAP authorisation type is selected in the client application, the specified username and password will be verified through the LDAP server.
- If authentication is successful, all groups assigned to the user will be retrieved from the memberOf attribute.
- The retrieved groups will be matched with the groups created in the Storage module, if a match is found, then rights of such group are assigned to the user. The built-in Everyone group is assigned to the user in any case.
In addition, user name, phone number and email address information can be downloaded from the directory service and synchronised on a regular basis.
When a user is authorised via LDAP, the login is cached for 30 seconds. This must be taken into account when working in a real system. For example, if a new group is assigned to a user in the directory service, its mapping may occur with the specified delay.
Obtaining Data from Active Directory
You can obtain the data required to configure the function using the Get-ADUser command in the Power Shell. You must run Power Shell as an administrator to display all available data.
Command examples:
Display a summary of user information:
Get-ADUser -filter *
Output extended information about the selected user:
GetADuser -identify <USERNAME> -properties *
A short list of frequently used values:
- DistinguishedName - the entry's location in the directory,
- MemberOf - list of groups associated with the user,
- SamAccountName - user login (e.g. sky),
- CN - user's display container name (e.g. sky),
- DisplayName - user's visible name (e.g., “User Skylark”),
- telephoneNumber - phone number,
- mail - email,
- ObjectClass - specifies the object type (e.g. user - user).
Configuration
Server Part
LDAP server connection parameters are configured on the tab: Administrator Control Panel→Manage→Storages→Storage_N→LDAP.
| Parameter | Description |
|---|---|
| Enabled | Activates the LDAP connection function. |
| Server Address | The field specifies the address of the server with the directory service and the connection port in the format: ip_address:port. If no port is specified, the default TCP port is 389. Your directory service port may be different from the default. |
| Encryption | Select the encryption mode:
Please note that for LDAPS (LDAP over SSL) secured connections, TCP port 636 is normally used. For non-encrypted connections, the default TCP port is 389. Your directory service port may be different from the default. |
| Enable User Name Mapping | Option enables the ability to read additional attributes of directory accounts, which allows you to read the user login (SamAccountName field) in Active Directory. |
| Admin DN | The field specifies the DistinguishedName value for the account that will be used to retrieve data from the directory. The account must have the appropriate permissions to access the attributes of the directory. |
| Admin Password | The field specifies the password for the account that will be used to retrieve data from the catalogue. The password is encrypted when saved. |
| Display Name Attribute | The name of the attribute that will be matched with the login of the user being authorised in the media storage. In fact, enabling this feature activates the index construction for the Display Name Attribute→AD Object Identifier transformation. For Active Directory this field will have the value - SamAccountName. If no match is found, the attempt to authorise the user will fail with an error: LDAP Auth error received on bind attempt. |
| User Search DN | The directory path to the location of the user accounts where the user to be authorised will be searched. For example, it can be found using the DistinguishedName value. Example value: OU=TestOU,DC=DomainName,DC=local. |
| AD Object Class | Sets the searched ObjectClass value for objects of type user, which allows you to filter other object types if they are in the same location specified by the ‘User Search DN’. Most often this field will have the value user. |
| AD Object Identifier | The object identifier used for directory-side authentication. The value of this attribute will be directly matched to the user name being authorised unless the ‘Enable User Name Mapping’ option is used. If no match is found, the attempt to authorise the user will fail with an error: ‘LDAP Auth error received on bind attempt’. Example value: CN. |
| User Permissions Attribute | The name of the attribute that will be used to search for assigned groups. Example value for Active Directory: MemberOf. |
| Group Base DN | The path in the directory to the location of the user group records where the assigned groups will be searched. Example value: OU=TestOU,DC=DomainName,DC=local. |
| Group Object Identifier | The name of the identifier/attribute whose value will be matched against the group names found in the user account. Example value: CN. |
| User Real Name Attribute | The name of the attribute containing the real name of the user. The information will be broadcast to the corresponding fields of the account in media storage: Added in version 2.10.65.99. |
| User Phone Number Attribute | Name of the attribute containing the phone number. Added in version 2.10.65.99. |
| User Email Attribute | The name of the attribute containing the user's email address. Added in version 2.10.65.99. |
Client Side
To start using LDAP accounts, on the Storage| tab of client applications, select Authentication=LDAP and specify your directory service account details.
If the connection is successful, the media storage will switch to the online status and you will see the folders and files:
Application
The function can be used as part of MAM servers in large companies with centralised user account management based on directory services.