LDAP Authentication

Plugins.ini

LDAP integration is configured in plugins.ini. First, add the entry that loads the LDAP plugin:


   LDAP=MobileLabs.DeviceConnect.SingleSignOn.LDAP.dll
    

Add a [LDAP] section header. LDAP/LDAPS integration settings will be under this section:


   [LDAP]
    

The following are LDAP/LDAPS integration settings:

EnableLogging=<true | false> Used to add additional logging. The default value is False.


   EnableLogging=false
    

GroupRegex=<RegularExpression> A regular expression defining the GigaFox Group Roles prefix. By default, the prefix should begin with "DeviceConnect" followed by the role name, for example DeviceConnectAdministrator:


   GroupRegex=CN=DeviceConnect(.*?),
    

AllowLocalLogins=<true | false> Allows existing locally defined GigaFox users to log in. True allows both local and LDAP users to log in; false allows only LDAP users to log in. If more than one server is defined, all domain servers must follow this convention:


   AllowLocalLogins=true
    

LDAP server details include:

server=<IP Address or Domain name of LDAP server> LDAP server address:


   Server=dc.example.com
    

Timeout=<delay in ms> The time, in milliseconds, allowed to connect and authenticate a user; the default is 30ms:


   Timeout=30000
    

Port=<LDAP port number> The port connecting to the domain controller. By default, the port for Active Directory is 389 for LDAP and 636 for LDAPS:


   Port=389
    

SSL=<true | false> false for a plain LDAP connection, true for LDAPS:


   SSL=false
    

AutoCreateAccountsForAuthorizedUsers=<true | false> If set to false, new LDAP users will not be able to log in because local dC accounts will not be created for them; users will already need to be GigaFox users:


   AutoCreateAccountsForAuthorizedUsers=true
    

BaseDN=<LDAP object name | domain name> All LDAP object lookups will be limited to this tree:


   BaseDN=DC=example,DC=com
    

MaxConcurrentConnections=<number> Maximum number of concurrent connections allowed to the LDAP server. The default is 5 connections:


   MaxConcurrentConnections=5
    

NestedGroups=<true | false> Determines how user roles are found, depending on how related groups are searched. When set to true and used with Active Directory, LDAP will perform a nested search of groups. If set to false, only groups the user is a direct member of will be considered for access:


   NestedGroups=true
    

GroupMembershipAttribute=<group membership name>

If the server uses a group membership attribute other than memberOf, set GroupMembershipAttribute to the attribute which contains the group memberships:

   GroupMembershipAttribute=deviceConnectUsers
     

BindTemplate changes the bind request username format; defaults to {0}.

SearchTemplate allows you to change the search string; defaults to (&(sAMAccountType=805306368){0})

IdentifierAttribute customizes which attribute is used for the username; defaults to userPrincipalName. Optionally, a different attribute can be used, for example the email address.

TIP: To add multiple LDAP servers, starting with the number 2, add an increasing integer to the end of each definition.

plugins.ini example:


   ; GigaFox Plugin Configuration
   ;
   ; PluginName=RelativePathToDll
   ;
   ; Paths are relative to $DEVICECONNECT_BIN_PATH. PluginName may be any name,
   ; but each plugin must have a unique name.
   ;
   ; Configuration settings for each plugin may be set by adding a [PluginName]
   ; section.
   ;
   ; <Optional Parameters>
   ;
   ; BindTemplate= : defaults to "{0}"
   ;
   ; SearchTemplate= : defaults to "(&(sAMAccountType=805306368){0})"
   ;
   ; IdentifierAttribute= : defaults to "userPrincipalName"

   ; Path of LDAP dll in deviceconnect directory
   LDAP=Plugins/MobileLabs.DeviceConnect.SingleSignOn.LDAP.dll
   [LDAP]
   GroupRegex=CN=DeviceConnect(.*?),
   AllowLocalLogins=true
   EnableLogging=true
   Server=dc.example.com
   BindTemplate={0}
   SearchTemplate=(&(sAMAccountType=805306368){0})
   IdentifierAttribute=userPrincipalName
   Timeout=30000
   Port=636
   SSL=true
   AutoCreateAccountsForAuthorizedUsers=true
   BaseDN=DC=example,DC=com
   MaxConcurrentConnections=5
   NestedGroups=true
   Server2=dc.model.com
   BindTemplate2={0}
   SearchTemplate2=(&(sAMAccountType=805306368){0})
   IdentifierAttribute2=userPrincipalName
   Timeout2=10000
   Port2=389
   SSL2=false
   AutoCreateAccountsForAuthorizedUsers2=true
   BaseDN2=DC=model,DC=com
   MaxConcurrentConnections2=5
   NestedGroups2=true
    
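The following added example (not part of the GigaFox documentation or product) parses a constructed [LDAP] section using the numbered-suffix convention described above, groups the keys per server, flags plain-LDAP servers and SSL/Port mismatches, and shows how a GroupRegex such as CN=DeviceConnect(.*?), turns a user's memberOf DNs into role names. The suffix grouping and the audit rules are this example's own assumptions about how the plugin reads the file.

```python
import configparser
import re

# Constructed sample, mirroring the two-server layout shown on this page.
PLUGINS_INI = """
[LDAP]
GroupRegex=CN=DeviceConnect(.*?),
AllowLocalLogins=true
Server=dc.example.com
Port=636
SSL=true
Timeout=30000
Server2=dc.model.com
Port2=389
SSL2=false
Timeout2=10000
"""

# Key name followed by an optional integer suffix (Server, Server2, Server3, ...).
SUFFIXED = re.compile(r"^(?P<key>[A-Za-z]+?)(?P<n>\d*)$")

def load_ldap_section(text):
    """Return {index: {key: value}} for the [LDAP] section (assumed layout):
    unsuffixed keys land in index 1, keys ending in N land in index N.
    Global keys such as GroupRegex and AllowLocalLogins stay in index 1."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    servers = {}
    for raw_key, value in cp["LDAP"].items():
        m = SUFFIXED.match(raw_key)
        idx = int(m.group("n")) if m.group("n") else 1
        servers.setdefault(idx, {})[m.group("key")] = value
    return servers

def audit(servers):
    """Return (index, message) findings for settings that weaken the integration."""
    findings = []
    for idx, s in sorted(servers.items()):
        ssl = s.get("SSL", "false").lower() == "true"
        port = int(s.get("Port", "389"))
        name = s.get("Server", "?")
        if not ssl:  # simple binds over plain LDAP send the password unencrypted
            findings.append((idx, f"{name}: SSL=false, bind credentials are not protected"))
        if (ssl and port == 389) or (not ssl and port == 636):
            findings.append((idx, f"{name}: SSL/Port mismatch (SSL={ssl}, Port={port})"))
    return findings

def roles_from_groups(group_regex, member_of):
    """Apply GroupRegex to each memberOf DN; the first capture group is the role name."""
    pat = re.compile(group_regex)
    return [m.group(1) for dn in member_of if (m := pat.search(dn))]
```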

After making edits to plugins.ini, restart GigaFox services. To restart services, in terminal run:


   /usr/local/deviceconnect/Build/svcrestart
    

Secure LDAPS Connection

To secure a LDAPS connection:

  1. Configure SSL.
  2. Add the exported LDAP server certificate to the mono Trust store; in terminal run:

       certmgr -add -c Trust <exported_certificate_file>

  3. In Active Directory, enable the LDAPS server certificate:
     1. Make a remote desktop connection or log into the console of a Domain Controller.
     2. Open PowerShell.
     3. Run MMC to launch the Microsoft Management Console.
     4. On the File dropdown menu, select ADD/REMOVE SNAP-IN.
     5. Select Certificates and click the Add button.
     6. Select Computer Account > Local computer.
     7. Click Finish.
     8. Click OK.
     9. Expand Certificates.
     10. Expand Personal.
     11. On the right, select Domain Controller.
     12. Select All Tasks > Export.
     13. Click Next three times.
     14. Name the certificate for the Domain Controller.
     15. Copy the file and import it where it is needed.