LDAP Authentication
Plugins.ini
In plugins.ini, the LDAP plugin is registered with an LDAP entry that points at the plugin DLL:
LDAP=MobileLabs.DeviceConnect.SingleSignOn.LDAP.dll
Then add a [LDAP] section header. The LDAP/LDAPS integration settings go under this section:
[LDAP]
The following are the LDAP/LDAPS integration settings:
EnableLogging=<true | false> Used to add additional logging. The default value is False.
EnableLogging=false
GroupRegex=<RegularExpression> A regular expression defining the GigaFox Group Roles prefix. By default, the prefix should begin with "DeviceConnect" followed by the role name, for example DeviceConnectAdministrator:
GroupRegex=CN=DeviceConnect(.*?),
AllowLocalLogins=<true | false> Allows existing locally defined GigaFox users to log in. true allows both local and LDAP users to log in; false allows only LDAP users to log in. If more than one server is defined, all domain servers must follow this convention:
AllowLocalLogins=true
LDAP server details include:
Server=<IP Address or Domain name of LDAP server> LDAP server address:
Server=dc.example.com
Timeout=<delay in ms> The time, in milliseconds, allowed to connect and authenticate a user; the default is 30ms:
Timeout=30000
Port=<LDAP port number> The port connecting to the domain controller. By default, the port for Active Directory is 389 for LDAP and 636 for LDAPS:
Port=389
SSL=<true | false> false for a plain LDAP connection, true for LDAPS:
SSL=false
AutoCreateAccountsForAuthorizedUsers=<true | false> If set to false, local dC accounts are not created for new LDAP users, so such users cannot log in; they must already exist as GigaFox users:
AutoCreateAccountsForAuthorizedUsers=true
BaseDN=<LDAP object name | domain name> All LDAP object lookups will be limited to this tree:
BaseDN=DC=example,DC=com
MaxConcurrentConnections=<number> Maximum number of concurrent connections allowed to the LDAP server. The default is 5 connections:
MaxConcurrentConnections=5
NestedGroups=<true | false> Determines how user roles are found, depending on how related groups are searched. When set to true and used with Active Directory, LDAP will perform a nested search of groups. If set to false, only groups the user is a direct member of will be considered for access:
NestedGroups=true
GroupMembershipAttribute=<group membership attribute name> If the server uses a group membership attribute other than memberOf, set GroupMembershipAttribute to the attribute that contains the group memberships:
GroupMembershipAttribute=deviceConnectUsers
BindTemplate changes the bind request username format; defaults to {0}.
SearchTemplate allows you to change the search string; defaults to (&(sAMAccountType=805306368){0})
IdentifierAttribute customizes which attribute is matched against the username; defaults to userPrincipalName. As an optional parameter, a different attribute can be used, for example the email address.
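The following is an added illustration, not the plugin's own code: it fills the documented SearchTemplate with the IdentifierAttribute clause, escaping the login name as an LDAP filter value (RFC 4515), and applies the documented GroupRegex to group DNs to recover GigaFox role names. It assumes that {0} in SearchTemplate receives the whole (IdentifierAttribute=username) clause; the usernames and group DNs are constructed sample input.

```python
import re

# Values taken from this page's [LDAP] settings; everything else here is constructed.
SEARCH_TEMPLATE = "(&(sAMAccountType=805306368){0})"
IDENTIFIER_ATTRIBUTE = "userPrincipalName"
GROUP_REGEX = re.compile(r"CN=DeviceConnect(.*?),")


def escape_filter_value(value):
    """Escape a user-supplied value for an LDAP search filter (RFC 4515).

    The login name is inserted into the filter as text, so the characters
    that are filter syntax ( ) * \\ and NUL must be hex-escaped; otherwise
    a crafted name can change which entries the search matches. Whether
    the plugin does this itself is not stated on the page."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "()*\\\x00" else ch for ch in value
    )


def build_search_filter(username, template=SEARCH_TEMPLATE, attr=IDENTIFIER_ATTRIBUTE):
    """Fill the SearchTemplate placeholder {0}.

    Assumption: {0} receives the whole (IdentifierAttribute=username)
    clause, which is what the shape of the default template suggests."""
    return template.format("(%s=%s)" % (attr, escape_filter_value(username)))


def roles_from_groups(member_of, regex=GROUP_REGEX):
    """Map group DNs (for example memberOf values) to GigaFox roles via GroupRegex.

    The non-greedy (.*?) followed by ',' captures the text between the
    DeviceConnect prefix and the end of the CN component, so
    CN=DeviceConnectAdministrator,OU=... yields "Administrator". Groups
    without the prefix, and a bare CN=DeviceConnect group, grant no role."""
    roles = []
    for dn in member_of:
        m = regex.search(dn)
        if m and m.group(1):
            roles.append(m.group(1))
    return roles
```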
TIP: To add multiple LDAP servers, starting with the number 2, add an increasing integer to the end of each definition.
plugins.ini example (the explanatory lines are ini comments, prefixed with ;):
; GigaFox Plugin Configuration
; PluginName=RelativePathToDll
; Paths are relative to $DEVICECONNECT_BIN_PATH. PluginName may be any name,
; but each plugin must have a unique name.
; Configuration settings for each plugin may be set by adding a [PluginName]
; section.
;
; <Optional Parameters>
; BindTemplate= : defaults to "{0}"
; SearchTemplate= : defaults to "(&(sAMAccountType=805306368){0})"
; IdentifierAttribute= : defaults to "userPrincipalName"
;
; Path of LDAP dll in deviceconnect directory
LDAP=Plugins/MobileLabs.DeviceConnect.SingleSignOn.LDAP.dll
[LDAP]
GroupRegex=CN=DeviceConnect(.*?),
AllowLocalLogins=true
EnableLogging=true
; First LDAP server (unsuffixed keys), using LDAPS on port 636
Server=dc.example.com
BindTemplate={0}
SearchTemplate=(&(sAMAccountType=805306368){0})
IdentifierAttribute=userPrincipalName
Timeout=30000
Port=636
SSL=true
AutoCreateAccountsForAuthorizedUsers=true
BaseDN=DC=example,DC=com
MaxConcurrentConnections=5
NestedGroups=true
; Second LDAP server: each key carries the suffix 2, using plain LDAP on port 389
Server2=dc.model.com
BindTemplate2={0}
SearchTemplate2=(&(sAMAccountType=805306368){0})
IdentifierAttribute2=userPrincipalName
Timeout2=10000
Port2=389
SSL2=false
AutoCreateAccountsForAuthorizedUsers2=true
BaseDN2=DC=model,DC=com
MaxConcurrentConnections2=5
NestedGroups2=true
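As an added example (not part of the product), the following splits a [LDAP] section written in the numbered-suffix convention above into one settings dict per server and reports servers whose transport settings are weak. The ini text is a constructed sample that mirrors the two-server example; the audit rules (SSL not true, or SSL=true on a port other than the documented 636) are this example's own.

```python
import configparser
import re

# Constructed sample in the documented convention: unsuffixed keys describe the
# first server, keys ending in 2, 3, ... describe additional servers.
SAMPLE_INI = """\
[LDAP]
GroupRegex=CN=DeviceConnect(.*?),
AllowLocalLogins=true
Server=dc.example.com
Port=636
SSL=true
BaseDN=DC=example,DC=com
Timeout=30000
Server2=dc.model.com
Port2=389
SSL2=false
BaseDN2=DC=model,DC=com
Timeout2=10000
"""

# Key name followed by an optional numeric server suffix, e.g. "Server2".
_SUFFIXED_KEY = re.compile(r"^([A-Za-z]+?)(\d*)$")


def parse_ldap_servers(ini_text):
    """Split the [LDAP] section into one settings dict per server, in server order."""
    # Only '=' separates key and value: BaseDN values themselves contain '='.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(ini_text)
    per_server = {}
    for key, value in cp["LDAP"].items():
        name, suffix = _SUFFIXED_KEY.match(key).groups()
        per_server.setdefault(int(suffix) if suffix else 1, {})[name] = value
    return [per_server[i] for i in sorted(per_server)]


def audit_transport(servers):
    """Return one finding per server whose transport settings are weak."""
    findings = []
    for s in servers:
        host = s.get("Server", "<no Server key>")
        if s.get("SSL", "").lower() != "true":
            # Without SSL the bind credentials cross the network in cleartext.
            findings.append("%s: SSL is not true, bind credentials are sent in cleartext" % host)
        elif s.get("Port") != "636":
            findings.append("%s: SSL=true but Port=%s (LDAPS default is 636)" % (host, s.get("Port")))
    return findings
```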
After making edits to plugins.ini, restart GigaFox services. To restart services, in terminal run:
/usr/local/deviceconnect/Build/svcrestart
Secure LDAPS Connection
To secure a LDAPS connection:
- Configure SSL.
- In Active Directory, enable the LDAPS server certificate and export it:
  - Make a remote desktop connection or log into the console of a Domain Controller.
  - Open Powershell.
  - Run MMC to launch the Microsoft Management Console.
  - On the File dropdown menu, select ADD/REMOVE SNAP-IN.
  - Select Certificates and click the Add button.
  - Select Computer Account > local computer.
  - Click Finish.
  - Click OK.
  - Expand Certificates.
  - Expand Personal.
  - On the right, select Domain Controller.
  - Select All Tasks > Export.
  - Click Next three times.
  - Name the certificate for the Domain Controller.
  - Copy the file and import it where it's needed.
- To add the exported LDAP server certificate to the mono Trust store, in terminal run:
  certmgr -add -c Trust <exported_certificate_file>