LDAP Authentication

MEGA Administration : Administrator Guide : Managing Users : Authentication in MEGA : LDAP Authentication

LDAP Authentication

LDAP authentication is available only if you have technical module MEGA Supervisor.

An LDAP directory enables storage of user data of the enterprise.

MEGA Administration allows you to create users authenticated at LDAP server level.

Only users (example: Administrator) with a MEGA Administrator or User Administrator profile, see "Administrator profile".

Configuring LDAP authentication

To configure LDAP authentication:

1. Create an LDAP server in MEGA Administration.

See "Creating an LDAP server".

2. Specify parameters of your LDAP server.

See "Configuring the LDAP server".

3. (Optional) You can:

• configure LDAP parameters

See "Configuring an LDAP parameter".

• modify LDAP import parameters

See "Modifying LDAP directory import content".

4. (Web Front-End) Check the configuration of the LDAP server.

See "Checking the configuration of an LDAP server (Web Front-End)".

When LDAP authentication has been configured:

• you can import persons from the LDAP directory.

See "Importing persons from an LDAP server".

• or you can manually map a MEGA user group with a user group declared in your LDAP server.

See "Associating a MEGA user group with an LDAP user group".

When connecting to MEGA, the authentication service uses the MEGA Login and password of the user to authenticate the user with the list of available LDAP servers.

Accessing LDAP server management

To access LDAP server management:

• Web Front-End:

From the Administration desktop, select the LDAP Servers sub-folder.

See "Accessing the User Management Pages (Web Front-End)".

• Windows Front-End:

From MEGA Administration, in the User Management folder, right-click on LDAP Servers and select Administer.

See "Accessing User Management and UI Access Management Folders (Windows Front-End)".

The LDAP Servers folder is available only if you are connected with a user with MEGA Administrator profile (example: Administrator), see "Administrator profile".

Creating an LDAP server

The LDAP server is the server on which the LDAP directory is installed.

The LDAP directory can be an Active Directory directory.

To create an LDAP server:

1. Access LDAP server management.

See "Accessing LDAP server management".

2. In the LDAP server menu bar, click New

3. In the creation of LDAP server dialog box, enter the Name of the LDAP server and click OK.

The new LDAP server appears in the list of LDAP servers.

You must configure the LDAP server, see "Configuring the LDAP server".

Configuring the LDAP server

LDAP server configuration is restricted to users with a MEGA Administration or user Administration profile.

To configure an LDAP server:

Prerequisite: the LDAP server is already created.

See "Creating an LDAP server".

1. Access LDAP server management.

See "Accessing LDAP server management".

2. Select the new LDAP server and click Properties

3. In the Characteristics tab, complete the following fields:

• LDAP Server Name: name of the server hosting the LDAP directory.

• LDAP Port: LDAP communication bridge

Example: 389

• LDAP Root Address: root address of LDAP server. This is an important attribute to limit query for a user in the LDAP directory or to address a particular forest.

• LDAP Identifier: this is the LDAP attribute enabling unique identification of a user

Example: SAMAccountName, UID

• LDAP SSL Encryption: select Yes if you wish LDAP directory connection to be SSL protocol encoded

• LDAP Anonymous Connection : if you select No, you must specify the user via which LDAP directory connection will be made, as well as the user password

Only an administrator user can connect anonymously to an LDAP server.

• LDAP User: enter the identifier of the LDAP user used for LDAP directory connection. If connection is anonymous, this field should not be completed.

This user must have reading rights on data that MEGA needs to access (example: LDAP person group, membership of a group in LDAP, e-mail in LDAP, etc.).

• Authentication Password: enter the password of the LDAP user used for LDAP directory connection. If connection is anonymous, this field should not be completed.

4. Click Save (Web Front-End) / OK (Windows Front-End).

The LDAP server is configured.

You can also:

• configure an LDAP parameter, see "Configuring an LDAP parameter".

• modify content of LDAP directory import, see "Modifying LDAP directory import content".

Configuring an LDAP parameter

An LDAP parameter is a parameter that exists in the LDAP directory and is associated uniquely with a MEGA attribute.

Configuring an LDAP parameter is useful when importing persons from an LDAP directory. This configuration enables initialization of attributes (of the person or login created in MEGA) corresponding to parameters with values stored in the LDAP directory.

Example: the "E-mail address" MetaAttribute of the person is initialized with the "mail" LDAP parameter of the person in the "Active Directory" LDAP directory (if mapping has been carried out).

To configure an LDAP parameter:

1. Access LDAP server management.

See "Accessing LDAP server management".

2. Select the LDAP server for which you want to configure an LDAP parameter and click Properties

3. In the LDAP Parameters tab, click New

The LDAP parameter enables pre-completion of characteristics of a person corresponding to the LDAP parameters.

4. Enter the Name of the LDAP parameter (example: Mail), then click Properties

5. (Optionally, access the "expert" metamodel) Select Index on Persons, so that the parameter value enables unique identification of a person. If a person in MEGA has the same e-mail as a person defined in the LDAP directory, this person is reused (instead of creating a new person and risk duplicating the same person).

6. (Optionally, access the "expert" metamodel) Select Is available for search so that an e-mail address can be entered in the import entry area.

Example: if you enter ctodd@mega.com, you should find Clara TODD.

7. In the MetaAttribute field, click the arrow and select Connect MetaAttribute.

8. Execute a query on the MetaAttribute (example: E-mail).

When importing persons from the LDAP directory, the LDAP parameter (example: mail) will initialize the MetaAttribute (example: E-mail address).

Modifying LDAP directory import content

You can modify LDAP directory import content:

• export candidate objects:

This option enables definition of the type of objects to be imported from the LDAP directory.

Default value: person.

• the list of objects browsed for LDAP query

This option enables addition to the import of a particular person and/or persons of a team ("organization").

Default value: organization,organizationalUnit,person

To define content of LDAP directory import:

1. Access the environment options management window.

See "Modifying options at environment level", page 368.

2. In the options tree, expand the Installation folder and select User Management.

3. (Optional) In the right pane, modify the List of ObjectClass candidates for import from LDAP option.

To import objects other than persons (default value), for example resources or org-units, specify this in this field. Objects should be separated by commas.

Everything that is imported creates occurrences of persons with login.

4. (Optional) In the right pane, modify the List of ObjectClass browsed for LDAP query option.

To add a person or organization to the import, enter the name of the person or organization (example: Quality) in the field.

The result is the list of ObjectClass candidates for import from LDAP, that is persons by default.

Checking the configuration of an LDAP server (Web Front-End)

To check the configuration of an LDAP server:

1. Access LDAP server management.

See "Accessing LDAP server management".

2. In the edit area, select the LDAP server and click LDAP Check.

Importing persons from an LDAP server

The import of persons from an LDAP directory enables initialization of attributes (of the person or login created in MEGA) corresponding to parameters with values stored in the LDAP directory.

See "Configuring an LDAP parameter".

Example: the "E-mail address" MetaAttribute of the person is initialized with the "mail" LDAP parameter of the person in the LDAP file (if mapping has been carried out).

To import persons from an LDAP directory:

1. Open the user management window.

See "Accessing the User Management Pages (Web Front-End)" or "Opening the user management window (Windows Front-End)".

2. In the Persons tab, click Import From LDAP.

3. The LDAP Import Wizard appears.

4. In the LDAP Server field, select via the drop-down menu the server from which you want to import persons.

The LDAP server must be created, see"Creating an LDAP server".

5. In the Queried Element field, enter the queried character string.

Example: Support service.

6. Names resulting from the query are listed.

7. Select the persons you want to import.

8. Click OK.

Associating a MEGA user group with an LDAP user group

An LDAP group defines a group or organization in the LDAP directory or Active Directory. It contains a list of users that can potentially connect to the application.

Having configured the LDAP server (see "Configuring the LDAP server"), you must specify a user group authenticated with the LDAP directory.

If a default person group is defined (example "Guests") and no LDAP group is specified, a person authenticated in LDAP (with the Belongs to a person group option selected, see "Person Properties") automatically belongs to the group defined by default (example: "Guests").

To specify a user group authenticated with the LDAP directory:

1. Access LDAP server management.

See "Accessing LDAP server management".

2. Select the LDAP server you wish to configure and click Properties

3. In the LDAP server properties dialog box, select the LDAP Groups tab.

4. Click Connect

to connect the existing LDAP user group.

The LDAP Group query wizard appears.

5. (Optional) In the query field, enter the character string to be queried.

6. Click Find

To execute an advanced query, click Open Query Tool

Query results are displayed.

7. Select the LDAP user group and click Connect.

Use the [Ctrl] key to select several LDAP user groups at the same time.

The LDAP user group appears in the list.

8. Connect the MEGA user group to the LDAP user group.

See "Defining a dynamic person group with LDAP".

Authentication and a user created on the fly (RDBMS repository)

Creation of a person on the fly concerns only RDBMS repositories.

Users created on the fly concern cases of connection to MEGA via the Web in read-only mode (example: HOPEX Explorer). Creation of a user on the fly is not available for connection to MEGA (Windows Front-End).

When a user has been created on the fly, the LDAP parameters can be used as indexing identifier (Index on Person attribute, see "Configuring an LDAP parameter") to check that a person with an attribute with the same value as the LDAP directory already exists in MEGA.

Example of use:

Anne, responsible for sending questionnaires, wishes to send a questionnaire. If one of the addressees does not exist:

• Anne can create the person (example: "Thomas KOCH" with e-mail "tkoch@mega.com")

• Anne cannot create the login of Thomas Koch since she is not an administrator.

When Thomas KOCH connects to the Web application (HOPEX Explorer), with tkh:

1. The authentication service authenticates tkh with the LDAP directory: the "mail" parameter exists and is indexing identifier type (Index on Person is selected),

2. The authentication service checks if a person already has this e-mail.

Answer: Yes.

3. The authentication service creates the login associated with the person.

If Thomas KOCH has assignments to complete the questionnaire, he can connect to the application to complete this questionnaire.