In this article
The LDAP Logon add-on allows users in companies with the On-Premise license to re-use their local logon credentials when logging on to Forsta Plus. This reduces the company's total maintenance of user credentials across its applications. Access to the component is controlled in the Forsta Plus license file.
The add-on functions as follows:
- An employee clicks the link to the company’s internal installation of Forsta Plus.
- Forsta Plus displays a login page asking for the user’s UserName and Password.
- The employee enters his/her internal “company” UserName and Password.
- Based on the information provided, Forsta Plus uses LDAP to perform a lookup in the company's directory. A successful lookup logs the user into Forsta Plus.
- On the first successful login, a Forsta Plus user is created automatically.
Configuration
After the functionality has been installed and enabled, it must be configured using the System Configuration interface available for system administrators, as displayed in the figure below.
Figure 1 - The System Configuration interface
The table below describes the site-wide settings and their use:
| Config name | Type | Description |
|---|---|---|
| LdapLogOnEnabled | Bool | If enabled, LDAP directory authentication will be used when logging on to Forsta Plus. If disabled, normal Forsta Plus authentication will be used. |
| LdapSyncPassword | Bool | If enabled, the Forsta Plus user will be given the same password as the LDAP directory user, and this will be kept in sync by performing a synchronization when the user logs on to Forsta Plus. If disabled, the user will be given a random, strong password when created. |
| LdapSyncUserSettings | Bool | If enabled, the user settings (first name, last name, email) will be kept in sync with the values found in the LDAP directory by performing a synchronization every time the user logs on to Forsta Plus. If disabled, the user settings will not be synchronized, but remain the same as when the user was created. |
| LdapPath | Text | Path to the LDAP directory. |
| LdapAuthenticationType | Int | Authentication type: 1 = Anonymous, 2 = Delegation, 3 = Encryption, 4 = FastBind, 5 = None, 6 = ReadonlyServer, 7 = Sealing, 8 = Secure, 9 = SecureSocketsLayer, 10 = ServerBind, 11 = Signing |
| LdapServerType | Int | Directory server type: 1 = MS Active Directory, 2 = OpenLDAP |
| LdapUserDomain | Text | Specifies the domain of the directory user. Not always required, depending on server type. |
| LdapBypassUser | Text | Specifies the Forsta Plus user that can be used to bypass LDAP logon. |
| LdapUserIdAttribute | Text | Specifies the directory attribute that is used when searching for the user in the directory. |
| LdapUserFirstNameAttribute | Text | Specifies the directory attribute that provides the first name of the Forsta Plus user created during LDAP logon. |
| LdapUserLastNameAttribute | Text | Specifies the directory attribute that provides the last name of the Forsta Plus user created during LDAP logon. |
| LdapUserEmailAttribute | Text | Specifies the directory attribute that provides the email address of the Forsta Plus user created during LDAP logon. |
| LdapNewUserCompany | Text | Specifies the company name of the Forsta Plus user created during LDAP logon. Must be a company that has already been defined in Forsta Plus. |
| LdapNewUserLanguage | Int | Specifies the language code of the Forsta Plus user created during LDAP logon. Must be a valid language code. |
| LdapNewUserLevel | Int | Specifies the "level" of the Forsta Plus user created during LDAP logon. Must be a valid level code: 0 = None, 100 = NoAccess, 105 = Express, 110 = Translator, 200 = Professional |
| LdapNewUserRole | Text | Specifies the "role" of the Forsta Plus user created during LDAP logon. If specified, must be a role that has already been defined in Forsta Plus. |
| LdapNewUserType | Int | Specifies the "type" of the Forsta Plus user created during LDAP logon. Must be a valid type code: 0 = Normal, 1 = Test, 2 = Training, 3 = Trial, 4 = ExpressConnect |
New Forsta Plus User
If the module has been activated, enabled and configured correctly, authentication will be performed using the LDAP directory for every user (except for the username specified in the LdapBypassUser config setting). If the user has never logged on before, a new Forsta Plus user will be created if the directory authentication is successful. The user will be configured according to the values entered in the config settings (company, language, level etc.).
Fallback
If LdapSyncPassword is enabled, this new user will be given the same password as the directory user. This enables the user to log on successfully in the future in the event of an LDAP failure (service unavailable etc.), or if the module is disabled. If LdapSyncPassword is disabled, the new user will be given a random (but strong) password, so it will be impossible to log on with that user if LDAP Logon isn't operational.
User Settings
When a new Forsta Plus user is created, the user will be given the same first name, last name and email address as found in the directory attributes specified in the config settings for the directory user. If LdapSyncUserSettings is enabled, these values will be kept in sync (synchronized each time the user logs on) and it will not be possible for the user to change these values in Forsta Plus.
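The following is an added model of the logon flow described in the New Forsta Plus User, Fallback and User Settings sections, using the keys and codes from the configuration table; it is illustrative code written for this page, not Forsta's implementation. The directory contents, the sample settings and the fallback-to-normal-authentication behaviour when LDAP is unavailable are assumptions.

```python
import secrets

LEVELS = {0, 100, 105, 110, 200}          # valid LdapNewUserLevel codes (from the table)
USER_TYPES = {0, 1, 2, 3, 4}              # valid LdapNewUserType codes (from the table)

# Constructed site-wide settings using the keys and codes from the table; the language code is a placeholder.
CONFIG = {"LdapLogOnEnabled": True, "LdapSyncPassword": False, "LdapSyncUserSettings": True,
          "LdapBypassUser": "admin", "LdapUserFirstNameAttribute": "givenName",
          "LdapUserLastNameAttribute": "sn", "LdapUserEmailAttribute": "mail",
          "LdapNewUserCompany": "Example Ltd", "LdapNewUserLanguage": 1,
          "LdapNewUserLevel": 200, "LdapNewUserRole": "", "LdapNewUserType": 0}

# Constructed stand-in for the company directory: username -> (password, attributes).
DIRECTORY = {"jdoe": ("Winter-2024!", {"givenName": "Jane", "sn": "Doe", "mail": "jane.doe@example.com"})}

def ldap_lookup(config, username, password):
    """Stand-in for the LDAP bind/lookup (a real one would use LdapPath and LdapUserIdAttribute)."""
    entry = DIRECTORY.get(username)
    return entry[1] if entry is not None and entry[0] == password else None

def logon(config, users, username, password, ldap_available=True):
    """Model of the page's logon flow; `users` is the Forsta Plus user store. True = logged on."""
    if not config["LdapLogOnEnabled"] or username == config["LdapBypassUser"] or not ldap_available:
        # Normal Forsta Plus authentication against the stored password
        # (assumption: a real store compares a hash, not the password itself).
        user = users.get(username)
        return user is not None and user["password"] == password
    attrs = ldap_lookup(config, username, password)
    if attrs is None:
        return False
    profile = {k: attrs.get(config[a]) for k, a in (("first_name", "LdapUserFirstNameAttribute"),
               ("last_name", "LdapUserLastNameAttribute"), ("email", "LdapUserEmailAttribute"))}
    if username not in users:
        # First successful directory logon: create the Forsta Plus user from the config values.
        if config["LdapNewUserLevel"] not in LEVELS or config["LdapNewUserType"] not in USER_TYPES:
            raise ValueError("LdapNewUserLevel/LdapNewUserType is not a valid code")
        users[username] = dict(profile, company=config["LdapNewUserCompany"],
                               language=config["LdapNewUserLanguage"], level=config["LdapNewUserLevel"],
                               role=config["LdapNewUserRole"], type=config["LdapNewUserType"], password=None)
    user = users[username]
    if config["LdapSyncPassword"]:
        user["password"] = password                     # kept equal to the directory password
    elif user["password"] is None:
        user["password"] = secrets.token_urlsafe(24)    # random, strong; the user never learns it
    if config["LdapSyncUserSettings"]:
        user.update(profile)                            # names and email follow the directory
    return True
```

Run `logon(CONFIG, {}, "jdoe", "Winter-2024!")` once with LDAP available and once with `ldap_available=False` to see why a user created with LdapSyncPassword disabled cannot log on when LDAP Logon is not operational.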
Troubleshooting
Errors related to LDAP Logon will be written to the Activity Log. It is possible to search through this log using the System Activities interface that is available for system administrators, as shown in the figure below.
Figure 2 - Example of the System Activities page
The search results will display the events that occurred during the specified interval, and they can be exported to a tab-delimited text file for further investigation.