IBM Datacap, Version 8.1            

LLLDAP group authentication

In the Taskmaster Server Manager, you can select LLLDAP as your group authentication system. When you select LLLDAP as your group authentication system, you must set up the Authentication path template with customized directory configuration properties.

LLLDAP authentication path template with customized directory configuration properties

The Authentication path template for LLLDAP group authentication must start with the host:port parameters, where host is the LDAP server name and port is the port number.
Restriction: You must not enter a port number that is configured for SSL. An error message is returned if you enter a port number that is configured for SSL because SSL is not supported.

The Bind User and Bind Password can be encrypted by setting custom values in the Application Manager. Values that are specified in the Advanced values field in the Custom values tab are encrypted. You must specify the application and the Value name in the Taskmaster Server Manager Authentication path template. For example, a password that is stored with the Value name MyBindPassword in the APT application Advanced values field can be retrieved by the LLLDAP authenticator by specifying APT,MyBindPassword in the Authentication path template.

List of LLLDAP Directory Configuration Properties

Table 1. List of Directory Configuration Properties (property name, followed by its description)

GroupBaseDn (Group Base Domain Name)
    The base domain name for searching for groups in the directory server.

GroupSearchFilter (Group Search Filter)
    Specifies the search filter for groups, such as (&(objectclass=group)(cn=<%user%>)), where cn serves as the short name.
    GroupSearchFilter and GroupDisplayNameAttr must use the same LDAP attribute.

GroupShortNameAttr (Group Short Name Attribute)
    Defines the directory server attribute to be used as the short name for a group.

GroupDisplayNameAttr (Group Display Name Attribute)
    Specifies the display name for a Group object that is generated by the authentication provider. The default property value depends on the authentication provider and is specified by the provider's configuration.

GroupMembershipSearchFilter (Group Membership Search Filter)
    The search filter for group membership queries.

GroupNestedSearch (Group Nested Search)
    Include nested groups when discovering group membership. Valid values are On and Off. The default value is Off.

UserBaseDn (User Base Domain Name)
    The base domain name for searching for users in the directory server.

UserSearchFilter (User Search Filter)
    Specifies the search filter for users, such as (&(objectclass=user)(samAccountName=<%user%>)), where samAccountName serves as the short name.

UserShortNameAttr (User Short Name Attribute)
    Defines the directory server attribute to be used as the short name for a user.

UserDisplayNameAttr (User Display Name Attribute)
    Specifies the display name for a User object that is generated by the authentication provider. The default property value depends on the authentication provider and is specified by the provider's configuration.

BindUser (Bind User)
    The user name for authenticating the users. This user must have permission to search the area of LDAP where users are located, including outside of the user's own groups and authorization. The login fails if the application user cannot bind. The bind user can be specified in plain text or can be encrypted by using the Advanced values field in the Custom values tab of the Application Manager. When the bind user is stored in the Application Manager, you must specify the application name and the Value name as Application,<value name>. For example, enter APT,MyBindUser, where APT is the Taskmaster application name and MyBindUser is the Value name in the Advanced values field. You must specify only the Value name. Do not specify the complete @APPVAR path in the Advanced values field.

BindPw (Bind Password)
    The password for the Bind User. The bind password can be specified in plain text or can be encrypted by using the Advanced values field in the Custom values tab of the Application Manager. When the bind password is stored in the Application Manager, you must specify the application name and the Value name as Application,<value name>. For example, enter APT,MyBindPassword, where APT is the Taskmaster application name and MyBindPassword is the Value name in the Advanced values field. You must specify only the Value name. Do not specify the complete @APPVAR path in the Advanced values field.

AuthAttribute (Authorization Attribute)
    The AuthAttribute value tells Taskmaster Server to authenticate a user with an additional attribute value, such as AuthAttribute:carLicense=1234. This value is optional.

Example 1 - LLLDAP group authentication path template

The following is an example of an Authentication path template with customized directory configuration properties. The template is entered as a single string; it is broken after the ? separators here only for readability.
MyServer:389/
BindUser:cn=admin,dc=mydomain,dc=com?
BindPw:APT,MyBindPassword?
UserBaseDn:ou=people,dc=mydomain,dc=com?
UserSearchFilter:(&(objectClass=inetOrgPerson)(cn=<%user%>))?
UserShortNameAttr:cn?
UserDisplayNameAttr:uid?
GroupBaseDn:ou=groups,dc=mydomain,dc=com?
GroupSearchFilter:(&(objectClass=groupOfNames))?
GroupShortNameAttr:cn?
GroupNestedSearch:on?
GroupDisplayNameAttr:cn?
GroupMembershipSearchFilter:(&(objectClass=groupOfNames)(member=<%user%>))

Example 2 - LLLDAP group authentication path template

The following is an example of an Authentication path template to authenticate a user with the sAMAccountName attribute. As in Example 1, it is a single string broken after the ? separators for readability.
Server:389/
BindUser:cn=admin,dc=mydomain,dc=com?
BindPw:APT,MyBindPassword?
UserBaseDn:DC=mydomain,DC=com?
UserSearchFilter:(&(objectClass=user)(sAMAccountName=<%user%>))?
UserShortNameAttr:cn?
UserDisplayNameAttr:uid?
GroupBaseDn:DC=mydomain,DC=com?
GroupSearchFilter:(&(objectClass=group))?
GroupShortNameAttr:cn?
GroupNestedSearch:on?
GroupDisplayNameAttr:cn?
GroupMembershipSearchFilter:(&(objectClass=group)(member=<%user%>))
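The following is an added example, not IBM Datacap code: it parses a template of the host:port/Property:value?Property:value form used in both examples above, resolves a BindPw given as Application,ValueName against a constructed stand-in for the Application Manager Advanced values store, and substitutes the login name for <%user%> in a search filter. The template, the APP_VALUES store and its contents are constructed for the example, and the RFC 4515 escaping is an assumption about what a careful authenticator would do before placing a login name inside an LDAP filter.

```python
# Added example, not IBM Datacap code: parse an LLLDAP Authentication path
# template (host:port/Prop:value?Prop:value...) and show how the BindPw
# "Application,ValueName" reference and the <%user%> placeholder are used.

TEMPLATE = (  # constructed sample in the same shape as Example 1 above
    "MyServer:389/BindUser:cn=admin,dc=mydomain,dc=com?BindPw:APT,MyBindPassword?"
    "UserBaseDn:ou=people,dc=mydomain,dc=com?"
    "UserSearchFilter:(&(objectClass=inetOrgPerson)(cn=<%user%>))?"
    "GroupMembershipSearchFilter:(&(objectClass=groupOfNames)(member=<%user%>))"
)

# Constructed stand-in for the Application Manager "Advanced values" store
# (assumption: looked up by application name and Value name, as the text says).
APP_VALUES = {("APT", "MyBindPassword"): "example-bind-secret"}


def parse_template(template):
    """Return (host, port, {property: value}); host:port/ must come first."""
    head, slash, rest = template.partition("/")
    host, colon, port = head.rpartition(":")
    if not slash or not colon or not port.isdigit():
        raise ValueError("template must start with host:port/")
    props = {}
    for item in filter(None, rest.split("?")):
        name, sep, value = item.partition(":")   # value may itself contain ':'
        if not sep or not name:
            raise ValueError(f"malformed property: {item!r}")
        props[name] = value
    return host, int(port), props


def resolve_app_value(value, store=APP_VALUES):
    """BindUser/BindPw may be 'Application,ValueName' naming a stored value."""
    app, sep, name = value.partition(",")
    if sep and (app, name) in store:
        return store[(app, name)]
    return value  # given in plain text (a DN also contains commas, so check the store)


def escape_filter_value(value):
    """RFC 4515 escaping so the substituted name cannot alter the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(props, prop_name, user):
    """Substitute the login name for <%user%> in one of the search filter properties."""
    return props[prop_name].replace("<%user%>", escape_filter_value(user))
```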


Last updated: November 2013
dcain443.htm

© Copyright IBM Corporation 2013.