Enable Connection Pooling

Either ‘true’ (default) or ‘false’. When ‘true’, connections are allowed to be shared and re-used. This can improve performance.

Connection URL

URL of your LDAP (Active Directory) server, usually in the form: ldap://your.domain.net

If the server uses a “non-standard” port, include in the URL, e.g. ldap://your.domain.net:999 (note standard LDAP ports are 389, or else 636 if SSL).

Note the scheme ldaps://your.domain.net is not supported in Connection URL.

SSL

Either ‘false’ (default) or ‘true’. If ‘true’, the station uses SSL to communicate with the LDAP server.

If true, be sure to enable SSL in the station’s NiagaraNetwork’s FoxService (for Workbench-to-station access) and also station’s WebService (for browser-to-station access).

User Login Attr

The specific attribute in the LDAP directory for the desired user login name.

For Active Directory, the default sAMAccountName value is always used.

User Base

Sub-tree of the LDAP server in which users who can access this station can be found. At the very least, it must contain the domain components of the server’s domain, e.g. DC=domain, DC=net

Attr Email

The specific attribute in the LDAP directory to store user’s email address, the value of which populates the Niagara user’s Email property. The Active Directory default value is: email

Attr Full Name

The specific attribute in the LDAP directory to store user’s full name, the value of which populates the Niagara user’s Full Name property. The Active Directory default value is: name

Attr Language

The specific attribute in the LDAP directory to store user’s language, the value of which populates the Niagara user’s Language property. There is no default value (is blank).

Attr Cell Phone Number

The specific attribute in the LDAP directory to store user’s cell phone number, the value of which populates the Niagara user’s Cell Phone Number property. The default value is: mobile

Attr Prototype

The specific attribute in the LDAP directory to use for mapping a User Prototype (under the user service’s UserPrototypes container) to users. The Active Directory default value is: memberOf

This mechanism uses an “attribute value”-to-“component name” matching method of selection, where if no “name-matching” User Prototype is found, the frozen DefaultPrototype is used (when making the User component for the LDAP user, upon initial station login).

For related details, see Configure User Prototypes.

Cache Expiration

Specifies how long a user’s password is effective in the station, before being set to expired. Set to some differential time in the future, this is used in case the LDAP server is unavailable, so that users can still login with active credentials. Note if using Kerberos authentication, this feature is still applicable even though the station never receives user passwords. Instead, the station verifies the corresponding Kerberos user ticket and uses the cached user.

Bind Format

(ActiveDirectoryConfig under LdapV3ADUserService only) If not using Kerberos, but instead the SimpleAuthenticator, it may be necessary to specify the exact format of the login name to send to the LDAP server. This can differ according to the LDAP server, and may be required more often when the “Authentication Choice” in the SimpleAuthenticator is DIGEST MD5. In some cases, just the user base and login name may be sufficient to find a user in the LDAP directory.

Bind Format processes “BFormat” (Baja Format) syntax, with a default value of %userName%.

This default value may handle most cases, especially with an ActiveDirectory. However, if in the SimpleAuthenticator you choose DIGEST MD5 for authentication, this may need to be changed. For example, in one Active Directory (AD) 2000, a change was necessary to: username@domain.com

In another (non-Active Directory) example using an OpenLDAP server, this property under the LdapConfig container of an LdapV3UserService (using SimpleAuthenticator and DIGEST MD5) required being set to: %userLoginAttr%=%userName%,%userBase%

For server-specific details, consult with the onsite LDAP administrator for assistance if this property value needs to be changed.

authenticator

Container for properties that define how the station authenticates with the AD server, with choices being either the default KerberosAuthenticator or a SimpleAuthenticator. See Configure the LDAP authenticator (LdapV3 only).

Add and configure the LDAP user service

Configure User Prototypes

Configuring the ActiveDirectoryConfig component