The ldap module’s palette in AX-3.8 includes four different user services and two “authenticators”, as shown in Figure 20 with all items expanded. This differs from the palette in AX-3.7 and earlier releases.
The top two user services (ActiveDirectoryUserService and LdapUserService) are the same components provided in AX-3.7 and earlier releases, and support LDAPv2 only. In AX-3.8, the lower two user services (LdapV3UserService and LdapV3ADUserService) and authenticators are new, and apply to systems using LDAPv3—either with or without Kerberos authentication.
Both the LdapV3UserService and LdapV3ADUserService are also backwards-compatible with an LdapV2 system. Each of these components is briefly described as follows:
Any of these user services is intended to replace a station’s standard UserService component. Note that either LdapV3 user service is a licensed feature, and Kerberos authentication (if used) is also a licensed feature.
ActiveDirectoryUserService
(and children) The NiagaraAX station user service to support a Windows Active Directory (AD) service that uses LDAP version 2 (LDAPv2). The child ActiveDirectoryConfig component holds all properties needed to configure connection to the AD domain controller. For reference details, see ActiveDirectoryUserService.
LdapUserService
(and children) The NiagaraAX station user service to support an LDAP version 2-based LDAP server. The child LdapConfig component holds all properties needed to configure connection and authentication to the LDAP server. For reference details, see LdapUserService.
LdapV3UserService
(and children) The NiagaraAX station user service to support an LDAP version 3-based LDAP server (as well as an LDAP version 2-based server). The child LdapConfig component holds all properties needed to configure connection to the LDAP server, including an “authenticator” container for properties used to authenticate to it.
By default, the Kerberos authenticator is used, which applies to LDAPv3 systems configured for Kerberos authentication. If needed, after copying this user service into the station, you can replace the default authenticator with the “SimpleAuthenticator” copied from the ldap palette. For reference details, see LdapV3UserService.
LdapV3ADUserService
(and children) The NiagaraAX station user service to support a Windows Active Directory (AD) service that uses LDAP version 3 (LDAPv3), as well as one using LDAPv2. The child ActiveDirectoryConfig component holds all properties needed to configure connection to the AD domain controller, including an “authenticator” container for properties used to authenticate to that AD domain controller.
By default, the Kerberos authenticator is used, which applies to LDAPv3 systems configured for Kerberos authentication. If needed, after copying this user service into the station, you can replace the default authenticator with the “SimpleAuthenticator” copied from the ldap palette. For reference details, see LdapV3ADUserService.
Authenticators
(Apply to LdapV3UserService and LdapV3ADUserService only) Separately available authentication containers for these two user services. The KerberosAuthenticator is used as the default “authenticator”.
SimpleAuthenticator
Use this to replace the standard (Kerberos) “authenticator” in either LdapV3 user service if the system is not configured for Kerberos, or if the station is on a JACE-2/4/5 series platform, or it is for an LDAPv2 system. Properties for a connection user and password are used, and authentication mechanism choices are none, simple, CRAM-MD5, and DIGEST-MD5. For quick start details, see Configuring the SimpleAuthenticator component.
KerberosAuthenticator
Identical to the default “authenticator” in either LdapV3 user service as copied from the palette. Properties include the Kerberos realm name, key distribution center URL, station (service) name previously defined, and path to locally-stored keytab file or password for the service. Kerberos is a “ticket” based client-server “mutual authentication” method using symmetric key cryptography. NiagaraAX station host configuration is more involved, and system users must also configure PCs (Workbench and/or client web browsers) with Kerberos-specific settings. For quick start details, see Configuring the Kerberos Authenticator component.
Kerberos is not supported on a “J9 Java VM” (JACE-2/4/5) series platform. On a station running on such a platform, use the SimpleAuthenticator in place of the KerberosAuthenticator for either LdapV3 user service.
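The mechanism choices listed for the SimpleAuthenticator (none, simple, CRAM-MD5, DIGEST-MD5) are standard LDAP bind/SASL mechanisms. The following added Python example is not Tridium code and assumes nothing about the component’s internals: it works through what CRAM-MD5 (RFC 2195) puts on the wire, using the RFC’s own test vector, and shows why a captured response cannot be replayed against a fresh challenge; a simple bind, by contrast, carries the connection password itself, so it needs TLS to the LDAP server.

```python
import hmac
import hashlib

# Added illustration of the CRAM-MD5 mechanism (RFC 2195), not NiagaraAX code.
# Test vector taken from RFC 2195 section 2.


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: answer the server's one-time challenge with
    HMAC-MD5(key=password, msg=challenge) in lowercase hex.
    Only the keyed digest crosses the network, never the password."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(stored_password: str, challenge: str, response: str) -> bool:
    """Server side: recompute the digest from its own copy of the password
    for the challenge it issued and compare in constant time.
    Caveat: the server must hold the password in recoverable form, and
    HMAC-MD5 is a legacy choice, so Kerberos or TLS remains preferable."""
    username, _, _received = response.partition(" ")
    expected = cram_md5_response(username, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def replay_rejected(stored_password: str, old_challenge: str, new_challenge: str,
                    captured_response: str) -> bool:
    """Returns True when a response captured for old_challenge is refused
    for new_challenge, i.e. when the challenge actually changed."""
    assert cram_md5_verify(stored_password, old_challenge, captured_response)
    return not cram_md5_verify(stored_password, new_challenge, captured_response)
```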
All the different user services in the ldap module have the same default view: Ldap User Manager. This view is virtually identical to the User Manager view for the standard (baja) UserService, and functions in the same way for all local users. See Ldap User Manager view difference.
Copyright © 2000-2014 Tridium Inc. All rights reserved.