ldap-KerberosConfig

LDAP and Kerberos together make for a great combination. Kerberos manages credentials securely (authentication) while LDAP stores authoritative information about the accounts, such as what they are allowed to access (authorization), the user's full name and uid. You can add helpful things, such as an external email address or a room number in a structured way.

Figure 1. Kerberos Config properties


To access these properties, expand Config > Services > KerberosScheme and double-click Config.

Property / Value / Description

Property: Enable Connection Pooling
Value: true (default) or false
Description: Enables (true) and disables (false) the use of a connection pool. To speed processing, LDAP servers maintain a pool of connections. A request from the system that uses an existing connection saves valuable processing time, which improves system performance. Do not change the default (true = enabled) setting unless you know what you are doing.

Property: Connection URL
Value: ldap://your.domain.net or ldap://your.domain.net:nnn
Description: Identifies the URL (your.domain.net) for the LDAP server. Standard LDAP ports are 389, or 636 (if using SSL). If the server uses a non-standard port, include the port (your.domain.net:nnn) in the URL, for example, ldap://your.domain.net:999.

Property: SSL
Value: true or false
Description: Enables (true) and disables (false) secure communication. If set to true, make sure that SSL (3.8) or TLS (4.0) is enabled in the station's FoxService (for Workbench-to-station access) and WebService (for browser-to-station access). Note that TLS must be enabled in FoxService and WebService whether or not SSL is set to true here.

Property: User Login Attr
Value: text (for AD this value defaults to sAMAccountName)
Description: Identifies the specific attribute in the LDAP directory that stores the LDAP user login name. For AD servers, this is always sAMAccountName. For OpenLDAP servers, it would be uid.

Property: User Base
Value: domain components
Description: Identifies the sub-tree of the LDAP server in which users who can access this station are found. At the very least it must contain the domain components of the server's domain, for example: DC=domain, DC=net.

Property: Attr Email
Value: email address (AD defaults to: mail)
Description: Identifies the specific attribute in the LDAP directory that stores the user's LDAP email address. This value populates the Niagara user's Email property.

Property: Attr Full Name
Value: text (AD defaults to: name)
Description: Identifies the specific attribute in the LDAP directory that stores the user's full name. This value populates the Niagara user's Full Name property.

Property: Attr Language
Value: two-letter language code (AD defaults to blank)
Description: Identifies the specific attribute in the LDAP directory that stores the user's language. This value populates the Niagara user's Language property.

Property: Attr Cell Phone Number
Value: telephone number (AD defaults to: mobile)
Description: Identifies the attribute in the LDAP directory that stores the user's mobile phone number. This value populates the Niagara user's Cell Phone Number property.

Property: Attr Prototype
Value: text (AD defaults to: memberOf)
Description: Identifies the User Prototype with which the system populates a new user's local properties.

If this property is blank or the name does not match any user prototype, the system uses the Default Prototype to populate local user properties.

If a user belongs to multiple user groups (user prototypes), the top-to-bottom order of prototypes determines which prototype the system uses. If the value of a user prototype property changes, the system dynamically updates user properties accordingly.
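The selection rule just described (first match in the station's top-to-bottom prototype order, Default Prototype as the fallback) as an added Python example; this is illustration code, not Niagara's own implementation. It assumes that the attribute named by Attr Prototype yields group values such as memberOf DNs, and that a prototype matches when its name equals either the whole attribute value or the CN of that DN (both assumptions, labelled in the code):

```python
def rdn_cn(value):
    """Return the CN of an LDAP DN such as 'CN=Operators,OU=Groups,DC=example,DC=com',
    or the value unchanged when it is not a DN (assumption: group names are plain CNs)."""
    first = value.split(",", 1)[0].strip()
    if first.upper().startswith("CN="):
        return first[3:].strip()
    return value.strip()


def select_prototype(member_of, prototypes, default="Default Prototype"):
    """Pick the user prototype for a new LDAP/Kerberos user.

    member_of   -- values read from the Attr Prototype attribute (e.g. memberOf);
                   an empty list models a blank attribute.
    prototypes  -- user prototype names in the station's top-to-bottom order.
    Returns the first prototype (in station order) matched by any group value,
    else the Default Prototype. Matching on the CN is an assumption of this example.
    """
    groups = {rdn_cn(v) for v in member_of} | {v.strip() for v in member_of}
    for proto in prototypes:          # station order decides ties, not group order
        if proto in groups:
            return proto
    return default


# Constructed sample data (not from the page): an account in two mapped groups.
STATION_PROTOTYPES = ["Admins", "Operators", "Viewers"]
SAMPLE_MEMBER_OF = [
    "CN=Viewers,OU=Groups,DC=example,DC=com",
    "CN=Operators,OU=Groups,DC=example,DC=com",
    "CN=Printer Users,OU=Groups,DC=example,DC=com",   # no prototype of that name
]

if __name__ == "__main__":
    print(select_prototype(SAMPLE_MEMBER_OF, STATION_PROTOTYPES))   # Operators
    print(select_prototype([], STATION_PROTOTYPES))                 # Default Prototype
```

Because the user's groups are treated as a set and the station list is walked in order, a user who is in both Viewers and Operators gets Operators, the higher of the two in the station's list, regardless of the order in which the directory returns the memberOf values.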

Property: Cache Expiration
Value: date and time
Description: Defines a future date after which the system no longer stores a user's password in cache. When an LDAP server is unavailable a user can still log on with the cached credentials until this date and time.

This property applies to Kerberos authentication even though the station never receives the user's password. Instead, the station verifies the corresponding Kerberos user ticket against the cached user information.

Property: Connection Timeout
Value: time
Description: Determines the length of time the station attempts to connect to the LDAP server before the connection fails.

The station will not fail over to the next LDAP server until the first connection attempt has been unresponsive for the amount of time specified in the connection timeout. This time should not be so short that it causes false connection failures, but not so long that it causes excessive delays when a server is down.

Property: Realm
Value: UPPERCASE letters, for example: EXAMPLE.COM
Description: Identifies the system on which the LDAP server resides. You get this information from your Kerberos administrator.

Property: Key Distribution Center
Value: text, for example: kd.example.com
Description: Specifies the name of the Kerberos Key Distribution Center that the system contacts to get a ticket, which, like a key, is used to authenticate the user to the Niagara system. You get this information from your Kerberos administrator.

Property: Station Kerberos Name
Value: text
Description: As part of securely delegating Kerberos tickets, this property represents the station as a user in the Kerberos database. If logging in only via Workbench, this user can be any user or service in the Kerberos directory.

However, if the user logs in via a browser, the user must be a service in the form HTTP/serviceName.domain.com, where serviceName.domain.com is how the station is to be accessed in the browser (for example, http://stationkerb1.mydomain.com).

The service name for the station Kerberos name typically omits a bit of the normal http URL syntax, for example: http/stationkerb1.mydomain.net instead of http://stationkerb1.mydomain.net. You may need to ask the Kerberos administrator to create the service for you in the Kerberos database.

Note: Kerberos is very particular about names. You must enter the station name in the "Station Kerberos Name" property exactly as it appears in the Kerberos database. Upper/lowercase can sometimes be an issue, so make sure you have an exact match.

Property: Station Kerberos Password
Value: text (defaults to blank)
Description: Specifies the password for the Kerberos station user identified by the Station Kerberos Name property. If you are using a keytab file, you can leave this property blank.

Property: Key Tab File
Value: file name
Description: Defines the keytab file that contains a key table.

Kerberos services usually do not use a password to authenticate. Instead, they use a file. To authenticate from a web browser you must specify an associated service in the Station Kerberos Name property and reference a keytab file supplied by the Kerberos administrator.

You must copy that keytab file to this secure location on the Niagara 4 platform: protected_station_home/ldap. You need to create the ldap directory manually. For the Key Tab File property, select the keytab file from the drop-down. Again, if you are using a keytab, you can leave the Station Kerberos Password property blank (default).
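The checks that the property descriptions above imply (URL scheme and port, uppercase realm, domain components in User Base, a service principal rather than a URL in Station Kerberos Name, and a password or keytab with the keytab required for browser login) gathered into one pre-flight validator, as an added Python example. It is not Niagara code and does not talk to the station; it assumes the directory's domain components correspond to the Kerberos realm (EXAMPLE.COM -> DC=example,DC=com), and the browser_login flag is a hypothetical input of the example, not a station property:

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Standard LDAP ports named on the page: 389 for plain LDAP, 636 for LDAP over SSL.
STANDARD_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class KerberosSchemeConfig:
    """Subset of the KerberosScheme Config properties (field names follow the page)."""
    connection_url: str
    ssl: bool
    user_base: str
    realm: str
    key_distribution_center: str
    station_kerberos_name: str
    station_kerberos_password: str = ""
    key_tab_file: str = ""
    browser_login: bool = False   # hypothetical: do users sign in from a browser?


def parse_connection_url(url):
    """Return (host, port, uses_ldaps); the port defaults by scheme when omitted."""
    parts = urlsplit(url.strip())
    if parts.scheme not in STANDARD_PORTS or not parts.hostname:
        raise ValueError("expected ldap://host[:port] or ldaps://host[:port]")
    port = parts.port            # raises ValueError when the port is not an integer
    if port is None:
        port = STANDARD_PORTS[parts.scheme]
    return parts.hostname, port, parts.scheme == "ldaps"


def realm_to_dc(realm):
    """EXAMPLE.COM -> ['DC=EXAMPLE', 'DC=COM'] (assumption: realm mirrors the directory domain)."""
    return [f"DC={label}" for label in realm.upper().split(".") if label]


def validate(cfg):
    """Return a list of (property, problem) pairs; an empty list means every check passed."""
    findings = []

    # Connection URL: scheme, host and port must parse. A trailing all-digit host
    # label is the "host.999" slip where "host:999" was intended.
    try:
        host, port, ldaps = parse_connection_url(cfg.connection_url)
    except ValueError as exc:
        findings.append(("Connection URL", f"unparseable: {exc}"))
    else:
        if host.rsplit(".", 1)[-1].isdigit():
            findings.append(("Connection URL", "write the port after ':' (host:999), not after '.'"))
        if cfg.ssl != (ldaps or port == 636):
            findings.append(("SSL", f"SSL={cfg.ssl} but the URL uses port {port}"))

    # Realm: Kerberos realms are written in UPPERCASE.
    if not cfg.realm or cfg.realm != cfg.realm.upper():
        findings.append(("Realm", "must be non-empty and UPPERCASE, e.g. EXAMPLE.COM"))

    # User Base: must contain at least the domain components (compared case-insensitively).
    rdns = {rdn.strip().upper() for rdn in cfg.user_base.split(",") if rdn.strip()}
    missing = [dc for dc in realm_to_dc(cfg.realm) if dc not in rdns]
    if missing:
        findings.append(("User Base", f"missing domain components {missing} (check for CD= typed instead of DC=)"))

    if not cfg.key_distribution_center.strip():
        findings.append(("Key Distribution Center", "must name the KDC host"))

    # Station Kerberos Name: a principal (service/host), never a URL; for browser login
    # the HTTP service for the host the browser uses. Whitespace and case must match exactly.
    name = cfg.station_kerberos_name
    if name != name.strip():
        findings.append(("Station Kerberos Name", "leading/trailing whitespace breaks the exact match"))
    if "://" in name:
        findings.append(("Station Kerberos Name", "use service/host (HTTP/host.domain), not a URL"))
    elif cfg.browser_login and not re.fullmatch(r"(?i:http)/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(@[A-Z0-9.-]+)?", name):
        findings.append(("Station Kerberos Name", "browser login needs an HTTP/host.domain service principal"))

    # Credentials: a password or a keytab; browser login requires the keytab.
    if not cfg.key_tab_file and not cfg.station_kerberos_password:
        findings.append(("Key Tab File", "set Key Tab File or Station Kerberos Password"))
    if cfg.browser_login and not cfg.key_tab_file:
        findings.append(("Key Tab File", "browser login requires a keytab file"))
    return findings


# Constructed sample configurations (not from the page).
GOOD = KerberosSchemeConfig("ldaps://ldap.example.com", True, "OU=Staff,DC=example,DC=com",
                            "EXAMPLE.COM", "kdc.example.com", "HTTP/stationkerb1.example.com",
                            key_tab_file="station.keytab", browser_login=True)
BAD = KerberosSchemeConfig("ldap://your.domain.net.999", False, "DC=domain,CD=net",
                           "example.com", "", "http://stationkerb1.mydomain.net", browser_login=True)

if __name__ == "__main__":
    for prop, problem in validate(BAD):
        print(f"{prop}: {problem}")
```

Run against BAD, the validator reports the two slips most often seen in this table (a port written with a dot and CD= instead of DC=) alongside the lowercase realm, the empty KDC, the URL pasted into Station Kerberos Name, and the missing keytab; GOOD produces no findings.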