Lightweight Directory Access Protocol (LDAP)
Redwood Server can use an LDAP directory for authentication.
The following directories are supported:
- Microsoft Active Directory
- OpenLDAP
- Oracle Internet Directory
- IBM Tivoli Directory Server
- Novell eDirectory
- ApacheDS
The LDAP server type and connection details for the central Redwood Server are configured using the administration server. The administration server has default profiles for the different supported LDAP systems. If your LDAP server flavor is not in the above list, please contact Redwood Support Services as various solutions are available.
Login process
When the user enters their username and password, the following steps determine whether they are allowed access and which roles they have:
1. The username is converted to an LDAP Distinguished Name, either by simple string substitution or by an LDAP search (recommended).
2. The distinguished name and password are used to open a connection to the LDAP server. If this succeeds, the password is considered correct. If not, the connection error is returned as an error message that is shown in the login dialog.
3. A list of roles/groups is retrieved. A check is performed to ensure that the user has at least the equivalent of a scheduler-user or redwood-login role. If not, they are not allowed access to Redwood Server.
4. If the provided credentials were valid (regardless of which roles the user has) and the user does not exist in the database, it is created in the database.
5. The user's roles are synchronized between LDAP and the database.
All searches are performed as the username and password specified in the LDAP configuration. The only time that this username and password are not used is when verifying the distinguished name and password of the user logging in, at step 2.
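The following is an added worked model of the login sequence above; it is example code, not Redwood Server's own implementation. The LDAP server is replaced by a constructed in-memory directory so the example runs offline, and the attribute names (uid, memberOf), the DN layout, the service account and the DN template are assumptions chosen for illustration. It shows the two step-1 variants (search versus string substitution), the user's own credentials being used only for the step-2 bind, the role check, and the database create/sync steps. It also escapes the username before building the search filter, which is the check a deployment should want at step 1 so that a login name cannot change the meaning of the filter.

```python
import re
from dataclasses import dataclass, field

# Constructed in-memory stand-in for the LDAP directory (example data, not a real server).
DIRECTORY = {
    "cn=svc-redwood,ou=service,dc=example,dc=com": {
        "password": "svc-secret", "uid": "svc-redwood", "memberOf": []},
    "cn=Alice Smith,ou=people,dc=example,dc=com": {
        "password": "alice-pw", "uid": "alice",
        "memberOf": ["cn=scheduler-user,ou=groups,dc=example,dc=com",
                     "cn=operators,ou=groups,dc=example,dc=com"]},
    "cn=Bob Jones,ou=people,dc=example,dc=com": {
        "password": "bob-pw", "uid": "bob", "memberOf": []},
}

# Assumed configuration values; the page names no concrete settings.
SERVICE_DN = "cn=svc-redwood,ou=service,dc=example,dc=com"   # account used for all searches
SERVICE_PASSWORD = "svc-secret"
DN_TEMPLATE = "cn={username},ou=people,dc=example,dc=com"     # simple-substitution variant
REQUIRED_ROLES = {"scheduler-user", "redwood-login"}          # at least one is required


class LdapError(Exception):
    """Bind or search failure; its text is what the login dialog would display."""


def bind(dn, password):
    """Open a connection as `dn`; succeeds only if the entry exists and the password matches."""
    entry = DIRECTORY.get(dn)
    if entry is None or entry["password"] != password:
        raise LdapError("Invalid credentials for %s" % dn)
    return entry


def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot alter the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(filt):
    """Minimal equality/presence filter evaluator standing in for an LDAP search."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise LdapError("Unsupported filter: %s" % filt)
    attr, raw = m.groups()
    if raw == "*":  # an unescaped '*' is a presence filter and matches every entry
        return [dn for dn, e in DIRECTORY.items() if attr in e]
    return [dn for dn, e in DIRECTORY.items() if e.get(attr) == _unescape(raw)]


def username_to_dn(username, use_search=True):
    """Step 1: map the login name to a DN by search (recommended) or by substitution."""
    if not use_search:
        return DN_TEMPLATE.format(username=username)
    bind(SERVICE_DN, SERVICE_PASSWORD)  # searches run as the configured account
    hits = search("(uid=%s)" % escape_filter_value(username))
    if len(hits) != 1:  # zero or several matches: refuse rather than guess
        raise LdapError("Expected one entry for %r, found %d" % (username, len(hits)))
    return hits[0]


@dataclass
class Database:
    users: dict = field(default_factory=dict)  # username -> set of role names


def ldap_login(db, username, password, use_search=True):
    """Run the five login steps; returns the user's roles or raises on failure."""
    dn = username_to_dn(username, use_search)
    bind(dn, password)  # step 2: the only operation done with the user's own credentials
    bind(SERVICE_DN, SERVICE_PASSWORD)  # everything else runs as the configured account
    groups = DIRECTORY[dn]["memberOf"]  # step 3: group DNs -> role names (first RDN value)
    roles = {g.split(",")[0].split("=", 1)[1] for g in groups}
    db.users.setdefault(username, set())  # step 4: created even if the role check fails
    db.users[username] = set(roles)       # step 5: database roles mirror LDAP
    if not roles & REQUIRED_ROLES:        # step 3 outcome: deny access
        raise PermissionError("%s has none of %s" % (username, sorted(REQUIRED_ROLES)))
    return roles


if __name__ == "__main__":
    db = Database()
    print(ldap_login(db, "alice", "alice-pw"))
```

A username of `*` is a useful probe for the step-1 search: with escaping, the filter carries the literal character and matches nothing, so the login fails cleanly; without escaping it would become a presence filter and match every entry, which is why the example insists on exactly one hit.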
See Also
- External Security Systems
- Configuring Redwood Server for LDAP Authentication
- Configuring LDAP
- Database Authentication