Configuring LDAP Authentication for an Existing Self Serve User Category

What is LDAP?

LDAP (Lightweight Directory Access Protocol) was developed as a system for distributing information such as a list of users. Initially developed at the University of Michigan, USA, LDAP is now an internet standard for directory services that run over TCP/IP.

Open the Callista form SSFF1700 (Maintain Self Serve User Category). Query the Self Serve User Category you want to add LDAPBASIC to.

Click on the Self Serve Mapping Method button. Select LDAPBASIC in the System User Mapping Type. Save.

Click on the Authentication Method button. Go to Self Serve Authentication Method (second block). Select LDAPBASIC from the System Authentication Type.

Go to Self Serve Authentication Configuration (third block). Add items for LDAPBASIC.

Note: The SERVER and BASEDN configuration items are both compulsory. The SERVERPORT will default to the LDAP server port of 389. The 'SERVER' is the IP address or hostname of the machine that has the LDAP server. The 'BASEDN' represents the Base Distinguished Name of the LDAP directory, where the authentication records are located. For example: o=Callista Software Services, c=AU.

To configure authenticated LDAP (as opposed to anonymous LDAP), include the CN=$USERID attribute in the BASEDN configuration item in SSFF1700; $USERID is replaced with the userid being authenticated.

How Do We Get the PERSON_ID Mapping for the Userid Authenticated Against LDAPBASIC?

There are two Person ID Mapping Methods; use one or the other.

  1. The Callista PERSON_ID is contained in an attribute of the LDAP directory entry found for the LDAP UID.

     To enable this method, the PERSONATTR item needs to be set in the Self Serve Authentication Configuration form to the name of the attribute in the LDAP directory entry for the USERID. This attribute name is usually case-insensitive.

     If there is no PERSONATTR element in the table for the authentication instance being validated, then an attempt will be made to use method 2 (explained next).

  2. There is an alternate_person_id entry in Callista mapping to the LDAP UID.

Alternate Person IDs need to be set up to map to LDAP USERIDs. The setup of an Alternate Person ID (S_PERSON_ID_TYPE: USERNAME) is explained in the next section.

Alternate Person ID Setup

  1. Insert a System Person ID Type of USERNAME into the database, so that an LDAP Person ID Type can be configured in the Callista forms:

     Insert into s_person_id_type(s_person_id_type, description)
     Values('USERNAME','AUTHENTICATION ALTERNATE ID')

  2. Run ENRF01B0 (Maintain Person ID Type) to add an LDAP Person ID Type, with a System Person ID Type of USERNAME.

  3. Go to ADMF1213 (Maintain Person Details form), and select the Alternate ID button to navigate to ENRF3010 (Maintain Alternate Person Identifier) to add LDAP to the Alternate Person ID (lower block).

  4. Configure an LDAP to Alternate Person ID mapping (refer to SSFF1700 Self Serve Mapping).

Note: Be aware that, owing to a constraint on the Alternate Person ID table, any Alternate Person ID that is not numeric must be entered in UPPERCASE. Because the SSFK_VAL_SECURE.ssfp_get_map_pe function does a CHK_COL_UPPER check to decide whether the USERID should be uppercased before attempting the person_id mapping, this should not be a problem, unless you intend to support case-sensitive userids. LDAP does support case-sensitive USERIDs.
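The pieces described above (the compulsory SERVER/BASEDN items with the 389 default, the CN=$USERID substitution for authenticated LDAP, PERSONATTR lookup with the fall-back to the USERNAME alternate person ID, and the UPPERCASE rule from this note) as one added, stand-alone Python example; this is not Callista code, the function names, the directory entry and the alternate ID table are constructed for illustration, and the RFC 4514 escaping of the substituted userid is an extra safeguard the page does not mention.

```python
import string

# Constructed LDAPBASIC item names follow SSFF1700 (SERVER, SERVERPORT, BASEDN, PERSONATTR);
# every value used with these functions below is made up for the example.
def load_ldap_config(items):
    for key in ("SERVER", "BASEDN"):          # both compulsory
        if not items.get(key):
            raise ValueError(f"LDAPBASIC configuration item {key} is compulsory")
    return {"SERVER": items["SERVER"],
            "SERVERPORT": int(items.get("SERVERPORT", 389)),   # defaults to 389
            "BASEDN": items["BASEDN"],
            "PERSONATTR": items.get("PERSONATTR")}

def escape_dn_value(value):
    """RFC 4514 escaping for one attribute value, so a userid containing ',' or '+'
    cannot change the structure of the DN it is substituted into."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if value.startswith(("#", " ")):          # leading '#' and space must be escaped
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:  # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out

def bind_dn(config, userid):
    """Authenticated LDAP: BASEDN contains CN=$USERID, which is replaced by the userid.
    Anonymous LDAP: BASEDN has no $USERID, so None (no bind DN) is returned."""
    if "$USERID" not in config["BASEDN"]:
        return None
    return string.Template(config["BASEDN"]).safe_substitute(USERID=escape_dn_value(userid))

def map_person_id(config, userid, ldap_entry, alternate_ids):
    """Method 1: PERSONATTR names the entry attribute holding PERSON_ID (case-insensitive).
    Method 2 (fallback): Callista alternate person ID of type USERNAME keyed by userid."""
    attr = config.get("PERSONATTR")
    if attr:
        entry = {k.lower(): v for k, v in ldap_entry.items()}
        value = entry.get(attr.lower())
        if value:
            return int(value[0] if isinstance(value, list) else value)
    # Non-numeric alternate IDs are stored UPPERCASE (table constraint), so the key is
    # uppercased the way the CHK_COL_UPPER check described on the page does
    key = userid if userid.isdigit() else userid.upper()
    return alternate_ids.get(key)
```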

Last Modified on 27 January, 2004