LDAP/AD Authentication: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
(306160)
No edit summary
 
(36 intermediate revisions by 3 users not shown)
Line 1: Line 1:
QPR ProcessAnalyzer uses three methods for authenticating users:
== Overview ==
*The built-in authentication method in which the user is authenticated against the user id/password combination in QPR ProcessAnalyzer database.
*The LDAP (Lightweight Directory Access Protocol) authentication method in which the user is authenticated by validating the username against a corporate LDAP server.
*The combination of the built-in and the LDAP authentication method: if the LDAP method fails, the built-in method is used.


== Configuring the Authentication Settings ==
Lightweight Directory Access Protocol/Active Directory (LDAP) is a method where users are authenticated by validating the username against an external LDAP/AD server. Note that user accounts with corresponding names need to be created to the QPR ProcessAnalyzer database before user can login (using the [[Manage_Users_and_Groups|Manage Users]] dialog). Also the combination of the built-in and the LDAP authentication can be used. It works in a way that if the LDAP method fails, the built-in method is used.


The authentication method options can be configured in the PA_CONFIGURATION table in the QPR ProcessAnalyzer database. The options relevant for authentication are listed in the following table:
== Configuring Authentication Settings ==
<!-- Begin nested table -->
Authentication related settings are configured in the [[PA_Configuration_database_table|PA_CONFIGURATION]] table in the QPR ProcessAnalyzer database. The settings are as follows:
{|
|
{| class="wikitable" style="text-align: left"
{| class="wikitable" style="text-align: left"
!Name !!Description!!Value
!Name
!Description
|-
|-
|AuthenticationMethod ||Indicates which authentication method is used.
|AuthenticationMethod ||Indicates which authentication method is used. Options:
||
*'''1''': Users are authenticated using the passwords in QPR ProcessAnalyzer database (Built-in authentication). Default value.
*1 (the default value) = The user is authenticated against the passwords in QPR ProcessAnalyzer database.<br>
*'''2''': Users are authenticated using the LDAP method by validating the username against the LDAP server.
*2 = The user is authenticated using the LDAP method by validating the username against a corporate LDAP server.<br>
*'''3''': Users are authenticated using both methods: if LDAP authentication fails, then logging in will be done using the built-in authentication method.
*3 = The user is authenticated using both methods: if LDAP authentication fails, then logging in will be done using the built-in authentication method.<br>
If the value has not been defined (or if you try to define any other value than 1, 2, or 3), the login will fail and an error message is given.
|-
|-
|LDAPConnectionString
|LDAPConnectionString
||The IP address for establishing the connection to the LDAP server. || "xx.x.xx.xxx"
||The IP address for establishing the connection to the LDAP server. Append ''':3268''' to the end of the address if you want to use Global Catalog by default. Format: '''xx.x.xx.xxx'''
 
|-
|-
|LDAPUserFilter
|LDAPUserFilter
||This string is used by the LDAP library to locate and search the user from corporate LDAP server.
||Additional LDAP filter expression for the query to find the user. For example '''(&(objectclass=person))'''. Note that some special characters in literals of the filter expression need to be escaped (more information: https://ldapwiki.com/wiki/DN%20Escape%20Values).
|| For example, "(&(objectclass=person))"
 
|-
|-
|LDAPUserSearchBase
|LDAPUserSearchBase
||The distinguished name of the object at which to start the search.|| For example,  "dc=local"
||Distinguished name of the object at which to start the search. For example '''dc=local'''. Note that some special characters in the distinguished names need to be escaped (more information: https://ldapwiki.com/wiki/DN%20Escape%20Values).
 
|-
|-
|LDAPUserIdAttributeName
|LDAPUserIdAttributeName
||The user id attribute name. || For example, "sAMAccountName" or "uid"
||User id attribute name. For example '''sAMAccountName''' or '''uid'''.
 
|-
|-
|LDAPServerUserName
|LDAPServerUserName
|| LDAP server credentials: the distinguished name of the user.
||Distinguished name of the user to login to the AD/LDAP server.
||<username>
 
|-
|-
|LDAPServerPassword
|LDAPServerPassword
|| LDAP server credentials: the password of the user.
||Password of the user to login to the AD/LDAP server.
|| <password>
 
|}
|}
|} <!-- End nested table -->


All values except for AuthenticationMethod are empty by default.
== Creating Users for LDAP Authentication==
The LDAP authentication can be used in QPR ProcessAnalyzer Server (Pro).


The authentication method that is currently used is shown in Session Information dialog.
1. Edit the LDAP authentication options of the '''PA_CONFIGURATION''' table in the QPR ProcessAnalyzer database, or run the following query to the QPR ProcessAnalyzer database:
<pre>
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='AuthenticationMethod';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPConnectionString';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPUserFilter';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPUserSearchBase';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPUserIdAttributeName';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPServerUserName';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPServerPassword';
</pre>
:Replace '''<value>''' in the script with your own specific LDAP settings. Note that you need to allow built-in authentication at this point, so define the value of '''AuthenticationMethod''' to be '''1'''. For more information on the values, see the table above.


== Creating a New LDAP User ==
2. Log in to QPR ProcessAnalyzer as a user that has '''All''' and '''Administrator''' rights.<br>
 
3. Create a new user account in the [[Manage_Users_and_Groups|Manage Users]] dialog. The username in QPR ProcessAnalyzer must match the LDAP username.<br>
The LDAP authentication method can be used in QPR ProcessAnalyzer Pro and QPR ProcessAnalyzer Database. However, the LDAP settings have no effect in QPR ProcessAnalyzer Xpress as it does not use named user authentication.
4. To allow users to authenticate using the LDAP method, change the value of '''AuthenticationMethod''' in '''PA_CONFIGURATION''' table to either '''2''' (to allow only LDAP authentication) or '''3''' (to allow also built-in authentication in case the LDAP authentication fails).
 
# Open the PA_CONFIGURATION table from QPR ProcessAnalyzer database and manually configure the LDAP options as described in the table above. Allow built-in authentication.
# Log in to QPR ProcessAnalyzer as a user that has "All" and "Administrator" rights.
# Create a new user account. If the user is meant to be a user authenticated using the LDAP method, then leave the password empty. The username in QPR ProcessAnalyzer must match the LDAP username.


Note that if the user (other than an Administrator) has successfully been authenticated using the LDAP method, this user is not able to change his or her own password in QPR ProcessAnalyzer.
Note that if the user (other than an Administrator) has successfully been authenticated using the LDAP method, this user is not able to change his or her own password in QPR ProcessAnalyzer.
<br>
{{About Version}}

Latest revision as of 15:08, 10 February 2024

Overview

Lightweight Directory Access Protocol/Active Directory (LDAP) is a method where users are authenticated by validating the username against an external LDAP/AD server. Note that user accounts with corresponding names need to be created to the QPR ProcessAnalyzer database before user can login (using the Manage Users dialog). Also the combination of the built-in and the LDAP authentication can be used. It works in a way that if the LDAP method fails, the built-in method is used.

Configuring Authentication Settings

Authentication related settings are configured in the PA_CONFIGURATION table in the QPR ProcessAnalyzer database. The settings are as follows:

Name Description
AuthenticationMethod Indicates which authentication method is used. Options:
  • 1: Users are authenticated using the passwords in QPR ProcessAnalyzer database (Built-in authentication). Default value.
  • 2: Users are authenticated using the LDAP method by validating the username against the LDAP server.
  • 3: Users are authenticated using both methods: if LDAP authentication fails, then logging in will be done using the built-in authentication method.
LDAPConnectionString The IP address for establishing the connection to the LDAP server. Append :3268 to the end of the address if you want to use Global Catalog by default. Format: xx.x.xx.xxx
LDAPUserFilter Additional LDAP filter expression for the query to find the user. For example (&(objectclass=person)). Note that some special characters in literals of the filter expression need to be escaped (more information: https://ldapwiki.com/wiki/DN%20Escape%20Values).
LDAPUserSearchBase Distinguished name of the object at which to start the search. For example dc=local. Note that some special characters in the distinguished names need to be escaped (more information: https://ldapwiki.com/wiki/DN%20Escape%20Values).
LDAPUserIdAttributeName User id attribute name. For example sAMAccountName or uid.
LDAPServerUserName Distinguished name of the user to login to the AD/LDAP server.
LDAPServerPassword Password of the user to login to the AD/LDAP server.

Creating Users for LDAP Authentication

The LDAP authentication can be used in QPR ProcessAnalyzer Server (Pro).

1. Edit the LDAP authentication options of the PA_CONFIGURATION table in the QPR ProcessAnalyzer database, or run the following query to the QPR ProcessAnalyzer database:

UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='AuthenticationMethod';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPConnectionString';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPUserFilter';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPUserSearchBase';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPUserIdAttributeName';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPServerUserName';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPServerPassword';
Replace <value> in the script with your own specific LDAP settings. Note that you need to allow built-in authentication at this point, so define the value of AuthenticationMethod to be 1. For more information on the values, see the table above.

2. Log in to QPR ProcessAnalyzer as a user that has All and Administrator rights.
3. Create a new user account in the Manage Users dialog. The username in QPR ProcessAnalyzer must match the LDAP username.
4. To allow users to authenticate using the LDAP method, change the value of AuthenticationMethod in PA_CONFIGURATION table to either 2 (to allow only LDAP authentication) or 3 (to allow also built-in authentication in case the LDAP authentication fails).

Note that if the user (other than an Administrator) has successfully been authenticated using the LDAP method, this user is not able to change his or her own password in QPR ProcessAnalyzer.