LDAP/AD Authentication: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
QPR ProcessAnalyzer uses these methods for authenticating users:
QPR ProcessAnalyzer has the following methods for authenticating users:
*The built-in authentication method in which the user is authenticated against the user id/password combination in QPR ProcessAnalyzer database.
* '''Built-in authentication''' in which users are authenticated using the username and password in stored in the QPR ProcessAnalyzer database (using the [[Manage Users in QPR ProcessAnalyzer Excel Client|Manage Users]] dialog).
*The LDAP (Lightweight Directory Access Protocol) authentication method in which the user is authenticated by validating the username against a corporate LDAP server.
* '''LDAP/AD authentication''' (Lightweight Directory Access Protocol/Active Directory) in which users are authenticated by validating the username against a corporate LDAP or AD server. Note that corresponding users need to be created to the QPR PRocessAnalyzer database before user can login (using the [[Manage Users in QPR ProcessAnalyzer Excel Client|Manage Users]] dialog).
*The combination of the built-in and the LDAP authentication method: if the LDAP method fails, the built-in method is used.  
* Combination of the built-in and the LDAP authentication, in which, if the LDAP method fails, the built-in method is used.  


In addition, it is possible to use [[Common QPR Authentication|common QPR authentication]] between different QPR product web clients.
In addition, it is possible to use [[Common QPR Authentication|common QPR authentication]] between different QPR product web clients.


== Configuring the Authentication Settings ==
== Configuring Authentication Settings ==
 
The authentication method options can be configured in the PA_CONFIGURATION table in the QPR ProcessAnalyzer database. The options relevant for authentication are listed in the following table:
The authentication method options can be configured in the PA_CONFIGURATION table in the QPR ProcessAnalyzer database. The options relevant for authentication are listed in the following table:
<!-- Begin nested table -->
<!-- Begin nested table -->
Line 16: Line 15:
|-
|-
|AuthenticationMethod ||Indicates which authentication method is used.
|AuthenticationMethod ||Indicates which authentication method is used.
||
||
*1 (the default value) = The user is authenticated against the passwords in QPR ProcessAnalyzer database.<br>
*1 (the default value) = The user is authenticated against the passwords in QPR ProcessAnalyzer database.<br>
*2 = The user is authenticated using the LDAP method by validating the username against a corporate LDAP server.<br>
*2 = The user is authenticated using the LDAP method by validating the username against a corporate LDAP server.<br>
Line 23: Line 22:
|-
|-
|LDAPConnectionString
|LDAPConnectionString
||The IP address for establishing the connection to the LDAP server. Append ":3268" to the end of the address if you want to use Global Catalog by default. || "xx.x.xx.xxx"
||The IP address for establishing the connection to the LDAP server. Append ''':3268''' to the end of the address if you want to use Global Catalog by default. ||'''xx.x.xx.xxx'''
 
|-
|-
|LDAPUserFilter
|LDAPUserFilter
||This string is used by the LDAP library to locate and search the user from corporate LDAP server.
||This string is used by the LDAP library to locate and search the user from corporate LDAP server.
|| For example, "(&(objectclass=person))"
|| For example '''(&(objectclass=person))'''
 
|-
|-
|LDAPUserSearchBase
|LDAPUserSearchBase
||The distinguished name of the object at which to start the search.|| For example,  "dc=local"
||The distinguished name of the object at which to start the search.|| For example,  '''dc=local'''
 
|-
|-
|LDAPUserIdAttributeName
|LDAPUserIdAttributeName
||The user id attribute name. || For example, "sAMAccountName" or "uid"
||The user id attribute name. || For example, '''sAMAccountName''' or '''uid'''
 
|-
|-
|LDAPServerUserName
|LDAPServerUserName
|| LDAP server credentials: the distinguished name of the user.
|| LDAP server credentials: the distinguished name of the user.
||<username>
||<username>
 
|-
|-
|LDAPServerPassword
|LDAPServerPassword
|| LDAP server credentials: the password of the user.
|| LDAP server credentials: the password of the user.
|| <password>
|| <password>


|}
|}
Line 59: Line 53:
The LDAP authentication method can be used in QPR ProcessAnalyzer Pro and QPR ProcessAnalyzer Database. However, the LDAP settings have no effect in QPR ProcessAnalyzer Xpress as it does not use named user authentication.
The LDAP authentication method can be used in QPR ProcessAnalyzer Pro and QPR ProcessAnalyzer Database. However, the LDAP settings have no effect in QPR ProcessAnalyzer Xpress as it does not use named user authentication.


1. Edit the LDAP authentication options of the PA_CONFIGURATION table in the QPR ProcessAnalyzer database, or run the following query to the QPR ProcessAnalyzer database:<br>
1. Edit the LDAP authentication options of the '''PA_CONFIGURATION''' table in the QPR ProcessAnalyzer database, or run the following query to the QPR ProcessAnalyzer database:
 
<pre>
<pre>
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='AuthenticationMethod';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='AuthenticationMethod';
Line 69: Line 64:
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPServerPassword';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPServerPassword';
</pre>
</pre>
:Replace '<value>' in the script with your own specific LDAP settings. Note that you need to allow built-in authentication at this point, so define the value of 'AuthenticationMethod' to be '1'. For more information on the values, see the table above.
:Replace '''<value>''' in the script with your own specific LDAP settings. Note that you need to allow built-in authentication at this point, so define the value of '''AuthenticationMethod''' to be '''1'''. For more information on the values, see the table above.
2. Log in to QPR ProcessAnalyzer as a user that has "All" and "Administrator" rights.<br>
2. Log in to QPR ProcessAnalyzer as a user that has '''All''' and '''Administrator''' rights.<br>
3. Create a new user account in the [[Manage Users|Manage Users dialog]]. The username in QPR ProcessAnalyzer must match the LDAP username.<br>
3. Create a new user account in the [[Manage Users in QPR ProcessAnalyzer Excel Client|Manage Users]] dialog. The username in QPR ProcessAnalyzer must match the LDAP username.<br>
4. To allow users to authenticate using the LDAP method, change the value of 'AuthenticationMethod' in PA_CONFIGURATION table to either '2' (to allow only LDAP authentication) or '3' (to allow also built-in authentication in case the LDAP authentication fails).
4. To allow users to authenticate using the LDAP method, change the value of 'AuthenticationMethod' in PA_CONFIGURATION table to either '2' (to allow only LDAP authentication) or '3' (to allow also built-in authentication in case the LDAP authentication fails).


Note that if the user (other than an Administrator) has successfully been authenticated using the LDAP method, this user is not able to change his or her own password in QPR ProcessAnalyzer.
Note that if the user (other than an Administrator) has successfully been authenticated using the LDAP method, this user is not able to change his or her own password in QPR ProcessAnalyzer.
{{About Version}}

Revision as of 22:39, 3 February 2018

QPR ProcessAnalyzer has the following methods for authenticating users:

  • Built-in authentication in which users are authenticated using the username and password in stored in the QPR ProcessAnalyzer database (using the Manage Users dialog).
  • LDAP/AD authentication (Lightweight Directory Access Protocol/Active Directory) in which users are authenticated by validating the username against a corporate LDAP or AD server. Note that corresponding users need to be created to the QPR PRocessAnalyzer database before user can login (using the Manage Users dialog).
  • Combination of the built-in and the LDAP authentication, in which, if the LDAP method fails, the built-in method is used.

In addition, it is possible to use common QPR authentication between different QPR product web clients.

Configuring Authentication Settings

The authentication method options can be configured in the PA_CONFIGURATION table in the QPR ProcessAnalyzer database. The options relevant for authentication are listed in the following table:

Name Description Value
AuthenticationMethod Indicates which authentication method is used.
  • 1 (the default value) = The user is authenticated against the passwords in QPR ProcessAnalyzer database.
  • 2 = The user is authenticated using the LDAP method by validating the username against a corporate LDAP server.
  • 3 = The user is authenticated using both methods: if LDAP authentication fails, then logging in will be done using the built-in authentication method.

If no value has been defined, then the built-in method (that is, value 1) is used. If you try to define any other value than 1, 2, or 3, the login will fail and an error message is given.

LDAPConnectionString The IP address for establishing the connection to the LDAP server. Append :3268 to the end of the address if you want to use Global Catalog by default. xx.x.xx.xxx
LDAPUserFilter This string is used by the LDAP library to locate and search the user from corporate LDAP server. For example (&(objectclass=person))
LDAPUserSearchBase The distinguished name of the object at which to start the search. For example, dc=local
LDAPUserIdAttributeName The user id attribute name. For example, sAMAccountName or uid
LDAPServerUserName LDAP server credentials: the distinguished name of the user. <username>
LDAPServerPassword LDAP server credentials: the password of the user. <password>

All values except for AuthenticationMethod are empty by default.

The authentication method that is currently used is shown in Session Information dialog.

Creating a User That Is Authenticated via LDAP

The LDAP authentication method can be used in QPR ProcessAnalyzer Pro and QPR ProcessAnalyzer Database. However, the LDAP settings have no effect in QPR ProcessAnalyzer Xpress as it does not use named user authentication.

1. Edit the LDAP authentication options of the PA_CONFIGURATION table in the QPR ProcessAnalyzer database, or run the following query to the QPR ProcessAnalyzer database: 

UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='AuthenticationMethod';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPConnectionString';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPUserFilter';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPUserSearchBase';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPUserIdAttributeName';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPServerUserName';
UPDATE PA_CONFIGURATION SET CFG_VALUE='<value>' WHERE CFG_KEY='LDAPServerPassword';
Replace <value> in the script with your own specific LDAP settings. Note that you need to allow built-in authentication at this point, so define the value of AuthenticationMethod to be 1. For more information on the values, see the table above.

2. Log in to QPR ProcessAnalyzer as a user that has All and Administrator rights.
3. Create a new user account in the Manage Users dialog. The username in QPR ProcessAnalyzer must match the LDAP username.
4. To allow users to authenticate using the LDAP method, change the value of 'AuthenticationMethod' in PA_CONFIGURATION table to either '2' (to allow only LDAP authentication) or '3' (to allow also built-in authentication in case the LDAP authentication fails).

Note that if the user (other than an Administrator) has successfully been authenticated using the LDAP method, this user is not able to change his or her own password in QPR ProcessAnalyzer.

Retrieved from "https://wiki.onqpr.com/pa/index.php?title=LDAP/AD_Authentication&oldid=8295"