TrackStudio 3.0 Documentation
LDAP Authentication

Many organizations use the LDAP directory to store user accounts. TrackStudio can be configured to authorize users by their accounts on the LDAP server.

The LDAP settings are stored in the trackstudio.ldap.properties file and are also available via the Server Manager on the LDAP Authorization tab. You can use the following configuration parameters:

trackstudio.useLDAP
    Specifies whether authorization on the LDAP server is used. Possible values: yes, no. If the parameter is set to yes, user authorization on the LDAP server is performed alongside the usual authorization in the TrackStudio system.

ldap.host
    Specifies the LDAP server address (e.g. 192.168.22.10).

ldap.port
    Specifies the server port (e.g. 389).

ldap.baseDN
    Specifies the base DN (e.g. cn=users,dc=ldap-server,dc=my-company,dc=com). TrackStudio searches under the specified DN for user authentication.

ldap.userDN
    Specifies the DN of the user that TrackStudio connects to the LDAP server as (e.g. cn=TrackStudio,cn=users,dc=ldap-server,dc=my-company,dc=com). Objects (users, groups, computers) in the LDAP directory are referred to by the cn attribute, the Common Name. Containers, which may hold many objects, are also referred to by the cn attribute. LDAP supports special containers: Organizational Units and Domain Components. The part of the binding string composed of Domain Component elements is the DNS domain name. For example, the cn=TrackStudio user above is in the cn=users container, which is in the dc=ldap-server,dc=my-company,dc=com DNS domain (sometimes written as ldap-server.my-company.com).

ldap.userDNpass
    Specifies the password for the user given in ldap.userDN.

ldap.loginAttrTS
    Specifies which TrackStudio user parameter is matched against the LDAP server. It can be one of two values: name or login.

ldap.loginAttrLDAP
    Specifies the LDAP attribute used to search for the user on the LDAP server. For example, if ldap.loginAttrLDAP is cn, the common name is used to search for the user.

Even if you use LDAP authorization, you will have to register a new user in TrackStudio first. 

A user can log into the system if his/her password matches either the one stored in the DB or the one held in LDAP. To disable authentication against the local database, remove gran.app.adapter.auth.SimpleAuthAdapter from the pipeline in the trackstudio.adapter.properties file.

If trackstudio.useLDAP is set to yes, TrackStudio connects to the specified LDAP server during login and authenticates to it with the DN and password given in ldap.userDN and ldap.userDNpass. TrackStudio then queries the local DB and finds the user by the specified login and password. After that, TrackStudio searches the LDAP server for the object whose ldap.loginAttrLDAP attribute equals the name or the login (depending on the ldap.loginAttrTS value) of the user found. Finally, that LDAP user is authenticated with the password entered in the login window.

When you change the password under the Change Password tab, the password is changed in the database, but not the LDAP.

Let us have a look at how to configure user authentication via the MS Active Directory Service.

1) Login into Windows as Administrator 

2) Export LDAP context to the file.

ldifde -f ldap.txt

3) Open the resulting ldap.txt file. The first line of the file should look like this:

dn: DC=ldap-server,DC=my-company,DC=com

For ldap.baseDN in trackstudio.ldap.properties, use the cn=users container within that DN, for example cn=users,dc=ldap-server,dc=my-company,dc=com.

4) Specify the user name that will be used to log in to the server. For example, if you want to use the Administrator account, specify

CN=Administrator,CN=Users,DC=ldap-server,DC=my-company,DC=com

Make certain that the CN is the Windows Common Name of the account in the Active Directory Service. If you want to use the login instead, specify ldap.loginAttrLDAP=sAMAccountName. Set the password and test the connection by clicking the Test Connection button.

5) The user's name or login in TrackStudio and in the Active Directory Service must also match.


  • If you want to use authorization by name, specify
    ldap.loginAttrTS=name
    ldap.loginAttrLDAP=cn
  • If you want to use authorization by login, specify
    ldap.loginAttrTS=login
    ldap.loginAttrLDAP=sAMAccountName

You should always enter the TrackStudio user login name in the login window. TrackStudio will check that the user exists in the local DB by the entered login and will use that user's login or name to authorize via LDAP.
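The login flow described above (service-account bind with ldap.userDN, search by ldap.loginAttrLDAP under ldap.baseDN, then a bind as the found user) and the Active Directory setup in steps 1-5, as an added Java/JNDI example that is not TrackStudio's own code; the host, DNs and password are assumed sample values, and the filter escaping, empty-password rejection and ambiguous-match refusal are checks a defender would want around such a lookup:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class LdapAuthCheck {
    // Assumed sample values mirroring trackstudio.ldap.properties; not TrackStudio's own code.
    static final String BASE_DN = "cn=users,dc=ldap-server,dc=my-company,dc=com";
    static final String SERVICE_DN = "cn=TrackStudio,cn=users,dc=ldap-server,dc=my-company,dc=com";
    static final String SERVICE_PASS = "<ldap.userDNpass placeholder>";
    static final String LOGIN_ATTR = "sAMAccountName";   // ldap.loginAttrLDAP for login-based matching

    // Simple bind as dn; the server rejects wrong credentials with a NamingException.
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://192.168.22.10:389");   // ldap.host:ldap.port
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // RFC 4515 escaping: a login such as "*)(cn=*" must not be able to rewrite the filter.
    static String escapeFilter(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray())
            sb.append("\\*()\0".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
        return sb.toString();
    }
    // True only if exactly one entry has LOGIN_ATTR == login and that entry accepts the password.
    static boolean authenticate(String login, String password) throws NamingException {
        // An empty password turns a simple bind into an anonymous one that "succeeds": refuse it.
        if (login == null || password == null || password.isEmpty()) return false;
        DirContext svc = bind(SERVICE_DN, SERVICE_PASS);                // 1: service-account bind
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> r = svc.search(BASE_DN,     // 2: find the user object
                "(" + LOGIN_ATTR + "=" + escapeFilter(login) + ")", sc);
            String userDn = r.hasMore() ? r.next().getNameInNamespace() : null;
            if (userDn == null || r.hasMore()) return false;            // none or ambiguous: refuse
            try { bind(userDn, password).close(); return true; }        // 3: bind as the user
            catch (NamingException denied) { return false; }
        } finally { svc.close(); }
    }
}
```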

Copyright (c) 2002-2004. TrackStudio, Ltd. All rights reserved.