LDAP Authentication on Windows Server

Starting in 3.6, ProVision supports LDAP authentication (including Windows Server!). To set up an LDAP server for authentication, you must perform the following three procedures:

  • Configure the LDAP Server (Extend the Schema, Adding an Attribute/Schema Object)
  • Test the LDAP Server
  • Configure ProVision for LDAP Authentication

Configuring the LDAP functions on your Windows Server

You should confirm these steps with your LDAP admin - the purpose of this walkthrough is to provide some level of detail on how to extend LDAP functionality to support integration with an application like ProVision.

Step 1: Prepare to extend the Schema (http://technet.microsoft.com/en-us/library/cc961754.aspx)

This is not a minor operation; it requires changes in several administrative areas of Windows Server:

  • If you have not modified the schema before, you will need to use the Active Directory Schema console on a DC (Domain Controller) to permit write access to the DC schema.
  • Since the schema object has dedicated permissions, the admin making the change must be a member of the Schema Administrator group (Schema Admins).
  • Note that the DC that is holding the Schema Master Role is the only one allowed to write to it.

Step 2: Decide on method for Installing/executing Schema Extensions (http://technet.microsoft.com/en-us/library/cc961742.aspx)

If you have already used other AD integrations, this should be straightforward. We recommend using the LDIF script method.

Step 3: Add and Modify a Schema Object (http://technet.microsoft.com/en-us/library/cc961575.aspx)

To add a new attribute to the schema, you first have to create an attribute object. Then you will need to complete the following steps:

LDAP Schema - Example

attributetype ( 1.3.6.1.4.1.5023215.2.3.21 NAME 'sixConnGroup'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.5023215.2.4.2 NAME 'sixConnectPermissionsV2'
        DESC '6Connect Permissions Object v2'
        SUP top AUXILIARY
        MUST ( sixConnGroup ) )
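The following is an added example, not code from this page or from ProVision: a small Python checker (the function names parse_schema and check_schema are my own) for an OpenLDAP-style schema fragment like the one above. It embeds that fragment as its sample input and reports two mistakes slapd refuses to load: duplicate OIDs, and a MUST/MAY entry naming an attribute that is defined neither in the fragment nor in the base schema passed as known_attributes.

```python
import re
# Constructed sample input: the schema fragment shown on this page (runs offline, no server needed).
SCHEMA_TEXT = """
attributetype ( 1.3.6.1.4.1.5023215.2.3.21 NAME 'sixConnGroup'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.5023215.2.4.2 NAME 'sixConnectPermissionsV2'
        DESC '6Connect Permissions Object v2'
        SUP top AUXILIARY
        MUST ( sixConnGroup ) )
"""
KEYWORD_RE = re.compile(r"^\s*(attributetype|objectclass)\b", re.I | re.M)
TOKEN_RE = re.compile(r"'[^']*'|\(|\)|[^\s()']+")  # quoted string, paren or word
FLAGS = {"AUXILIARY", "STRUCTURAL", "ABSTRACT", "SINGLE-VALUE", "OBSOLETE"}

def parse_schema(text):
    """One dict per attributetype/objectclass: kind, oid, NAME, SUP, SYNTAX, MUST/MAY (lists), flags."""
    parts, defs = KEYWORD_RE.split(text), []      # split -> [prefix, kind, body, kind, body, ...]
    for kind, body in zip(parts[1::2], parts[2::2]):
        body = body.strip()
        if not (body.startswith("(") and body.endswith(")")): raise ValueError(f"malformed {kind}")
        tokens = TOKEN_RE.findall(body[1:-1])
        d, i = {"kind": kind.lower(), "oid": tokens[0]}, 1
        while i < len(tokens):
            key, i = tokens[i].upper(), i + 1
            if key in FLAGS:
                d[key] = True
            elif i < len(tokens) and tokens[i] == "(":   # list value, e.g. MUST ( a $ b )
                j = tokens.index(")", i)
                d[key], i = [t.strip("'") for t in tokens[i + 1:j] if t != "$"], j + 1
            elif i < len(tokens):
                v, i = tokens[i].strip("'"), i + 1
                d[key] = [v] if key in ("MUST", "MAY") else v   # MUST x == MUST ( x )
        d["NAME"] = d["NAME"][0] if isinstance(d.get("NAME"), list) else d.get("NAME")
        defs.append(d)
    return defs

def check_schema(text, known_attributes=()):
    """Problems slapd rejects at load time: duplicate OIDs, and MUST/MAY naming an attribute defined neither here nor in known_attributes."""
    defs, oids, problems = parse_schema(text), {}, []
    for d in defs:
        if d["oid"] in oids:
            problems.append(f"duplicate OID {d['oid']}: {oids[d['oid']]} and {d['NAME']}")
        oids[d["oid"]] = d["NAME"]
    known = set(known_attributes) | {d["NAME"] for d in defs if d["kind"] == "attributetype"}
    for d in [x for x in defs if x["kind"] == "objectclass"]:
        for key in ("MUST", "MAY"):
            for a in d.get(key, []):
                if a not in known:
                    problems.append(f"{d['NAME']} {key} names undefined attribute {a}")
    return problems
```

Run check_schema on a fragment before loading it; an empty list means the OIDs are unique and every required attribute is defined.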

...

LDAP User Example

SSH into your openLDAP server and create a new .ldif file. Example:

...

The user will now be active in openLDAP and can be used to log in to ProVision.

Test the LDAP Server

To query the LDAP server, run the following command on any server which has openLDAP enabled:

...