A user in N4 can be authenticated externally through a Lightweight Directory Access Protocol (LDAP) provider.
To set up LDAP support for user authentication:
1. Log in at the GLOBAL scope level.
2. Set the FRMSECURITY023 (SYSTEM_AUTHENTICATION_METHOD) configuration setting to DEPENDS_ON_USER_SETTING to allow external authentication.
3. Create an XML file specifying the external authentication provider's configuration. The XML file should conform to the ExternalAuthConfig.dtd schema.
4. Import the XML file into N4 using the FRMSECURITY025 (EXTERNAL_AUTHENTICATION_PROVIDERS_CONFIG_XML) configuration setting. Once you have loaded a configuration, you can edit it at a later time.
5. Use an SNX script to create the LDAP users or manually add the users to N4. For the new fields, refer to the SNX ARGO User Importer Exporter section below.
In N4, a user record is always required for any user, regardless of the Authentication Method specified for the user, to enable User Authorization and User Login auditing.
Configuration settings
The following configuration settings are added to support external authentication:
- FRMSECURITY023 (SYSTEM_AUTHENTICATION_METHOD)
- FRMSECURITY024 (USER_AUTHENTICATION_METHOD_DEFAULT)
- FRMSECURITY025 (EXTERNAL_AUTHENTICATION_PROVIDERS_CONFIG_XML)
Because the FRMSECURITY023, FRMSECURITY024, and FRMSECURITY025 settings are GLOBAL settings, the Override button is enabled only when you select the Global scope level in the left pane of the Edit Configuration form.
Authentication Method field in the User form
The Authentication Method field is added to the User form. You can select any of the following options for this field:
- Application authentication: Represents INTERNAL authentication. The user is always authenticated by N4.
- External authentication such as LDAP: Represents EXTERNAL authentication. The user can be authenticated only by an external provider.
- Configurable Setting User Authentication Method Default: Depends on the value specified for the FRMSECURITY024 configuration setting.
If the Authentication Method for a user is set as External authentication such as LDAP, or as Configurable Setting User Authentication Method Default and the FRMSECURITY024 configuration setting is set as EXTERNAL, N4 generates a password for the user account in the following format:
<user_id>P!ssw0rd
Users with external authentication cannot use N4 to change/update their passwords. Users with internal authentication can use N4 to change/update their passwords.
For users with external authentication, N4:
- Displays the following fields in the User form as view-only:
  - User Account Password
  - Password Expiry Override Days
  - Logon Expiry Date
- Does not display the Security tab in the Edit My User Preferences form.
- Does not display the File Edit Password option.
SNX ARGO User Importer Exporter
Added the following fields to the SNX ARGO User Importer Exporter:
- max-table-rows
- my-list-choice
- sleep-delay
- list-view-auto-refresh
- authentication-method
- logon-expiry-date
Sample LDAP Provider Configuration
The following XML file represents a sample configuration for an LDAP provider:
<?xml version="1.0"?>
<!DOCTYPE ldapProviders PUBLIC "" "ExternalAuthConfig.dtd" >
<externalProviders>
  <!-- First provider: search base given in userSearch/base -->
  <ldapProvider>
    <serverType>AD</serverType>
    <context>
      <serverURL>ldap://111.111.111.111:389</serverURL>
      <manager>
        <dn>CN=user1,CN=Users,DC=ldaptest,DC=lan</dn>
        <password>######</password>
      </manager>
      <referral type="follow" />
    </context>
    <userSearch>
      <base>OU=ApplUsers,DC=ldaptest,DC=lan</base>
      <filter>(sAMAccountName={0})</filter>
      <subtree required="true" />
    </userSearch>
  </ldapProvider>
  <!-- Second provider: search base given in the server URL, userSearch/base left empty -->
  <ldapProvider>
    <context>
      <serverURL>ldap://111.111.111.111:389/OU=ApplContractors,DC=ldaptest,DC=lan</serverURL>
      <manager>
        <dn>CN=user1,CN=Users,DC=ldaptest,DC=lan</dn>
        <password>######</password>
      </manager>
      <referral type="follow"/>
    </context>
    <userSearch>
      <base/>
      <filter>(sAMAccountName={0})</filter>
      <subtree required="true"/>
    </userSearch>
  </ldapProvider>
</externalProviders>
Each ldapProvider element represents one LDAP domain controller. For more information about the various elements, refer to the LDAP Support for User Authentication section in the N4 SDK on the customer portal.
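A pre-import check for a provider configuration like the sample above, as an added example that is not part of the N4 documentation or SDK: it parses the file and reports, per ldapProvider, stray whitespace in serverURL, a serverURL that is not ldaps://, a user search with no base, a filter without the {0} placeholder, and referral following. The sample input is constructed; treating {0} as the login ID placeholder, and the ldaps:// URL in the second provider, are assumptions the page does not confirm.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the shape of the page's configuration; hosts and DNs are made up.
# ldaps:// appears only to exercise the check; the page does not say whether N4 accepts it.
SAMPLE = """<?xml version="1.0"?>
<externalProviders>
  <ldapProvider>
    <context>
      <serverURL>ldap://dc1.example.test:389</serverURL>
      <referral type="follow"/>
    </context>
    <userSearch>
      <base>OU=ApplUsers,DC=example,DC=test</base>
      <filter>(sAMAccountName={0})</filter>
    </userSearch>
  </ldapProvider>
  <ldapProvider>
    <context>
      <serverURL>ldaps://dc2.example.test:636/OU=Contractors,DC=example,DC=test </serverURL>
    </context>
    <userSearch><base/><filter>(sAMAccountName=*)</filter></userSearch>
  </ldapProvider>
</externalProviders>"""

def audit(xml_text):
    """Return one list of findings per <ldapProvider>, in document order."""
    report = []
    for p in ET.fromstring(xml_text).iter("ldapProvider"):
        raw = p.findtext("context/serverURL", default="")
        url = urlsplit(raw.strip())
        base = (p.findtext("userSearch/base") or "").strip()
        found = []
        if raw != raw.strip():  # leading/trailing whitespace becomes part of the URL value
            found.append("whitespace in serverURL")
        if url.scheme.lower() != "ldaps":  # ldap:// opens the connection without TLS
            found.append("serverURL is not ldaps://")
        if not base and not url.path.strip("/"):  # nothing scopes the user search
            found.append("no search base")
        if "{0}" not in p.findtext("userSearch/filter", default=""):
            found.append("filter has no {0} placeholder")
        if p.find("context/referral[@type='follow']") is not None:
            found.append("follows referrals")
        report.append(found)
    return report

if __name__ == "__main__":
    for n, found in enumerate(audit(SAMPLE), 1):
        print(f"provider {n}: {found or 'no findings'}")
```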