Appendix A: LDAP Implementation Details
NX-Series Controllers - WebConsole & Programming Guide
Assumptions and Prerequisites
Assumptions made about the LDAP implementation or environment in which the AMX client will participate include:
1. The directory must support simple (DN and password) bind authentication; NetLinx Masters do not support Kerberos or SASL.
2. The account used as the bind DN must have search capability along with the permissions needed to read the 'uid', 'cn',
'member' and 'objectClass' attributes.
3. When a search is performed to find a DN with the specified user ID, a search must return one and only one object if the user
exists. No object will be returned if an account does not exist for that user ID.
4. An account is considered valid if a user can authenticate/bind. No other attributes are considered during the authentication
process.
5. The AMX LDAP implementation supports both unencrypted (LDAP) and SSL-encrypted (LDAPS) connections.
6. When a person authenticates, that account must have access to all the attributes defined by RFC 2798 (inetOrgPerson) with the
following exception:
User passwords are not necessarily readable; the password attribute is used only to perform a bind to the directory (for example,
this attribute may not be directly available to the user).
7. The bind DN must have the ability to search for group membership. (This ability is similar to RMS requirements.)
8. When a person authenticates, that account must have access to "cn" attributes for all groups of which it is a member.
9. Group membership for users is defined by the Role assigned to the user. Use groupOfNames as the objectClass for group
mapping. groupOfUniqueNames is not supported because some implementations append unique IDs to membership DNs, which
makes matching a member DN ambiguous.
10. When performing searches for group membership, no restrictions may exist that would prevent the full list of groups of which
the user is a member from being returned, with the possible exception of reasonable response timeouts. The AMX LDAP
implementation does not support paged search results.
11. AMX LDAP implementation does not support following referrals.
IMPORTANT: For the NX-series Masters to work with LDAP over SSL (LDAPS), you must upload a CA server certificate in .pem format
to the Master’s FTP server. The certificate’s file name must be "ldap_ad.pem". You can attach the file to your NetLinx Studio project
and upload the file to the ../8021x directory (the default directory for .pem files). Once the file is uploaded, you must reboot the
Master for the certificate file to be read and used by the system. LDAPS requires Master Firmware version 1.3.78 or greater.
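The assumptions above (simple bind, a bind DN that can search, one-and-only-one match per user ID, bind-as-user validation, groupOfNames membership, no referrals, no paged results) and the LDAPS certificate note can be checked against a directory before the Master is pointed at it. The following pre-flight script is an added example, not AMX code or part of this guide. It assumes OpenLDAP's ldapsearch and ldapwhoami and openssl are installed, and the host name, bind DN, base DN and password file are placeholders to be replaced with your own values. The filter-escaping step matters because the Master builds its lookup filter from the user ID typed at login; an unescaped ID such as jdoe)(uid=* would change the filter's meaning and could make the "one and only one" search return the wrong entry or several.

```shell
#!/bin/sh
# Pre-flight checks for a directory an NX-series Master will authenticate against.
# Added example, not AMX code. Every value below is an assumed placeholder.

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com:636}"                  # assumed host
BIND_DN="${BIND_DN:-cn=amx-bind,ou=service,dc=example,dc=com}"         # assumed bind DN
BIND_PW_FILE="${BIND_PW_FILE:-/etc/amx/bind.pw}"                       # password file, not argv
BASE_DN="${BASE_DN:-dc=example,dc=com}"                                # assumed search base
CA_PEM="${CA_PEM:-ldap_ad.pem}"   # the file name the Master requires for LDAPS

# Escape a value for use inside an LDAP search filter (RFC 4515). Backslash is
# handled first so the escapes it introduces are not escaped again. A NUL byte
# cannot appear in a shell string, so it needs no rule here.
ldap_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Count entries in LDIF read from stdin: each entry starts with a "dn:" line
# ("dn::" for base64-encoded DNs also matches). grep -c exits 1 on zero matches
# but still prints 0, hence the "|| true".
count_entries() {
    grep -c '^dn:' || true
}

# Assumption 3: a lookup by user ID must return one and only one entry.
# Returns 0 when the LDIF on stdin holds exactly one entry, 1 otherwise.
exactly_one() {
    n=$(count_entries)
    [ "$n" -eq 1 ]
}

# Search as the bind DN with a simple bind (-x) and plain LDIF output (-LLL).
# ldapsearch does not chase referrals unless -C is given, matching assumption 11,
# and no paging control is requested, matching assumption 10.
search() {
    f="$1"; shift
    LDAPTLS_CACERT="$CA_PEM" ldapsearch -x -LLL -H "$LDAP_URI" \
        -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" -s sub "$f" "$@"
}

# Assumptions 2 and 3: resolve a user ID to its DN and insist on a single match.
# Prints the DN on success; fails if zero or several entries come back.
check_user() {
    uid="$1"
    ldif=$(search "(uid=$(ldap_escape "$uid"))" dn uid cn objectClass)
    printf '%s\n' "$ldif" | exactly_one || {
        echo "uid=$uid: expected exactly one entry, got $(printf '%s\n' "$ldif" | count_entries)" >&2
        return 1
    }
    printf '%s\n' "$ldif" | sed -n 's/^dn: //p'
}

# Assumption 4: the account is valid if it can bind. Bind as the user with the
# password read from a file so it never appears in the process list.
check_bind() {
    user_dn="$1"; pw_file="$2"
    LDAPTLS_CACERT="$CA_PEM" ldapwhoami -x -H "$LDAP_URI" -D "$user_dn" -y "$pw_file"
}

# Assumptions 7 to 9: groups are groupOfNames entries whose member attribute holds
# the user's DN; the cn of each is what the Master maps to a Role.
check_groups() {
    user_dn="$1"
    search "(&(objectClass=groupOfNames)(member=$(ldap_escape "$user_dn")))" cn \
        | sed -n 's/^cn: //p'
}

# LDAPS note: the CA file must be PEM and the server's chain must verify against
# it, or the Master will not be able to establish the TLS session after reboot.
check_cert() {
    openssl x509 -in "$CA_PEM" -noout -subject -enddate || return 1
    host_port=$(printf '%s' "$LDAP_URI" | sed 's|^ldaps://||')
    openssl s_client -connect "$host_port" -CAfile "$CA_PEM" -verify_return_error \
        </dev/null >/dev/null
}

# Usage: sh preflight.sh run <userid> <user-password-file>
if [ "${1:-}" = "run" ]; then
    check_cert
    dn=$(check_user "$2") && check_bind "$dn" "$3" && check_groups "$dn"
fi
```

Run it once per role-mapped user before enabling LDAP on the Master; a failure in check_user is the case to look at first, since two entries sharing a uid (or a uid that collides after escaping is skipped) is exactly the ambiguity assumption 3 rules out.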