Difference between revisions of "Authentication Service"
(→The User Search Filter) |
(→The User Search Filter) |
||
| Line 30: | Line 30: | ||
This states that the search filter is looking for objects in Active Directory of class "user" and where the User Principal Name of those objects is the value as specified by {0}. {0} is a placeholder for the value the user types in to FMR in order to become authenticated, however there are some subtleties. In the User Search field there are two placeholder values: | This states that the search filter is looking for objects in Active Directory of class "user" and where the User Principal Name of those objects is the value as specified by {0}. {0} is a placeholder for the value the user types in to FMR in order to become authenticated, however there are some subtleties. In the User Search field there are two placeholder values: | ||
| − | * {0} - is the "bind principal". This is the username that the user types into the login dialog (when attempting to login). However if this value does NOT contain an "@", then the domain name is appended to it. For example, if the user attempts to log in as "Alice", on the domain | + | * {0} - is the "bind principal". This is the username that the user types into the login dialog (when attempting to login). However if this value does NOT contain an "@", then the domain name is appended to it. For example, if the user attempts to log in as "Alice", on the domain "bisorg.external", then the value that replaces {0} will be Alice@bisorg.external |
| − | * {1} - is the "username" only. This corresponds exactly to the username | + | * {1} - is the "username" only. This corresponds exactly to the username. If the user attempts to log in as "Alice", then the value that replaces {1} will be simply "Alice". |
| + | ====Testing the Active Directory Settings==== | ||
| + | Since it can be difficult to set the Active Directory settings correctly, since version 11.16.1 of FMR, there is also the ability from this page for an Admin user of FMR to test how Active Directory would respond with an attempted log-on for a particular user. This feature allows for quicker investigation and resolution of the Active Directory settings that you will require for your environment. | ||
| − | + | ||
| + | |||
| + | Other tools you may want to use are the Windows Powershell commands "Get-ADUser" and "dnslookup". | ||
Revision as of 05:13, 10 May 2024
Contents
Overview
The administration page to set the Authentication Service of FMR has controls for the different security services. Use the drop-down at the top of the page to select the service you require. The current options are:
- None
- Active Directory
- LDAP
- Fusion Security
Configuring Active Directory
When Active Directory has been chosen as the Authentication Mechanism, the following information needs to be provided
- The protocol type: either ldap or ldaps
- The IP address or name of the server hosting the Active Directory instance
- The Active Directory Domain
- The Base Group Domain Name (optional) - if this is left blank, the root of the Active Directory instance will be used to locate users
- The User Search Filter (optional)
Most of these settings are fairly self-explanatory
The User Search Filter
If this field is left blank, the following value will be used:
(&(objectClass=user)(userPrincipalName={0}))
This states that the search filter is looking for objects in Active Directory of class "user" and where the User Principal Name of those objects is the value as specified by {0}. {0} is a placeholder for the value the user types in to FMR in order to become authenticated, however there are some subtleties. In the User Search field there are two placeholder values:
- {0} - is the "bind principal". This is the username that the user types into the login dialog (when attempting to login). However if this value does NOT contain an "@", then the domain name is appended to it. For example, if the user attempts to log in as "Alice", on the domain "bisorg.external", then the value that replaces {0} will be Alice@bisorg.external
- {1} - is the "username" only. This corresponds exactly to the username. If the user attempts to log in as "Alice", then the value that replaces {1} will be simply "Alice".
Testing the Active Directory Settings
Since it can be difficult to set the Active Directory settings correctly, since version 11.16.1 of FMR, there is also the ability from this page for an Admin user of FMR to test how Active Directory would respond with an attempted log-on for a particular user. This feature allows for quicker investigation and resolution of the Active Directory settings that you will require for your environment.
Other tools you may want to use are the Windows Powershell commands "Get-ADUser" and "dnslookup".
