TcHmiLdap
Type Definitions
|
Name |
Description |
|---|
General Properties
|
Symbol name |
Text |
Description |
|---|---|---|
|
Host |
A hostname, a domain name or an IP address. IPv6 is currently not supported. | |
|
Port |
The most common ports are 636 for TLS and 389 for unencrypted connections. | |
|
Use TLS |
Strongly recommended, especially when using the 'Simple' authentication mechanism. | |
|
Trust all certificates |
If 'false', check whether the server certificate was issued by a certificate authority trusted by the operating system. | |
|
Timeout |
This timeout is used for all LDAP requests, including search requests. | |
|
Base DN |
Entry point for LDAP search requests. If empty, the domain components of the host are used. | |
|
Follow referrals |
Specifies whether to automatically follow referrals returned by the LDAP server. | |
|
Case-sensitive comparison of attribute values |
DNs and attributes are case-insensitive by default. It is possible to define an attribute as case-sensitive in the schema, but this is rare. |
HMI Authentication
|
Symbol name |
Text |
Description |
|---|---|---|
|
Authentication mechanism |
The most common mechanism is 'Simple'. 'Digest-MD5' is recommended when TLS is unavailable. | |
|
User filter |
Used to search for the user entry. {input} is a placeholder replaced by what the user inputs in the login form. {username_attribute} is a placeholder replaced by the configured username attribute. | |
|
Username attribute |
Attribute used to identify the user. | |
|
Ignore the domain suffix during login |
Ignore everything after the first @ in the username submitted by the user. If you are for example using 'userPrincipalName' on ActiveDirectory you need to disable this setting, because the userPrincipalName contains an @. | |
|
Append the domain during login |
For example, if the 'email' or 'userPrincipalName' is used for login, this setting can be used to automatically add the domain suffix so that it does not need to be specified at login. The extension does a case-insensitive check to find out if the domain suffix is already present. | |
|
Use LDAP search for ListUsers |
Depending on the size of the directory, the search might take too long or return too many results. If disabled, the usernames are collected from the TcHmiSrv configuration. |
LDAP Authentication
|
Symbol name |
Text |
Description |
|---|---|---|
|
Authentication mechanism for bind user |
'None' means that there is no bind user, in which case, the bind request is done with what the user inputs in the login form. | |
|
Bind user DN |
The full DN of the admin user that is used to search for the DN of the user that is trying to sign in. This setting is ignored if the authentication mechanism is 'Anonymous', 'Kerberos-Credential-Cache' or 'None'. | |
|
Bind user password |
Stored as plaintext in the configuration database. |
Group mappings
|
Symbol name |
Text |
Description |
|---|---|---|
|
Group mappings |
Set HMI user groups based on an LDAP user's attributes. | |
|
Block specific users |
Blocked users are not able to log in, even if they logged in successfully in the past. |