TcHmiLdap
General properties
Symbol name | Text | Description |
---|---|---|
Host | A host name, a domain name or an IP address. IPv6 is currently not supported. | |
Port | The most common ports are 636 for TLS and 389 for unencrypted connections. | |
Use TLS | Strongly recommended, especially when using the 'Simple' authentication mechanism. | |
Trust all certificates | If 'false', the system checks whether the server certificate was issued by a certification authority that the operating system trusts. | |
Timeout | This timeout is used for all LDAP requests, including search requests. | |
Base DN | Entry point for LDAP search queries. If empty, the domain components of the host are used. | |
Follow referrals | Specifies whether the referrals returned by the LDAP server should be followed automatically. | |
Attribute values compared taking upper/lower case into account | DNs and attributes are not case-sensitive by default. It is possible to change this setting in the LDAP schema of the attribute, but this is rare. |
HMI authentication
Symbol name | Text | Description |
---|---|---|
Authentication mechanism | The most common mechanism is 'Simple'. 'Digest-MD5' is recommended if TLS is not available. | |
User filter | Used to search for user entries. {input} is a placeholder that is replaced by what the user enters in the registration form. {username_attribute} is a placeholder that is replaced by the configured username attribute. | |
User name attribute | Attribute used to identify the user. | |
Ignore the domain during login | Ignores anything after the first @ in the name entered during login. For example, if the 'userPrincipalName' is used on Active Directory, this setting must be disabled because the 'userPrincipalName' contains an @. | |
Append the domain during login | If, for example, the 'email' or 'userPrincipalName' is used for login, the domain suffix can be added automatically with this setting so that it does not have to be entered during login. A case-insensitive check is carried out to determine whether the domain is already present. | |
Use LDAP search request for ListUsers | Depending on the size of the directory, the search may take too long or return too many results. If disabled, the user names from the TcHmiSrv configuration are collected. |
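
The following Python sketch is an added illustration, not Beckhoff's implementation: it models how the 'User filter' placeholders combine with 'Ignore the domain during login' and 'Append the domain during login' to produce the final search filter. The filter template, attribute names, function names and the RFC 4515 escaping of the user input are assumptions made for the example.

```python
# Added illustration, not TcHmiLdap code. All names below are hypothetical.

# Constructed sample filter template using the two documented placeholders.
TEMPLATE = "(&(objectClass=user)({username_attribute}={input}))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)


def normalize_login(name: str, ignore_domain: bool = False,
                    append_domain: str = "") -> str:
    """Model 'Ignore the domain' and 'Append the domain' during login."""
    if ignore_domain:
        # Drop everything after the first @ (breaks userPrincipalName logins).
        name = name.split("@", 1)[0]
    if append_domain:
        suffix = "@" + append_domain.lstrip("@")
        # Case-insensitive check whether the domain is already present.
        if not name.lower().endswith(suffix.lower()):
            name += suffix
    return name


def build_user_filter(template: str, username_attribute: str, login: str,
                      ignore_domain: bool = False,
                      append_domain: str = "") -> str:
    """Return the search filter for one login attempt."""
    login = normalize_login(login, ignore_domain, append_domain)
    # Substitute the admin-configured attribute first, the escaped input last,
    # so placeholder text typed by the user is never expanded.
    return (template
            .replace("{username_attribute}", username_attribute)
            .replace("{input}", escape_filter_value(login)))


if __name__ == "__main__":
    # Constructed inputs: a normal login and one containing filter metacharacters.
    print(build_user_filter(TEMPLATE, "userPrincipalName", "alice",
                            append_domain="example.com"))
    print(build_user_filter(TEMPLATE, "sAMAccountName", "*)(objectClass=*"))
```

Without the escaping step, the second input would change the structure of the filter instead of being matched as a literal user name.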
LDAP authentication
Symbol name | Text | Description |
---|---|---|
Authentication mechanism for the bind user. 'None' indicates that there is no bind user. | 'None' means that there is no bind user. In this case, the bind request is made with what the user enters in the registration form. | |
Bind user DN | The full DN of the bind user, which is used to search for the DN of the user attempting to log in. This setting is ignored if the authentication mechanism is 'Anonymous', 'Kerberos Credential Cache' or 'None'. | |
Bind user password | The password is saved as plain text in the configuration database. |
Group mappings
Symbol name | Text | Description |
---|---|---|
Group mappings | Set HMI user groups based on the attributes of an LDAP user. | |
Block specific users | Blocked users cannot log in, even if they have logged in successfully in the past. |