LDAP
The Lightweight Directory Access Protocol (LDAP) is a network protocol for querying and maintaining entries (e.g. user names, group memberships) in a directory service. A directory service such as Microsoft's Active Directory is often used in larger companies to manage users and groups centrally.
Application scenario
The TwinCAT HMI LDAP extension connects the TwinCAT HMI server to an LDAP server so that the users and groups of the directory can be used for the HMI server's user management.
Advantages
- Central user management: By default the TwinCAT HMI server uses the TwinCAT HMI user management extension, which only the local HMI server can access. The TwinCAT HMI LDAP extension can be used by several HMI servers, locally or over the network (LAN and WAN).
- User management without HMI admin rights: Users and groups are managed centrally by the company's IT department. When an employee joins or leaves the company, the rights can be adjusted without HMI engineering and without restarting the server.
- Access to all directory information: In addition to the user groups, all directory information can be queried.
- No additional license required: The TwinCAT HMI LDAP extension is included in the TF2000 HMI server license.
Architecture
The LDAP server extension runs in the .NET extension container (1) as an independent process and connects to the LDAP server (2) via LDAP. The HMI server and the LDAP extension communicate as usual via WebSocket (3).
Within the HMI project, authorizations cannot be assigned directly to LDAP groups. HMI groups are created and configured in the usual way; in the LDAP extension, the HMI groups are linked to LDAP groups via group mappings (1, 2). The HMI server creates an LDAP user as an HMI user at that user's first login (3).
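The following is an added illustration of the mapping and first-login flow described above; it is not code from the TwinCAT HMI LDAP extension or from Beckhoff. The directory entries, the `memberOf` attribute, the group DNs and the HMI group names are constructed, and the mapping table stands in for the extension's group-mapping configuration. Two details go beyond the text and are assumptions: LDAP distinguished names are compared case-insensitively, and a user whose directory groups match no mapping is refused rather than provisioned with no rights (deny by default). Group membership is re-read from the directory on every login, which is what lets IT adjust rights without touching the HMI project.

```python
from dataclasses import dataclass, field

# Constructed stand-in for LDAP search results: user name -> entry with its
# distinguished name and the DNs of the groups it belongs to (memberOf).
LDAP_DIRECTORY = {
    "alice": {
        "dn": "CN=alice,OU=Users,DC=example,DC=com",
        "memberOf": [
            "CN=HMI-Operators,OU=Groups,DC=example,DC=com",
            "CN=Sales,OU=Groups,DC=example,DC=com",
        ],
    },
    "bob": {
        "dn": "CN=bob,OU=Users,DC=example,DC=com",
        "memberOf": [
            "CN=HMI-Admins,OU=Groups,DC=example,DC=com",
            # Same group as alice's, but with different letter case (AD returns
            # DNs case-preserved; they still denote the same object).
            "cn=hmi-operators,ou=groups,dc=example,dc=com",
        ],
    },
    "carol": {
        "dn": "CN=carol,OU=Users,DC=example,DC=com",
        "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"],
    },
}

# Hypothetical group mapping as it would be configured in the LDAP extension:
# LDAP group DN -> HMI group name. Only listed groups grant anything.
GROUP_MAPPING = {
    "CN=HMI-Operators,OU=Groups,DC=example,DC=com": "Operators",
    "CN=HMI-Admins,OU=Groups,DC=example,DC=com": "Administrators",
}


@dataclass
class HmiUser:
    name: str
    groups: set = field(default_factory=set)


class HmiUserStore:
    """Stand-in for the HMI server's user list (users created at first login)."""

    def __init__(self):
        self.users = {}
        self.created = []  # provisioning order, to show creation happens once


def resolve_hmi_groups(member_of, mapping):
    """Translate a user's LDAP group DNs into HMI groups via the mapping.

    Assumption: DNs are compared case-insensitively, so the mapping is keyed
    on lower-cased DNs. Unmapped LDAP groups (e.g. Sales) contribute nothing.
    """
    by_lower_dn = {dn.lower(): hmi_group for dn, hmi_group in mapping.items()}
    return {by_lower_dn[dn.lower()] for dn in member_of if dn.lower() in by_lower_dn}


def login(username, directory, mapping, store):
    """Model the HMI server's handling of an LDAP login.

    Returns the HmiUser on success, or None when the directory has no such
    user or the user maps to no HMI group (deny by default, an assumption).
    """
    entry = directory.get(username)
    if entry is None:
        return None  # not in the directory: authentication fails

    groups = resolve_hmi_groups(entry["memberOf"], mapping)
    if not groups:
        return None  # no mapped group -> no HMI permissions -> refuse

    user = store.users.get(username)
    if user is None:
        # First login: the HMI server creates the LDAP user as an HMI user.
        user = HmiUser(username)
        store.users[username] = user
        store.created.append(username)

    # Membership is taken fresh from the directory on every login, so a change
    # made by IT takes effect at the next login without an HMI restart.
    user.groups = groups
    return user


if __name__ == "__main__":
    store = HmiUserStore()
    for name in ("alice", "bob", "carol", "alice", "dave"):
        result = login(name, LDAP_DIRECTORY, GROUP_MAPPING, store)
        print(name, "->", sorted(result.groups) if result else "refused")
    print("created:", store.created)
```

Running the block prints alice and bob with their mapped HMI groups, carol and dave refused, and `created: ['alice', 'bob']`; alice's second login reuses the existing HMI user. The constructed `memberOf` values are flat; a real directory may nest groups, and resolving nested membership is outside what this example (and the text above) covers.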