Configuration

General

The basic settings for the server extension are specified in the General tab.

Host

• The domain name or IP address of the device on which the LDAP server is running.

Port

• Normally 389 for insecure connections and 636 for connections that use TLS.

Use TLS

• TLS should be used: this is highly recommended, especially when using "Simple" authentication.

Trust all certificates

• If disabled, the certificate of the LDAP Server is compared with the certificate store of the device on which the TwinCAT HMI Server is running. If enabled, the server certificate is not checked. It should only be used for test purposes. Even when self-signed certificates are used, this setting should be deactivated and the self-signed certificate should be added to the certificate store.

Base DN

• The distinguished name of the LDAP entry in which users can be searched for. Normally this only consists of domain components, e.g. "DC=Beckhoff,DC=com". For more information, see Distinguished Names.

Synchronization interval

• The user groups and the blocking status of active users are periodically synchronized with the LDAP directory server. The group memberships are adjusted and sessions of blocked users are terminated. An interval of PT0S means that synchronization only takes place during the login process.

Timeout (advanced settings)

• Network timeout for the connection to the LDAP server

Follow Referrals (advanced settings)

• Specifies whether the referrals returned by the LDAP server should be followed automatically. LDAP servers can return referrals to other LDAP servers, which may contain further search results.

Compare attribute values taking into account upper/lower case (advanced settings)

• Normally, LDAP attributes and DNs are not case-sensitive. However, there are a few cases in which it is useful to take upper/lower case into account.

LDAP authentication

Depending on the configuration of the LDAP server, the user profiles may not be public. In these cases, it is necessary to configure an administrative user account that is used for the directory search.

Authentication mechanism for the bind user

• If the user profiles are completely public, you do not need a bind user and you can select “None”. If the information is public, but anonymous binding is required to perform searches, you can select "Anonymous". If the user profiles are not public, you should enable TLS and use "Simple" authentication, or you can equally use the "Digest-MD5" mechanism. The "Kerberos credentials file" setting is also supported. If you select this setting, the user account that is currently logged in on the device that TwinCAT HMI Server is running on is used.

Bind user DN

• Normally the full Distinguished Name (DN) of the administrative user. If the LDAP server allows direct binding with a unique name attribute, such as the "userPrincipalName", you can also use this attribute here. For more information, see Distinguished Names.

Bind user password

• The password of the administrative user.

HMI authentication

Authentication mechanism

• Typically, the user wants to enable TLS and use the "simple" authentication mechanism. The "Digest-MD5" mechanism prevents the simple password being sent over the network, but is based on cryptographic algorithms that are no longer considered secure.

User filter

• The user filter is used in search queries to find the user profile based on the entries in the registration form. "{input}" is a placeholder that is replaced by the user's input in the registration form. "{username_attribute}" is a placeholder that is replaced by the configured attribute 'username', see format specification.
  The recommended settings are as follows:
  Microsoft Active Directory:
  (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
  OpenLDAP:
  (&({username_attribute}={input})(objectClass=person))' or '(&({username_attribute}={input})(objectClass=inetOrgPerson))

User name attribute

• LDAP attribute that is used in the USER_FILTER. Microsoft Active Directory servers usually use the "userPrincipalName", while OpenLDAP servers usually use the "uid" attribute. Useful documentation of the naming attributes supported by Microsoft Active Directory, see User Naming Attributes.

Ignore the domain during login

• Ignores everything after the first @ in the user name entered by the user. For example, if you use "userPrincipalName" on ActiveDirectory, you must deactivate this setting as the userPrincipalName contains an @.

Append the domain during login

• For example, if “email” or “userPrincipalName” is used for login, this setting can be used to automatically add the domain suffix so that it does not have to be specified during login. The extension checks the upper and lower case to determine whether the domain suffix already exists.

Use LDAP search request for ListUsers

• Depending on the size of the directory, the search may take too long or return too many results. If this setting is deactivated, the user names from the TcHmiSrv configuration are collected. This setting should be deactivated to improve performance.

Group mappings

Group mappings

• The LDAP group must be assigned to a TwinCAT HMI group so that the LDAP user can log on to the HMI. By default, the SystemUser rights are granted, and these should not normally be deleted.

Block specific users

• By default, all LDAP users can log in to the HMI and are assigned to the HMI user groups based on the groups. If you want to completely prevent authentication for certain users, you can block users based on LDAP attributes using the blacklist or whitelist.

Visible attributes

• The names of the LDAP attributes that users can query from the LDAP directory entry linked to their account (e.g. user picture, room, telephone number).

Cache for automatically added user groups (Advanced settings)

• This cache is required to be able to correctly remove user groups that are configured based on group mappings.