Configuration
General
- Host: The domain name or IP address of the device on which the LDAP server is running.
- Port: Normally 389 for unencrypted connections and 636 for connections that use TLS (LDAPS).
- Use TLS: Establishes an encrypted connection to the LDAP server. This is highly recommended, especially when using "Simple" authentication, because that mechanism sends the password in plain text.
- Trust all certificates: If disabled, the certificate of the LDAP server is checked against the certificate store of the device that the TwinCAT HMI server is running on. If activated, the server certificate is not checked at all, so the connection could be intercepted; use this for test purposes only. Even when self-signed certificates are used, this setting should remain deactivated and the self-signed certificate should be added to the certificate store instead.
- Base DN: The distinguished name of the LDAP entry below which users are searched for. Normally this consists only of domain components, e.g. "DC=Beckhoff,DC=com". For more information, see Distinguished Names.
- Sync interval: The user groups and the lock status of active users are periodically synchronized with the LDAP directory server. Group memberships are adjusted and sessions of blocked users are terminated. An interval of PT0S (an ISO 8601 duration of zero seconds) means that synchronization only takes place during the login process.
Advanced settings
- Timeout: Network timeout for the connection to the LDAP server.
- LDAP opt referrals: Specifies whether the referrals returned by the LDAP server should be followed automatically. LDAP servers can return references to other LDAP servers, which may hold further search results.
- Compare attribute values, taking upper/lower case into account: Normally, LDAP attributes and DNs are not case-sensitive. However, there are a few cases in which it is useful to take upper/lower case into account.
LDAP authentication
- Depending on the configuration of the LDAP server, the user profiles may not be publicly readable. In these cases, an administrative user account must be configured that is used for the directory search.
- Bind user authentication mechanism: If the user profiles are completely public, you do not need a bind user and can select "None". If the information is public but a bind is required to perform searches, select "Anonymous". If the user profiles are not public, you should enable TLS and use "Simple" authentication; alternatively, the "Digest-MD5" mechanism can be used. The "Kerberos credentials file" setting is also supported. If you select it, the user account that is currently logged in on the device that the TwinCAT HMI Server is running on is used.
- Bind user DN: Normally the full Distinguished Name (DN) of the administrative user. If the LDAP server allows direct binding with a unique name attribute, such as "userPrincipalName", that attribute can also be used here. For more information, see Distinguished Names.
- Bind user password: The password of the administrative user.
HMI authentication
- Authentication mechanism: As a rule, TLS should be activated and "Simple" authentication used. The "Digest-MD5" mechanism prevents the password from being sent in plain text over the network, but it relies on cryptographic algorithms that are no longer considered secure.
- User filter: The user filter is used in search queries to find the user profile based on the entries in the login form. "{input}" is a placeholder that is replaced by the user's input in the login form. "{username_attribute}" is a placeholder that is replaced by the configured "Username attribute"; see the format specification.
The recommended settings are as follows:
- Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
- OpenLDAP: (&({username_attribute}={input})(objectClass=person)) or (&({username_attribute}={input})(objectClass=inetOrgPerson))
- Username attribute: LDAP attribute that is used in the user filter (USER_FILTER). Microsoft Active Directory servers usually use "userPrincipalName", while OpenLDAP servers usually use the "uid" attribute. For documentation of the naming attributes supported by Microsoft Active Directory, see User Naming Attributes.
- Ignore domain during login: Ignores everything after the first @ in the username entered by the user. For example, if you use "userPrincipalName" on Active Directory, this setting must be deactivated because the userPrincipalName itself contains an @.
- Append domain during login: If, for example, "email" or "userPrincipalName" is used for login, this setting automatically adds the domain suffix so that it does not need to be typed during login. When checking whether the domain suffix is already present, the extension takes upper/lower case into account.
- Use LDAP search query for ListUsers: Depending on the size of the directory, the search may take too long or return too many results. If this setting is deactivated, the user names are collected from the TcHmiSrv configuration instead. This setting should be deactivated to improve performance.
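As an added example (not part of this documentation and not the TwinCAT HMI LDAP extension's own code), the following Python shows how the settings above combine: the login name is normalised according to "Ignore domain during login" and "Append domain during login", and the two placeholders are then substituted into the recommended user filters. Escaping the user's input per RFC 4515 before substitution is an assumption about how a careful implementation would do it, not a statement about the extension; the class and function names and the example.com domain are hypothetical.

```python
"""Added example (not the TwinCAT HMI LDAP extension's own code).

Builds the LDAP search filter from a user-filter template containing the
"{username_attribute}" and "{input}" placeholders, after applying the
"Ignore domain during login" and "Append domain during login" settings.
Escaping the user's input per RFC 4515 before substitution is an assumption
about good practice, not a statement about the extension's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass

# RFC 4515, section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally when placed in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LoginSettings:
    """Hypothetical mirror of the HMI authentication settings on this page."""
    user_filter: str              # template, e.g. the Active Directory one
    username_attribute: str       # e.g. "userPrincipalName" or "uid"
    ignore_domain: bool = False   # drop everything after the first "@"
    append_domain: str = ""       # suffix such as "@example.com"; "" = off
    case_sensitive: bool = False  # how the suffix check compares case (assumed)


def normalise_login_name(login: str, settings: LoginSettings) -> str:
    """Apply the ignore-domain and append-domain rules to the typed name."""
    name = login.strip()
    if settings.ignore_domain and "@" in name:
        name = name.split("@", 1)[0]
    if settings.append_domain:
        have, want = name, settings.append_domain
        if not settings.case_sensitive:
            have, want = have.lower(), want.lower()
        if not have.endswith(want):
            name += settings.append_domain
    return name


def build_user_filter(login: str, settings: LoginSettings) -> str:
    """Substitute both placeholders; only the user's input is escaped."""
    name = normalise_login_name(login, settings)
    return (settings.user_filter
            .replace("{username_attribute}", settings.username_attribute)
            .replace("{input}", escape_filter_value(name)))


# Constructed sample configurations using the filters recommended on this page.
AD_SETTINGS = LoginSettings(
    user_filter="(&({username_attribute}={input})(objectCategory=person)(objectClass=user))",
    username_attribute="userPrincipalName",
    append_domain="@example.com",
)
OPENLDAP_SETTINGS = LoginSettings(
    user_filter="(&({username_attribute}={input})(objectClass=inetOrgPerson))",
    username_attribute="uid",
    ignore_domain=True,
)

if __name__ == "__main__":
    print(build_user_filter("alice", AD_SETTINGS))
    print(build_user_filter("bob@example.com", OPENLDAP_SETTINGS))
    print(build_user_filter("o'brien (ops)*", OPENLDAP_SETTINGS))
```

The `case_sensitive` flag shows why the suffix check matters: with a case-sensitive comparison, a user who types "Alice@EXAMPLE.COM" would receive the suffix a second time, and the resulting filter would never match the directory entry.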
Group mappings
- Group mappings: For an LDAP user to be able to log on to the human-machine interface, the user's LDAP group must be assigned to a TwinCAT HMI group. By default, the SystemUser rights are granted; as a rule, these should not be deleted.
- LDAP attribute name: Name of the LDAP attribute.
- LDAP attribute value: Value of the LDAP attribute.
- HMI user group: Name of the human-machine interface group.
- Block certain users: By default, all LDAP users can log into the HMI and are assigned to HMI user groups according to the group mappings. If you want to completely prevent authentication for certain users, you can block users based on LDAP attributes using the blacklist or whitelist.
- Use whitelisting: If deactivated, blacklisting is used.
- Add accounts affected by group mappings to the whitelist: Treat each group mapping as a whitelist entry.
- Visible attributes: The names of the LDAP attributes that users can query from the LDAP directory entry linked to their account (e.g. user picture, room, phone number).
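As an added example (not part of this documentation and not the TwinCAT HMI LDAP extension's own code), the following Python evaluates the group mappings and block rules described above for one directory entry: each mapping grants an HMI user group when the entry carries the given attribute value, the block rules act as a blacklist or, with "Use whitelisting", as a whitelist, and "Add accounts affected by group mappings to the whitelist" lets a matched mapping count as a whitelist entry. The value comparison is case-insensitive unless the "taking upper/lower case into account" option from the advanced settings is set. Class and function names, the HMI group names and the example.com DNs are hypothetical.

```python
"""Added example (not the TwinCAT HMI LDAP extension's own code).

Evaluates group mappings and the block list for one LDAP account as the
settings on this page describe them. Names and sample DNs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttributeMatch:
    """One LDAP attribute name/value pair, as used by mappings and block rules."""
    attribute: str   # e.g. "memberOf"
    value: str       # e.g. a group DN

    def matches(self, attrs: dict[str, list[str]], case_sensitive: bool) -> bool:
        # LDAP attribute names are always compared case-insensitively; only
        # the value comparison depends on the configured option.
        for name, values in attrs.items():
            if name.lower() != self.attribute.lower():
                continue
            for v in values:
                if case_sensitive:
                    if v == self.value:
                        return True
                elif v.lower() == self.value.lower():
                    return True
        return False


@dataclass(frozen=True)
class GroupMapping:
    match: AttributeMatch
    hmi_group: str   # name of the TwinCAT HMI user group to grant


@dataclass
class GroupMappingConfig:
    mappings: list[GroupMapping]
    block_rules: list[AttributeMatch] = field(default_factory=list)
    use_whitelisting: bool = False      # "Use whitelisting"
    mappings_as_whitelist: bool = False # "Add accounts affected by group mappings to the whitelist"
    case_sensitive: bool = False        # "Compare attribute values, taking upper/lower case into account"


@dataclass(frozen=True)
class Decision:
    blocked: bool
    hmi_groups: frozenset[str]

    @property
    def can_log_in(self) -> bool:
        # Per the page, an LDAP user needs at least one mapped HMI group.
        return not self.blocked and bool(self.hmi_groups)


def evaluate(attrs: dict[str, list[str]], cfg: GroupMappingConfig) -> Decision:
    """Decide whether the account may log in and which HMI groups it receives."""
    matched = [m for m in cfg.mappings if m.match.matches(attrs, cfg.case_sensitive)]
    rule_hit = any(r.matches(attrs, cfg.case_sensitive) for r in cfg.block_rules)
    if cfg.use_whitelisting:
        listed = rule_hit or (cfg.mappings_as_whitelist and bool(matched))
        blocked = not listed
    else:
        blocked = rule_hit
    groups = frozenset() if blocked else frozenset(m.hmi_group for m in matched)
    return Decision(blocked=blocked, hmi_groups=groups)


# Constructed sample data: group DNs, a configuration and three directory entries.
OPERATORS_DN = "CN=Operators,OU=Groups,DC=example,DC=com"
CONTRACTORS_DN = "CN=Contractors,OU=Groups,DC=example,DC=com"

MAPPINGS = [
    GroupMapping(AttributeMatch("memberOf", OPERATORS_DN), "Operators"),
    GroupMapping(AttributeMatch("department", "Maintenance"), "Maintenance"),
]
RULES = [AttributeMatch("memberOf", CONTRACTORS_DN)]

BLACKLIST_CONFIG = GroupMappingConfig(MAPPINGS, RULES)
WHITELIST_CONFIG = GroupMappingConfig(MAPPINGS, RULES, use_whitelisting=True)
WHITELIST_PLUS_MAPPINGS = GroupMappingConfig(MAPPINGS, RULES, use_whitelisting=True,
                                             mappings_as_whitelist=True)
STRICT_CASE_CONFIG = GroupMappingConfig(MAPPINGS, RULES, case_sensitive=True)

ALICE = {"memberOf": [OPERATORS_DN], "department": ["Maintenance"]}
CARL = {"memberOf": [OPERATORS_DN, CONTRACTORS_DN], "department": ["Maintenance"]}
DANA = {"memberof": [OPERATORS_DN.lower()]}   # same group, different case

if __name__ == "__main__":
    for who, entry in (("alice", ALICE), ("carl", CARL), ("dana", DANA)):
        print(who, evaluate(entry, BLACKLIST_CONFIG))
```

Note how the same rule list flips meaning with "Use whitelisting": in blacklist mode the contractor entry is blocked, while in whitelist mode it is the only entry allowed unless mapped accounts are added to the whitelist as well. The `DANA` entry shows the effect of the case option: with the default comparison the group mapping still matches, with the case-sensitive option the user gets no HMI group and therefore cannot log in.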
Advanced settings
- Cache for automatically added user groups: This cache is required so that user groups that were added on the basis of group mappings can be removed correctly again.