CatDV Server supports authentication of users against an LDAP server – either Active Directory (Windows) or Open Directory (Mac). Once configured users can log into CatDV Server (either using the desktop client application or Web Client) using their domain/workgroup account.
Configuring LDAP Authentication
To configure CatDV Server to use an LDAP authentication server go to the CatDV Server Control panel and click on the Server Config button, which will display the Edit Server Config screen. In this screen click on the LDAP tab as shown below:
You need to provide the following information:
- LDAP Server Address – This can be either an IP address or domain name of the LDAP server. This will typically be the Windows Domain Controller or Mac OS Server.
- Port – The TCP port used to connect to the LDAP service. This should not need changing from its default value of 389.
- Server Type – Specify whether your LDAP server is Active Directory (Windows) or Open Directory (Mac OS). Currently these are the only two supported options.
- Required Group – If this field is filled in then only users that are members of the specified user group will be able to connect to CatDV.
- Group Mappings – This table contains a list of mappings that map one or more user groups (defined in the LDAP directory) to CatDV roles. When a user logs in to CatDV using their Active Directory/Open Directory account the role that they are assigned will depend on the groups that they are a member of. Mappings are applied in the order they appear in this list. The first matching mapping determines the user’s role.
LDAP Group Mappings
The list of mappings can be managed using the + and – buttons to add and delete entries and by double-clicking on an entry to edit it.
The edit screen is shown below:
The LDAP groups field is a simple text field where each group is entered on a separate line. A user must, either directly or indirectly (through an intermediate group), be a member of all the listed groups before they are assigned to the CatDV Role given in the CatDV Role field.
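The following is an added example, not CatDV's own code: it models the role resolution described above (Required Group check, then ordered mappings where a user must belong to all of a mapping's groups, directly or through nested groups, and the first match wins). The directory contents, group names and role names are constructed for illustration.

```python
# Added example (not CatDV code): models the LDAP group-to-role resolution described above.
from collections import deque

# Constructed directory: group -> set of direct members (user names or nested groups).
DIRECTORY = {
    "CatDV Users": {"alice@example.org", "bob@example.org", "Media Editors"},
    "Media Editors": {"carol@example.org"},
    "CatDV Admins": {"alice@example.org"},
}

# Ordered mappings as entered in the Group Mappings table: (LDAP groups, CatDV role).
# A user must be a member of ALL listed groups; the first matching mapping wins.
MAPPINGS = [
    (["CatDV Admins", "CatDV Users"], "Administrator"),
    (["Media Editors"], "Editor"),
    (["CatDV Users"], "Viewer"),
]

REQUIRED_GROUP = "CatDV Users"  # assumed value of the Required Group field


def is_ldap_account(name):
    """CatDV treats the presence of '@' as the signal that an LDAP account is used."""
    return "@" in name


def effective_groups(user, directory):
    """Every group the user belongs to, directly or through intermediate groups."""
    result = set()
    queue = deque(g for g, members in directory.items() if user in members)
    while queue:
        group = queue.popleft()
        if group in result:
            continue  # already visited; also guards against circular nesting
        result.add(group)
        queue.extend(p for p, members in directory.items() if group in members)
    return result


def resolve_role(user, directory=DIRECTORY, mappings=MAPPINGS, required_group=REQUIRED_GROUP):
    """Return the CatDV role for an LDAP user, or None if the user may not connect."""
    if not is_ldap_account(user):
        return None  # a regular CatDV account; not resolved through the directory
    groups = effective_groups(user, directory)
    if required_group and required_group not in groups:
        return None  # fails the Required Group check
    for ldap_groups, role in mappings:
        if all(g in groups for g in ldap_groups):
            return role  # first matching mapping determines the role
    return None  # no mapping matched
```

Reordering the mappings changes the outcome for users who satisfy more than one, which is why the table order matters.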
Logging On using LDAP
To authenticate using Active Directory or Open Directory the user must enter an account name using the format username@domain. For example firstname.lastname@example.org (the older Active Directory DOMAIN\username format is not supported).
CatDV uses the presence of the ‘@’ symbol to denote that an LDAP account is being used. Other than that, the process is identical to connecting with a regular CatDV user account.
When the user logs in for the first time CatDV will create a CatDV user account that is linked to the LDAP account. This is used for auditing purposes only. The password and roles on this linked account are not used – they come from the LDAP directory.
The LDAP screen in the CatDV Control Panel includes a simple LDAP Browser function that can be useful to confirm that you can connect to your LDAP Server and also to check the exact names of the Groups as they appear to CatDV.
To launch the LDAP browser click on the Browse button on the LDAP screen. You will be prompted for your Windows credentials and you should then see the screen above. You may need specific permissions to browse the LDAP catalog depending on how your server is configured.
When connecting to Active Directory CatDV uses the userPrincipalName property of the LDAP User record to identify users. Usually this will contain the user’s email address, but that is not mandatory, so you may need to check what value userPrincipalName is actually set to, as that determines the name users need to enter to log on.