Changing the Directory Service Settings


If your organization uses Microsoft Active Directory or an LDAP-compliant directory service provider such as Apache Active Directory, OpenLDAP Server, Oracle Unified Directory, and others, you can integrate it with FlowForce Server. From the FlowForce Server perspective, integration with a Directory Service provider means the following:

 

Users can log on to FlowForce Server with their domain user name and password.
Administrators can either allow existing domain users to log on to FlowForce Server with their domain credentials (that is, an implicit user import takes place), or they can explicitly import domain users and groups into FlowForce Server (see Importing Domain Users and Roles). In either case, the imported accounts are visible in the user administration pages of FlowForce Server. This enables administrators to grant or revoke privileges and permissions for groups or user accounts, in the same way as for the built-in FlowForce Server accounts (see How Privileges Work and How Permissions Work). Administrators can also assign FlowForce Server roles to groups or user accounts (see Assigning Roles to Users).
Administrators cannot rename or change the password of domain users imported into FlowForce Server.
Administrators cannot rename or change the membership of domain groups imported into FlowForce Server.
Administrators can delete imported domain accounts from FlowForce Server. This does not remove the accounts from the domain and does not change their associated domain privileges in any way.
If the imported domain accounts have FlowForce Server privileges and permissions assigned to them, they are displayed in privilege reports (see Viewing Privilege Reports).

 

To change the Directory Service settings, click Administration, and then click Settings.

The available settings are as follows:

 

Enable

Select this check box to enable users to log on to FlowForce Server with their domain user name and password.

 

If this option is enabled and the machine is a member of a Directory Service domain, an additional drop-down list called Login becomes visible on the FlowForce Server login page.

 

The Login drop-down list enables users to select the authentication option and contains the following items:

 

Directly. This is the default FlowForce Server authentication option.
[A specific domain], as applicable for the machine on which FlowForce Server runs.

 

See also Logging on to FlowForce Server.

Connect using

Select Active Directory to enable direct integration with Active Directory. This is applicable if FlowForce Server runs on Windows.

 

Select Lightweight Directory Access Protocol (LDAP) to enable integration with an LDAP-compliant Directory Service. Fill in the details as follows:

 

Host — Enter the host name, domain name, or IP address of the LDAP server. To add a port number, append a colon character, followed by the port number. For example, somehost:10389
User — Enter a user name that has administrative rights to query the directory service. The user name can be either in the form of a "Distinguished-Name" (for example, cn=name,dc=domain,dc=com) or a "User-Principal-Name" (for example, user@some.domain.com). Note: The "User-Principal-Name" format applies to Active Directory only; for other LDAP servers, use the "Distinguished-Name" format.
Password — The user's password. Note: If you mistype the password several times, the LDAP server may lock the account. In that case, make sure that the account is not locked out before proceeding.
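
A pre-flight check for the Host and User formats described above, as an added example (not Altova code). The function names and the server_is_ad flag are hypothetical, and rejecting a Host value with more than one colon is an assumption made here, since the page only describes the host:port form.

```python
import re

# Hypothetical helpers for checking values before they are saved in the UI.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")       # attr=value
_UPN = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")  # user@some.domain.com

def parse_host(host):
    """Split the Host field into (name, port); port is None when omitted."""
    host = host.strip()
    if not host:
        raise ValueError("Host is empty")
    if host.count(":") > 1:
        # Assumption: only host:port is accepted, so bare IPv6 is rejected.
        raise ValueError("Host has more than one colon")
    name, sep, port = host.partition(":")
    if not name:
        raise ValueError("Host name is missing before the colon")
    if not sep:
        return name, None
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"Invalid port: {port!r}")
    return name, int(port)

def classify_user(user):
    """Return 'dn', 'upn' or None for the User field."""
    user = user.strip()
    # Split on commas that are not backslash-escaped inside an RDN value.
    rdns = re.split(r"(?<!\\),", user)
    if all(_RDN.match(r.strip()) for r in rdns):
        return "dn"
    if _UPN.match(user):
        return "upn"
    return None

def check_settings(host, user, server_is_ad):
    """Return a list of problems; an empty list means the formats are valid."""
    problems = []
    try:
        parse_host(host)
    except ValueError as exc:
        problems.append(str(exc))
    kind = classify_user(user)
    if kind is None:
        problems.append("User is neither a Distinguished-Name nor a User-Principal-Name")
    elif kind == "upn" and not server_is_ad:
        problems.append("User-Principal-Name applies to Active Directory only")
    return problems
```

Running the check before entering the values avoids repeated failed binds caused by a malformed user name, which count toward the lockout mentioned in the Password note.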

 

In some cases, LDAP servers can have arbitrary schemas that do not fit into a particular standard. If FlowForce Server cannot detect the schema of your LDAP provider, an error similar to "Directory Service detected an invalid LDAP schema" is displayed. In this case, copy the directoryservice.cfg file to the same directory as the FlowForce Server executable. When this file is present, FlowForce Server will not attempt to detect the schema of the LDAP provider automatically.

Allow any domain users to log in

Select this check box if a user's domain account should be imported into the FlowForce user database the first time the user logs on to FlowForce with domain credentials.

 

If this option is disabled, domain users can log on to FlowForce Server only if their account has already been imported into FlowForce Server by an administrator (see Importing Domain Users and Roles).

Default login domain

This option is visible after the Enable check box is selected and the settings have been saved.

 

The drop-down list displays all domains that this machine is a member of. The same list of domains will be visible to users on the FlowForce login page if Directory Service authentication is enabled (see the first option above).

 

Select the Set domain login as default check box if the domain should be selected as the default choice in the Login drop-down list of the FlowForce Server authentication page.

 

If you clear the Set domain login as default check box, the built-in FlowForce Server authentication ("Directly") is the default choice.


© 2019 Altova GmbH