
To access this view, double-click your LDAP network device driver row in the Remote Drivers view, click the LdapServers tab, and double-click the server row in the table or select the server row and click the Hyperlink button.
The view title, LdapServer in this example (this name may be different in your system), displays in the top left corner above the buttons and link.
In addition to the standard properties (Status, Enabled, Fault Cause, Health, and Alarm Source Info), these properties support the Ldap server.
| Property | Value | Description |
|---|---|---|
| Ldap Connection | additional properties | Refer to LDAP Connection properties. |
| Vendor Name | read-only | Identifies the name of the LDAP server vendor. |
| Vendor Version | read-only | Reports the software version of the LDAP server. |
| Supported L D A P Version | read-only | Reports the supported version number. |
| User SearchBase | text | Defines where to start searching for personnel in the LDAP server hierarchy. ou stands for organizational unit. dc stands for domain controller. dn stands for distinguished name. This name both uniquely identifies an entry in the LDAP database and describes its position in the hierarchy. |
| User SearchFilter | text | Defines where to start searching for personnel in the LDAP server hierarchy. ou stands for organizational unit. dc stands for domain controller. dn stands for distinguished name. This name both uniquely identifies an entry in the LDAP database and describes its position in the hierarchy. |
| Search Scope | drop-down list | Defines how much of the User Search Base to actually search. |
| Polling Interval | plus or minus hours minutes and seconds | Defines how frequently to poll the LDAP server. |
| Periodic purge schedule | read-only | When a personnel record is deleted from the system database, it needs to be deleted from the LDAP server. The system removes deleted records from the LDAP server on a regular schedule, which is documented here. This schedule can be changed using |
| Ldap Import Config | additional properties | Refer to Ldap Import Config. |

These properties configure the physical connection between the Supervisor PC and the LDAP server.

You access these properties by navigating to . Then you double-click the LDAP network driver row in the table, click the LdapServers tab, double-click the LDAP server name in the table, and expand the Ldap Connection property group.
| Property | Value | Description |
|---|---|---|
| Connection Host | URL or IP Address | Defines the URL or IP address of the platform on which the Ldap Server is running. The location may be on the same computer or elsewhere available on an intranet or the Internet. |
| Connection Port | number | Defines the port over which the computer communicates with the server. |
| Enable TLS | true or false (default) | Configures secure communication between the station and network devices. By default, the system uses TLS secure communication. You would change this network property to false only if a legacy device (camera) cannot support TLS. If some devices on your network support TLS and others do not, you may add two networks of the same type: one for the secure devices, and the other for those that do not support security. |
| Authentication Mechanism | drop-down list; defaults to None | Identifies the method used to verify the identity of the LDAP server to its client, the system database. For information about these options, refer to the Niagara Station Security Guide. |
| Connection User | name | Defines the LDAP server attributes for the system administrator. uid=admin is an example of the distinguished name for this user. dc=com is the user parent class. |
| Connection Password | password | Defines the password for the user specified in property Connection User. When used, requires a valid password in the LDAP server. The system uses this password to connect to the server for authentication. |
| Enable Connection Pooling | true (default) or false | Enables (true) and disables (false) the use of a connection pool. To speed processing, LDAP servers maintain a pool of connections. A request from the system that uses an existing connection saves valuable processing time, which improves system performance. Do not change the default (true = enabled) setting unless you know what you are doing. |
| Initial Size | number (defaults to 0) | Defines the number of pooling connections. |
| Max Size | number (defaults to 10) | Defines the maximum number of connections to the LDAP server that the system supports concurrently. |
| Pref Size | number (defaults to 0) | Defines the preferred number of connections to the LDAP server that the system supports concurrently. |

User Search Base, User Search Filter or Search Scope), and then purge records from the system, the purge deletes all existing personnel records in the database. If this happens,
personnel will not have access to your facility.
Defines where to start searching for personnel in the LDAP server hierarchy.
ou stands for organizational unit. dc stands for domain controller.
dn stands for distinguished name. This name both uniquely identifies an entry in the LDAP database and describes its position in the hierarchy.
You would change this property to access the personnel records for a specific tenant or other group.
Rather than requiring you to type the LDAP server attribute equivalents, this window provides a list from which to choose.

You access this window by clicking the chevron to the right of User Search Base on the Ldap Server tab.
User Search Base, User Search Filter or Search Scope), and then purge records from the system, the purge deletes all existing personnel records in the database. If this happens,
personnel will not have access to your facility.
Defines the objectClass (metadata) associated with each personnel record. This objectClass identifies the record as a personnel record versus a system or other record type in the server database.
This chooser adds metadata (text strings), which the system uses to search the LDAP server.

You access these properties by clicking the chevron next to User Search Filter property on the Ldap Server tab.
The three control buttons (Add, Edit and Delete) perform standard functions.
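
The purge caution above suggests a check before changing User Search Base, User Search Filter or Search Scope. The following added example (not from the product documentation) evaluates the current and a proposed setting against a constructed snapshot of directory entries and reports which personnel would drop out of the result set. The scope names are the standard LDAP ones (base, one, sub), not the product's drop-down labels, and all function names, sample DNs and the threshold are hypothetical.

```python
# Added example: constructed data; helper names and the threshold are hypothetical.

def parse_dn(dn):
    """Split a DN into normalized RDNs (sample DNs contain no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def in_scope(entry_dn, base_dn, scope):
    """Standard LDAP scopes: base (entry itself), one (direct children), sub (subtree)."""
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope: {scope}")
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False  # entry is not located under the search base
    return scope == "sub" or depth == {"base": 0, "one": 1}[scope]

def search(entries, base_dn, object_class, scope):
    """DNs under base/scope whose objectClass values include object_class."""
    wanted = object_class.lower()
    return {dn for dn, classes in entries
            if in_scope(dn, base_dn, scope) and wanted in {c.lower() for c in classes}}

def preview_change(entries, current, proposed):
    """Diff the result sets of two (base, objectClass, scope) settings."""
    before, after = search(entries, *current), search(entries, *proposed)
    return {"kept": before & after, "dropped": before - after, "added": after - before}

def safe_to_purge(diff, max_dropped_ratio=0.1):
    """Assumed guard: block a purge when the change drops too many current records."""
    before = len(diff["kept"]) + len(diff["dropped"])
    return len(diff["dropped"]) <= max_dropped_ratio * before

DIRECTORY = [  # constructed sample entries: (DN, objectClass values)
    ("uid=alice,ou=people,dc=example,dc=com", ["inetOrgPerson", "person"]),
    ("uid=bob,ou=people,dc=example,dc=com", ["inetOrgPerson", "person"]),
    ("uid=carol,ou=tenantA,ou=people,dc=example,dc=com", ["inetOrgPerson"]),
    ("cn=backup,ou=services,dc=example,dc=com", ["applicationProcess"]),
]
CURRENT = ("ou=people,dc=example,dc=com", "inetOrgPerson", "sub")
PROPOSED = ("ou=tenantA,ou=people,dc=example,dc=com", "inetOrgPerson", "sub")

if __name__ == "__main__":
    diff = preview_change(DIRECTORY, CURRENT, PROPOSED)
    for name in ("kept", "dropped", "added"):
        print(name, sorted(diff[name]))
    print("safe to purge:", safe_to_purge(diff))
```
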
These properties configure the import action from the LDAP server to the station database. By default, the system imports data from the LDAP server once every hour. The maximum number of personnel records the system can import at one time is 5000. This number is not likely to be reached within the space of one hour.

| Property | Value | Description |
|---|---|---|
| Import Frequency | drop-down menu | Selects how frequently to import users: Hourly, Daily, Weekly or Instant (instantly). |
| Last Import Time | read-only | Displays the date and time of the last successful import. |
| Group Attribute | text | Defines the LDAP server group attribute that provides the LDAP group Distinguished Name. Each LDAP user belongs to a group. Specify the attribute that holds the group and is associated with an access right in the LDAP server. |
| Allow New Inactive Users | true (default) or false | Indicates that users may be added before they are activated in the system. |
| Status Attribute | read-only | Reports LDAP user status: active or inactive. A user with inactive status could possibly be marked for deletion from the database. For example, it could be a person that no longer works at the owning company. |
| Active Status Values (Comma Separated) | text values, comma separated | Defines a list of values, which indicate a valid user status. This list is specific to your organization’s personnel policies. |
| Account Expiry Date Time Attribute | text | Specifies the name of the account expiry attribute in the LDAP server. Some LDAP servers configure user accounts to expire on a specific date, at a specific time. This name identifies the attribute that contains this information. The security system’s import job ignores data from any user account that has expired. |