Before you can configure your hosts for LDAP authentication, your stations need to be licensed, you need to collect information from your LDAP and Kerberos administrators, and you need to provide information to your LDAP administrator.
Licensing
Each Niagara platform (Supervisor and JACE) must be licensed for LDAP user services.
LDAP environment and properties
Each Niagara host (Supervisor and controller) must be on a network with an existing LDAP server. The server must support LDAPv2 or later.
You need at least the following information from your LDAP system administrator:
- URL for the LDAP server, in the form ldap://your.domain.net:nnn, where your.domain.net is the host name of the LDAP server and nnn is the port, if the server listens on a port other than the standard, default LDAP port. If the server uses a standard port (389, or 636 if you are using SSL/TLS), you do not need to include the port in the URL.
- User names for logging in to each station as they appear in the LDAP directory.
Information your LDAP system administrator may need from you
- The name of the user prototype (group) to associate with each user (such as, manager, operator, etc.).
- Your name for each station.
Kerberos prerequisites
You need the following information from your Kerberos administrator:
- Kerberos realm name (should be in UPPERCASE).
- Key Distribution Center URL.
- A service name (based on the station name you provided) for each station. This URL-style name must be set up by your Kerberos administrator on the LDAP server. This name should be in the form:
http/somename.domain.com
where somename is the name by which you will access your station via a browser, and domain.com is your realm.
This name must be trusted for delegation. If you are not planning for Kerberos authentication via the browser, you can use a regular user name (not a service).
- A keytab file or a password for each service name (station). Services typically require a keytab file, whereas users typically use a password.
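Because the LDAP URL and the Kerberos values above are easy to get subtly wrong (a lowercase realm, a service name that is not in the http/somename.domain.com form, a default port spelled out, a keytab supplied together with a password), it helps to sanity-check the collected values before typing them into a station. The following script is an added example and is not part of the Niagara documentation or product; the host names, realm and keytab file name in it are constructed for illustration. It checks both the LDAP server URL from the "LDAP environment and properties" list and the Kerberos items from the "Kerberos prerequisites" list.

```python
"""Sanity-check LDAP and Kerberos values collected from administrators
before they go into a station's LDAP user service configuration.
Added example; all sample values are constructed, not real hosts."""
import re
from urllib.parse import urlsplit

# Standard ports named in the documentation: 389 for ldap://, 636 for ldaps:// (SSL/TLS).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Service name form required for browser (Kerberos) login: http/somename.domain.com
SERVICE_NAME_RE = re.compile(r"^http/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def check_ldap_url(url):
    """Return (errors, warnings) for an LDAP server URL string."""
    errors, warnings = [], []
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        errors.append("scheme must be ldap:// or ldaps://")
        return errors, warnings
    if not parts.hostname:
        errors.append("host name is missing")
    try:
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        errors.append("port is not a number")
        return errors, warnings
    if port == DEFAULT_PORTS[parts.scheme]:
        warnings.append("port %d is the default for %s and may be omitted" % (port, parts.scheme))
    if parts.scheme == "ldap":
        # Without SSL/TLS the station's bind credentials cross the network in clear text.
        warnings.append("ldap:// without TLS sends the bind password in clear text")
    return errors, warnings


def check_kerberos(realm, service_name, keytab=None, password=None, browser_login=True):
    """Return (errors, warnings) for the values supplied by the Kerberos administrator.

    realm         Kerberos realm name, expected in UPPERCASE
    service_name  http/somename.domain.com for browser login, or a plain user name otherwise
    keytab        keytab file name (services), mutually exclusive with password
    password      password (regular users), mutually exclusive with keytab
    browser_login whether Kerberos authentication via the browser is planned
    """
    errors, warnings = [], []
    if realm != realm.upper():
        errors.append("realm name must be UPPERCASE")
    if SERVICE_NAME_RE.match(service_name):
        # domain.com in the service name should be the realm, compared case-insensitively
        host_domain = service_name.split("/", 1)[1]
        if not host_domain.lower().endswith("." + realm.lower()):
            warnings.append("service name domain does not match the realm")
        if keytab is None:
            warnings.append("services typically use a keytab file, not a password")
    elif browser_login:
        errors.append("browser Kerberos login needs a service name of the form http/somename.domain.com")
    if (keytab is None) == (password is None):
        errors.append("supply exactly one of keytab or password")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    print(check_ldap_url("ldaps://ldap.example.net"))
    print(check_ldap_url("ldap://ldap.example.net:389"))
    print(check_kerberos("EXAMPLE.COM", "http/station1.example.com", keytab="station1.keytab"))
    print(check_kerberos("example.com", "http/station1.example.com", password="secret"))
```

Errors are values the station will not work with (wrong scheme, lowercase realm, a browser-login setup without a proper service name, both or neither of keytab and password); warnings are choices that work but that a reviewer would want to look at, such as a plain ldap:// URL on a production network.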