Corporate or campus installations that already use Windows Active Directory or other LDAP-based “directory services” to manage user access across distributed networked resources can benefit from configuring NiagaraAX stations to use an LDAP user service. Benefits include:
Automatic creation of station user accounts upon LDAP user login, with pre-determined permissions (set by UserPrototypes, as configured under the station’s LDAP user service). LDAP-sourced users automatically reflect existing User property data like email address, full name, and language.
Starting in AX-3.8, the ability to use Kerberos authentication for access to NiagaraAX stations by LDAP users, available for LDAPv3-based systems (Active Directory or other LDAP systems). Kerberos offers a high level of security, albeit with some required client setup of hosts and browsers.
Station login for Kerberos-authenticated systems (either from Workbench or a client browser) offers choices for LDAP users to “log in as current user” (without any need to enter credentials), or alternatively to log in as a different user, providing credentials. This simplifies access for most users.
Kerberos is not supported on any “J9 Java VM” (JACE-2/4/5 series) platform.
Bypass of any necessary NiagaraAX “network user” configuration, which is incompatible with any station configured with an LDAP user service. Thus, most central management of station users remains coordinated by the installation’s existing LDAP (AD) server.
There is no “hybrid” support for both LDAP users and the “network users” feature of a NiagaraNetwork. Therefore, all stations (both Supervisors and JACEs) on an LDAP-served installation require the “standard” UserService to be replaced by an LDAP user service.
Copyright © 2000-2016 Tridium Inc. All rights reserved.