LDAP User Authentication

You can configure user authentication to use an LDAP server to perform user name and password authentication. When user name and password authentication with LDAP is in effect and a security domain requestor first connects to a metaspace, TIBCO ActiveSpaces prompts the user to enter their:

Login user name

Login password

The login information entered is passed to the security domain controller, which connects to the LDAP server configured in the security policy file and uses that server to authenticate the user.
Note: Remember that LDAP authentication is supported only with Java agents or the Java API.

To configure the security policy file to perform user name and password authentication with an LDAP server over an unencrypted (plain TCP) connection, the authentication setting uses the following format. Note that on such a connection the user name and password sent to the LDAP server cross the network in clear text, so use this form only on a trusted network or for testing and prefer the SSL/TLS form described below:

authentication=userpwd;source=ldap;name=<LDAP object name>;
host=<LDAP server name>;plainPort=<port number>;
baseDN=<DN of parent>;hint=<message displayed to user>

where the parameters for the unencrypted LDAP connection are:

name
  The LDAP attribute that identifies the user entry and is queried for the entered login user name (for example, cn for common name, uid for user ID).
host
  The fully qualified domain name of the LDAP server (for example, ldapsrvr.com).
plainPort
  The port on which the LDAP server listens for clear text (unencrypted) TCP/IP connections (default: 389).
baseDN
  The distinguished name of the parent of the LDAP subtree that contains the user entries (for example, dc=users,dc=com).
hint
  A message displayed to the user as a hint of what to enter.

If the connection to the LDAP server must be secured with SSL/TLS, the authentication setting uses the following format:

authentication=userpwd;source=ldap;name=<LDAP object name>;
host=<LDAP server name>;securePort=<port number>;trustStore=<LDAP keystore>;
baseDN=<DN of parent>;hint=<message displayed to user>

where the parameters for the secure LDAP connection are:

name
  The LDAP attribute that identifies the user entry and is queried for the entered login user name (for example, cn for common name, uid for user ID).
host
  The fully qualified domain name of the LDAP server (for example, ldapsrvr.com).
securePort
  The port on which LDAP clients connect to the LDAP server using SSL/TLS (default: 636).
trustStore
  Path to a file containing the secure LDAP server's certificate chain, used to verify the server when the connection is established.
baseDN
  The distinguished name of the parent of the LDAP subtree that contains the user entries (for example, dc=users,dc=com).
hint
  A message displayed to the user as a hint of what to enter.

The security domain controller uses the contents of the truststore to authenticate the LDAP server when establishing the connection, so the truststore should contain only the certificates needed to verify that server. The truststore can be a .p7b (PKCS#7) file containing only certificates and certificate chains, with no private keys. If the LDAP server certificate is self-signed, the truststore can instead be that certificate alone, as a .pem file or in binary DER format.
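To check a policy setting before rolling it out, here is an added Python example that is not part of the TIBCO documentation or product. It parses both forms of the authentication setting shown above, applies the documented port defaults (389 and 636), flags the clear-text form, rejects a secure form that has no trustStore, and classifies a truststore file as .p7b, .pem or DER from its leading bytes. The host and trust store path are placeholders, the sample file headers are constructed, and the rule that plainPort and securePort are mutually exclusive as well as the assumption that the user entry is located with a search filter of the form (<name>=<login>) under baseDN are assumptions of the example, not statements from the page.

```python
# Added example (not TIBCO ActiveSpaces code): parse and sanity-check an LDAP
# "authentication" setting from a security policy file, and classify the
# trustStore file by format (.p7b, .pem or DER).
# Assumptions not taken from the page: pairs are ';'-separated with
# case-sensitive keys exactly as in the documented format; plainPort and
# securePort are mutually exclusive; the user entry is located with a search
# filter (<name>=<login>) under baseDN, so the login is RFC 4515-escaped.
import re

LDAP_KEYS = {"authentication", "source", "name", "host", "plainPort",
             "securePort", "trustStore", "baseDN", "hint"}
PEM_MARKER = b"-----BEGIN "
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), the content
# type at the top of a .p7b certificate bundle
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def parse_setting(text):
    """Split 'key=value;key=value' (line breaks between pairs allowed) into a dict."""
    setting = {}
    for pair in re.split(r";\s*", text.strip()):
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError(f"malformed pair: {pair!r}")
        key, value = pair.split("=", 1)  # values such as baseDN contain '='
        key, value = key.strip(), value.strip()
        if key not in LDAP_KEYS:
            raise ValueError(f"unknown key: {key!r}")
        if key in setting:
            raise ValueError(f"duplicate key: {key!r}")
        setting[key] = value
    return setting


def validate_ldap_setting(setting):
    """Return (mode, port, warnings); raise ValueError if the setting is unusable."""
    if setting.get("authentication") != "userpwd" or setting.get("source") != "ldap":
        raise ValueError("not an LDAP user name/password authentication setting")
    for key in ("name", "host", "baseDN"):
        if not setting.get(key):
            raise ValueError(f"missing required key: {key}")
    if "plainPort" in setting and "securePort" in setting:
        raise ValueError("plainPort and securePort are mutually exclusive")
    if "securePort" in setting or "trustStore" in setting:
        if not setting.get("trustStore"):
            raise ValueError("a secure connection requires trustStore")
        return "secure", int(setting.get("securePort") or 636), []
    # clear-text TCP: the bind credentials are visible to anyone on the path
    return "plain", int(setting.get("plainPort") or 389), [
        "plainPort: user name and password cross the network unencrypted"]


def _der_inner(data):
    """Skip the outer SEQUENCE tag and length of a DER blob; return what follows."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length_byte = data[1]
    offset = 2 + ((length_byte & 0x7F) if length_byte & 0x80 else 0)  # long form
    return data[offset:]


def truststore_format(data):
    """Classify truststore bytes as 'pem', 'pkcs7' (.p7b) or 'der' (one certificate)."""
    if data.lstrip().startswith(PEM_MARKER):
        return "pem"
    inner = _der_inner(data)
    if inner.startswith(PKCS7_SIGNED_DATA_OID):
        return "pkcs7"  # ContentInfo { contentType signedData, ... }
    if inner[:1] == b"\x30":
        return "der"    # Certificate { tbsCertificate SEQUENCE, ... }
    raise ValueError("DER data is neither a PKCS#7 bundle nor an X.509 certificate")


def ldap_filter_for_login(setting, login):
    """Search filter for the user's entry; escapes the user-controlled login (RFC 4515)."""
    escaped = "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in login)
    return f"({setting['name']}={escaped})"


def check_setting(text, truststore_bytes=None):
    """Parse, validate and summarise a setting, classifying the truststore if given."""
    setting = parse_setting(text)
    mode, port, warnings = validate_ldap_setting(setting)
    summary = {"mode": mode, "host": setting["host"], "port": port,
               "baseDN": setting["baseDN"], "warnings": warnings}
    if mode == "secure" and truststore_bytes is not None:
        summary["truststore_format"] = truststore_format(truststore_bytes)
    return summary


# Constructed sample settings (host, path and DN values are placeholders)
PLAIN_SETTING = """authentication=userpwd;source=ldap;name=uid;
host=ldapsrvr.com;plainPort=389;
baseDN=dc=users,dc=com;hint=Enter your corporate login"""
SECURE_SETTING = """authentication=userpwd;source=ldap;name=uid;
host=ldapsrvr.com;securePort=636;trustStore=/etc/activespaces/ldap.p7b;
baseDN=dc=users,dc=com;hint=Enter your corporate login"""

# Constructed file headers: the leading bytes of a PEM file, a .p7b bundle and
# a DER certificate (only the leading structure matters for classification)
PEM_HEADER = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
P7B_HEADER = b"\x30\x82\x04\x00" + PKCS7_SIGNED_DATA_OID + b"\xa0\x82\x03\xf1"
DER_HEADER = b"\x30\x82\x03\x10\x30\x82\x01\xf8\xa0\x03\x02\x01\x02"

if __name__ == "__main__":
    print(check_setting(PLAIN_SETTING))
    print(check_setting(SECURE_SETTING, P7B_HEADER))
    print(ldap_filter_for_login(parse_setting(SECURE_SETTING), "alice*)(uid=*"))
```

Run it against the real policy file contents and the real truststore bytes; the plain form always yields a warning, and a securePort setting without a trustStore, or a truststore that is neither PEM, PKCS#7 nor a DER certificate, is rejected before the policy reaches the security domain controller.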