Configuring LDAP authentication in IAG

Applies To: Intelligent Application Gateway (IAG)

Lightweight Directory Access Protocol (LDAP) is a protocol for accessing online directory services. An LDAP authentication server keeps information about users, including the information needed to authenticate them (user properties and authentication settings), in directories, which are special-purpose databases. When a connection request arrives at a Whale Communications Intelligent Application Gateway (IAG) 2007 server, the user name and password submitted by the user are validated against the LDAP directory.

IAG implements the following LDAP authentication schemes:

  • Netscape Directory Server (V. 4.1)

  • Notes Directory Server

  • Novell Directory Server

  • Active Directory directory service for Windows Server 2003 or Windows 2000 Server

All of the supported LDAP authentication schemes provide the following:

  • Operating with two LDAP authentication servers—If the primary LDAP server cannot be reached, IAG User Manager accesses the alternate LDAP server.

  • Supporting a secure port—If the authentication server listens on a secure (LDAP over SSL) port, IAG uses a secure connection to it, even if the scheme was not defined as secure when it was configured.

  • Accepting a user name without its context (Novell Directory Server only)—A unique user does not need to enter the context when entering the user name. A user is unique when it appears in only one context in the tree or, if a "Base" is defined, in only one context under the Base.

LDAP authentication flow

The following figure illustrates the authentication process users go through when the LDAP authentication scheme is implemented with one authentication server.

Note

The figure shows three login attempts, after which login failure is final. The actual number of login attempts users are allowed is determined in the Authentication tab, in Permitted Authentication Attempts.

Figure: LDAP Authentication Flow (image not reproduced here)

Configuring the LDAP authentication server or servers

The system administrator has to configure the LDAP server or servers used in the scheme, and that configuration determines how the User Name text box appears in the login page:

  • If the User Name box appears empty, the user has to enter the complete distinguished name, including the hierarchical address.

  • If the login page is configured so that the hierarchical address is displayed automatically in the text box, the user has to enter only the user name.

In either case, the system administrator has to make sure that during the authentication process the complete distinguished name is passed on to the validation page.
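The following script is an added illustration of the behaviour described on this page (failover to the alternate server, the secure-port rule, the Novell-style unique-user lookup under a Base, the limited number of login attempts, and the requirement that the validation step always receives a complete distinguished name). It is not IAG code: the servers and the directory are an in-memory model built from constructed sample data so that it runs offline, and the host names, DNs, passwords and function names are assumptions made for the example.

```python
"""Simulated IAG-style LDAP login flow (added illustration, not IAG code).

The directory and both servers are an in-memory model built from constructed
sample data, so the script runs offline. In a real deployment `bind` would be
a simple bind over the network; the decision logic around it is the point.
"""
from dataclasses import dataclass, field

# Constructed sample directory: DN -> password. A real server stores hashes.
SAMPLE_DIRECTORY = {
    "cn=alice,ou=sales,o=corp": "alice-pw",
    "cn=bob,ou=sales,o=corp": "bob-pw",
    "cn=bob,ou=eng,o=corp": "bob-eng-pw",     # "bob" is NOT unique under o=corp
    "cn=carol,ou=eng,o=corp": "carol-pw",
}


@dataclass
class LdapServer:
    host: str
    port: int
    up: bool = True
    entries: dict = field(default_factory=lambda: dict(SAMPLE_DIRECTORY))

    @property
    def url(self):
        # Secure port: port 636 is taken to mean an LDAPS (TLS) connection even
        # if the scheme was not explicitly marked as secure when it was defined.
        return f"{'ldaps' if self.port == 636 else 'ldap'}://{self.host}:{self.port}"

    def _check_up(self):
        if not self.up:
            raise ConnectionError(f"{self.url} unreachable")

    def bind(self, dn, password):
        """Simple bind with a full DN. True on success, False on bad credentials."""
        self._check_up()
        return self.entries.get(dn) == password

    def resolve_unique(self, user, base=None):
        """Novell-style lookup: find every context (under `base`, or in the whole
        tree when no Base is defined) that holds cn=<user>. Return the DN only
        when it is unique; an ambiguous short name must not be guessed."""
        self._check_up()
        prefix = f"cn={user.lower()},"
        suffix = f",{base.lower()}" if base else ""
        matches = [dn for dn in self.entries
                   if dn.lower().startswith(prefix) and dn.lower().endswith(suffix)]
        return matches[0] if len(matches) == 1 else None


def authenticate(servers, user_input, password, base=None):
    """Validate one credential pair against the primary server, falling back to
    the alternate only when the primary cannot be reached. A wrong password is a
    definitive answer and must never trigger failover."""
    for srv in servers:
        try:
            # The validation step always needs a complete DN: either the user
            # typed one, or it is derived from a unique short name.
            dn = user_input if "=" in user_input else srv.resolve_unique(user_input, base)
            if dn is None:
                return False     # unknown or ambiguous short name: full DN required
            return srv.bind(dn, password)
        except ConnectionError:
            continue             # primary unreachable: try the alternate server
    raise ConnectionError("no configured LDAP server is reachable")


def login_session(servers, attempts, permitted_attempts=3, base=None):
    """Run the login flow over a list of (user_input, password) tries.
    Returns (success, attempts_used); once permitted_attempts have failed the
    failure is final, mirroring the Permitted Authentication Attempts setting."""
    used = 0
    for user_input, pw in attempts:
        if used >= permitted_attempts:
            break
        used += 1
        if authenticate(servers, user_input, pw, base):
            return True, used
    return False, used


if __name__ == "__main__":
    primary = LdapServer("ds1.corp.example", 636, up=False)   # primary is down
    alternate = LdapServer("ds2.corp.example", 636)
    pool = [primary, alternate]
    print(authenticate(pool, "cn=alice,ou=sales,o=corp", "alice-pw"))      # True, via ds2
    print(authenticate(pool, "bob", "bob-pw", base="o=corp"))              # False: ambiguous
    print(authenticate(pool, "bob", "bob-eng-pw", base="ou=eng,o=corp"))   # True
    print(login_session(pool, [("alice", "x"), ("alice", "y"), ("alice", "z"),
                               ("alice", "alice-pw")], base="o=corp"))      # (False, 3)
```

Two design points carry over to a real deployment: failover is triggered only by a transport failure, never by a rejected password (otherwise an attacker gets two guesses per attempt and a mismatched replica can let a stale password through), and a short user name that matches more than one context is rejected rather than resolved to the first hit.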