
How to set up LDAP integration in a Niagara Station

LDAP (Lightweight Directory Access Protocol) integration allows Niagara 4 Stations to authenticate users against centralised directory services such as Active Directory, OpenLDAP, or other LDAP-compliant directories. This enables single sign-on capabilities and centralised user management.

Overview

LDAP integration provides:

  • Centralised Authentication: Users authenticate against central directory
  • Single Sign-On: Users can access multiple systems with one login
  • User Management: Centralised user account management
  • Group-Based Access: Leverage LDAP groups for access control
  • Reduced Administration: Less user management overhead

Prerequisites

Before configuring LDAP integration, ensure you have:

  • Administrative access to the Niagara Station
  • LDAP server details (hostname, port, base DN)
  • LDAP service account credentials (for binding)
  • Network connectivity to LDAP server
  • Understanding of your organisation's LDAP structure

Understanding LDAP Integration

How It Works

  1. User Login: User attempts to log into Niagara Station
  2. LDAP Query: Station searches the LDAP server for the user's directory entry
  3. Authentication: LDAP server verifies user credentials
  4. User Mapping: Station maps LDAP user to Station user account
  5. Access Grant: Station grants access based on mapped permissions

LDAP Components

  • LDAP Server: Directory server (e.g., Active Directory, OpenLDAP)
  • Base DN: Base distinguished name for searches
  • Bind DN: Service account for LDAP queries
  • User DN: Distinguished name pattern for users
  • Group DN: Distinguished name pattern for groups

Step-by-Step Configuration

Step 1: Gather LDAP Server Information

Collect the following information:

  • LDAP Server Host: Hostname or IP address
  • LDAP Port: Typically 389 (LDAP) or 636 (LDAPS)
  • Base DN: Base distinguished name (e.g., dc=example,dc=com)
  • Bind DN: Service account DN (e.g., cn=niagara,ou=services,dc=example,dc=com)
  • Bind Password: Service account password
  • User Search Base: Base DN for user searches
  • User Search Filter: LDAP filter for finding users (e.g., (sAMAccountName={0}))
  • Group Search Base: Base DN for group searches
  • Group Search Filter: LDAP filter for finding groups

Step 2: Access LDAP Service Configuration

  1. Open Niagara Workbench
  2. Connect to your target Station
  3. Navigate to Services in the Station tree
  4. Locate or create the LDAP Service

If the service doesn't exist:

  1. Right-click on Services
  2. Select New > Service > LDAP Service
  3. Enter a name (e.g., "LDAP Authentication Service")
  4. Click OK

Step 3: Configure LDAP Server Connection

  1. Right-click on the LDAP Service
  2. Select Properties
  3. Navigate to Connection or Server tab

Configure server settings:

  • LDAP Server: Enter LDAP server hostname or IP
  • Port: Enter LDAP port (389 for LDAP, 636 for LDAPS)
  • Use SSL/TLS: Enable for secure connections (LDAPS)
  • Connection Timeout: Set timeout value (typically 30 seconds)
  • Base DN: Enter base distinguished name

Step 4: Configure Authentication

Navigate to Authentication tab:

  • Bind DN: Enter service account distinguished name
  • Bind Password: Enter service account password
  • Authentication Method: Select authentication method (Simple, SASL, etc.)

Step 5: Configure User Search

Navigate to the User Search section:

  • User Search Base: Base DN for user searches (e.g., ou=users,dc=example,dc=com)
  • User Search Filter: LDAP filter for users
    • Active Directory: (sAMAccountName={0})
    • OpenLDAP: (uid={0})
    • Custom: Configure based on your LDAP schema
  • User DN Pattern: Pattern for user distinguished names
  • Username Attribute: Attribute containing username (e.g., sAMAccountName, uid)

Step 6: Configure Group Search (Optional)

If using LDAP groups for access control:

  1. Navigate to Group Search section

  2. Configure group settings:

    • Group Search Base: Base DN for group searches
    • Group Search Filter: LDAP filter for groups
    • Group Membership Attribute: Attribute indicating group membership
    • Group Name Attribute: Attribute containing group name

Step 7: Configure User Mapping

Set up how LDAP users map to Station users:

  • Auto-Create Users: Automatically create Station users for LDAP users
  • User Template: Template for creating new users
  • Default Roles: Default roles assigned to LDAP users
  • Group Mapping: Map LDAP groups to Station roles

Step 8: Test LDAP Connection

  1. In LDAP Service properties, locate Test Connection button
  2. Click Test Connection
  3. Review test results:
    • Connection Test: Verifies server connectivity
    • Bind Test: Verifies authentication credentials
    • User Search Test: Tests user search functionality
    • Group Search Test: Tests group search functionality

Step 9: Enable LDAP Service

  1. Ensure Enabled checkbox is selected
  2. Click OK to save configuration
  3. The service starts automatically once the configuration is saved

Step 10: Configure Station Authentication

  1. Navigate to Station > Properties
  2. Go to Security or Authentication tab
  3. Enable LDAP Authentication
  4. Select the configured LDAP Service
  5. Configure authentication order (LDAP first, then local, or vice versa)

Step 11: Test User Authentication

  1. Logout: Log out of current session
  2. Login Test: Attempt to log in with LDAP credentials
  3. Verify Access: Verify user has appropriate access
  4. Check Mapping: Verify user mapping and roles

Configuration Examples

Active Directory Configuration

LDAP Server: ad.example.com
Port: 389 (or 636 for LDAPS)
Base DN: dc=example,dc=com
Bind DN: cn=niagara,ou=services,dc=example,dc=com
User Search Base: ou=users,dc=example,dc=com
User Search Filter: (sAMAccountName={0})
Username Attribute: sAMAccountName
Group Search Base: ou=groups,dc=example,dc=com
Group Search Filter: (member={0})

OpenLDAP Configuration

LDAP Server: ldap.example.com
Port: 389 (or 636 for LDAPS)
Base DN: dc=example,dc=com
Bind DN: cn=niagara,ou=services,dc=example,dc=com
User Search Base: ou=people,dc=example,dc=com
User Search Filter: (uid={0})
Username Attribute: uid
Group Search Base: ou=groups,dc=example,dc=com
Group Search Filter: (memberUid={0})
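The following is an added example, not code from this page or from Niagara: it runs the login flow described under "How It Works" (service-account bind, user search, bind as the user, group search, role mapping) against a small in-memory stand-in for the directory, using the Active Directory settings listed above. Two points it makes explicit that the filter strings alone do not: the value substituted for {0} has to be escaped per RFC 4515 (a bare `*` is a wildcard and parentheses change the filter's structure), and {0} in the AD filter (member={0}) is the user's full DN, whereas OpenLDAP's (memberUid={0}) takes the bare uid. All DNs, account names and passwords are constructed sample values; `MockDirectory`, `LdapProfile`, `authenticate` and `login` are this example's own names, not Niagara APIs.

```python
"""Added example, not Niagara code: the login flow from 'How It Works' run against a
constructed in-memory directory, so it works offline.  The profile mirrors the
Active Directory example above; every DN, name and password is constructed."""
import re
from dataclasses import dataclass

# RFC 4515 escaping for any value substituted into a filter's {0} placeholder.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template: str, value: str) -> str:
    """Fill the {0} placeholder of a User/Group Search Filter with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))

def _value_regex(raw: str) -> re.Pattern:
    """Match a filter value the way a server does: \\xx escapes are literal, bare * is a wildcard."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if raw[i] == "*" else re.escape(raw[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)

class MockDirectory:
    """Stand-in LDAP server: dn -> attributes; userPassword holds the constructed secret."""
    def __init__(self, entries: dict):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513: a simple bind with an empty password is an anonymous bind, never a login.
        entry = self.entries.get(dn)
        return entry is not None and password != "" and password in entry.get("userPassword", [])

    def search(self, base: str, ldap_filter: str) -> list:
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            raise ValueError("only single equality filters are modelled: " + ldap_filter)
        attr, pattern = m.group(1), _value_regex(m.group(2))
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base.lower())
                and any(pattern.fullmatch(v) for v in attrs.get(attr, []))]

@dataclass(frozen=True)
class LdapProfile:
    user_search_base: str
    user_filter: str
    username_attr: str
    group_search_base: str
    group_filter: str
    group_filter_uses_dn: bool  # AD (member={0}) takes the user DN; OpenLDAP (memberUid={0}) takes the uid

def authenticate(directory, profile, bind_dn, bind_password, username, password,
                 group_roles: dict, default_roles: tuple):
    """Steps 1-5 of 'How It Works'; returns the mapped user, or None when login must fail."""
    if not directory.bind(bind_dn, bind_password):       # 1-2: service-account bind, then user search
        raise RuntimeError("Bind DN or Bind Password rejected by the directory")
    if password == "":                                    # refuse before the server treats it as anonymous
        return None
    matches = directory.search(profile.user_search_base, build_filter(profile.user_filter, username))
    if len(matches) != 1:                                 # unknown user, or a filter matching several entries
        return None
    user_dn = matches[0]
    if not directory.bind(user_dn, password):             # 3: the directory verifies the user's password
        return None
    key = user_dn if profile.group_filter_uses_dn else username
    groups = directory.search(profile.group_search_base, build_filter(profile.group_filter, key))
    roles = sorted({group_roles[g] for g in groups if g in group_roles}) or list(default_roles)
    return {"dn": user_dn, "username": directory.entries[user_dn][profile.username_attr][0],
            "groups": groups, "roles": roles}              # 4-5: mapping and access grant

# Constructed sample directory and the page's Active Directory profile values.
USERS, GROUPS = "ou=users,dc=example,dc=com", "ou=groups,dc=example,dc=com"
ALICE, BOB, CAROL = f"cn=Alice Adams,{USERS}", f"cn=Bob Brown,{USERS}", f"cn=Carol Chen,{USERS}"
SERVICE_DN, SERVICE_PW = "cn=niagara,ou=services,dc=example,dc=com", "svc-secret-CONSTRUCTED"
SAMPLE_DIRECTORY = MockDirectory({
    SERVICE_DN: {"userPassword": [SERVICE_PW]},
    ALICE: {"sAMAccountName": ["aadams"], "userPassword": ["alice-pw-CONSTRUCTED"]},
    BOB: {"sAMAccountName": ["bbrown"], "userPassword": ["bob-pw-CONSTRUCTED"]},
    CAROL: {"sAMAccountName": ["cchen"], "userPassword": ["carol-pw-CONSTRUCTED"]},
    f"cn=niagara-admins,{GROUPS}": {"member": [ALICE]},
    f"cn=niagara-operators,{GROUPS}": {"member": [ALICE, BOB]},
})
AD_PROFILE = LdapProfile(USERS, "(sAMAccountName={0})", "sAMAccountName", GROUPS, "(member={0})", True)
GROUP_ROLES = {f"cn=niagara-admins,{GROUPS}": "admin", f"cn=niagara-operators,{GROUPS}": "operator"}

def login(username: str, password: str):
    """Authenticate against the sample directory with the page's AD settings; 'viewer' is the default role."""
    return authenticate(SAMPLE_DIRECTORY, AD_PROFILE, SERVICE_DN, SERVICE_PW,
                        username, password, GROUP_ROLES, default_roles=("viewer",))

if __name__ == "__main__":
    for user, pw in [("aadams", "alice-pw-CONSTRUCTED"), ("cchen", "carol-pw-CONSTRUCTED"), ("bbrown", "wrong")]:
        print(user, "->", login(user, pw))
```

Running the module prints the result for a constructed admin (two mapped groups, two roles), a user in no mapped group (falls back to the default role) and a wrong password (None). The empty-password check sits before any bind because an LDAP simple bind with a DN and an empty password is treated by some servers as an anonymous bind that succeeds, which would turn a blank password field into a successful login if the client relied on the bind result alone. The same reason makes the "exactly one match" check worth keeping: a user filter that matches several entries should fail rather than pick one.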

Troubleshooting

Connection Failures

If unable to connect to LDAP server:

  1. Network Connectivity: Verify network connectivity to LDAP server
  2. Firewall Rules: Ensure LDAP ports are not blocked
  3. Server Address: Verify LDAP server hostname/IP is correct
  4. Port Configuration: Verify port number is correct (389/636)
  5. SSL/TLS: Check SSL/TLS configuration matches server requirements

Authentication Failures

If authentication fails:

  1. Bind Credentials: Verify Bind DN and password are correct
  2. Service Account: Ensure service account has necessary permissions
  3. User Search Filter: Verify user search filter matches LDAP schema
  4. User DN: Check user distinguished name format
  5. LDAP Logs: Review LDAP service logs for detailed error messages

User Not Found

If users cannot be found:

  1. Search Base: Verify user search base DN is correct
  2. Search Filter: Check search filter syntax and attributes
  3. User Location: Verify users exist in specified search base
  4. Permissions: Ensure service account can search user locations
  5. Test Search: Use LDAP browser to test search manually

Group Mapping Issues

If group mapping doesn't work:

  1. Group Search: Verify group search base and filter
  2. Membership Attribute: Check group membership attribute name
  3. Group Structure: Verify LDAP group structure matches configuration
  4. Permissions: Ensure service account can read group information
  5. Mapping Configuration: Review group-to-role mapping settings

Security Best Practices

Connection Security

  • Use LDAPS: Always use LDAPS (port 636) or TLS for production
  • Certificate Validation: Enable certificate validation for LDAPS
  • Network Security: Use VPN or secure network for LDAP connections
  • Firewall Rules: Restrict LDAP access to authorised networks
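An added example (not Niagara code) that turns the Connection Security and Credential Management points into a check that can be run over the settings gathered in Step 1 and entered in Steps 3-4, next to the TLS context an LDAPS client should be configured with. The dictionary keys mirror the field names used in those steps but are this example's own naming, not Niagara property names; both sample configurations are constructed, one weak and one hardened.

```python
"""Added example, not Niagara code: a pre-flight review of LDAP Service connection
settings against the Connection Security and Credential Management lists above.
Setting names are constructed to mirror the fields in Steps 3-4 and are not
Niagara property names; the two sample configurations are constructed too."""
import ssl

LDAP_PORT, LDAPS_PORT = 389, 636

def check_connection_settings(settings: dict) -> list:
    """Return one finding per weak setting; an empty list means the settings pass."""
    findings = []
    use_tls = settings.get("use_ssl_tls", False)
    if not use_tls:
        findings.append("SSL/TLS disabled: bind and user passwords cross the network in clear text")
    elif settings.get("port") == LDAP_PORT:
        findings.append("SSL/TLS enabled on port 389: confirm the server offers StartTLS there; LDAPS uses 636")
    if use_tls and not settings.get("validate_certificate", False):
        findings.append("certificate validation off: the server's identity is never checked")
    if not settings.get("bind_password"):
        findings.append("empty bind password: a simple bind without a password is an anonymous bind")
    timeout = settings.get("connection_timeout_seconds")
    if not timeout or timeout <= 0:
        findings.append("no connection timeout: an unreachable directory stalls every login")
    if not settings.get("host"):
        findings.append("LDAP Server host not set")
    return findings

def make_ldaps_context(ca_bundle_path: str = None) -> ssl.SSLContext:
    """TLS settings an LDAPS client should use: CA-validated chain, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context validates the chain, checks the hostname and refuses TLS < 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

# Constructed sample configurations: the weak one uses the defaults a first attempt often ends up with.
WEAK_SETTINGS = {"host": "ad.example.com", "port": LDAP_PORT, "use_ssl_tls": False,
                 "validate_certificate": False, "bind_password": "", "connection_timeout_seconds": None}
HARDENED_SETTINGS = {"host": "ad.example.com", "port": LDAPS_PORT, "use_ssl_tls": True,
                     "validate_certificate": True, "bind_password": "svc-secret-CONSTRUCTED",
                     "connection_timeout_seconds": 30}

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)]:
        print(name, check_connection_settings(cfg) or "OK")
```

The weak configuration produces three findings (clear-text transport, empty bind password, no timeout) and the hardened one none. The certificate-validation finding only fires when TLS is on, because with TLS off there is no certificate to validate and the clear-text finding already covers the real problem.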

Credential Management

  • Service Account: Use dedicated service account with minimal permissions
  • Password Security: Store service account password securely
  • Regular Rotation: Periodically rotate service account passwords
  • Access Control: Limit access to LDAP service configuration

User Management

  • Principle of Least Privilege: Grant users minimum necessary permissions
  • Group-Based Access: Use LDAP groups for access control
  • Regular Audits: Periodically audit user access and permissions
  • Account Management: Coordinate with LDAP administrators for account changes

Advanced Configuration

Multiple LDAP Servers

Configure failover for high availability:

  1. Primary Server: Configure primary LDAP server
  2. Secondary Server: Configure secondary LDAP server
  3. Failover: Enable automatic failover
  4. Load Balancing: Configure load balancing if supported

Custom Attribute Mapping

Map custom LDAP attributes:

  1. Attribute Mapping: Configure custom attribute mappings
  2. User Properties: Map LDAP attributes to Station user properties
  3. Group Attributes: Map group attributes for access control
  4. Custom Filters: Create custom search filters for specific requirements

Integration with Other Services

LDAP can integrate with:

  • Two-Factor Authentication: Combine LDAP with 2FA
  • Email Service: Use LDAP email attributes
  • Single Sign-On: Integrate with SSO solutions
  • Custom Applications: Extend with custom authentication modules

Additional Resources

  • LDAP Protocol Specification (RFC 4511)
  • Active Directory Integration Guide
  • OpenLDAP Administration Guide
  • Niagara 4 Security Best Practices