Settings - Active Directory
Here an administrator can set up an interconnection with Active Directory for authentication of application users. The following form is used for configuration:
The meaning of each item in the form is as follows:
Enable connection to Active Directory
This switch activates the integration with Active Directory. Once enabled, the rest of the form needs to be filled in, and the configuration tested and saved.
Title
This field names the connection. It has no effect on the function, but should multiple AD connections be supported in the future, it will let the administrator tell them apart.
Address
The IP address or DNS name of the server running the AD service. Connections from the SOFiE server to this AD server must be allowed.
SSL
This switch specifies whether connections to the AD use SSL encryption.
User
Username of the service account used to authenticate on the AD server and perform reads in the AD tree (check for users and groups existence, etc.).
Password
The password of the above-mentioned account used for AD access.
User tree
The path to the node in the Active Directory tree under which all the users who should have access to the application are located. This set of users can be further narrowed by specifying a group; see below.
Allowed group
If the users from the AD sub-tree specified above need to be narrowed further, membership in a specific AD group can be required. In that case only users who are members of this group will be able to log in; others will not. The group membership may be nested, so a group may contain a group which may contain another group, and so on, until at the end the user must be a member.
Username attribute
Selects whether usernames are authenticated in the form of “User Principal Name (UPN)” or “sAMAccountName”. The Active Directory must support the selected form of usernames, and users logging in must use the corresponding username format. The Active Directory administrator should know the details of these username forms.
Default domain
If a default domain name is specified here, users do not need to enter their fully qualified usernames including the domain when logging in; this default domain is appended to their usernames automatically.
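The following is an added example, not SOFiE's own code: it models how the User tree, Allowed group (including nested membership), Username attribute and Default domain settings decide whether a login is accepted, using a constructed in-memory stand-in for the directory. All DNs, names and domains in it are made up.

```python
# Added example, not SOFiE's own code: models the login decisions described above
# (username form, default domain, user tree, nested group) on a constructed directory.
TREE = "OU=Staff,DC=example,DC=com"                   # 'User tree' setting
GROUP = "CN=App-Users,OU=Groups,DC=example,DC=com"    # 'Allowed group' setting
CONTRACTORS = "CN=Contractors,OU=Groups,DC=example,DC=com"
DIRECTORY = {  # constructed sample data (DN -> attributes), not a real AD
    "CN=alice,OU=Staff,DC=example,DC=com": {"userPrincipalName": "alice@example.com",
        "sAMAccountName": "alice", "memberOf": [GROUP]},          # direct member
    "CN=bob,OU=Staff,DC=example,DC=com": {"userPrincipalName": "bob@example.com",
        "sAMAccountName": "bob", "memberOf": [CONTRACTORS]},      # nested member
    "CN=eve,OU=External,DC=example,DC=com": {"userPrincipalName": "eve@example.com",
        "sAMAccountName": "eve", "memberOf": [GROUP]},            # outside the tree
    CONTRACTORS: {"memberOf": [GROUP]},
    GROUP: {"memberOf": [CONTRACTORS]},  # group cycle: traversal must terminate
}

def normalize_username(login, attribute, default_domain=None):
    """Apply the 'Username attribute' and 'Default domain' settings."""
    if attribute == "userPrincipalName":
        needs_domain = "@" not in login and bool(default_domain)
        return f"{login}@{default_domain}" if needs_domain else login
    if attribute == "sAMAccountName":
        return login.split("\\")[-1]  # accept DOMAIN\user, keep the account part
    raise ValueError(f"unsupported username attribute: {attribute}")

def find_user(username, attribute, user_tree=TREE):
    """Return the DN of the matching user, searching only below user_tree."""
    for dn, attrs in DIRECTORY.items():
        in_tree = dn.lower().endswith("," + user_tree.lower())
        if in_tree and attrs.get(attribute, "").lower() == username.lower():
            return dn
    return None

def is_member_nested(dn, allowed_group=GROUP):
    """Follow memberOf links transitively; 'seen' stops on group cycles."""
    seen, stack = set(), [dn]
    while stack:
        current = stack.pop()
        seen.add(current)
        for group in DIRECTORY.get(current, {}).get("memberOf", []):
            if group.lower() == allowed_group.lower():
                return True
            if group not in seen:
                stack.append(group)
    return False

def may_login(login, attribute, default_domain=None, allowed_group=GROUP):
    """True only for users below the tree who are (nested) members of the group."""
    dn = find_user(normalize_username(login, attribute, default_domain), attribute)
    return dn is not None and (allowed_group is None or is_member_nested(dn, allowed_group))
```

Note that a user outside the User tree is rejected even when they belong to the allowed group, and a UPN login without a domain only succeeds when Default domain is set.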
Store password hashes
If this is enabled, then after each successful login of a user authenticated in Active Directory, a hash of their password is saved in the local database of SOFiE application users. This allows such users to log in in case of emergency, when the AD server (or the connection to it) does not work and users cannot authenticate against it. The password hash is of course stored securely, in the form of a cryptographic hash designed for this purpose; it cannot be used to retrieve the original password in any way, only to verify whether a given password matches.
The Test button at the end of the settings form checks whether logon to AD using the entered credentials works. If the test fails, authentication of users during login will most likely fail as well.