LDAP EC-Net4 - UG
LDAP EC-Net4 - UG
User Guide
LDAP Guide
Distech Controls, Inc.
Brossard, Quebec,
Canada
Legal Notice
©, Distech Controls Inc., 2020. All rights reserved. While all efforts have been made to verify the accuracy of in-
formation in this manual, Distech Controls is not responsible for damages or claims arising from the use of this
manual. Persons using this manual are assumed to be trained HVAC professionals and are responsible for us-
ing the correct wiring procedures, correct override methods for equipment control and maintaining safe working
conditions in fail-safe environments. Distech Controls reserves the right to change, delete or add to the informa-
tion in this manual at any time without notice.
Distech Controls, the Distech Controls logo, EC-Net, and Innovative Solutions for Greener Buildings are regis-
tered trademarks of Distech Controls, Inc. LON, LonMark, LonWorks, LNS, and Neuron are registered trade-
marks of Echelon Corporation registered in the United States and other countries. NiagaraAX and NiagaraAX
Framework are registered trademarks of Tridium, Inc. BACnet is a registered trademark of ASHRAE. Windows,
Windows XP, Windows Vista, Windows 7, Visual Basic.Net, Visual Basic.Net are registered trademarks of Mi-
crosoft Corporation. Intel and Pentium are registered trademark of Intel Corporation in the U.S. and/or other
countries. AMD is a registered trademark of Advanced Micro Devices, Inc. EnOcean is a registered trademark
of EnOcean GmbH. All other trademarks are property of their respective owners.
Contents
About this guide .................................................................................................5
Document change log .................................................................................5
Related documentation ...............................................................................5
Index.................................................................................................................39
Related documentation
This topic lists the other documents that relate to the information contained in this guide.
• User authentication, FoxService, and WebService are documented in the Station Security Guide.
The AuthenticationService manages all LDAP authentication requests. The types of authentication a station
supports, in this case LDAP, are determined solely by this service. The most important element in LDAP au-
thentication is the LDAP authentication scheme. A station supports multiple schemes, with each user account
tied to a specific scheme.
Use this checklist to guide the setup and configuration process:
• All prerequisites fulfilled. See Prerequisites, page 7.
• LDAP authentication scheme selected and properties configured. See Setting up the authentication
scheme, page 9.
• User prototypes set up. See Setting up user prototypes, page 10.
• Local super user and service users set up. See Setting up local users, page 10.
• If you are using the KerberosScheme, PC client configured for Kerberos. See Setting up a client PC for
Kerberos, page 11.
• Each host configured to access the Key Distribution Center. See Setting up access to the Key Distribution
Center, page 13.
• Connection using a browser confirmed. See Making sure you can connect using a browser, page 13.
• Browser configured for LDAP support.
Prerequisites
Before you can configure your hosts for LDAP authentication your stations need to be licensed, you need to col-
lect information from your LDAP and Kerberos administrators, as well as provide information to your LDAP
administrator.
Licensing
Each EC-Net platform (Supervisor and EC-BOS) must be licensed for LDAP user services.
• The LDAPv2-compatible authentication scheme does not require host licensing. This is effectively the same
LDAP authentication scheme provided since EC-Net 4. They do not offer Kerberos as an authentication
choice.
• To use Kerberos authentication, your host platform must be licensed for LDAPv3. The following is an exam-
ple of the license line:
<feature name=”ldapv3” expiration=”never” kerberos=”true” parts=”LDAPV3_PART”/>
FAQs
Use these questions and answers to broaden your understanding of LDAP and EC-Net.
Q: Can I use SSL/TLS with LDAP?
A: Yes, in fact, you should configure all platforms and stations for TLS (Transport Layer Security). Refer to the
Station Security Guide.
Q: Can a system use a combination of LDAP or Active Directory along with the network user feature in
a NiagaraNetwork?
A: No. the EC-Net network-user feature is incompatible with LDAP (and no hybrid system is supported). All cen-
tralized user management is provided by the LDAP server. Local station users, which are unique to each sta-
tion, are supported.
Q: Is Kerberos always associated with LDAP in EC-Net?
A: Kerberos is an available authentication scheme for LDAPv3.
Q: Can a station support an older LDAPv2 level server or Active Directory using the newer LDAPv3–
compatible LDAP schemes?
Yes. These schemes are backwards-compatible with LDAPv2-based systems. However, Kerberos authentica-
tion is not available.
Q: Can I configure my stations to run in FIPS mode (FIPS 140-2) and also use LDAPv3 with Kerberos
authentication?
A: No. When running in FIPS mode, the set of permitted cryptographic algorithms is smaller—only algorithms
that are FIPS-approved may be used. Due to this restriction, Kerberos cannot be used when running in FIPS
mode, as the algorithms it requires are not supported by the FIPS cryptographic provider.
The following is an example of the attribute properties returned from an LDAP server.
Step 6 Configure the other properties based on the type of scheme and click Save.
NOTE: If your Kerberos setup requires a more advanced krb5.conf configuration, you can man-
ually configure the file using the Advanced Krb5 Conf Editor view, located under the View dropdown
list, as shown here.
Step 3 If your PC is running Windows XP SP2 or later, and you would like to access your native Kerberos
ticket, you must set a registry key to allow Java to access the ticket.
a. Before setting a registry key, back up your Windows registry.
b. To set the key, start the registry editor (Start→Run... and enter regedit) and add or edit the fol-
lowing key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
Kerberos\Parameters
NOTE: If necessary, you can return to the default Windows security setting by changing the value of
this registry key to zero (0).
On completion of this procedure, you have successfully updated the Kerberos configuration file (krb5.conf)
and set up a registery key in the PC.
Configuring Firefox
Using Firefox for browser access (as a Kerberos authenticated LDAP user) to a station requires that you add to
the browser’s security configuration the stations to which you wish the browser to connect .
NOTE: The following instructions are subject to change due to browser updates. Refer to the browsers' docu-
mentation for the latest instructions.
Google Chrome is now configured for Kerberos authentication. You should be able to log in to stations without
being prompted for a user name and password.
Step 5 Select and enter values for the Kdc Timeout and Kdc Max Retries properties.
For more detailed information on these properties see, ldap-BasicKrb5ConfEditor, page 29.
Step 6 For any EC-Net 4 Pro client that will authenticate to the station with Kerberos, navigate to Tool-
s→Kerberos Configuration Tool and set the Kdc Timeout and Kdc Max Retries properties to the
same values that you configured for the station, and set the Forwardable property to true.
LDAP (Lightweight Directory Access Protocol) uses a separate server to provide an IP-network-accessible, hi-
erarchical, and distributed database for storing information about authorized system users and their access
privileges. Many network hosts can use the LDAP services, which are administered from a central location.
LDAP implementations
LDAP is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distrib-
uted directory information services for an IP network. A common usage of LDAP is to provide a single sign on
where a single user logs in to multiple network services using but one password.
EC-Net supports two LDAP server implementations:
• Windows AD (Active Directory)
This widely-implemented type of LDAP server is a Microsoft-supplied service used on Windows domain net-
works, and is included in most Windows Server operating systems. AD provides an interface for these proto-
cols: LDAP (LDAPv2 or LDAPv3) and Kerberos (for authentication). With AD, users can access resources
anywhere on the network with a single login.
The Windows AD is structured as a hierarchical tree of objects.
To integrate a Windows AD system with a network of EC-Net stations, in the Services container and under
the AuthenticationService, add one of the authentication schemes:
– LdapScheme is for ADs versions LDAPv2, and LDAPv3.
– KerberosScheme is for ADs that support Kerberos authentication. The host EC-Net platform must be li-
censed for LDAPv3. If Kerberos authentication is used, the LDAPv3 requires the attribute: Kerberos=
”true”.
• Open source implementations
These implementations, including Apache Directory Server and OpenLDAP, support both LDAPv2 and
LDAPv3 (with the possibility of Kerberos authentication).
Each of these implementations is structured as a hierarchical tree of objects. Each object has a set of
attributes.
Several key configuration properties in each of the LDAP authentication schemes correspond directly to the
names of attributes in the LDAP directory.
The property names for these LDAP properties begin with Attr (attribute). The system pulls the values for
these properties from the LDAP directory on the LDAP server and uses them to fill out information about the
user.
In the example above, the station user is jdoe. To populate the Full Name property value, you enter dis-
playName in the Attr Full Name field.
The user properties that are not maintained by the LDAP server appear in the UserService property sheet for
each user.
Components include services, folders and other model building blocks associated with a module. You may drag
them to a property or wire sheet from a palette.
Descriptions included in the following topics appear as context-sensitive help topics when accessed by:
• Right-clicking on the object and selecting Views→Guide Help
• Clicking Help→Guide On Target
baja-AuthenticationService
This component manages how users verify their identity to the station, using authentication schemes. Some
schemes require password configuration, others do not. The AuthenticationService node is located in the
Services container.
The New Station wizard installs two default authentication schemes:
• DigestScheme provides SCRAM-SHA256 (Salted Challenge Response Authentication Mechanism) tech-
nology for connecting EC-Net 4 entities. Several messages are passed back and forth to prove the client
knows the password.
• AXDigestScheme provides compatibility with stations running a previous software version.
Schemes available in the ldap palette include:
• LdapScheme
• KerberosScheme
Additional schemes may reside in other palettes. Developers may also create authentication schemes for spe-
cial circumstances. You pick the one or two schemes you wish to use, drag them from the palette and drop
them directly under the AuthenticationService in the Nav tree.
baja-UserPrototype
The baja-UserPrototype (an alternative to the legacy User Prototype workflow) was created to provide better
control over how LDAP users are created and where their properties come from.
To add an LDAP user:
1. Click and drag a User Prototype from either the baja or ldap palette to the User Prototypes folder under
the User Service, as shown.
2. Rename this User Prototype to a name that matches the desired attrPrototype value, just as you would with
a legacy User Prototype.
When you open the User Prototype, you will see that it has the following properties:
• Full Name
• Enabled
• Expiration
• Language
• Email
• Facets
• Nav File
• Cell Phone Number
• Roles
• Allow Concurrent Sessions
• Web_WebProfileConfig
• Web_MobileProfileConfig
Each of these properties have two sub-properties, as shown:
Usage Notes
Each time an LDAP user logs in, a prototype will be selected for the user based on the attrPrototype, just as
with legacy prototypes.
The user will have any attribute properties (email, full name, language, cell phone number) set from the LDAP
server attributes based on the values in the Ldap Scheme. If any of these attributes are missing, the property
will be set from the User Prototype. Every other property will be set from the User Prototype.
Any property on the user whose matching User Prototype property is not set to Overridable will be set to read
only. Any changes made to these properties will be overwritten the next time the user logs in.
If a User Prototype’s property is set to Overridable, any users created from that prototype will be writable. If they
are modified, that property will never be updated from LDAP attributes or the User Prototype again unless the
user is deleted and recreated at next login, or the User Prototype’s property is set back to non-Overridable.
It may be desirable to use a baja-UserPrototype as the default prototype instead of using the legacy default pro-
totype. To accomplish this, the Alternate Default Prototype property on the User Prototypes folder can be set to
the desired prototype, as shown here.
NOTE: This will only apply to Ldap and any future authentication schemes/features that support the new baja-
UserPrototype. The NiagaraNetwork and User Manager will still use the legacy default prototype.
baja-UserService
This service manages all system users: human and machine. You access it by right-clicking UserService and
clicking Views→Property Sheet.
The User Manager is the primary view of this service. By default, the UserService is included when you create
a new station using the New Station wizard. The UserService component is available in the baja module.
User Prototypes
UserPrototypes is a frozen slot on a station’s UserService. It contains a frozen Default Prototype (proper-
ties shown in the following figure) to support centralized users in the station’s NiagaraNetwork, as well as a fro-
zen Alternate Default Prototype for any additional user prototypes needed to support remote authentication
schemes such as LDAP, Kerberos, and SAML.
Default Prototype
The User Service and EC-Net Network still use the existing default user prototype functionality and there are no
current plans to migrate them to the new UserPrototype. Also, LDAP and Kerberos will continue to support the
default user prototypes.
Alternate Default Prototype
This property allows you to specify an alternate user prototype to start with when creating a new user (instead
of only using defaultPrototype). For example, you would use this to select a prototype (other than default proto-
type) specifically created to support a remote authentication scheme, such as SAML.
Authenticator—Password Config
Property Value Description
Force Reset at true or false Requests that the user create a new password the next time
Next Login (default) they log in.
Expiration radio button Configures a password change for a specific date and time.
ldap-BasicKrb5ConfEditor
In EC-Net 4 v4.3 and later, an added editor view available under the Tools menu, Basic Krb5 Conf Editor, al-
lows you to configure certain properties of an existing Kerberos configuration file (krb5.conf).
Kerberos authentication requires the ability to acquire Kerberos tickets that can be forwarded. The editor allows
you to enable/disable the Forwardable property.
For more details see the setup and configuration procedures for Kerberos in the LDAP Guide.
Properties
Property Value Description
Forwardable true (default), Enables and disables forwarding of Kerberos tickets.
false
Kdc Timeouts 30 (default) Required for redundant server support, specifies the length of
time the station attempts to connect to the key distribution center
before failing the connection attempt.
Kdc Max Retries 3 (default) Required for redundant server support, specifies the maximum
number of times the station attempts to connect to one key distri-
bution center before to the next one.
NOTE: Values entered for the Kdc Timeouts and Kdc Max Retries properties should be tailored to your specific
scenario based on how long successful kdc connections generally take and when the cut off time should be to
consider the connection failed. As with the connection timeout above, this time needs to be not too short to
cause false connection failures, but not so long as to cause excessive delays when a server is down.
ldap-AdvancedKrb5ConfEditor
In EC-Net 4 v4.3 and later, an added editor view available in the EC-Net 4 Pro. Located under Tools→Ker-
beros Configuration Tool and the views dropdown list, the Advanced Krb5 Conf Editor provides a simple
text editor which you can use to manually edit an existing Kerberos configuration file (krb5.conf) or to create
a new one.
The file requires only the two lines contained in this view.
On a Windows host the primary location for the file is: NIAGARA_HOME/security/krb5.conf. Only if this file
is missing would you fall back to the Java krb.conf or operating system specific krb.conf/ini.
ldap-LdapScheme
Adding the LdapScheme manages EC-Net 4 user authentication using an LDAP (Lightweight Directory Access
Protocol) server. This allows you to connect to a previously existing database of users—a huge advantage
when setting up new users (you don’t have to manually create new users in each station). The LDAP server al-
so keeps passwords centralized and in sync.
One common example of an LDAP server is ActiveDirectory, which is used by Windows to manage users.
NOTE: TLS is required for LDAP authentication. If an LDAP user attempts to login over a nonsecure connec-
tion, a login failure occurs with a message stating "Secure connection required". Enable TLS secure communi-
cation in the FoxService (Foxs enabled) and WebService (Https enabled). Additionally, if the
LdapScheme is not set to Ldap V3 with either the CRAM-MD5 or DIGEST-MD5 authentication mechanism, the
system sends the username and password to the LDAP server in plain text. Again, ensure that TLS is enabled
in the LdapScheme. This may require you to configure the LDAP server to support communication security
(SSL/TLS).
Common properties
Property Value Description
Type drop-down list of The system supports sets of configuration properties:
configuration types
• Active Directory Config
• Ldap V2 Config
• Ldap V3 Config
Each type supports slightly different properties. Choose the type
that best fits your Ldap server’s requirements.
Enable Connection true or false Setting this property to true allows connections to be shared
Pooling and reused. This can improve performance.
Connection URL ldap://your.do- Identifies the URL (your.domain.net) for the LDAP server.
main.net Standard LDAP ports are 389, or 636 (if using SSL). If the server
or uses a non-standard port, include the port (your.domain.
ldap://your.do- net:nnn) in the URL, for example, ldap://your.domain.
main.net:nnn net.999..
SSL true or false Enables and disables secure communication. If set to true,
make sure that SSL (3.8) or TLS (4.0) is enabled in the station’s
FoxService (for EC-Net 4 Pro-to-station access) and Web-
Service (for browser-to-station access). Note that in FoxSer-
vice and WebService TLS must be enabled whether SSL is
true here or not.
User Login Attr text
For AD this value Identifies the specific attribute in the LDAP directory to store the
defaults to sAMAc- LDAP user login name. For AD servers, this is always sAMAc-
countName. countName. For OpenLDAP servers, it would be uid.
User Base domain Identifies the sub-tree of the LDAP server in which users who
components can access this station are found. At the very least it must con-
tain the domain components of the server’s domain, for exam-
ple: DC=domain, CD=net
Attr Email Email address Identifies the specific attribute in the LDAP directory to store the
The AD default val- user’s LDAP email address. This value populates the EC-Net
ue is: mail. user’s Email property.
Attr Full Name Text Identifies the specific attribute in the LDAP directory to store the
The AD default val- user’s full name. This value populates the EC-Net user’s Full
ue is: name. Name property.
Attr Language Two-letter language Identifies the specific attribute in the LDAP directory to store the
code user’s language. This value populates the EC-Net user’s Lan-
The AD default is guage property.
blank.
Cell Phone Number telephone number Identifies a user’s smart phone.
format
Attr Prototype Text Identifies the User Prototype with which the system popu-
The AD default is lates a new user’s local properties.
memberOf.
If this property is blank or the name does not match any user
prototype, the system uses the Default Prototype to popu-
late local user properties.
LDAP V2 Config
These properties are unique to LDAP V2 Config.
LDAP V3 Config
These properties are unique to LDAP V3 Config.
ldap-KerberosAuthenticationScheme
This component provides Kerberos authentication for logging in users to a station.
Kerberos is a network authentication protocol that allows nodes communicating over a network that is not se-
cure to prove their identity to one another in a secure manner. Aimed primarily at a client–server model, it pro-
vides mutual authentication—both the user and the server verify each other's identity.
User Base domain Identifies the sub-tree of the LDAP server in which users who
components can access this station are found. At the very least it must con-
tain the domain components of the server’s domain, for exam-
ple: DC=domain, CD=net
Attr Email Email address Identifies the specific attribute in the LDAP directory to store the
The AD default val- user’s LDAP email address. This value populates the EC-Net
ue is: mail. user’s Email property.
Attr Full Name Text Identifies the specific attribute in the LDAP directory to store the
The AD default val- user’s full name. This value populates the EC-Net user’s Full
ue is: name. Name property.
G R
related documentation ...........................................5
Google Chrome
configuring ......................................................15
S
H scheme
configuring ........................................................9
HTTPBasicScheme.............................................21
setup and configuration .........................................7
single sign on................................................ 19–20
SSO ............................................................. 19–20
I
Internet Explorer
configuring ......................................................14 T
tickets used in Kerberos authentication .................13
U
user groups ........................................................19
user prototypes ...................................................19
users
admin .............................................................18
LDAP ..............................................................18
local................................................................18
prototype.........................................................10