LDAP Support in mxWeb

LDAP authentication allows mxWeb to perform credential checks against an LDAP directory rather than its own internal database. Authenticating this way does not create the users; the mxWeb accounts must already exist.

Configuration

To enable LDAP logins, the following information must be provided to Media-X:

LDAP Host(s)

This is the domain name of the LDAP directory server that the mxWeb system will contact. If you operate multiple servers that need to be polled when checking for users, provide each one.

LDAP Port

For LDAPS, the port is typically 636. Non-SSL LDAP is typically 389.

Distinguished name

An example of a user's full DN is needed so that the DN prefix and suffix can be determined. For example:

'cn=John Doe,dc=example,dc=com'

Here the prefix is 'cn=' and the suffix is ',dc=example,dc=com'; the username is inserted between them.

Admin User

In cases where users cannot be directly authenticated, a master account is needed that can search the directory for them and perform the authentication against the entry found. If users can be directly authenticated, do not provide this information.

Provide the full distinguished name (DN) of the admin user and its password. If multiple domains are in use and this account differs for each, provide each separate account and identify the host to which it pertains.

At present, this search looks for a match on the sAMAccountName attribute. Note that this account does not need to be in the same scope as the users being authenticated.
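The two login paths described under Distinguished name and Admin User above, as an added example that is not Media-X's code: direct mode builds the bind DN from the configured prefix and suffix, while admin-search mode binds as the admin account, searches on sAMAccountName, and then binds as the entry found. Both the DN component and the search filter are escaped so that a submitted username cannot change their structure, and an empty password is rejected before any bind because LDAP treats a simple bind with no password as an unauthenticated bind. The bind and search operations are injected callables (hypothetical signatures, so the flow runs offline); a real deployment would back them with an LDAP client.

```python
from typing import Callable, Optional


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN component (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.endswith(" "):            # trailing space must be escaped
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):        # leading '#' or space must be escaped
        out = "\\" + out
    return out


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515): \\2a, \\28, ..."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_dn(prefix: str, suffix: str, username: str) -> str:
    """Direct mode: e.g. prefix 'cn=' and suffix ',dc=example,dc=com'."""
    return prefix + escape_dn_value(username) + suffix


def user_filter(username: str) -> str:
    """Admin-search mode: the page says the match is on sAMAccountName."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


def authenticate(prefix: str, suffix: str, admin_dn: Optional[str],
                 admin_password: Optional[str], username: str, password: str,
                 bind: Callable[[str, str], bool],
                 search: Callable[[str], Optional[str]]) -> bool:
    """Return True if the credentials are valid.

    bind(dn, password) performs a simple bind; search(filter) returns the DN
    of the single matching entry or None. Both are assumed helpers."""
    # An empty password would be an unauthenticated bind, which many servers
    # accept, so it must never be forwarded to the directory.
    if not username or not password:
        return False
    if admin_dn is None:
        # Direct mode: derive the user's DN and bind as that user.
        return bind(user_dn(prefix, suffix, username), password)
    # Admin-search mode: bind as the admin, locate the entry, bind as it.
    if not bind(admin_dn, admin_password or ""):
        return False
    found = search(user_filter(username))
    return found is not None and bind(found, password)
```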

Authentication Requirements

Once the LDAP settings are configured for an mxWeb system, all user logins will authenticate against the specified LDAP servers. Any existing passwords specified in the internal mxWeb database will be ignored.

An mxWeb user account must still exist before a user can authenticate successfully. Ensure the usernames in mxWeb exactly match those used in the associated LDAP system. If you synchronise your users via an automated import, import settings are available that allow that process to modify user account names to match the submitted data file. Please ask for assistance with this to ensure these imports are properly configured when switching to LDAP.

Dedicated Support Account

In order for Media-X to properly support and test the LDAP connection with your directory, it is recommended that you create a user in your LDAP system that Media-X support staff can use to test authentication. It will only be used to test authentication and so does not need access to any other resources after connecting.

Firewalls

When setting up LDAP, we will provide your IT team with our mxWeb IP range so that you can whitelist our servers. We will whitelist your specified LDAP hosts in the same way.