Map LDAPS (LDAP via SSL) Groups with Historian Proficy Authentication
Before you begin
- Ensure that you have set up an LDAP server. For Historian, it is a Windows domain controller or an Active Directory server.
- Ensure that the LDAP server receives LDAPS communication.
- On your domain (or Active Directory), create users and groups. For the Historian
Proficy Authentication server to allow users to log in, you must identify an attribute in the LDAP
schema that you can use as the username for Historian. This attribute is used to
uniquely identify each user. In addition, since Historian usernames do not
contain a space, values of this attribute must not contain a space either. Tip: Typically, the
sAMAccountName
anduserPrincipalName
attributes in LDAP meet these conditions, supported by Windows Active Directory. By default, thesAMAccountName
attribute is used in the search filter, but you can change it while installing Historian.
About this task
If you want LDAP users to use Web-based Clients, you must map the corresponding Proficy Authentication groups with a Historian Proficy Authentication group, which is created using Web-based Clients installation. If you want to use LDAP without SSL, refer to Map LDAP Groups with Historian Proficy Authentication.
Even if you have mapped LDAP groups in an older version of Historian, you must map the groups again as described in this topic.
To log in to Trend Client or the Web Admin console, you must enter a username and password. Historian sends these credentials to the LDAP server, which verifies these credentials. If you want these credentials to be sent securely and to the intended LDAP server, you must use LDAPS (that is, LDAP via SSL).
Each LDAP server has a unique certificate containing its name and public key. When the Proficy Authentication server connects to an LDAP client, it receives a certificate to connect to the LDAP server via SSL.
- Install the certificate: Use this method if you have the certificate to access the LDAP server. This method is more secure than the next one.
- Skip the certificate verification: Use this method if you do not have the certificate to access the LDAP server. It still encrypts the messages, but you must ensure that you have connected to the intended LDAP server. If the connection is redirected, it can lead to security issues. To avoid this issue, you must compare the certificate that you have received with the expected certificate.
Procedure
-
Double-click the Proficy Authentication IdP Configuration tool icon (), and log in the Proficy Authentication
client ID and secret.
Tip: By default, this icon appears on the desktop after you install Web-based Clients.The Identity Providers page appears.
- Select the Map Existing LDAP Groups check box.
-
In the Proficy Authentication Connection section, provide values as specified
in the following table.
Box Description URL Enter the authorization server URL that you have specified in the Proficy Authentication Base URL box during installation (for example: https://localhost/). For an external or a shared Proficy Authentication instance, enter: https://<Proficy Authentication server name> If using Historian 7.x UAA, enter a value in the following format: https://<Historian 7.x UAA server name>:8443. If you have changed the default port number, provide the correct one. If using Historian 8.x UAA, enter a value in the following format: https://<Historian 8.x UAA server name> (no port number required).
Client ID Enter the Proficy Authentication server client ID. The default value is admin. Client Secret Enter the client secret value that you provided in the User Account and Authentication Service page while installing Web-based Clients. If you use an external Proficy Authentication, enter the client secret of the external Proficy Authentication. - Select Test.
- After the connection is successful, select Continue.
-
In the LDAP Connection section, provide values as
specified in the following table.
Box Description Base URL Enter the base URL of the LDAP server (for example, ldaps://localhost:636/). Use localhost if you have installed Web-based Clients in the domain controller machine. Otherwise, enter: ldaps://<domain server>:636 - If you have a valid certificate, select (or https), and then upload the SSL certificate.
- If you do not have a valid certificate, select the Skip SSL Verification check box.
Bind User DN Enter the distinguished name of the bind user (for example, cn=admin,ou=Users,dc=test,dc=com). Password Enter the password of the cn user mentioned in the Bind User DN field. For example, if you have entered cn=admin, provide the administrative password. User Search Base Enter the starting point for the LDAP user search in the directory tree (for example, dc=developers,dc=com). User Search Filter Enter the subdirectories to include in the search filter (for example, cn={0}). Group Search Base Enter the subdirectories to include in the search filter (for example, member={0}). Group Search Filter Enter the starting point for the LDAP group search in the directory tree (for example, ou=scopes,dc=developers,dc=com). - Select Test.
-
After the connection is successful, select
Continue.
In the Proficy Authentication Mapping section, the Proficy Authentication Group field contains a list of groups in Historian Proficy Authentication.Tip: You can search for an LDAP group by entering a value in the LDAP Group Search Filter box. The default value is (objectclass=*). When you select Search, a list of groups based on the values in the User Search Base and Group Search Base fields appear. If you have a large number of groups, we recommend that you narrow down the search criteria. For example, if you have an LDAP group cn=visadmins,cn=users,dc=test,dc=com, you can use (cn=visaadmins*) to retrieve a list of groups that begin with cn=visaadmins. Ensure that you enclose the value in parentheses.
- In the drop-down list box, select the Historian Visualization Proficy Authentication group to which you want to map LDAP groups.
-
In the Filter box, select the check boxes corresponding
to the LDAP groups that you want to map.
Note: If a group is already mapped with the Historian Proficy Authentication group that you have selected, the check box is already selected. If you have mapped LDAP groups in an older version of Historian, you must clear the check boxes and select them again.
-
Select Map Members.
A message appears, confirming that the Historian Proficy Authentication group is mapped with the LDAP groups that you have selected.