Map LDAPS (LDAP via SSL) Groups with Historian UAA

Before you begin

  • Ensure that you have set up an LDAP server. For Historian, it is a Windows domain controller or an Active Directory server.
  • Ensure that the LDAP server accepts LDAPS connections.
  • On your domain (or Active Directory), create users and groups. For the Historian UAA server to allow users to log in, you must identify an attribute in the LDAP schema that you can use as the username for Historian. This attribute is used to uniquely identify each user. In addition, since Historian usernames do not contain a space, values of this attribute must not contain a space either.
    Tip: Typically, the sAMAccountName and userPrincipalName attributes, which Windows Active Directory supports, meet these conditions. By default, the sAMAccountName attribute is used in the search filter, but you can change it while installing Historian.

About this task

If you want LDAP users to use Web-based Clients, you must map the corresponding LDAP groups with a Historian UAA group, which is created during the Web-based Clients installation. If you want to use LDAP without SSL, refer to Map LDAP Groups with Historian UAA.

Even if you have mapped LDAP groups in an older version of Historian, you must map the groups again as described in this topic.

To log in to Trend Client or the Web Admin console, you must enter a username and password. Historian sends these credentials to the LDAP server, which verifies these credentials. If you want these credentials to be sent securely and to the intended LDAP server, you must use LDAPS (that is, LDAP via SSL).

Each LDAP server has a unique certificate containing its name and public key. When the UAA server connects to the LDAP server, it receives this certificate and uses it to establish the SSL connection.

This topic describes the following methods to achieve this:
  • Install the certificate: Use this method if you have the certificate to access the LDAP server. This method is more secure than the next one.
  • Skip the certificate verification: Use this method if you do not have the certificate to access the LDAP server. It still encrypts the messages, but you must ensure that you have connected to the intended LDAP server. If the connection is redirected, it can lead to security issues. To avoid this issue, you must compare the certificate that you have received with the expected certificate.
Tip: If you do not have an SSL certificate, refer to the following article to generate it: https://docs.microsoft.com/en-us/archive/blogs/microsoftrservertigerteam/step-by-step-guide-to-setup-ldaps-on-windows-server
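The comparison that the Skip the certificate verification method asks for (checking that the certificate you received is the one you expected) can be scripted. The following Python script is an added example and is not part of this topic or of the Historian product: it retrieves the certificate that an LDAPS server presents on port 636, computes its SHA-256 fingerprint, and compares it in constant time with the fingerprint you expect (for example, the thumbprint shown in the certificate's properties on the domain controller). The host name, port and expected fingerprint are assumptions that you supply on the command line; when a CA file is given, the standard library also verifies the certificate chain.

```python
"""Added example: fetch an LDAPS server certificate and compare its fingerprint.

Not part of the Historian documentation; host, port and expected fingerprint
are supplied by the caller.
"""
import hashlib
import hmac
import ssl
import sys
from typing import Optional


def fetch_ldaps_certificate(host: str, port: int = 636, ca_file: Optional[str] = None) -> str:
    """Return the PEM certificate presented by host:port.

    With ca_file set, ssl.get_server_certificate verifies the chain against
    that CA; without it the certificate is fetched unverified, which is why
    the explicit fingerprint comparison below is needed.
    """
    return ssl.get_server_certificate((host, port), ca_certs=ca_file)


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, in the colon-separated form tools display."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value: str) -> str:
    """Accept 'AA:BB:..', 'aabb..' or 'AA BB ..' and return lowercase hex."""
    return "".join(ch for ch in value if ch.isalnum()).lower()


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Constant-time comparison of the presented and expected fingerprints."""
    presented = normalize_fingerprint(sha256_fingerprint(pem))
    return hmac.compare_digest(presented, normalize_fingerprint(expected))


def constructed_pem(der_bytes: bytes) -> str:
    """Wrap arbitrary bytes as PEM for offline demonstration only.

    The bytes are constructed test data, not a real certificate.
    """
    return ssl.DER_cert_to_PEM_cert(der_bytes)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("usage: check_ldaps_cert.py <host> <expected-sha256> [port] [ca-file]")
        sys.exit(2)
    host, expected = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 636
    ca_file = sys.argv[4] if len(sys.argv) > 4 else None
    pem = fetch_ldaps_certificate(host, port, ca_file)
    print("presented:", sha256_fingerprint(pem))
    if fingerprint_matches(pem, expected):
        print("OK: certificate matches the expected LDAP server")
        sys.exit(0)
    print("MISMATCH: verify the LDAP server and its certificate before using this connection")
    sys.exit(1)
```

Run it against the domain controller before selecting Skip SSL Verification, and again whenever the LDAP server certificate is renewed, since a renewed certificate has a new fingerprint.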

Procedure

  1. Double-click the UAA IdP Configuration tool icon, and log in with the UAA client ID and secret.
    Tip: By default, this icon appears on the desktop after you install Web-based Clients.
    The Identity Providers page appears.
  2. Select the Map Existing LDAP Groups check box.
  3. In the UAA Connection section, provide values as specified in the following table.
    URL: Enter the authorization server URL that you have specified in the UAA Base URL box during installation (for example: https://localhost/). For an external or a shared UAA instance, enter: https://<UAA server name>

    If using Historian 7.x UAA, enter a value in the following format: https://<Historian 7.x UAA server name>:8443. If you have changed the default port number, provide the correct one. If using Historian 8.x UAA, enter a value in the following format: https://<Historian 8.x UAA server name> (no port number required).

    Client ID: Enter the UAA server client ID. The default value is admin.
    Client Secret: Enter the client secret value that you provided in the User Account and Authentication Service page while installing Web-based Clients. If you use an external UAA, enter the client secret of the external UAA.
  4. Select Test.
  5. After the connection is successful, select Continue.
  6. In the LDAP Connection section, provide values as specified in the following table.
    Base URL: Enter the base URL of the LDAP server (for example, ldaps://localhost:636/). Use localhost if you have installed Web-based Clients on the domain controller machine. Otherwise, enter: ldaps://<domain server>:636
    • If you have a valid certificate, select the ldaps (or https) option, and then upload the SSL certificate.
    • If you do not have a valid certificate, select the Skip SSL Verification check box.
    Bind User DN: Enter the distinguished name of the bind user (for example, cn=admin,ou=Users,dc=test,dc=com).
    Password: Enter the password of the user specified in the Bind User DN box. For example, if you have entered cn=admin, provide the password of the admin user.
    User Search Base: Enter the starting point for the LDAP user search in the directory tree (for example, dc=developers,dc=com).
    User Search Filter: Enter the LDAP filter for the user search; {0} is replaced with the username (for example, cn={0}).
    Group Search Base: Enter the starting point for the LDAP group search in the directory tree (for example, ou=scopes,dc=developers,dc=com).
    Group Search Filter: Enter the LDAP filter for the group search (for example, member={0}).
  7. Select Test.
  8. After the connection is successful, select Continue.
    In the UAA Mapping section, the UAA Group field contains a list of groups in Historian UAA.
    Tip: You can search for an LDAP group by entering a value in the LDAP Group Search Filter box. The default value is (objectclass=*). When you select Search, a list of groups based on the values in the User Search Base and Group Search Base fields appears. If you have a large number of groups, we recommend that you narrow down the search criteria. For example, if you have an LDAP group cn=visadmins,cn=users,dc=test,dc=com, you can use (cn=visadmins*) to retrieve a list of groups that begin with cn=visadmins. Ensure that you enclose the value in parentheses.
  9. In the drop-down list box, select the Historian Visualization UAA group to which you want to map LDAP groups.
  10. In the Filter box, select the check boxes corresponding to the LDAP groups that you want to map.
    Note: If a group is already mapped with the Historian UAA group that you have selected, the check box is already selected. If you have mapped LDAP groups in an older version of Historian, you must clear the check boxes and select them again.
  11. Select Map Members.
    A message appears, confirming that the Historian UAA group is mapped with the LDAP groups that you have selected.
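To see how the User Search Filter and Group Search Filter boxes from the LDAP Connection table in step 6 are used at login, here is an added Python example that is not part of this topic or of the Historian product. It renders the two filters: the {0} placeholder in the user filter is replaced with the username typed at login, and the placeholder in the group filter is assumed (as in a standard UAA LDAP group configuration) to be replaced with the distinguished name of the user that the first search found. The substituted value is escaped as RFC 4515 requires, so a username such as *)(objectclass=* cannot widen the search, and usernames containing a space are rejected, as the prerequisites require. The base DNs and filter templates are the examples from the table; the user alice and her DN are constructed.

```python
"""Added example: render UAA-style LDAP search filters with RFC 4515 escaping.

Not part of the Historian documentation. The bases and filter templates are
the examples from the LDAP Connection table; usernames and DNs are constructed.
"""
from typing import Tuple

# RFC 4515 requires these characters in an assertion value to be escaped as
# a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(username: str) -> bool:
    """Historian usernames are non-empty and contain no whitespace."""
    return bool(username) and not any(ch.isspace() for ch in username)


def render_filter(template: str, value: str) -> str:
    """Replace the {0} placeholder in template with the escaped value.

    Templates such as cn={0} are wrapped in parentheses so the result is a
    complete filter; templates already written as (cn={0}) are left as-is.
    """
    if "{0}" not in template:
        raise ValueError("filter template must contain the {0} placeholder")
    rendered = template.replace("{0}", escape_filter_value(value))
    if not rendered.startswith("("):
        rendered = f"({rendered})"
    return rendered


def build_user_search(base: str, template: str, username: str) -> Tuple[str, str]:
    """Return (search base, filter) for locating the user object at login."""
    if not is_valid_username(username):
        raise ValueError("username must be non-empty and must not contain spaces")
    return base, render_filter(template, username)


def build_group_search(base: str, template: str, user_dn: str) -> Tuple[str, str]:
    """Return (search base, filter) for the groups that list user_dn as a member.

    Assumption: as in a standard UAA LDAP group configuration, {0} in the
    group filter receives the DN found by the user search, not the username.
    """
    return base, render_filter(template, user_dn)


if __name__ == "__main__":
    # Values from the LDAP Connection table; the user and DN are constructed.
    user_base, user_filter = "dc=developers,dc=com", "cn={0}"
    group_base, group_filter = "ou=scopes,dc=developers,dc=com", "member={0}"

    print(build_user_search(user_base, user_filter, "alice"))
    # A username that tries to widen the search is neutralised by escaping:
    print(build_user_search(user_base, user_filter, "*)(objectclass=*"))
    print(build_group_search(group_base, group_filter, "cn=alice,ou=Users,dc=developers,dc=com"))
```

The escaping is what keeps a login name from changing the shape of the filter: the second call above yields (cn=\2a\29\28objectclass=\2a), a literal match on an odd name rather than a filter that matches every object under the search base.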

Results

The LDAP groups are mapped with the Historian UAA groups.

What to do next

Restart the GE Operations Hub UAA Tomcat Web Server service.