Map LDAP Groups with Historian UAA

Before you begin

  • Ensure that you have set up an LDAP server. For Historian, it is a Windows domain controller or an Active Directory server.
  • On your domain (or Active Directory), create users and groups. For the Historian UAA server to allow users to log in, you must identify an attribute in the LDAP schema that you can use as the username for Historian. This attribute is used to uniquely identify each user. In addition, since Historian usernames do not contain a space, values of this attribute must not contain a space either.
    Tip: Typically, the sAMAccountName and userPrincipalName attributes in LDAP meet these conditions, supported by Windows Active Directory. By default, the sAMAccountName attribute is used in the search filter, but you can change it while installing Historian.

About this task

If you want LDAP users to use web-based clients, you must map the corresponding UAA groups with a Historian UAA group, which is created using web-based clients installation. If you want to use LDAP via SSL, refer to Map LDAPS (LDAP via SSL) Groups with Historian UAA.

Even if you have mapped LDAP groups in an older version of Historian, you must map the groups again as described in this topic.

Procedure

  1. Double-click the UAA LDAP Tool icon on the Desktop.
    Tip: By default, this icon appears on the desktop after you install web-based clients.
    The UAA/LDAP Connectivity Tool page appears.
  2. Select the Map Existing LDAP Groups check box.
  3. In the UAA Connection section, provide values as specified in the following table.
    Box Description
    URL Enter the authorization server URL that you have specified in the UAA Base URL box during installation (for example: https://localhost/). For an external or a shared UAA instance, enter: https://<UAA server name>

    If using Historian 7.x UAA, enter a value in the following format: https://<Historian 7.x UAA server name>:8443. If you have changed the default port number, provide the correct one. If using Historian 8.x UAA, enter a value in the following format: https://<Historian 8.x UAA server name> (no port number required).

    Client ID Enter the UAA server client ID. The default value is admin.
    Client Secret Enter the client secret value that you provided in the User Authentication and Authorization Service page while installing web-based clients. If you use an external UAA, enter the client secret of the external UAA.
  4. Select Test.
  5. After the connection is successful, select Continue.
  6. In the LDAP Connection section, provide values as specified in the following table.
    Box Description
    Base URL Enter the base URL of the LDAP server (for example, ldap://localhost:389/). Use localhost if you have installed Web Clients in the domain controller machine. Otherwise, enter: ldap://<domain server>:389
    Bind User DN Enter the distinguished name of the bind user (for example, cn=admin,ou=Users,dc=test,dc=com).
    Password Enter the password of cn user mentioned in the Bind User DN field. For example, if you have entered cn=admin, provide the administrative password.
    User Search Base Enter the starting point for the LDAP user search in the directory tree (for example, dc=developers,dc=com).
    User Search Filter Enter the subdirectories to include in the search (for example, cn={0}).
    Group Search Base Enter the subdirectories to include in the search (for example, member={0}).

    Group Search Filter

    Enter the starting point for the LDAP group search in the directory tree (for example, ou=scopes,dc=developers,dc=com).
  7. Select Test.
  8. After the connection is successful, select Continue.
    In the UAA Mapping section, the UAA Group field contains a list of groups in Historian UAA.
    Tip: You can search for an LDAP group by entering a value in the LDAP Group Search Filter box. The default value is (objectclass=*). When you select Search, a list of groups based on the values in the User Search Base and Group Search Base fields appear. If you have a large number of groups, we recommend that you narrow down the search criteria. For example, if you have an LDAP group cn=visadmins,cn=users,dc=test,dc=com, you can use (cn=visaadmins*) to retrieve a list of groups that begin with cn=visaadmins. Ensure that you enclose the value in parentheses.
  9. In the UAA Group field, select the Historian Visualization UAA group to which you want to map LDAP groups.
  10. In the Filter box, select the check boxes corresponding to the LDAP groups that you want to map.
    Note: If a group is already mapped to the Historian UAA group that you have selected, the check box is already selected. If you have mapped LDAP groups in an older version of Historian, you must clear the check boxes and select them again.
  11. Select Map Members.
    A message appears, confirming that the Historian UAA group is mapped to the LDAP groups that you have selected.

Results

The LDAP groups are mapped with the Historian UAA groups.