Map LDAPS (LDAP via SSL) Groups with Historian UAA
Before you begin
- Ensure that you have set up an LDAP server. For Historian, it is a Windows domain controller or an Active Directory server.
- Ensure that the LDAP server receives LDAPS communication.
- On your domain (or Active Directory), create users and groups. For the Historian UAA server to allow users to log in, you must identify an attribute in the LDAP schema that you can use as the username for Historian. This attribute is used to uniquely identify each user. In addition, since Historian usernames do not contain a space, values of this attribute must not contain a space either. Tip: Typically, the sAMAccountName and userPrincipalName attributes in LDAP meet these conditions and are supported by Windows Active Directory. By default, the sAMAccountName attribute is used in the search filter, but you can change it while installing Historian.
About this task
If you want LDAP users to use web-based clients, you must map the corresponding UAA groups with a Historian UAA group, which is created during the web-based clients installation. If you want to use LDAP without SSL, refer to Map LDAP Groups with Historian UAA.
Even if you have mapped LDAP groups in an older version of Historian, you must map the groups again as described in this topic.
To log in to Trend Client or the Web Admin console, you must enter a username and password. Historian sends these credentials to the LDAP server, which verifies these credentials. If you want these credentials to be sent securely and to the intended LDAP server, you must use LDAPS (that is, LDAP via SSL).
Each LDAP server has a unique certificate containing its name and public key. When the UAA server (acting as an LDAP client) connects to the LDAP server via SSL, it receives this certificate and uses it to establish the connection. You can handle the certificate in one of the following ways:
- Install the certificate: Use this method if you have the certificate to access the LDAP server. This method is more secure than the next one.
- Skip the certificate verification: Use this method if you do not have the certificate to access the LDAP server. It still encrypts the messages, but you must ensure that you are connected to the intended LDAP server. If the connection is redirected, it can lead to security issues. To avoid this, compare the certificate that you receive with the expected certificate.
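The comparison described in the second method, as an added example (this is not Historian's or UAA's own code): it retrieves the certificate an LDAPS endpoint presents and checks its SHA-256 fingerprint against an expected value recorded out of band, and it also builds the properly verifying context used by the first method. The host name, port 636 and the CA file path are assumed placeholders.

```python
import hashlib
import hmac
import socket
import ssl
import sys

def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' forms and return lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").lower()

def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def cert_matches(der_cert: bytes, expected_fp: str) -> bool:
    """Constant-time comparison of the presented certificate against the expected fingerprint."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(expected_fp))

def fetch_server_cert(host: str, port: int = 636, timeout: float = 5.0) -> bytes:
    """Retrieve the DER certificate presented by an LDAPS endpoint.

    Verification is disabled here only so the certificate can be inspected; the
    result must be checked with cert_matches() before the server is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verified_ldaps_context(ca_file: str) -> ssl.SSLContext:
    """Context for the 'install the certificate' method: full chain and host-name checks."""
    ctx = ssl.create_default_context(cafile=ca_file)  # assumed path to the LDAP server's CA/cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    # Usage: python ldaps_check.py dc01.example.local <expected-sha256-fingerprint>
    host, expected = sys.argv[1], sys.argv[2]  # placeholders, supplied by the operator
    presented = fetch_server_cert(host)
    print("presented:", sha256_fingerprint(presented))
    print("match" if cert_matches(presented, expected) else "MISMATCH: do not trust this endpoint")
```

Record the expected fingerprint from the domain controller itself (for example from its certificate store), not from a previous network fetch, or the comparison proves nothing.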