I’m relatively new to Ignition, and this may be covered already in the forums, but I couldn’t find a search function in the forums… so
We will be moving to 2 factor authentication with PKI cards in the near future, and the passwords in AD will be changing -every day- to an unknown (to the user) value. If we turn on single sign on will that work in this scenario? (as long as they are logged into windows?) if not, is there a way to authenticate the users using a straight up LDAP server?
I’m very familiar with using ldap queries against Active directory. (I have extensive scripting experience) However, I know the schema’s between active directory, and say dirsrv-389 LDAP are very different, and the queries that are required are similar, but different enough to -not work-. hence the question.
edit: If you know of a way to use something like dirsrv-389 as a user source, I’d be happy to give it a go.
I guess it depends on how much of the heavy lifting you want to do.
You seemed to indicate that you were using Active Directory so perhaps that was a poor assumption on my part.
That said it is possible to tailor the Active Directory User source to connect to other LDAP servers, so long as you understand that it was intended to work with AD. Here are a couple of links where other people have been successful doing such things, they are a little dated.
I think I’ll start another thread for this.
Thanks for your responses. I was able to get the user authentication source working against our dirsrv-389 ldap instance with your help. Now I’m running into a different issue and I’m hoping there is a work around. all of our UID’s in ldap are numeric. So while I can authenticate successfully using the “Test authentication profile” it won’t let me use the numbers due to Ignitions limitation on user names starting with a number.
so my question is this. there are other attributes that are unique in ldap that I can use to find users. email or whatever. but I can’t seem to get the right stuff put together to authenticate successfully.
so what I want to do is use some other ldap attribute as the ignition username, and still be able to authenticate.
Has anyone been able to accomplish that?