Forum Discussion
Hi Kai,
It looks like the application would require read access to LDAP. Here is some information the vendor has provided about the LDAP access:
The application allows system administrators to specify a base DN for authentication queries. Using this base DN, the username (sAMAccountName or userPrincipalName attribute) and hashed password, the application will issue a subtree LDAP query.
Does the application expect to read LDAP attributes from a user entry via LDAP? Yes: login disabled, expiration date, account locked (too many login attempts), password expired, account expired
What LDAP query is used after bind to authenticate the user? Depends on the configuration set by the system administrator. A basic example would be: (&(objectClass=user)(userPrincipalName={0}))
If "sam" (Active Directory sAMAccountName) is used, then the default query could look like: (&(objectClass=organizationalPerson)(sAMAccountName={0}))
A system administrator can configure the IQX application to perform LDAP authentication either by trying an LDAP bind (using the provided username and hashed password) or by using a bind user. When using a bind user, the username and password for the bind user are stored in a property file. When using a bind user and the "sam" attribute, system administrators can set extra filters for LDAP queries (for example to select only users in certain groups or OU).
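As an added example (not the vendor's code and not part of the post above), this shows how the {0} placeholder in the vendor's filter templates can be filled in with the login name escaped per RFC 4515, so that characters such as "*", "(" and ")" in the name cannot change the structure of the query, and how an administrator-configured extra filter is ANDed into the "sam" query. The "upn"/"sam" mode names and the sample memberOf filter are assumptions for this example; the two templates are the ones quoted in the post.

```python
# Added example, not code from the vendor or the original post: building the
# per-login LDAP search filter described in the post. The {0} placeholder of
# the configured template is filled with the login name escaped per RFC 4515,
# and an optional administrator-defined extra filter is ANDed in.
# The "upn"/"sam" mode names are assumptions made for this example.

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# The two default templates quoted from the vendor's answer.
DEFAULT_TEMPLATES = {
    "upn": "(&(objectClass=user)(userPrincipalName={0}))",
    "sam": "(&(objectClass=organizationalPerson)(sAMAccountName={0}))",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(username: str, mode: str = "upn", extra_filter: str = "",
                      templates: dict = DEFAULT_TEMPLATES) -> str:
    """Fill the template's {0} placeholder with the escaped login name.

    extra_filter is an administrator-configured, already well-formed filter
    (e.g. "(memberOf=CN=App Users,OU=Groups,DC=example,DC=com)"). It comes from
    configuration rather than from the login request, so it is used as-is.
    """
    if not username:
        raise ValueError("empty username")
    template = templates[mode]
    if template.count("{0}") != 1:
        raise ValueError("template must contain exactly one {0} placeholder")
    # Only the user-controlled value is escaped; the template stays untouched.
    ldap_filter = template.replace("{0}", escape_filter_value(username))
    if extra_filter:
        # Insert the extra filter inside the template's outer (& ... ) conjunction.
        if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
            raise ValueError("template must be an (&...) conjunction to add filters")
        ldap_filter = ldap_filter[:-1] + extra_filter + ")"
    return ldap_filter
```

The escaped value is what should be handed to the LDAP library's search call; a bind-only configuration (no bind user) still needs the same escaping for the search that reads the account-status attributes.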