Configuring authentication servers in the DCO web client provides access to DCO for remote usersprovided they have been authenticated by the configured authentication server.
About remote users, certificates, and authentication methods
When a remote user attempts to log on to the DCO server, the credentials are sent to the authentication server associated with that user. It is that server, and not the DCO server, that authenticates the logon attempt.
If you use SSL, ensure there’s at least one local user on the DCO server so you’ll be able to log in and accept new SSL certificates from authentication servers when the current ones expire.
This is necessary because when a certificate expires for an AD, LDAP, or DCE server used for authenticating remote users in DCO, the DCO server will no longer be able to verify that the logon attempts come from a trusted server, and therefore will not allow any of these users to log in.
Log in as a local user on the DCO server and trust the new certificate from the AD, LDAP, or DCE server to reenable authentication.
See more about working with SSL certificates here.
Configuring remote user authentication
In Administration>Authentication Servers, click to add an authentication server.
- Enter authentication server settings, starting with predefined authentication method from the drop-down list.
The name, email address, and password data is supplied by the authentication server.
When you are setting up a remote user, user information is stored on:
- Data Center Expert server as a remote repository with user information. The Data Center Operation server requires connection setup to the Data Center Expert server in order to obtain the user information.
- LDAP or Active Directory server. The Data Center Operation server requires connection setup to the server and logon information is required.
When a remote user attempts to log on to the Data Center Operation server, the user credentials (user name and password) are sent to the authentication server associated with that user. It is that server, and not the Data Center Operation server, that authenticates the logon attempt.
Indirect AD authentication (via DCE) is not recommended.
LDAP and Active Directory specifications
- Support for LDAPv3, both ldaps:// and ldap://
- DCO's Active Directory integration supports mutual trust between child and parent Domain Controllers (Active Directory servers)
- mutual trust allows the user which authenticates an Active Directory server to authenticate against a parent or child Domain controller of your Active Directory server.
- The username of a user that has access to reading users and groups from the authentication server can, because of mutual trust, be defined with the child domain name as part of the username. Example: username@child-domain or email@example.com
- How-to setup an Active Directory server: Set up AD server
- The operations done are only read operations on the following fields: cn, uid, mail
- You can import individual users or user groups from a remote authentication server.
Users in groups are automatically added to DCO and will appear in the user interface. Users are not automatically deleted, however, permissions are removed if a user is removed from a group.
- Tested and verified OS versions for Enterprise Active Directory:
- Windows OS: Windows Server 2008 R2 SP1 and 2012 SP1
- Forest function level: Windows Server 2008 and 2012
- Domain functional level: Windows Server 2008 and 2012
LDAP and Active Directory Limitations
- Active Directory has an LDAP query limit of 1000 objects, to prevent excessive load and Denial of Service attacks
- The default method to get around this limitation, is to break up the query to return at most 1000 objects at a time. For example, query only for objects starting with the letter a, then query for objects starting with the letter b and so forth.
- The more efficient method for large environments is to enable paging. Paging automatically splits the results into multiple result sets so the integration does not have to split up the query into multiple requests.
- A more comprehensive list of limitations and work-arounds can be found here: LDAP policy in Active Directory