Impact can be configured to also authenticate users against an LDAP server such as ActiveDirectory or eDirectory running in your domain. When enabled, you don't need to configure individual users within Impact as their users accounts will automatically be created if they are authorized to use Impact.
NOTE: LDAP is "Lightweight Directory Access Protocol", used to access information from directory services. Impact uses LDAP only to validate users.
To use this feature, use Enable LDAP Authentication and Authorization and configure the LDAP settings according to your company's domain.
Authentication
LDAP Authentication
There are two ways that users can be authenticated:
- Windows Domain Credentials - using this method, each user does not need to enter their network login name and password, because they were already authenticated when they logged onto the workstation. In the Impact Connect form, both User ID and Password may be left blank. (In fact in some cases the Connect form can be completely suppressed.)
- LDAP Credentials - using this method, the user must enter their network login name and password in the Connect form.
Depending on how your domain is configured, you may need to tell Impact where to locate the LDAP server and you may need to provide credentials for retrieving LDAP information.
Enter the following, if necessary:
- The LDAP Server address, with optional hostname and port
- A Username and Password are only required if the domain/LDAP authenticated user does not have the required permissions to read all users attributes from the LDAP server.
- The User's Group Membership, being the attribute that contains the list of groups to which the user belongs. This is usually memberOf for Active Directory or groupMembership for eDirectory.
- The Default User Domain, so that users belonging to this domain can omit it from the User ID when logging in.
Authorization
LDAP Authorization
The directory services administrator should create a group to which every Impact user is assigned. Additionally the administrator can create additional groups which correspond to Impact user groups.
Enter the distinguished name for the Security Group to which all users will belong. Choose the Default Impact User Group, to be used whenever there are no matching additional security groups for the user.
Optionally, add additional security groups using the Security Group Mapping form.
In order to verify that a user is authorized to use the product, Impact determines if they are a member of the configured Security Group. If so, the user's user group is chosen according to any additional security group mappings that you have specified, or the default user group if none match.
User Attributes
LDAP User Attributes (showing attribute names for Active Directory)
On the User Attributes page, you may set up mappings from LDAP attributes to fields in database fields (in the USERS, SITES and ADDRESS tables). Press Add to display the User Attribute Mapping form, allowing you to enter a mapping. Much of this data is optional (for example you might wish to display the user's email address or phone number on reports). By retrieving this data from the directory services via LDAP, you can ensure it is always up to date.
There are two required fields for which you must configure a mapping:
- USERS.U_LOG_NAME - This must be the unique user principal name attribute from the LDAP directory. This is the User Id entered when the user logs in.
- USERS.U_GUID - This must be the unique identifier for the user in the LDAP directory. Impact requires this because the user's principal name can potentially change.
Related topics: Overview Of Users, User Properties.