BACK-END > Active Directory (tab)

Use the BACK-END > Active Directory tab to configure Active Directory back-end server settings.

You need to set up and use SSL for connections between OneSpan Authentication Server and the Active Directory back-end server. Unencrypted connections to an Active Directory back-end server do not work, unless you have a very old and specially configured version of Windows Server. OneSpan Authentication Server does not support unencrypted LDAP connections to Active Directory!

Record changes (add, change, delete) will not take effect immediately on all OneSpan Authentication Server instances unless replication is used to synchronize the instances. If replication is not used, a change takes effect on each instance when that instance is restarted, provided the change is already available to it in its data store. If the instance is not restarted, the record cache refreshes from the data store approximately every 15 minutes, and the change takes effect at the next refresh.

Table: BACK-END > Active Directory tab

Field name / Description

Enable SSL

Enable this check box to secure the connection to the back-end server using SSL.
Location

The fully qualified domain name (FQDN), host name, or the IP address of the back-end server.

If SSL is enabled, you need to provide the FQDN or the host name.

Port

The port on which the back-end server receives and handles authentication requests.

Possible values: 0 to 65535

Timeout (seconds)

The number of seconds to wait for a response from the server before either retrying or trying another server.

Possible values: 1 to 999

Search Base DN

The distinguished name (DN) where the search for user accounts starts.

Security Principal DN

The user ID of the user account used to access the back-end server and handle back-end authentication requests (security principal). Specify the ID of the account that OneSpan Authentication Server uses to log on to Active Directory.

The security principal ID must be given as a distinguished name (DN).

The built-in Active Directory administrator account cannot be used as the security principal. Create a dedicated administrator account for use as the security principal.

Security Principal Password

The password of the user account used to access the back-end server and handle back-end authentication requests (security principal).

Attribute Mapping

User Name Attribute Name

The LDAP attribute name to use as the user's display name. If user information synchronization is enabled, the user display name will be added to the user account during DUR user information synchronization.

Phone Attribute Name

The LDAP attribute name to use as the user's landline number. If user information synchronization is enabled, the user's landline number will be added to the user account during DUR user information synchronization.

Mobile Attribute Name

The LDAP attribute name to use as the user's mobile number. If user information synchronization is enabled, the user's mobile number will be added to the user account during DUR user information synchronization.

Email Attribute Name

The LDAP attribute name to use as the user's e-mail address. If user information synchronization is enabled, the user's e-mail address will be added to the user account during DUR user information synchronization.

If the timeout for LDAP back-end records is either not configured or set too low, the LDAP query may time out. A timed-out query results in the login request being denied. To confirm that this is what happened, check the trace file for LDAP timeout messages.
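The following script is an added example (not OneSpan code and not part of this page's original content) that checks a proposed set of BACK-END > Active Directory values against the constraints described in the table above before they are entered in the product: SSL must be enabled, the location must be a host name or FQDN rather than an IP address when SSL is on, the port and timeout must be within their stated ranges, the search base and security principal must be well-formed DNs, and the security principal must not be the built-in administrator. The settings dictionary, its key names, and the sample values are constructed for the example; the test for the built-in administrator (first RDN equal to CN=Administrator) is an assumption, since the page does not say how that account is identified.

```python
"""Pre-flight checks for OneSpan Authentication Server BACK-END > Active Directory settings.

Added example, not OneSpan code. It encodes only the constraints stated on the
configuration page: SSL required, FQDN/host name when SSL is on, port 0-65535,
timeout 1-999 seconds, DN-formatted security principal, no built-in administrator.
"""
import ipaddress
import re

# One RDN such as "CN=svc-oas" or "DC=example"; escaped commas are not handled.
_RDN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^,]+$")
# RFC 1123 style host name or FQDN (labels of 1-63 chars, no leading/trailing hyphen).
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_ip_address(value):
    """True if value is an IPv4 or IPv6 literal (brackets around IPv6 are tolerated)."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def parse_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs; raise ValueError if any RDN is malformed."""
    pairs = []
    for part in dn.split(","):
        if not _RDN_RE.match(part):
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def validate_backend_settings(cfg):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    ssl_on = bool(cfg.get("enable_ssl", False))
    if not ssl_on:
        problems.append("Enable SSL is off: unencrypted LDAP to Active Directory is not supported")

    location = cfg.get("location", "")
    if not location:
        problems.append("Location is empty")
    elif ssl_on and is_ip_address(location):
        problems.append("SSL is enabled but Location is an IP address; use the FQDN or host name")
    elif not is_ip_address(location) and not _HOSTNAME_RE.match(location):
        problems.append(f"Location {location!r} is not a valid host name")

    port = cfg.get("port")
    if not isinstance(port, int) or not 0 <= port <= 65535:
        problems.append("Port must be an integer from 0 to 65535")

    timeout = cfg.get("timeout")
    if not isinstance(timeout, int) or not 1 <= timeout <= 999:
        problems.append("Timeout must be an integer from 1 to 999 seconds")

    for key in ("search_base_dn", "security_principal_dn"):
        try:
            pairs = parse_dn(cfg.get(key, ""))
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if key == "security_principal_dn":
            attr, value = pairs[0]
            # Assumption: the built-in administrator is the account whose leading RDN
            # is CN=Administrator. The page only says the built-in account is not allowed.
            if attr == "CN" and value.lower() == "administrator":
                problems.append(
                    "Security Principal DN is the built-in administrator; "
                    "create a dedicated administrator account instead"
                )

    if not cfg.get("security_principal_password"):
        problems.append("Security Principal Password is empty")
    return problems


# Constructed sample values for illustration; not taken from any real deployment.
EXAMPLE_SETTINGS = {
    "enable_ssl": True,
    "location": "dc01.corp.example.com",
    "port": 636,
    "timeout": 10,
    "search_base_dn": "DC=corp,DC=example,DC=com",
    "security_principal_dn": "CN=svc-oas,OU=Service Accounts,DC=corp,DC=example,DC=com",
    "security_principal_password": "placeholder-not-a-real-secret",
}

if __name__ == "__main__":
    for line in validate_backend_settings(EXAMPLE_SETTINGS) or ["all checks passed"]:
        print(line)
```

Run it with the settings you intend to enter; every reported problem corresponds to a condition the tab's documentation says will fail (unsupported plain LDAP, an IP address that cannot match the server certificate when SSL is on, an out-of-range port or timeout, or a malformed or disallowed security principal). A timeout that passes the range check can still be too low for your directory, so after the values are accepted, watch the trace file for LDAP timeout messages as the note above describes.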