LDAP security in DSI Platform
About using LDAP security
Mobile Enterprise Platform allows you to use an LDAP server to manage user security.
LDAP security requires an LDAP directory on an LDAP server. LDAP is an acronym for Lightweight Directory Access Protocol, a protocol used to communicate with directory services, such as Active Directory or Oracle Internet Directory. Among other functions, directories provide the identity infrastructure for controlling access and authentication. Although LDAP is the name of the protocol, it is also used to refer to the directory itself (LDAP directory).
Mobile Enterprise Platform supports integration with Azure Active Directory, Microsoft Active Directory, and Oracle Internet Directory.
You can set the security mode of the system to LDAP on the Security Settings page to enable LDAP security. This disables the Authentication tab on that page.
Beginning in 9.0 SP6, enabling LDAP security also enables the LDAP Configuration and LDAP Mapping tabs when you add or edit an organizational unit. These tabs were previously located on the Security Settings page. You can configure individual LDAP settings for each organizational unit. This allows you to use a different Domain Name (DN) for any of your organizational units. If you are using Azure Active Directory, you must manually define roles and organizational units within Mobile Enterprise Platform that correspond to the roles and organizational units within Azure Active Directory. If you are using Microsoft Active Directory or Oracle Internet Directory, you must manually define roles and organizational units in your LDAP server. These roles and organizational units do not have to match the roles and organizational units within Mobile Enterprise Platform. For more information about organizational units and roles, refer to About organizational units and About roles.
Users are automatically created in the system from user data extracted from the LDAP directory. For more information, refer to About LDAP Extraction Agent. Users can log on to system components with the credentials specified in the LDAP directory. For more information about LDAP user profiles, refer to About LDAP User Profiles.
LDAP server types
Mobile Enterprise Platform supports integration with three different LDAP servers.
To configure LDAP settings in Mobile Enterprise Platform, you must have one of the following LDAP servers: Azure Active Directory, Microsoft Active Directory, or Oracle Internet Directory.
LDAP security settings
Settings are used to implement the LDAP security mode across your Mobile Enterprise Platform solution. With LDAP mode, users are automatically created in Mobile Enterprise Platform from user data extracted from the LDAP directory through the LDAP Extraction Agent.
Important: Beginning in 9.0 SP6, each organizational unit can have a unique LDAP configuration. This allows you to set up multiple LDAP servers, and to use a different domain for any of your organizational units. As part of this update, the LDAP Configuration and LDAP Mapping tabs are now located on the organizational units page. For more information, refer to Organizational unit settings.
System Configuration
Security mode
Specifies the type of security used by the system for user access. Security mode options are:
- Standard: Requires a user profile with a unique user ID. Security parameters include complex password structure and password minimum length. Also, user accounts can be manually locked and unlocked from within the user profile.
- Advanced: Requires a user profile with a unique user ID. In addition to the Standard security parameters, Advanced security parameters include account lockout after a specified number of failed logon attempts.
- LDAP: Requires an LDAP directory on an LDAP server. Users are automatically created in the system from user data extracted from the LDAP directory through the LDAP Extraction Agent. Users log on to system components based on logon credentials specified in the LDAP directory.
Number of users to cache
Not available for Standard Security Mode. This sets the maximum number of users to be saved, or cached, on the smart device. The default setting is 1. The maximum setting is 50. If the value is set to 0, no user is cached on the device, and the Mobile Client user must be connected in order to log in.
Retrieve user credentials through email
When this box is enabled, a link will display on the Platform logon screen, and on the Mobile Client screen, for users who have forgotten their User ID or password to recover their logon credentials.
Server address for retrieval page
This field is available only when the "Retrieve user credentials through email" check box is selected. Specifies the web server name or IP address to be accessible for password retrieval for Mobile Enterprise Platform users, especially those on an external network.
HTTP port for retrieval page
Specifies the website port to be accessible for password retrieval for Mobile Enterprise Platform users, especially those on an external network.
User IDs are automatically generated
When selected, populates the User ID for each new user with a randomly generated alphanumeric string. If this option is not selected, the User ID will be populated with the Login ID.
Important: This option is not selected by default. On an Advanced Inventory Cloud implementation, this option is usually selected during initial setup.
User Cache Configuration
Allow 'Remember Me'
When enabled, a Mobile Client user can select Remember Me when they log in. If a user selects Remember Me, and exits without logging out, they will not need to enter their credentials the next time they access Mobile Client. If a user logs out of Mobile Client, they will need to re-enter their credentials the next time they access the application.
This is a global setting.
'Remember Me' duration (days)
You can select this option if Allow 'Remember Me' is enabled. Mobile Client remembers the user for the number of days you specify.
Allow passcode
You can select this option if Allow 'Remember Me' is enabled. If a user selects Remember Me, they will be prompted to enter a 4 digit passcode. The user can log in with that passcode the next time they access Mobile Client.
Require passcode
You can select this option if Allow passcode is enabled. If a user selects Remember Me, they will be required to enter a 4 digit passcode. The user can log in with that passcode the next time they access Mobile Client.
Mobile Client Settings
Lock inactive devices
Specifies, when selected, that inactive devices are to become inaccessible until an authorized user logs on. When selecting this check box, also specify how long a device remains inactive until it becomes locked.
Lock time-out (min)
Specifies, in minutes, how long a device remains inactive until it becomes locked. You can enter up to 3 digits in this field. Valid values range from 1 to 999 minutes.
Log off inactive sessions
Specifies, when selected, that users are logged off a Mobile Client session after it has been inactive for a specified time. When selecting this check box, Logoff time-out becomes enabled in order to allow for specifying the time in minutes. The logoff is performed whether or not an application is executing, except during local database replication.
This option applies to all Mobile Client clients, including Mobile Client Telnet and Mobile Client Web.
Log off time-out (min)
Specifies, in minutes, how long a Mobile Client session remains inactive before the user is logged off. Entry in this numeric field can be up to 3 digits. Valid values range from 1 to 999 minutes.
This option applies to all Mobile Client clients, including Mobile Client Telnet and Mobile Client Web.
Allow users to exit Mobile Client
Specifies, when selected, that users can exit from the Mobile Client program.
This option overrides the exit permission defined for the MobileClientUser role.
This option does not apply to Mobile Client Telnet or Mobile Client Web.
Allow users to log off during Application execution
Specifies, when selected, that Mobile Client users are allowed to log off while an application is executing. If this option is not selected, users are prevented from logging off until an application has completed (if the application itself has no exit options defined).
This option does not apply to Mobile Client Telnet or Mobile Client Web.
Restrict full database replication for Mobile Client users
Specifies, when selected, that Mobile Client users are restricted from initiating a full database replication from the Mobile Client menu. These users are still able to do a full database replication via an application, if they are in a role allowing them to execute the application.
Disable SQL logging for local databases
Specifies that device local database SQL logging (which is in Tracing Options in Mobile Client) is disabled. This feature is used for debugging purposes. When this option is selected in Security Settings, the SQL operations option in the Tracing Options dialog box is disabled.
Encrypt device databases
When selected, enables encryption for a local database on an iOS or Android device.
Allow Multiple HTML5 tabs
When selected, allows a user to open Mobile Client for HTML5 in multiple tabs.
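As an added example (not part of this documentation or the product), the following Python encodes the value ranges and cross-setting dependencies described in the settings above as an audit of a Security Settings export. The export is modelled as a dict with assumed key names, since the product does not document an export format here.

```python
# Constructed sample export; key names are assumptions, not product identifiers.
SETTINGS = {
    "security_mode": "LDAP",
    "users_to_cache": 75,            # above the documented maximum of 50
    "allow_remember_me": False,
    "remember_me_days": 30,
    "allow_passcode": True,          # depends on Allow 'Remember Me'
    "require_passcode": False,
    "lock_inactive_devices": True,
    "lock_timeout_min": 0,           # valid range is 1-999
    "log_off_inactive_sessions": False,
    "log_off_timeout_min": 15,
    "encrypt_device_databases": False,
    "disable_sql_logging": False,
}


def audit(s):
    """Return a list of findings; an empty list means the export is consistent."""
    findings = []
    mode = s["security_mode"]
    if mode not in ("Standard", "Advanced", "LDAP"):
        findings.append(f"unknown security mode {mode!r}")
    if mode == "Standard":
        # Only Advanced adds lockout after failed logon attempts.
        findings.append("Standard mode has no account lockout after failed logons")
    else:
        # Number of users to cache is not available in Standard mode.
        n = s["users_to_cache"]
        if not 0 <= n <= 50:
            findings.append(f"users_to_cache={n} outside 0-50")
    # Passcode options are only selectable when Remember Me is allowed.
    if s["allow_passcode"] and not s["allow_remember_me"]:
        findings.append("allow_passcode requires allow_remember_me")
    if s["require_passcode"] and not s["allow_passcode"]:
        findings.append("require_passcode requires allow_passcode")
    if s["allow_remember_me"] and not s["require_passcode"]:
        findings.append("Remember Me enabled without a required passcode")
    # Both inactivity controls take a 1-999 minute time-out when selected.
    for flag, timeout in (("lock_inactive_devices", "lock_timeout_min"),
                          ("log_off_inactive_sessions", "log_off_timeout_min")):
        if s[flag] and not 1 <= s[timeout] <= 999:
            findings.append(f"{timeout}={s[timeout]} outside 1-999")
        if not s[flag]:
            findings.append(f"{flag} is off: idle devices or sessions stay usable")
    if not s["encrypt_device_databases"]:
        findings.append("local device databases are not encrypted")
    if not s["disable_sql_logging"]:
        findings.append("SQL logging of local databases is still allowed on devices")
    return findings
```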