This article explains how BVMS can be configured to connect to an LDAP (or Microsoft Active Directory) and use it as a base for user authentication.
BVMS is able to function in a (Windows) domain-controlled environment.
The BVMS (and related) services run under the local system account. If another (domain) account is used to run these services, that account must have the same permission level as the local system account.
It is recommended to join the Windows server to the domain (as a domain member) before installing the BVMS software. The BVMS configuration is independent of the domain configuration; however, major changes in the domain can break the connection between the BVMS system and the LDAP authentication mechanism.
1. AD Explorer
AD Explorer is a tool from Microsoft (originally Sysinternals) that allows system administrators to browse an Active Directory environment.
Log in to AD Explorer using an administrator account.
3. Selecting the right DN
Select the organizational unit that contains the user group you want BVMS to associate with. Open its properties (right-click) and copy the Distinguished Name (DN) of the organizational unit.
The image below uses the general "Users" folder.
The Active Directory Users and Computers overview on the domain controller looks as shown below (this is the default configuration; no additional users or groups have been added).
It is recommended to create a specific BVMS user group (the example below uses a group within the "Users" organizational unit: "BVMSgroup"). A user was added to the BVMSgroup, as shown below.
Experienced users can also use the command line to retrieve the Distinguished Name of a specific user or group.
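As an added example (not part of the original article), the following PowerShell script retrieves the Distinguished Names that the BVMS LDAP settings ask for (the group DN, the container holding it, and the member users) and then verifies that the proxy account can bind to the domain controller and find the group. It assumes the RSAT ActiveDirectory module is installed; the group name "BVMSgroup" matches the article's example, while the server name is a placeholder.

```powershell
# Added example, not code from the BVMS article. Requires the ActiveDirectory
# PowerShell module (RSAT). 'BVMSgroup' follows the article; 'dc01.example.local'
# is a placeholder for your domain controller.
Import-Module ActiveDirectory

$GroupName  = 'BVMSgroup'            # group created in AD for BVMS users
$DomainCtrl = 'dc01.example.local'   # placeholder: LDAP server entered in BVMS

# 1. DN of the group that the BVMS user group will be associated with
$group   = Get-ADGroup -Identity $GroupName
$groupDn = $group.DistinguishedName

# 2. The container/OU holding the group: this is the "LDAP basis for group".
#    Strip the leading RDN (CN=BVMSgroup,) from the group DN. Group names with
#    escaped commas are not handled by this simple regex.
$baseDn = $groupDn -replace '^CN=[^,]+,', ''

Write-Host "Group DN:             $groupDn"
Write-Host "LDAP basis for group: $baseDn"

# 3. Members of the group and their DNs; the container of these user objects is
#    the "LDAP basis for user".
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser |
    ForEach-Object {
        Write-Host "Member: $($_.SamAccountName)  DN: $($_.DistinguishedName)"
    }

# 4. Check that the proxy user can bind and see the group, using the same
#    credentials that will be entered in the BVMS Proxy User section.
$proxyCred = Get-Credential -Message 'BVMS proxy user (domain account)'
try {
    $found = Get-ADGroup -Identity $GroupName -Server $DomainCtrl -Credential $proxyCred
    Write-Host "Proxy bind OK, group found: $($found.DistinguishedName)"
} catch {
    Write-Warning "Proxy bind or group lookup failed: $($_.Exception.Message)"
}
```

If step 4 fails while steps 1 to 3 succeed, the problem lies with the proxy credentials, the LDAP server name, or a firewall between the BVMS server and the domain controller rather than with the DNs.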
The LDAP basis for user and the LDAP basis for group are the Distinguished Name retrieved in section 1.2. Section 3 of this document describes how to apply filters (this is especially convenient for larger LDAP environments).
The username and password of the Proxy User should be those of an administrative account of the domain.
Writing filters (for users and for group members) is outside the scope of this document. More information can be found in the Microsoft Windows Dev Center.
2. Test LDAP connection
The Test button within the Proxy User section tests the connection to the LDAP server. If a connection error appears, check the username, password and LDAP Server (IP address or DNS name) settings.
Firewalls or other network components can also block this connection.
3. Test user
Close the pop-up window and save the LDAP settings by closing the LDAP Server Settings dialog with the OK button.
4. Associate LDAP group with BVMS group
Once the "Test User" has succeeded, the LDAP server can be searched for groups.
Once the groups are listed, the BVMS user group needs to be associated with the LDAP group.