Moving to an Enterprise Authentication Environment
Until enterprise authentication is enabled, all users are local users, meaning that they must have an eDiscovery Platform username and password to log in. Depending on the method of enterprise authentication that is used, the way newly created and converted enterprise users log on may change. When using LDAP, the login page will remain unchanged and users will continue to use a username and password.
Note: The superuser account will always be a local user and will require a password to log in.
Configuring User Authentication for LDAP
When the eDiscovery Platform's LDAP feature is enabled, all user authentication is performed via LDAP, except for local accounts.
Note: Once enterprise authentication is enabled, only system administrators can create new local users. Users created by a Case Admin are always enterprise users.
To set up authentication via LDAP
The properties to enable LDAP authentication are set using the Property Browser Support Feature. All property changes related to enterprise authentication should be made using the Property Browser. The Property Browser automatically updates the appliance each time you add a new property.
- Using an account with System Management permissions, log on to the eDiscovery Platform web interface.
- From System > Support Features, select Property Browser.
- Using the Property Browser, configure the required set of properties to enable LDAP authentication. See the List of Required LDAP Configuration Properties.
- Verify the LDAP configuration properties are set correctly by running the LDAP Configuration Tester Support Feature without entering a username and password. This will list all currently set LDAP configuration properties and their values. You cannot test user authentication until LDAP is enabled and an enterprise user is added.
- Enable LDAP authentication by setting esa.ldap.enabled to true.
List of Required LDAP Configuration Properties
- esa.ldap.connectionName
- esa.ldap.connectionPassword
- esa.ldap.connectionURL
- esa.ldap.enabled
- esa.ldap.userBase
- esa.ldap.userSubtree
- esa.ldap.userSearch
- esa.ldap.referrals
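Before the final step of setting esa.ldap.enabled to true, it helps to run the property set through the same checks the procedure and the property reference describe: every required property present, URL syntax, the userBase/userSearch versus userPattern exclusion, the referrals values, and esa.ldap.defaultRole when esa.ldap.createUnknownUsers is on. This is an added pre-flight script, not part of the product or of the LDAP Configuration Tester; the property values in SAMPLE_PROPERTIES are constructed placeholders.

```python
import re

# Constructed sample of esa.ldap.* values as they would be entered in the
# Property Browser; host, account and password values are placeholders.
SAMPLE_PROPERTIES = {
    "esa.ldap.enabled": "false",
    "esa.ldap.connectionURL": "ldap://server1.company.com:389",
    "esa.ldap.connectionName": "company\\svc_ediscovery",
    "esa.ldap.connectionPassword": "placeholder-password",
    "esa.ldap.userBase": "ou=Clearwell, dc=foo, dc=com",
    "esa.ldap.userSubtree": "true",
    "esa.ldap.userSearch": "(&(objectClass=user)(sAMAccountName={0}))",
    "esa.ldap.referrals": "follow",
    "esa.ldap.createUnknownUsers": "true",
    "esa.ldap.defaultRole": "Case User",
}

ALWAYS_REQUIRED = ("esa.ldap.connectionName", "esa.ldap.connectionPassword",
                   "esa.ldap.connectionURL", "esa.ldap.enabled",
                   "esa.ldap.userSubtree", "esa.ldap.referrals")
BOOLEANS = ("esa.ldap.enabled", "esa.ldap.userSubtree",
            "esa.ldap.createUnknownUsers", "esa.ldap.useLDAPRoles")
URL_RE = re.compile(r"^ldaps?://[A-Za-z0-9.\-]+:\d{1,5}$")  # ldap://<ldapserver>:<port>

def check_ldap_properties(props):
    """Return a list of problems; an empty list means esa.ldap.enabled may be set to true."""
    p = {k: v.strip() for k, v in props.items()}
    problems = ["missing required property " + k for k in ALWAYS_REQUIRED if not p.get(k)]
    # Users are located either by userBase + userSearch (the documented required
    # set) or by userPattern alone; the reference says the two must not be mixed.
    pattern, base, search = (p.get(k) for k in
                             ("esa.ldap.userPattern", "esa.ldap.userBase", "esa.ldap.userSearch"))
    if pattern and (base or search):
        problems.append("remove esa.ldap.userBase and esa.ldap.userSearch when esa.ldap.userPattern is set")
    elif not pattern and not (base and search):
        problems.append("set both esa.ldap.userBase and esa.ldap.userSearch (or esa.ldap.userPattern)")
    for k in ("esa.ldap.userSearch", "esa.ldap.userPattern"):
        if p.get(k) and "{0}" not in p[k]:
            problems.append(k + " must contain the {0} username placeholder")
    for k in ("esa.ldap.connectionURL", "esa.ldap.connectionAltURL"):
        if p.get(k) and not URL_RE.match(p[k]):
            problems.append(k + " must look like ldap://<ldapserver>:<port>")
    for k in BOOLEANS:
        if p.get(k) and p[k].lower() not in ("true", "false"):
            problems.append(k + " must be true or false")
    if p.get("esa.ldap.referrals") and p["esa.ldap.referrals"] not in ("follow", "ignore", "throw"):
        problems.append("esa.ldap.referrals must be follow, ignore or throw")
    # Automatically created users need a role to land in.
    if p.get("esa.ldap.createUnknownUsers", "").lower() == "true" and not p.get("esa.ldap.defaultRole"):
        problems.append("esa.ldap.defaultRole is required when esa.ldap.createUnknownUsers is true")
    # Enabling LDAP is the last step of the procedure, after everything else verifies.
    if p.get("esa.ldap.enabled", "").lower() == "true" and problems:
        problems.append("do not set esa.ldap.enabled to true until the problems above are fixed")
    return problems
```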
LDAP Property Configuration Reference
LDAP integration is controlled by a set of configuration properties that are shared among all appliances in a cluster.
esa.ldap.enabled
Enable or disable LDAP authentication.
Default: false
Syntax: true/false
esa.ldap.connectionURL
URL and port of the LDAP directory server. Supplied by the network administrator.
Default: N/A
Syntax: ldap://<ldapserver>:<port>
Example: ldap://server1.company.com:389
esa.ldap.connectionAltURL
URL of failover LDAP directory server. Will only be used if first server is inaccessible.
Default: N/A
Syntax: ldap://<ldapserver>:<port>
Example: ldap://server1.company.com:389
esa.ldap.connectionName
User account used to connect to the LDAP directory server. The account's password should not change; using one of the service accounts is recommended.
Default: N/A
Syntax: <user>@<domainFQDN> or <domain>\<user>
Example: company\administrator
esa.ldap.userBase
Base DN used to search for users. For best results, try to be as selective and specific as possible. Restrict the query to the minimally required branch of the tree or forest. Must be set in conjunction with esa.ldap.userSearch. Must be removed if using esa.ldap.userPattern.
Default: N/A
Example: ou=Clearwell, dc=foo, dc=com
esa.ldap.userSearch
Pattern used to search for users when using anonymous binding. Cannot be used in conjunction with esa.ldap.userBase. Must be removed if using esa.ldap.userPattern. Does not typically need to be changed.
Syntax: Standard LDAP query format.
Default: (&(objectClass=user) (sAMAccountName={0}))
esa.ldap.userPattern
DN Pattern to use for binding after an anonymous connection. Cannot be used in conjunction with esa.ldap.userSearch or esa.ldap.userBase. Must be removed if using esa.ldap.userPattern. Does not typically need to be changed.
Default: N/A
Example: cn={0}, ou=Clearwell, dc=foo, dc=com
esa.ldap.userSubtree
Determines whether the search for users recurses below the esa.ldap.userBase DN.
Default: true
Syntax: true/false
esa.ldap.roleBase
Base DN used to identify roles.
Default: N/A
Example: ou=Clearwell, dc=foo, dc=com
esa.ldap.roleSearch
Search pattern used to identify roles.
Syntax: Standard LDAP query format.
Example: (member={0})
esa.ldap.roleName
Name of LDAP attribute used to determine role.
Syntax: attributeName
Default: N/A
Example: name
esa.ldap.roleSubtree
Determines whether the search for roles recurses below the esa.ldap.roleBase DN.
Syntax: true/false
Default: true
esa.ldap.createUnknownUsers
Enables automatic user creation when a successfully authenticated LDAP user does not yet have a user account in eDiscovery Platform. The new user's role and case access are assigned according to the other esa.ldap properties.
Syntax: true/false
Default: false
esa.ldap.useLDAPRoles
Enables automatic user role change based on LDAP role.
Syntax: true/false
Default: false
esa.ldap.newUserCaseList
List of cases that automatically created users are assigned access to. The special value '<all-cases>' gives access to all cases. Empty gives access to none.
Syntax: Comma separated list of all case names.
Default: N/A
Example: Case1, Case2, Case3
esa.ldap.defaultRole
Default role that LDAP users receive when no matching role is found during automatic role assignment. Required when using esa.ldap.createUnknownUsers.
Syntax: RoleName
Default: N/A
Example: Case User
esa.ldap.newUserEmailDomain
Email domain appended to user name for automatically created users.
Syntax: Domain FQDN
Default: N/A
Example: company.com
esa.ldap.userComment
Comment applied to profile for automatically created users.
Default: LDAP User
esa.ldap.referrals
Determines the method used when the LDAP directory server gives a referral response. This is usually required when using an Active Directory domain controller as the LDAP directory server. In most instances the correct setting will be 'follow'.
Syntax: follow/ignore/throw
Default: N/A
esa.ldap.user.distinguishedName
LDAP attribute used to populate user information when creating new users.
Syntax: Attribute Name
Default: distinguishedName
esa.ldap.user.email
LDAP attribute used to populate user information when creating new users.
Syntax: Attribute Name
Default: mail
esa.ldap.user.fullname
LDAP attribute used to populate user information when creating new users.
Syntax: Attribute Name
Default: displayName
esa.ldap.user.username
LDAP attribute used to populate user information when creating new users. Must match LDAP property used in esa.ldap.userSearch. Usually sAMAccountName in Active Directory implementations.
Syntax: Attribute Name
Default: sAMAccountName
esa.ldap.userPrefixSearch
Search pattern used when adding new users manually. Affects the Search field in the Add User screen. Usually does not need to be changed.
Syntax: Standard LDAP query
Default: (&(objectClass=user)(|(sAMAccountName={0}*)(displayName={0}*)(mail={0}*)))
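The {0} placeholder in esa.ldap.userSearch, esa.ldap.userPrefixSearch and esa.ldap.userPattern stands for the name typed at login or in the Add User search field. The block below is an added illustration, not product code, of how that substitution looks when the value is escaped first: RFC 4515 escaping for the filter templates (so that the only wildcards are the ones written into the template) and RFC 4514 escaping for the DN pattern. That any LDAP client should escape the value this way is a general assumption, not something this page states about eDiscovery Platform.

```python
# Filter and DN templates are the defaults and example given in the property reference.
USER_SEARCH = "(&(objectClass=user)(sAMAccountName={0}))"
USER_PREFIX_SEARCH = "(&(objectClass=user)(|(sAMAccountName={0}*)(displayName={0}*)(mail={0}*)))"
USER_PATTERN = "cn={0}, ou=Clearwell, dc=foo, dc=com"

# RFC 4515: characters that would change the structure of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: characters that must be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')

def escape_filter_value(value):
    """Escape a user-supplied assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value):
    """Escape a user-supplied value for use as an RDN attribute value."""
    escaped = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if value[:1] in ("#", " "):          # leading '#' or space must be escaped
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):   # so must a trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped

def render_filter(template, value):
    """Expand {0} in a userSearch/userPrefixSearch template; template wildcards ({0}*) survive."""
    return template.replace("{0}", escape_filter_value(value))

def render_pattern(template, value):
    """Expand {0} in a userPattern DN template."""
    return template.replace("{0}", escape_dn_value(value))
```

Note that escaping happens on the value only, so the trailing `*` written into esa.ldap.userPrefixSearch still produces a prefix match while a `*` typed by the user does not.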
Note: For additional information, refer to the "System Administration Guide" for the currently installed eDP version.