Introduction
This article explains how to configure remote authentication on a ctrlX OS device. Specifically, a cloud-hosted Active Directory server is queried over the Lightweight Directory Access Protocol (LDAP) to retrieve and validate user and group information, which allows ctrlX OS devices to be integrated into IT-managed user management systems.
Prerequisites
An existing remote authentication server is required to use this functionality. Its deployment and configuration are not covered in this article. If you are interested in setting up a similar authentication server, this external tutorial may be helpful.
Active Directory Configuration
An organizational unit (OU) named ctrlx_umac was created on the Active Directory server. It contains four users and four groups, and each user has been added to exactly one of those groups. The ctrlx_umac OU has the following Distinguished Name (DN).
OU=ctrlx_umac,DC=ctrlx,DC=local
Each user has a sAMAccountName attribute equal to their first and last name, lower-cased and joined with a period. For example, Alma Martin => alma.martin
In this example the server listens on port 389 at IP address 52.249.200.20. Note that port 389 without TLS is plaintext LDAP: the read-only bind credentials and every query result cross the network unencrypted, which matters when, as here, the server is reachable over the public internet. Prefer LDAPS where the server supports it, or otherwise restrict the network path between the control and the server.
ctrlX OS Configuration
The remote authentication configuration dialog is reached via Settings -> Users & Permissions -> More settings -> Remote authentication. The documentation for this dialog can be found here.
Connection Parameters
First, select the "Enable remote authentication" checkbox to enable the service.
Set the "Authentication service" drop-down menu to LDAP to use the Lightweight Directory Access Protocol.
The server IP address and port should be entered in the corresponding fields.
If the server supports LDAP over TLS (LDAPS), select the "Use transport layer security (TLS)" checkbox and change the port accordingly. An Active Directory domain controller serves LDAPS on port 636 (the TLS counterpart of plaintext port 389); port 3269 is the TLS counterpart of the Global Catalog port 3268, which is only appropriate if you are deliberately querying the Global Catalog instead of the domain partition. With TLS enabled, the bind password and query results are no longer sent in the clear.
Set the "Server type" drop-down menu to Active Directory.
Query Parameters
The next configuration parameters construct the LDAP user and group queries.
In the "Base DN" field, enter the distinguished name of the object at the root of the search. In this example, that is the ctrlx_umac OU.
The "Read-only user" and "Read-only password" are the credentials of an account on the authentication server that is permitted to read the relevant users and groups via LDAP. Use a dedicated, low-privilege account created only for this purpose rather than an administrator account: its password is stored on the control, and on a plaintext connection it is also transmitted in the clear with every bind.
In the "User filter" field, enter an LDAP filter that selects the user objects below the Base DN.
In the "Group filter" field, enter an LDAP filter that selects the group objects below the Base DN.
In the "Username attribute" field, enter the user attribute whose value is used as the login name on ctrlX OS (in this example, sAMAccountName).
In the "Groupmembers attribute" field, enter the attribute that defines group membership.
If the configuration is valid, the remote users and groups are downloaded to the ctrlX OS device, and remote authentication of these users is then possible on the control.
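As an added example that is not part of the original article or of ctrlX OS, the following Python script models the query parameters offline: it evaluates assumed values for the user filter, group filter, username attribute and group-members attribute against a constructed set of Active Directory-style entries under the ctrlx_umac Base DN. Only Alma Martin's name and the OU come from the article; the other three users, the group names, the filter strings and the extra entries are assumptions made for the example. It shows what a practitioner usually wants to confirm before trusting the configuration: that a user filter on objectClass=user alone also imports computer accounts (which is why objectCategory=person is added), that entries outside the Base DN are out of scope, that membership resolves the same way whether the configured attribute lives on the group (member) or on the user (memberOf), and that a name typed at login must be escaped per RFC 4515 before it is spliced into a filter, since an unescaped "*" turns the lookup into a presence test that matches every user.

```python
"""Added example, not ctrlX OS code: an offline model of the LDAP query parameters run
against constructed Active Directory-style entries. All filter and attribute values are assumed."""
import re

BASE_DN = "OU=ctrlx_umac,DC=ctrlx,DC=local"
USER_FILTER = "(&(objectCategory=person)(objectClass=user))"  # assumed "User filter"
GROUP_FILTER = "(objectClass=group)"                          # assumed "Group filter"
USERNAME_ATTR = "sAMAccountName"                              # assumed "Username attribute"
GROUPMEMBERS_ATTR = "member"                                  # assumed "Groupmembers attribute"

# Constructed roster, one group per user; only Alma Martin's name comes from the article.
ROSTER = [("Alma", "Martin", "ctrlx_admins"), ("Ben", "Fischer", "ctrlx_engineers"),
          ("Clara", "Weber", "ctrlx_operators"), ("Dario", "Rossi", "ctrlx_viewers")]

def person(first, last, group_name):
    return {"dn": f"CN={first} {last},{BASE_DN}",
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "objectCategory": ["person"],  # simplified: real AD returns a schema DN here
            "sAMAccountName": [f"{first.lower()}.{last.lower()}"],
            "memberOf": [f"CN={group_name},{BASE_DN}"]}

USERS = [person(*r) for r in ROSTER]
GROUPS = [{"dn": f"CN={g},{BASE_DN}", "objectClass": ["top", "group"], "cn": [g],
           "member": [u["dn"]]} for (_, _, g), u in zip(ROSTER, USERS)]
ENTRIES = USERS + GROUPS + [
    # A computer account inside the OU: it is objectClass=user too, but not a person.
    {"dn": f"CN=CTRLX-CORE-01,{BASE_DN}", "objectClass": ["top", "person", "user", "computer"],
     "objectCategory": ["computer"], "sAMAccountName": ["CTRLX-CORE-01$"]},
    # A built-in account outside the Base DN: never in scope of the subtree search.
    {"dn": "CN=Administrator,CN=Users,DC=ctrlx,DC=local", "objectClass": ["top", "person", "user"],
     "objectCategory": ["person"], "sAMAccountName": ["Administrator"]}]

def unescape(value):  # decode RFC 4515 \hh escapes in an assertion value
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def escape(value):  # encode the characters RFC 4515 requires to be escaped in a value
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def parse_filter(text):
    """Parse an RFC 4515 filter (and/or, equality, presence) into a nested tuple."""
    pos = 0
    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|":
            op, pos, subs = text[pos], pos + 1, []
            while pos < len(text) and text[pos] == "(":
                subs.append(node())
            if not subs or pos >= len(text) or text[pos] != ")":
                raise ValueError(f"malformed '{op}' expression at offset {pos}")
            pos += 1
            return (op, subs)
        end = text.find(")", pos)
        attr, eq, raw = text[pos:end].partition("=") if end > pos else ("", "", "")
        if not attr or not eq:
            raise ValueError(f"malformed filter item at offset {pos}")
        pos = end + 1
        # A bare '*' is a presence test; an escaped '\2a' is a literal asterisk to compare.
        return ("present", attr) if raw == "*" else ("=", attr, unescape(raw))
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def values_of(entry, attr):  # attribute lookup, case-insensitive as in LDAP
    return next((v for k, v in entry.items() if k != "dn" and k.lower() == attr.lower()), [])

def matches(node, entry):
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    vals = values_of(entry, node[1])
    if node[0] == "present":
        return bool(vals)
    return any(v.lower() == node[2].lower() for v in vals)  # AD matches these case-insensitively

def search(entries, base_dn, filter_text):
    """Subtree search: entries at or below base_dn that satisfy the filter."""
    tree, base = parse_filter(filter_text), base_dn.lower()
    return [e for e in entries
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base)) and matches(tree, e)]

def resolve_users(entries, user_filter=USER_FILTER, username_attr=USERNAME_ATTR):
    return {values_of(e, username_attr)[0]: e["dn"]  # login name -> DN of each imported user
            for e in search(entries, BASE_DN, user_filter) if values_of(e, username_attr)}

def resolve_memberships(entries, members_attr=GROUPMEMBERS_ATTR):
    """Login name -> group names; works for a group-side ('member') or user-side ('memberOf') attribute."""
    groups = search(entries, BASE_DN, GROUP_FILTER)
    return {values_of(u, USERNAME_ATTR)[0]: sorted(
                values_of(g, "cn")[0] for g in groups
                if u["dn"] in values_of(g, members_attr) or g["dn"] in values_of(u, members_attr))
            for u in search(entries, BASE_DN, USER_FILTER)}

def login_lookup(entries, typed_name, escape_input=True):
    """DNs matched when the typed login name is spliced into the user filter; unescaped '*' matches all."""
    value = escape(typed_name) if escape_input else typed_name
    return [e["dn"] for e in search(entries, BASE_DN, f"(&{USER_FILTER}({USERNAME_ATTR}={value}))")]
```

Run resolve_users(ENTRIES) and resolve_memberships(ENTRIES) to see what the control would import; call resolve_users(ENTRIES, user_filter="(objectClass=user)") to see the computer account appear, and login_lookup(ENTRIES, "*", escape_input=False) to see why a login lookup built from unescaped input is dangerous. The parser covers only the and/or, equality and presence forms used here; Active Directory filters that rely on extensible matching (for example to exclude disabled accounts via userAccountControl) are outside this model.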
Log In
Once remote authentication has been enabled with a valid configuration, the login dialog displays a "Force local authentication" checkbox. This option makes the control authenticate against its local user accounts only, which is useful when the remote authentication server is unavailable.
Limitations and Future Functionality
A limitation of LDAP/RADIUS authentication is the difficulty of modelling user and group permissions on the server side. For this reason, permissions for the imported users and groups must still be configured on the control. This can be automated by applying a system backup or by configuring the permissions via the REST API. In the future, additional remote authentication services, including Single Sign-On (SSO), will be supported, which should allow permissions to be modelled on the server side.