Directory Services Authentication
You can authenticate users through a Directory Service (such as an LDAP system). For each Directory Service that you want to use, you can start a new Directory Service. In its configuration, you specify which service to connect to and the credentials to connect with.
You can also easily manage users that exist in an Active Directory system. See Managing Users in Active Directory.
You can specify the following in the Configuration:
port — Directory Service server port
adminBindDN — Login (distinguished name) of the user that has permission to run the lookup
adminPassword — Password of the user that has permission to run the lookup
server — Directory Service server address
userBaseDN — Lookup base for the user group (e.g. ou=people, dc=thingworx)
userIDAttribute — Attribute to match when looking up a user (e.g. uid)
Each Directory Service setup will have its own unique User Lookup 'tree structure' and ID attribute name.
Next, create your users in BOTH ThingWorx and the Directory Service system. Once that is done, the user can log in using their Directory Service credentials. ThingWorx does not retrieve any additional information from the Directory Service. This means that you need to create the same user in ThingWorx to set Permissions.
If a user logs in and enters an incorrect Directory Service password, ThingWorx will verify it against the user's ThingWorx password. So it is best practice to NOT give the users their ThingWorx password, only the Directory Service password.
The Directory Service systems are called to validate the credentials when a user attempts to log in. If more than one Directory Service is configured, ThingWorx will attempt to authenticate the entered credentials against each defined Directory Service until the first success. If the Directory Service authentication fails, the system will then attempt to authenticate the credentials against the Users defined in ThingWorx.
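The lookup order described above, modelled in Python to show what the local fallback means for account removal. This is an added example, not ThingWorx code: the functions `authenticate` and `provision_local_user` are hypothetical, and the store names, users and passwords are constructed sample data.

```python
import hmac
import secrets

def _match(stored, supplied):
    # Constant-time comparison; None means "no such user in this store".
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())

def authenticate(username, password, directory_services, local_users):
    """Model of the order described above: each Directory Service in turn
    (first success wins), then the users defined in ThingWorx.
    Returns the name of the store that accepted the credentials, or None."""
    for name, entries in directory_services:
        if _match(entries.get(username), password):
            return name
    if _match(local_users.get(username), password):
        return "local"
    return None

def provision_local_user(local_users, username):
    """Create the ThingWorx-side user (needed for Permissions) with a random
    password that is never handed to the person, per the advice above."""
    local_users[username] = secrets.token_urlsafe(32)

# Constructed sample data: two directory services and the local user store.
CORP_LDAP = ("corp-ldap", {"alice": "dir-pass-A", "bob": "dir-pass-B"})
PLANT_AD = ("plant-ad", {"carol": "dir-pass-C"})
SERVICES = [CORP_LDAP, PLANT_AD]
LOCAL = {"bob": "known-local-pass"}       # bob was told his local password
provision_local_user(LOCAL, "alice")      # alice and carol were not
provision_local_user(LOCAL, "carol")

def demo():
    results = {
        "alice_directory": authenticate("alice", "dir-pass-A", SERVICES, LOCAL),
        "carol_second_service": authenticate("carol", "dir-pass-C", SERVICES, LOCAL),
        "bob_local_fallback": authenticate("bob", "known-local-pass", SERVICES, LOCAL),
    }
    # Offboarding: remove both accounts from the first directory only.
    offboarded = [("corp-ldap", {}), PLANT_AD]
    results["bob_after_offboarding"] = authenticate("bob", "known-local-pass", offboarded, LOCAL)
    results["alice_after_offboarding"] = authenticate("alice", "dir-pass-A", offboarded, LOCAL)
    return results

if __name__ == "__main__":
    for case, accepted_by in demo().items():
        print(f"{case}: {accepted_by}")
```

In the offboarding case, the account whose owner knows the local password still authenticates through the fallback after it is removed from the directory, while the account provisioned with an undisclosed random password does not.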