By default, Shop Floor Time users log into the application with Person/PIN Validation which means that whenever a user logs in to the application, he or she is authenticated against the Login Name and Password combination in the application database.
You can also configure Shop Floor Time to use LDAP (Lightweight Directory Access Protocol) Authentication. With LDAP Authentication, the system will validate the person’s User Name and Password with a directory provider to determine the person’s identity and authenticate the login.
See Also:
In order to apply LDAP authentication, complete the steps described in the table below:
Step |
Description |
Optional |
If you want the system to connect/communicate with a directory through SSL, you must have a valid keystore. See LDAP Authentication Using SSL.
|
1. |
Configure an LDAP Policy.
|
2. |
Configure the LDAP Authentication.
|
3. |
Assign the LDAP Policy you created in Step 1 to a Employee, Employee Group, or System Settings.
|
4. |
Configure the web application for LDAP login. To do so, set the Web Authentication Profile setting to LDAP User/Password Validation. Assign this setting to the appropriate Employee, Employee Group, or System Settings.
|
|
Configure the Web Time Clock for LDAP login. To do so, modify the Terminal Profile for the Web Time Clock and set the Login Event Name to LOGIN_XML_LDAP.
|
5. |
Configure the ldap_pw_restricted_char setting. Special characters such as * & | ! ( ) | , + ; > and < may create a security risk for the LDAP server. You can use the ldap_pw_restricted_char setting to prevent users from entering these characters in the Password field when logging into Shop Floor Time.
|
6. |
Ensure that the user's Login Name on the Employee form matches the user's value in the directory attribute you specified in the Search RDN field on the LDAP Authentication form. For example, if the Search RDN field on the LDAP Authentication form is sAMAccountName (for Active Directory), then the Login Name on the Employee form must match the user's sAMAccountName value in Active Directory. Note: The default value to log in to the application is the user's Employee/Person Number. The Login Name is created when the person is added on the Employee form. The Login Name can be modified but it must be unique. You can use a combination of letters and numbers and you can include the special characters @ and .
|
The table below describes the possible Web Authentication Profile and LDAP Policy setting combinations.
Web Authentication Profile Setting Value |
LDAP Policy assigned? |
Outcome |
LDAP User/Password |
Yes |
The user is authenticated against the directory provider identified in the user's LDAP Policy. |
LDAP User/Password |
No |
The login authentication will fail because there is no configured/assigned LDAP Policy. |
Person/PIN Validation |
Yes |
The user is authenticated against the Login Name and Password combination in the application database. The LDAP Policy does not apply. |
Person/PIN Validation |
No
|
The user is authenticated against the Login Name and Password combination in the application database. Note: This combination is the default setting in System Settings, which apply to all users. Unless the user has other setting values via Employee Group or Employee, the default setting applies. |
If you want the system to connect to the LDAP directory using SSL, your LDAP Policy must have Use SSL checked. You must also have a valid keystore and configure your application server to recognize the keystore. These configurations are explained below.
Note: Do not store your keystore file in the \app directory where the Shop Floor Time application is installed. The files in the \app directory will be overwritten when you upgrade the application.
Make sure your LDAP Policy has the Use SSL box checked.
You must obtain an SSL Certificate file and import it to your Java keystore file.
You must then configure your application server to use HTTPS communication and to recognize the keystore file. This configuration will depend on the type of application server you have (WildFly 8, WebLogic 12, etc.). Refer to your application server's documentation for more information.