
Nx Witness User Manual

LDAP integration allows a System to import Users and User Groups from an LDAP Server.

Users must exist in the LDAP database object tree, match the base selection, and not be disabled in the LDAP Server to be imported.

LDAP Groups and Users can be assigned Permissions and placed in any existing System Groups, except the Built-In Administrator Group (see "Configuring Users" and "Configuring Groups").

LDAP Groups have certain specifics in terms of configuration (see "Configuring Groups").

LDAP Users can access the System using their LDAP username and password.

LDAP users will not be able to log in while the LDAP Server is not available (see "LDAP Sync Failure").

The following LDAP Server types are supported:

• Microsoft Active Directory,

• OpenLDAP Server,

• JumpCloud.

! IMPORTANT: LDAP Users must have Resource Permissions granted (see "Permissions Management") or be added to a Built-In Group to do anything more than connect to a System.

Setting Up LDAP Integration

To import LDAP users and allow them to connect to the System, it is necessary to establish a connection between Nx Witness and the LDAP Server. The LDAP server does not have to be a part of the same LAN the Media Server is on, but it must be available for the Media Server either by LAN or WAN.

LDAP integration should be performed by, or in cooperation with, the Network (Domain) Administrator.

LDAP over SSL may require certificates on both the LDAP and Nx Witness Servers.

Note: When configuring LDAP integration, do not specify the domain's base distinguished name (DN) as a search base. Instead, specify the organizational units (OUs) underneath the base DN: it is not possible to filter on OU membership, but you can filter on group membership.

To retrieve all users that are members of a specified group, filter on the memberOf attribute. For example: memberOf=CN=Security Users,CN=Users,DC=DOMAIN,DC=LOCAL.

1. Select Main Menu > User Management and go to the LDAP tab.
A Configure button is displayed when no LDAP information exists in the System, otherwise the LDAP dialog displays the following summary information:

Server,

Server status,

the last synchronization timestamp,

the numbers of users and groups retrieved.

2. Click the Edit button below the summary information to open the LDAP Connection Settings dialog.

3. Enter the following information (consult with your Network or Domain Administrator as needed):

Host: (ldap:// or ldaps://)

! IMPORTANT: If using a Server URL, it should be a fully qualified domain name (FQDN), sometimes also referred to as an absolute domain name. See https://en.wikipedia.org/wiki/Fully_qualified_domain_name for details.

Login DN

Password

Options:

• Use StartTLS

• Ignore LDAP Server certificate errors

4. Click the Test button to validate the server connection and credentials. One of the following messages will be displayed:

Connection OK

Cannot connect to LDAP Server

5. Upon successful test results, click the Apply button to save the connection settings and return to the LDAP summary. Clicking Cancel will discard all settings entered and exit the LDAP Connection Settings dialog.

6. Click the +Add button next to the Search Bases heading to open the Add Search Base dialog; enter the following information:

Name – often "Users"

Base DN – the starting point for LDAP searches and synchronization.

Filter – specifies which Users and Groups under the Base DN are allowed (optional).

7. Click OK to close the dialog and return to the LDAP tab of the User Management dialog.

8. Click Apply to save the Search Base parameters and retrieve User and Group information from the LDAP server. The Users and Groups count will update upon a successful retrieval.

[Figure: Setting Up LDAP Integration - 1]

9. Optional: Click on Advanced Settings to review and change defaults for:

Synchronize Users – Always or only at Login.

Sync Interval – a value from 1 to 9999999 in seconds, minutes, or days.

Proxy Server – select a specific Server to connect to the LDAP server, or select Auto.

• In Auto mode, each server tries to connect to LDAP directly. If the connection fails, then every Server in the System will try to connect. If a specific Server is selected, but it is unavailable, the System defaults to Auto mode.

Users – Deselect Auto to provide a specific value; use the checkbox to allow or disallow insecure (digest) authentication for imported Users.

Groups – Deselect Auto to provide a specific objectClass value.

Membership – Deselect Auto to provide a specific Group Members Attribute.
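As an added example that is not part of the Nx Witness product or this manual, the following Python pre-check applies the rules above before the values are typed into the dialog: it builds the memberOf filter from the note with RFC 4515 escaping, rejects a search base that is the domain base DN itself, checks that the Host is an ldap:// or ldaps:// URL with an FQDN, and flags the insecure choices in step 3 (plain ldap:// without StartTLS, ignoring certificate errors). The host, DNs and group names are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# RFC 4515 escaping for a value placed inside an LDAP search filter, so a
# group name containing "(", ")", "*" or "\" cannot change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str) -> str:
    """Filter matching users that are members of the given group DN."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def _rdns(dn: str) -> list:
    # Split a DN on unescaped commas and strip whitespace around each RDN.
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]


def dn_domain_root(dn: str) -> str:
    """Return the DC=... tail of a DN, i.e. the domain's base DN."""
    return ",".join(r for r in _rdns(dn) if r.upper().startswith("DC="))


def check_ldap_settings(host_url: str, base_dn: str,
                        use_starttls: bool, ignore_cert_errors: bool) -> list:
    """Return the list of problems found in the proposed settings (empty if none)."""
    problems = []
    url = urlsplit(host_url)
    hostname = url.hostname or ""
    if url.scheme not in ("ldap", "ldaps"):
        problems.append("host must start with ldap:// or ldaps://")
    # An FQDN has at least one dot and is not a bare IPv4 address.
    if "." not in hostname or re.fullmatch(r"[\d.]+", hostname):
        problems.append("host must be a fully qualified domain name")
    if url.scheme == "ldap" and not use_starttls:
        problems.append("plain ldap:// without StartTLS sends the Login DN password unencrypted")
    if ignore_cert_errors:
        problems.append("ignoring certificate errors lets a spoofed LDAP server receive credentials")
    # The manual's note: search under an OU, never on the domain base DN itself.
    if ",".join(_rdns(base_dn)).upper() == dn_domain_root(base_dn).upper():
        problems.append("search base is the domain base DN; use an OU beneath it")
    return problems
```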

Importing Users from LDAP Server

LDAP Users and Groups are imported immediately after the LDAP integration is completed and validated. Follow these steps to force an LDAP synchronization:

1. Open Main Menu > User Management > LDAP tab.

2. Below the User and Group count is the Last Sync timestamp and a refresh icon.

3. Click the refresh icon to force LDAP synchronization. The refresh icon is not displayed when the sync interval in Advanced Settings is set to 1 minute or less.

4. Once imported, LDAP users can be enabled or disabled (see "Enabling and Disabling Users"), and assigned User Permissions or placed in Permission Groups (see "Configuring Users").

Note: LDAP users must successfully log into the Desktop Client one time before they can use the Web Admin.

Changing or reconfiguring LDAP Servers

Changing or reconfiguring the LDAP Server integration can result in existing LDAP Users becoming invalid and thus disabled in the System. A warning banner and confirmation dialog are presented when LDAP integration changes may disrupt the validity of existing LDAP Users and Groups.

Removing or Deleting an LDAP Server from the system

Removing or deleting an LDAP Server connection that has been synchronized at least once will remove all LDAP Users and Groups from the System. All System Permissions and Group membership configurations for LDAP Users will be removed, and all history for the LDAP Users will be removed from the Audit Trail of User Actions. This action cannot be undone.

1. Open System Administration > User Management > LDAP tab.

2. Click on the Disconnect button near the Edit and Advanced Settings buttons.

3. Confirm to Disconnect LDAP server and remove all LDAP Users and Groups.

LDAP Warnings

The following warnings may be displayed during LDAP configuration, testing, and synchronization:

Remove existing LDAP Users and Groups:

• This warning is displayed for any action that will force the removal of all existing LDAP Users from the System.

Disconnect LDAP Server confirmation:

• This dialog is displayed before disconnecting an LDAP Server and removing all LDAP Users from the System.

LDAP Server is offline:

• This banner is displayed in the User Management dialog for LDAP and includes a count of how many Users are currently unable to connect to the System.

LDAP User Duplication:

• This banner is displayed in the User Management dialog when imported LDAP usernames conflict with existing usernames in the System. System accounts have priority, and the duplicated LDAP usernames are disabled.

LDAP Digest Authentication:

• An informational dialog is presented when changing the LDAP Digest Authentication settings if some Users will also need their User Configuration Settings changed.