AX2581

Using LDAP Authentication

You can enable LDAP Authentication for Axiom Enterprise Decision Support, so that users are authenticated against your LDAP server when launching Axiom Enterprise Decision Support.

NOTE: LDAP Authentication is not supported for use with Axiom Cloud systems.

LDAP Authentication behavior

When the Axiom Enterprise Decision Support login screen displays, users must enter their LDAP user name (with or without the suffix) and their LDAP password. If the LDAP user name matches a user name in Axiom Enterprise Decision Support, then the credentials are passed to LDAP for authentication into Axiom Enterprise Decision Support.

If the LDAP Authentication configuration for Axiom Enterprise Decision Support only allows one LDAP suffix, then that suffix will be used for all LDAP authentication. The user can include the suffix or not when logging in, and the Axiom user name can contain the suffix or not. Axiom will automatically append the suffix as needed when sending the credentials to LDAP for authentication. However, if multiple suffixes are allowed, then the suffix must be specified using any of the following approaches:

  • The user must specify the appropriate suffix using the Domain selection list. This is an optional login setting that can be enabled for your installation. For more information, see Domain selection list.
  • The user must include the suffix as part of their user name when logging in.
  • The user names in Axiom Enterprise Decision Support must include the appropriate suffix for each user.

Users must enter their credentials each time they log in, unless they select Remember me to store their credentials for future use. For more information, see Remember me.

Setting up LDAP Authentication

The following summarizes the setup process for LDAP Authentication.

To set up LDAP Authentication:

  1. LDAP Authentication must be enabled for the system.

    LDAP Authentication can be enabled during the Axiom Application Server installation. If it was not enabled during the installation, you can configure it later using the Configure Authentication Methods page of the Axiom Software Manager. For more information, see the Installation Guide.

    When you enable LDAP Authentication, you must specify the connection string to the LDAP server, as well as a user name and password for the connection. You must also specify the allowed suffix(es) for user names.

  2. In security, Axiom Enterprise Decision Support users must be set up as follows to support LDAP Authentication:

    • The user's Axiom Enterprise Decision Support login name must match their LDAP login name.

      The user name can contain the LDAP suffix or not as desired. Note that the user name must include the suffix if there is a naming conflict with another user who is configured with a different authentication type (or with a different LDAP suffix). For example, if you have an Axiom Prompt user jdoe, and you have an LDAP user jdoe, then the LDAP user must include the suffix on their user name to differentiate the two users.

    • The user's Authentication method must be set to LDAP Prompt. This is the default setting for new users if your installation is enabled for LDAP Authentication.

All users who are assigned to the LDAP authentication type will be authenticated by your designated LDAP directory. This is the only way that these users can log in—they cannot log in using an internal Axiom Enterprise Decision Support password.

If you need to test the security settings of an LDAP authentication user, you can use the Log in as selected user feature to log in to Axiom Enterprise Decision Support as that user. For more information, see Testing user security.
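The suffix rules above (one allowed suffix versus several, and the naming-conflict rule in step 2) can be checked against a planned user list before the users are created. The following Python script is an added example, not part of Axiom Enterprise Decision Support or its documentation. It assumes that suffixes take an "@domain" form, that names compare case-insensitively, and that the list is available as (login name, authentication method) pairs; all sample values are constructed.

```python
from collections import defaultdict

# Constructed sample data; the "@domain" suffix form is an assumption.
ALLOWED_SUFFIXES = ["@corp.example", "@lab.example"]
USERS = [
    ("jdoe", "Axiom Prompt"),
    ("jdoe", "LDAP Prompt"),                 # same base name, different auth type
    ("asmith@corp.example", "LDAP Prompt"),
    ("asmith@lab.example", "LDAP Prompt"),   # same base name, suffixes disambiguate
    ("bwong", "LDAP Prompt"),                # no suffix while two are allowed
    ("cli", "Axiom Prompt"),
]

CONFLICT = "naming conflict: user name must include the LDAP suffix"
NEEDS_SUFFIX = "multiple suffixes allowed: suffix must be supplied at login"

def split_suffix(name, suffixes):
    """Return (base, suffix), with suffix None when no allowed suffix is present."""
    lowered = name.lower()
    for s in suffixes:
        if lowered.endswith(s.lower()) and len(lowered) > len(s):
            return lowered[:-len(s)], s.lower()
    return lowered, None

def audit(users, suffixes):
    """Flag LDAP Prompt users whose names are ambiguous under the suffix rules."""
    by_base = defaultdict(list)
    for name, method in users:
        base, suffix = split_suffix(name, suffixes)
        by_base[base].append((name, method, suffix))

    findings = []
    for base, entries in sorted(by_base.items()):
        for name, method, suffix in entries:
            if method != "LDAP Prompt" or suffix is not None:
                continue  # non-LDAP users and suffixed names are unambiguous
            if len(entries) > 1:
                # Another user shares the base name (other auth type or suffix).
                findings.append((name, CONFLICT))
            elif len(suffixes) > 1:
                # Nothing tells the system which suffix to append for this user.
                findings.append((name, NEEDS_SUFFIX))
    return findings

if __name__ == "__main__":
    for name, issue in audit(USERS, ALLOWED_SUFFIXES):
        print(f"{name}: {issue}")
```

A user flagged with the second message can still log in by using the Domain selection list or by typing the suffix, so that finding is informational rather than an error.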