Configure Autoform DM to use LDAP
    29 Feb 2024

    Autoform DM can be configured to use Windows Active Directory to authenticate user logins and, optionally, to allocate group access. Once LDAP is set up correctly, all user management can be done outside DM, and users can log in to DM with their Windows credentials as long as they are members of the relevant Active Directory groups.

    Depending on your DM version, some of the options may appear differently. Most of the values are for whoever manages the Windows Active Directory to specify.

    Note

    In some scenarios, you might need to disable LDAP. For more information, and for steps, see Disable LDAP.

    Enable LDAP

    To configure Autoform DM to use LDAP, follow these steps:

    1. Click Administration in the Autoform DM menu, then click LDAP settings configuration.


    2. In the Server Details area of the page, supply information about the Active Directory.


      • LDAP Server Address: The host name or IP address of the server that holds the Active Directory.

        Note

        We recommend specifying the domain name rather than a specific domain controller (DC) when several domain controllers serve the same domain. If one DC goes down, another takes over and DM stays connected.

      • LDAP Server Port: The port of the Active Directory server: 389 for LDAP, or 636 for LDAPS.

      • LDAP Binding Username: The account DM binds as when it searches the directory. It needs read access to the user and group subtrees being searched; use a dedicated service account with only that access rather than a domain administrator account.

      • Change LDAP Binding Password: Sets or changes the password of the binding account.

      • Follow LDAP Referrals: Whether DM follows referrals returned by Active Directory (for example, to other domains in the same forest).

      • LDAP SSL Enabled: Encrypts the connection to the directory with TLS (LDAPS, port 636). See LDAPS below.

      • LDAP Server Domain: The name of the domain that Autoform DM and the Active Directory belong to.

      • Designated LDAP admin account: An account that bypasses license limitations so that an administrator can always get in for emergency access.

    3. In the Users area, provide the Active Directory settings for users.


      • Create users automatically: Creates the DM user account automatically the first time an Active Directory user logs in to Autoform DM.

      • LDAP User Search Base: The location in the directory tree under which user accounts are found. For example: CN=Users,DC=mydomain,DC=local

      • LDAP User Search Scope: How many levels below the User Search Base to search for users.

      • LDAP Username Attribute: The Active Directory attribute that holds the login name (the UID attribute) of the user. From version 6.919 onwards, only the userPrincipalName (UPN) attribute can be used; sAMAccountName is no longer supported.

      • LDAP User Object Class: Limits results to user objects so that computer accounts and other objects are excluded; enter the object class name used for a person. Change it only if your directory does not use the default.

      • LDAP Mail Attribute: The attribute that contains the user's email address in Active Directory.

      • LDAP Full Name Attribute: The attribute that contains the user's full name.

    4. In the Groups area, provide the Active Directory settings for groups.


      • LDAP Group Search Base: Specifies the tree location of the group names in Active Directory. For example: CN=Groups,DC=mydomain,DC=local

      • LDAP Group Search Scope: How many levels below the Group Search Base to search for groups.

      • LDAP Group Name Attribute: The field within Active Directory that holds the group name.

      • LDAP Group Membership Attribute: The field within AD that holds the member list of a group.

      • LDAP Group Object Class: Name of the group object class.

      • LDAP Group Membership Attribute Search Scope: Levels to search for group members beyond the base.

    5. In the Group Mappings area, map Autoform DM groups to Active Directory groups.


      • Normal user group: Name of the user group in Active Directory that will contain users of DM.

      • Admin user group: Name of the user group in AD that will contain DM administrators.

      • LDAP groups area: Autoform DM will then list any groups you have in DM. You can map these to groups in AD.

      • Is LDAP Authoritative: Whether DM always takes group and application access permissions from Active Directory, or still allows access to be set manually within DM.

    6. Test the LDAP connection settings:

      1. Find the Test LDAP Connection Settings area on the page. In the LDAP Test Username box, enter a name that exists in Active Directory.

      2. Click Test. Autoform DM will display the result of the test. If successful, the page will display the groups that the user belongs to.

    7. To enable LDAP, click the option (in the LDAP test area) to enable LDAP. Autoform DM displays this option only after a successful LDAP connection test.
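
    The following script is an added example and is not part of Formpipe's documentation or product. It pre-flights the values from the Server Details, Users, Groups and Group Mappings areas from the DM server itself, before you type them into Autoform DM: it binds with the binding account, looks up the test user with the same kind of filter DM builds from the user object class and username attribute, and checks that each mapped AD group sits under the group search base and lists that user as a member. It uses System.DirectoryServices, so it runs in Windows PowerShell 5.1 or PowerShell 7 on Windows. Every server, base DN, attribute, group and user name below is an assumption; replace each with your own directory's values.

```powershell
# Added example (not Formpipe's code). All names and DNs below are assumptions.
$Server     = 'mydomain.local'                   # LDAP Server Address (domain, not one DC)
$Port       = 389                                # LDAP Server Port: 389, or 636 with SSL
$UseSsl     = $false                             # LDAP SSL Enabled
$Referrals  = 'None'                             # Follow LDAP Referrals: 'None' or 'All'
$UserBase   = 'CN=Users,DC=mydomain,DC=local'    # LDAP User Search Base
$GroupBase  = 'CN=Groups,DC=mydomain,DC=local'   # LDAP Group Search Base
$Scope      = 'Subtree'                          # search every level below either base
$UserAttr   = 'userPrincipalName'                # LDAP Username Attribute (UPN only from 6.919)
$UserClass  = 'person'                           # LDAP User Object Class
$MailAttr   = 'mail'                             # LDAP Mail Attribute
$NameAttr   = 'displayName'                      # LDAP Full Name Attribute
$GroupAttr  = 'cn'                               # LDAP Group Name Attribute
$MemberAttr = 'member'                           # LDAP Group Membership Attribute
$GroupClass = 'group'                            # LDAP Group Object Class
$TestUser   = 'jane.doe@mydomain.local'          # what you will enter in LDAP Test Username
$DmGroups   = 'DM-Users', 'DM-Admins'            # Normal / Admin user group names in AD

# LDAP Binding Username and password, read interactively; prefer a read-only service account.
$cred = Get-Credential -Message 'LDAP binding account' -UserName 'MYDOMAIN\svc-autoformdm'
$auth = [DirectoryServices.AuthenticationTypes]::Secure
if ($UseSsl) { $auth = $auth -bor [DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }

function ConvertTo-LdapFilterValue([string]$s) {
    # RFC 4515 escaping so a DN or a typed name cannot alter the filter structure
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-FirstValue($result, [string]$name) {
    # SearchResult property names are stored lower-case; report absent attributes explicitly
    $v = $result.Properties[$name.ToLower()]
    if ($v -and $v.Count -gt 0) { $v[0] } else { '(absent)' }
}

function New-Searcher([string]$base, [string]$filter, [string[]]$props) {
    $entry = New-Object DirectoryServices.DirectoryEntry(
        "LDAP://${Server}:${Port}/$base", $cred.UserName, $cred.GetNetworkCredential().Password, $auth)
    $entry.RefreshCache()   # forces the bind; throws if server, port, TLS or credentials are wrong
    $s = New-Object DirectoryServices.DirectorySearcher($entry, $filter, $props)
    $s.SearchScope = $Scope
    $s.ReferralChasing = $Referrals
    $s
}

# 1. Bind with the binding account and find the test user under the user base
$userFilter = "(&(objectClass=$UserClass)($UserAttr=$(ConvertTo-LdapFilterValue $TestUser)))"
$user = (New-Searcher $UserBase $userFilter @('distinguishedName', $MailAttr, $NameAttr)).FindOne()
if (-not $user) { throw "No $UserClass object with $UserAttr=$TestUser under $UserBase" }
$userDn = Get-FirstValue $user 'distinguishedName'
"User      : $userDn"
"Mail      : $(Get-FirstValue $user $MailAttr)"
"Full name : $(Get-FirstValue $user $NameAttr)"

# 2. Confirm each mapped AD group is under the group base and lists the user as a direct member
foreach ($g in $DmGroups) {
    $f = "(&(objectClass=$GroupClass)($GroupAttr=$(ConvertTo-LdapFilterValue $g))" +
         "($MemberAttr=$(ConvertTo-LdapFilterValue $userDn)))"
    $hit = (New-Searcher $GroupBase $f @('distinguishedName')).FindOne()
    '{0,-10}: {1}' -f $g, $(if ($hit) { "member of $(Get-FirstValue $hit 'distinguishedName')" }
                            else { 'not a member, or group not under the group base' })
}
```

    A failure in the first step points at the Server Details area (address, port, SSL, binding account); a missing user points at the Users area; a group reported as "not a member" points at the Groups or Group Mappings area. The membership check only sees direct members, because Active Directory's member attribute lists direct members only; to test membership through nested groups, set $MemberAttr to 'member:1.2.840.113556.1.4.1941:' so the filter uses the AD transitive matching rule.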

    LDAPS

    Autoform DM supports LDAPS. To implement LDAPS, follow these steps:

    1. Configure LDAP as described above.

    2. Export the root CA certificate that issued the domain controller's LDAPS certificate (from the DC's certificate store or from the issuing CA) as a .cer file, and import it into the certificate store (cacerts) of the JDK that DM runs on. The DM JDK is in the DM installation folder; for example: C:\Program Files\Formpipe Software\Autoform DM\Server_x.x.x\jdkx.x.x_xx.

    3. Open a command prompt as an Administrator, then navigate to the bin folder within the JDK folder mentioned in the preceding step.

    4. Run the following command, substituting the path of the exported root certificate file for <root-ca.cer> and a name of your choice for DOMAINNAME:

      keytool.exe -importcert -trustcacerts -file <root-ca.cer> -alias DOMAINNAME -keystore ..\lib\security\cacerts

    5. When you run this command you are prompted for the Java cacerts password. The default password is changeit.

    6. Restart Autoform DM.

    7. After Autoform DM starts, log in and then navigate to the LDAP configuration screen.

    8. Disable LDAP (to reveal the LDAP configuration).

    9. Change LDAP Server Port to 636 and select the LDAP SSL Enabled check box. The certificate the domain controller presents must be valid for the name you entered in LDAP Server Address (the domain name, if you followed the recommendation above), because current JDKs verify the host name on LDAPS connections.


    10. To enable LDAPS, follow the LDAP test and enable instructions in the LDAP steps above.
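
    The following script is an added example, not Formpipe's code, and carries out steps 2 to 5 above from PowerShell on the DM server. It performs a TLS handshake with the domain controller on port 636, shows the names the presented certificate is valid for, takes the self-signed root of the chain Windows builds for it, writes that root to a .cer file, imports the file into the DM JDK's cacerts with keytool and lists the new entry. The server name, JDK folder (the path from step 2 with your real version numbers), alias and output path are assumptions.

```powershell
# Added example (not Formpipe's code). Server, JDK path, alias and file path are assumptions.
$Server    = 'mydomain.local'   # must be the exact value used in LDAP Server Address
$Port      = 636
$JdkHome   = 'C:\Program Files\Formpipe Software\Autoform DM\Server_x.x.x\jdkx.x.x_xx'
$Alias     = 'mydomain-root-ca'
$CerPath   = Join-Path $env:TEMP 'ldaps-root-ca.cer'
$StorePass = 'changeit'         # Java default; use your own value if cacerts was re-keyed

# 1. Handshake with the DC and capture the leaf certificate and the chain built for it
$captured = @{}
$validator = {
    param($sender, $cert, $chain, $errors)
    $captured.Leaf   = [Security.Cryptography.X509Certificates.X509Certificate2]$cert
    $captured.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $captured.Errors = $errors
    $true   # accept so the chain can be inspected; this script harvests, it does not trust
}
$tcp = New-Object Net.Sockets.TcpClient($Server, $Port)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $validator)
try { $ssl.AuthenticateAsClient($Server) } finally { $ssl.Dispose(); $tcp.Dispose() }

"Leaf   : $($captured.Leaf.Subject)"
$san = $captured.Leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
"SANs   : $(if ($san) { $san.Format($false) } else { '(none: host name verification will fail)' })"
"Status : $($captured.Errors)"   # RemoteCertificateChainErrors is expected until the root is trusted

$root = $captured.Chain | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
if (-not $root) {
    throw "No self-signed root in the chain for $Server; export the root CA certificate from the issuing CA instead."
}
$der = $root.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($CerPath, $der)
"Root   : $($root.Subject) ($($root.Thumbprint)) -> $CerPath"

# 2. Import the root into the JDK truststore and verify the entry (steps 4 and 5 above)
$keytool = Join-Path $JdkHome 'bin\keytool.exe'
$cacerts = Join-Path $JdkHome 'lib\security\cacerts'
& $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CerPath -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
& $keytool -list -alias $Alias -keystore $cacerts -storepass $StorePass
```

    Check the SANs line before importing anything: if the name you use in LDAP Server Address is not listed there, the LDAPS connection will still fail after the root is trusted, and the fix is a new certificate on the domain controller, not a truststore change. Run the script from an elevated prompt, because cacerts under Program Files is not writable otherwise, and restart Autoform DM afterwards as step 6 says.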

    Disable LDAP

    In some scenarios, you might need to log into Autoform DM as a local user. For example:

    • Scenario 1: You need to disable LDAP to update the LDAP settings.

    • Scenario 2: Your LDAP server is down or unreachable, and you need to disable LDAP without logging into Autoform DM.

    Scenario 1: LDAP is Currently Running But You Need to Disable It

    To turn off LDAP, follow these steps:

    1. Log in to Autoform DM. Click Administration in the Autoform DM menu, then click LDAP settings configuration.


    2. Clear the LDAP integration enabled check box.

      Warning

      Ensure the next step is performed out of hours, or ensure that all users are aware they will be logged out automatically.

    3. Click Yes to proceed.


    Scenario 2: Your LDAP Server Is Down or Unreachable

    It is possible to disable LDAP authentication by editing the setting in the Autoform DM database.

    Warning

    This should only be done with assistance from a Formpipe Engineer. If you require this change to be made, contact Formpipe Support.

    To disable LDAP within the database, follow these steps:

    1. Stop the Autoform DM service.

    2. Back up the database (default name AFPDM).

    3. Open the tblGlobalSettings table in the database.

    4. Find the entry with ConstID 3201 and change its value to false.

    5. Start the Autoform DM service.

    6. Once Autoform DM has started, log in as a local user.
