Use LDAP attribute

You can use LDAP attributes to provide authentication without Windows usernames and domain names being sent outside of the domain.
Desktop app version 6.2.x.271 and BlackBerry AtHoc server version 6.1.8.87 CP1 support the use of LDAP attributes for authentication.
Organization configuration
LDAP authentication is based on the end user's Username. When using the mail attribute, the end user's Username attribute must contain the end user's email address from Active Directory.
To configure your organization to use the LDAP attribute for authentication, complete the following steps:
  1. Log in to the BlackBerry AtHoc management console as an administrator.
  2. In the navigation bar, click the Settings icon.
  3. In the Users section, click User Authentication. The User Authentication screen opens.
  4. In the Enabled Authentication Methods section, select the Enable check box next to LDAP Attribute.
  5. In the Assign Authentication Methods to Applications section, select LDAP Attribute from the Authentication Method list in the Desktop app section.
  6. In the Attribute field, enter the Active Directory attribute to use for authentication. For example, mail.
  7. Next to Create New User if an Account is not Found, select the Enable check box.
  8. Click Save.
Migrate existing users to LDAP attributes
To migrate existing users to use LDAP attributes, complete the following tasks:
  • Configure the LDAP Attribute option in the BlackBerry AtHoc management system and enter the attribute, as described in the previous task. 
  • Save the changes.
  • Update the Username for each user. For example, when using the LDAP mail attribute, set the Username to the value of the user's email address in Active Directory.
  • Restart the desktop app.
When the desktop app starts, it receives instructions from the server about the LDAP attribute to use. The desktop app then queries Active Directory for the value of that attribute for the local user. The client can only query Active Directory if the user has at least read permission in Active Directory. The client sends the value of the attribute to the server. The server performs a user search in which the Username in each user record is compared to the attribute value. If a match is found, the client is connected to the user record in the system and the user can then receive alerts that are targeted to them.
If the LDAP attribute values have not been synchronized to the Username field, or if the value is not matched to an existing user in the BlackBerry AtHoc system, a new user is created. Starting with BlackBerry AtHoc server version 7.0.0.1 there is a “Create new user if an account is not found” option that is not selected by default. This is to prevent desktop apps from creating a user, and to prevent the desktop app from creating duplicate users when a user's Username has not been set correctly.
If the desktop app cannot query Active Directory, it waits until it can. The desktop app caches the designated attribute in the registry, in the string value LdapAttributeValue under HKCU\Software\AtHoc[Edition], and uses the cached copy if access to Active Directory fails.
Desktop app configuration
When the authentication mode is changed in the User Authentication settings, you must stop and then restart the desktop app to apply the new settings.
When the desktop app restarts, it downloads baseurl.asp which contains the initial instructions for sign on. When LDAP authentication is enabled, the instructions include a userLookupMode node with type="LDAP" and the name of the attribute to use. For example:
<userLookupMode type="LDAP">mail</userLookupMode>
The desktop app then creates a new "LdapAttributeValue" string value in the registry under HKCU\Software\AtHoc[Edition].
If the user does not have read access to Active Directory, the registry value can be updated manually or with a Group Policy Object (GPO). Because the value differs for each user (for example, the user's email address), the GPO must set it per user.
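One way to seed that per-user value from a GPO logon script, as an added example that is not BlackBerry AtHoc's own code: it first attempts the same Active Directory lookup the desktop app performs and, when that fails for lack of read access, falls back to a mapping file an administrator exported with their own rights. The attribute name, the `$Edition` segment of the key, the mapping-file path and its column names are assumptions.

```powershell
# Added example, not BlackBerry AtHoc code: per-user GPO logon script that populates
# the LdapAttributeValue string the desktop app caches, so a user without read access
# to Active Directory still ends up with the correct value. Placeholders (not from the
# documentation): the attribute "mail", $Edition for the "[Edition]" key segment, and
# $MappingFile, an administrator-exported "sAMAccountName,value" CSV on a read-only share.
param(
    [string]$Attribute   = 'mail',
    [string]$Edition     = 'EDITION_PLACEHOLDER',
    [string]$MappingFile = '\\FILESERVER_PLACEHOLDER\athoc$\ldap-attribute-map.csv'
)

$keyPath = "HKCU:\Software\AtHoc$Edition"
$user    = $env:USERNAME

# First choice: ask Active Directory directly, which is what the desktop app itself does.
function Get-AttributeFromAd {
    param([string]$Name, [string]$SamAccountName)
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
        [void]$searcher.PropertiesToLoad.Add($Name)
        $hit = $searcher.FindOne()
        if ($hit -and $hit.Properties[$Name].Count -gt 0) { return [string]$hit.Properties[$Name][0] }
    } catch { Write-Verbose "AD query failed for ${SamAccountName}: $_" }
    return $null
}

# Fallback: a mapping exported beforehand by an administrator who does have read access.
function Get-AttributeFromMapping {
    param([string]$Path, [string]$SamAccountName)
    if (-not (Test-Path $Path)) { return $null }
    $row = Import-Csv -Path $Path | Where-Object { $_.sAMAccountName -eq $SamAccountName } | Select-Object -First 1
    if ($row) { return $row.value }
    return $null
}

$value = Get-AttributeFromAd -Name $Attribute -SamAccountName $user
if (-not $value) { $value = Get-AttributeFromMapping -Path $MappingFile -SamAccountName $user }

if (-not $value) {
    # Leave any previously cached value alone rather than overwrite it with nothing.
    Write-Warning "No '$Attribute' value found for $user; LdapAttributeValue not changed."
    exit 1
}

if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
Set-ItemProperty -Path $keyPath -Name 'LdapAttributeValue' -Value $value -Type String
```

The script never blanks an existing LdapAttributeValue, so a transient lookup failure leaves the desktop app's cached copy intact.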