Use LDAP attribute

You can use LDAP attributes to provide authentication without Windows usernames and domain names being sent outside of the domain.
Desktop app version 6.2.x.271 and BlackBerry AtHoc server version 6.1.8.87 CP1 support the use of LDAP attributes for authentication.
Organization configuration
LDAP authentication is based on the end user's Username. When using the mail attribute, the Username of each end user's record must contain that user's email address exactly as it appears in Active Directory.
To configure your organization to use the LDAP attribute for authentication, complete the following steps:
  1. Log in to the BlackBerry AtHoc management system as an administrator.
  2. In the navigation bar, click the Settings icon.
  3. In the Users section, click User Authentication.
  4. On the User Authentication screen, in the Enabled Authentication Methods section, select the Enable check box next to LDAP Attribute.
  5. In the Assign Authentication Methods to Applications section, select LDAP Attribute from the Authentication Method list in the Desktop app section.
  6. In the Attribute field, enter the Active Directory attribute to use for authentication. For example, mail.
  7. Next to Create New User if an Account is not Found, select Enable. Leave this option disabled until the Username of every existing user has been populated with the attribute value; otherwise the desktop app creates a new (possibly duplicate) user for each attribute value that does not match an existing record.
  8. Click Save.
Migrate existing users to LDAP attributes
To migrate existing users to use LDAP attributes, complete the following tasks:
  • Configure the LDAP Attribute option in the 
    BlackBerry AtHoc
     management system and enter the attribute, as described in the previous task.
  • Save the changes.
  • Update the Username for each user. For example, when using the LDAP mail attribute, set the Username to the value of the user's email address in Active Directory.
  • Restart the desktop app.
When the desktop app starts, it receives instructions from the server about the LDAP attribute to use. The desktop app then queries Active Directory for the value of that attribute on the local user's account. For the client to query Active Directory, the user must have at least read-only access to Active Directory. The client sends the value of the attribute to the server. The server performs a user search in which the Username in each user record is compared to the attribute value. If a match is found, the client is connected to that user record and the user can receive alerts that are targeted to them.
If the LDAP attribute values have not been synchronized to the Username field, or if the value does not match an existing user in the BlackBerry AtHoc system, a new user is created. Starting with BlackBerry AtHoc server version 7.0.0.1 there is a "Create new user if an account is not found" option that is not selected by default. This prevents desktop apps from creating users automatically, and in particular from creating duplicate users when a user's Username has not been set correctly.
If the desktop app cannot query Active Directory, it waits until it can. The desktop app caches the designated attribute value in the registry, in the string value LdapAttributeValue under HKCU\Software\AtHoc[Edition], and uses the cached copy if access to Active Directory fails.
Desktop app configuration
When the authentication mode is changed in the User Authentication settings, you must stop and then restart the desktop app to apply the new settings.
When the desktop app restarts, it downloads baseurl.asp, which contains the initial instructions for sign-on. When LDAP authentication is enabled, the instructions include a userLookupMode node with type="LDAP" whose content is the name of the attribute to use. For example:
<userLookupMode type="LDAP">mail</userLookupMode>
The desktop app then creates a new "LdapAttributeValue" string value in the registry under HKCU\Software\AtHoc[Edition].
If the user does not have read access to Active Directory, the registry value can be populated manually or with a Group Policy Object (GPO). Each user has a different value (for example, their own email address), so the GPO must set a per-user value rather than a single fixed string.
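The following script is an added example for the lookup and registry write described in the two passages above; it is not BlackBerry AtHoc code. It performs the same step the desktop app performs (read the configured attribute of the current user's account from Active Directory over LDAP) and writes the result to the LdapAttributeValue string value, which is what a per-user GPO logon script would need to do when the app itself cannot query the directory. It assumes the attribute is mail unless told otherwise, and it takes the edition string as a parameter because the page only shows the [Edition] placeholder in the registry path; both are assumptions of this example. It must run in the user's own security context so that the value written belongs to that user.

```powershell
# Added example, not BlackBerry AtHoc code.
# Reads the configured LDAP attribute for the current user from Active Directory
# and caches it in HKCU:\Software\AtHoc<Edition>\LdapAttributeValue.
# Assumptions (not from the page): -Attribute defaults to 'mail'; -Edition
# replaces the [Edition] placeholder shown in the registry path.
param(
    [string]$Attribute = 'mail',
    [Parameter(Mandatory = $true)][string]$Edition
)

# Escape a value for use inside an LDAP search filter (RFC 4515) so that an
# unusual account name cannot change the meaning of the filter.
function ConvertTo-LdapFilterLiteral {
    param([string]$Value)
    # Backslash first, so the escape sequences added afterwards are not re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

# Query the current domain (default naming context) for the caller's user object
# and return the first value of the requested attribute, or $null if not found.
# Only LDAP read access to the user's own object is needed; the RSAT
# ActiveDirectory module is not required.
function Get-LdapAttributeValue {
    param([string]$Attribute)
    $sam = ConvertTo-LdapFilterLiteral $env:USERNAME
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.Add($Attribute)
    $entry = $searcher.FindOne()
    if ($null -eq $entry) { return $null }
    $values = $entry.Properties[$Attribute.ToLower()]
    if ($null -eq $values -or $values.Count -eq 0) { return $null }
    return [string]$values[0]
}

$keyPath = "HKCU:\Software\AtHoc${Edition}"

try {
    $value = Get-LdapAttributeValue -Attribute $Attribute
} catch {
    # Directory unreachable (for example, off the corporate network).
    $value = $null
}

if ([string]::IsNullOrEmpty($value)) {
    # Mirror the desktop app's behaviour: when the directory cannot be read,
    # leave any previously cached value in place rather than overwriting it.
    Write-Warning "Could not read '$Attribute' for $env:USERNAME from Active Directory; $keyPath\LdapAttributeValue left unchanged."
    exit 1
}

if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name 'LdapAttributeValue' -Value $value -PropertyType String -Force | Out-Null
Write-Output "LdapAttributeValue set to '$value' under $keyPath"
```

Run it as the user, for example `.\Set-AtHocLdapAttribute.ps1 -Edition '<your edition string>'`; the server-side match still depends on each user's Username containing exactly the value this script writes, so verify a handful of accounts in the management system before rolling the GPO out.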