Skip to main content
Version: 8.1

AD Database Hybrid

Inductive University

AD Database Hybrid

Watch the video

AD/Database User Source​

This AD/Database Hybrid User Source is not manageable from within Ignition. Users/passwords must be administered through Active Directory, and roles, contact info, and so on, must be administered directly through the database. The way AD/Database Hybrid works, is it has all the same information requirements as the other authentication profiles, but it also has a number of Database properties. You need to specify a database (i.e., MySQL) to store information, and set up queries that you want to use. You must also specify the host that is acting as your primary domain controller, and a secondary domain controller in case the primary is unavailable. You'll also need to specify the name of the domain and credentials for the Gateway itself to use for authentication when it queries the list of roles.

AD/Database User Sources now support SASL (Simple Authentication and Security Layer). SASL is a framework for authentication and data security in Internet protocols such as LDAP.

Property Reference​

This User Source shares many properties with both the AD User Source and Database User Source.

Creating an AD/Database Hybrid User Source​

  1. On the Gateway Webpage, under the Config tab, go to Security > Users, Roles. The Classic Authentication Strategy page will be displayed. Click the blue arrow, Create new User Source.

  2. Choose the AD/Database Hybrid authentication type, and click Next.

    note

    When using AD/Database Hybrid User Source, you may need to consult with your internal IT Department to get the required information to complete your user source setup.

  3. The New User Source window will open. Some properties are optional depending on how you set up your profile. Details on the Main Properties can be found on the User Sources page. The Active Directory Properties and Database properties are listed in the tables below.

  4. Click Create New User Source to save the new user source.

Active Directory Properties​

NameDescription
DomainThe Windows Domain your active Active Directory server is running on. If you aren't sure of your domain, ask your network administrator.

Leave blank to set advanced properties manually.
Primary Domain Controller HostThe IP address or hostname of your primary domain controller. Example: "192.168.1.4" or "MainServer"
Primary Domain Controller PortThe port number for the primary domain controller's LDAP interface.
List Users from Active DirectoryIf true, Active Directory will be queried for the list of all users. If false, the database will be queried instead. Default is true.
Gateway UsernameThe login name for the Gateway to use when querying Active Directory. Used for retrieving the list of users and roles via LDAP.
PasswordThe password for the above username.
PasswordRe-type password for verification.
SSO EnabledWhether or not to use Single-Sign-On (SSO) to authenticate AD users. Note that projects must also have this option enabled for SSO to work. Default is false.

Changed in 8.1.17
This setting was disabled and deprecated in 8.1.17 to protect against a potential security vulnerability. While the property is still visible, it cannot be enabled without setting a special system property. This is not recommended. Check out the Active Directory SSO Disabled for 8.1.17 & 7.9.20 article for more information.
SSO DomainThe domain that Windows users must match in order to use SSO. If blank, the main "Domain" property will be used. Not case-sensitive.

Database Properties​

NameDescription
DatabaseDropdown list. Choose the database connection this authentication profile will use.
User Properties QueryA query that returns the basic properties for a single user. Supported return columns are [username, firstname, lastname, schedule, language, notes].
Role List QueryA query that returns all possible roles that any user could have. The role names must be returned in the first column of the query's results.
User's Roles QueryA query that returns all of the roles that the provided user belongs to. The roles must be strings (i.e., the role names), and must be in the first column of the query's results. The username will be inserted into this query as a parameter.
Contact Info QueryA query that returns all of the contact info for the user. The first column must be the contact type, the second column the contact value, and the third column the name of a schedule. Optional, may be blank.
Schedule Adjustment QueryA query that returns the upcoming schedule adjustments for the user. Columns must be Start(date), End(date), Available(boolean), Note(string). Optional, may be blank.
Extra Properties QueryA query that returns name, value pairs of extra properties for the user. Will be run with one parameter: the username. Optional, may be blank.
Find User Query​
New in 8.1.6
A query that must return a row if a user with the given username exists. The query will be run as a prepared statement, so use question mark (?) to represent username. There must be at least one column: the username. Other columns are optional, supported columns are: [username, firstname, lastname, schedule, language, notes, badge].

Example: SELECT username, firstname, lastname, schedule, FROM USERS WHERE username = ?

When the User Source is paired with an Ignition Identity Provider, enabling this option can provide a modest performance improvement during session login.
List Users QueryA query that returns a row containing each username. Only used if "List Users from Active Directory" is false. There must be at least one column: the username. Other columns are optional, supported columns are: username, firstname, lastname, schedule, language, notes.
Badge Authentication QueryA query that must return a row if the given badge provided is valid. The query will be run as a prepared statement, so use question mark (?) to represent the badge. The returned row must contain the username.
Example: SELECT username FROM USERS WHERE badge = ?

Advanced Properties​

The following table describes several configurable LDAP properties. See Microsoft's official documentation on LDAP Syntax Filters for more in-depth information about LDAP.

NameDescription
Secondary Domain Controller HostThe IP address or hostname of your secondary domain controller (optional). Example: "192.168.1.5" or "BackupServer"
Secondary Domain Controller PortThe port number for the secondary domain controller's LDAP interface. Default: 389.
Read TimeoutThe read timeout in milliseconds for LDAP operations. Default is 60,000.
Results Page SizeThe number of entries returned per page of results in a query. Default is 1,000.
User Listing BaseThe base folder to search for users under, such as DC=MyCompany,DC=com. The entire subtree under this folder will be searched using the User List Filter. Multiple subtrees can be specified by putting them in parenthesis, like so: (OU=Administrators,DC=MyCompany,DC=com)(OU=Operators,DC=MyCompany,DC=com) If you leave this blank the whole subtree of the domain controller will be searched.
User List FilterThe LDAP search filter used when querying for the list of all users. Should restrict the type to user. Default is (&(objectClass=user)(!(objectClass=computer))).
User Search FilterThe LDAP search filter to use to find a specific user. Use the placeholder {0} as a stand-in for the login name. Default is (&(objectClass=user)(sAMAccountName={0})).
Username AttributeThe attribute on the User object to define the username. Default is sAMAccountName.
Username PrefixThis prefix will be prepended to the username before an Active Directory bind is attempted for authentication.
Username SuffixThis suffix will be appended to the username before an Active Directory bind is attempted for authentication.
Automatic SuffixIf this option is checked, and the suffix is left blank, then the suffix will automatically be assigned a value of @<domain>. Default is true.
Use prefix and suffix for Gateway username
New in 8.1.24
If this option is checked, the username prefix and suffix will be applied to the Gateway username before a bind is attempted. This option is checked by default.
Allow AnonymousIf enabled, authentication attempts with blank passwords will be passed through to LDAP, which may choose to accept them.

Caution: It is highly recommended to disable this setting unless you know it is required. AD servers may allow logging in as any user with a blank password when Security Authentication is set to β€œNone” or β€œSimple” (even if a provided username does not exist in AD), which is a major security risk.
Security ProtocolAuto or SSL. Default is Auto.
Security AuthenticationThis property specifies how usernames and passwords are used to bind to LDAP. The following options are available:
  • AUTO: Unspecified from the Gateway side, meaning the LDAP implementation will choose.
  • NONE: Anonymous access.
  • SIMPLE: Plaintext username and passwords will be used.
  • STRONG: Usernames and passwords will be encrypted.
  • SASL: Simple Authentication and Security Layer. See the SASL Properties table below for additional SASL authentication configuration settings.
Referral
New in 8.1.1
Specifies how referrals are to be processed. Possible options are:
  • Follow: Always automatically follow referrals. This is the default option.
  • Ignore: Ignores referrals.
  • Throw: Throws a ReferralException whenever a referral is encountered.

SASL Properties​

These settings are utilized when Security Authentication is set to SASL.

NameDescription
MechanismAn ordered list of space-separated mechanism names. The LDAP provider will use the first mechanism for which it finds an implementation. A blank value will leave this setting unspecified. Default is DIGEST-MD5 CRAM-MD5.
RealmA realm defines the namespace from which the user is selected. A blank value will leave this setting unspecified. This setting will only be used by mechanisms which support it. Default is blank.
Quality of ProtectionA comma-separated list of Quality-of-Protection (QoP) values, the order of which specifies the preference order. There are three well-known values: "auth" (authentication only), "auth-int" (authentication with integrity protection), and "auth-conf" (authentication with integrity and privacy protection). A blank value will leave this setting unspecified. This setting will only be used by mechanisms which support it. Default is auth-conf,auth-int,auth.
Protection StrengthA comma-separated list of privacy protection strength values, the order of which specifies the preference order. The three possible strength values are "low", "medium", and "high". A blank value will leave this setting unspecified. This setting will only be used by mechanisms which support it. Default is high,medium,low.
Mutual AuthenticationEnable or disable mutual authentication. This setting will only be used by mechanisms which support it. Default is disabled.