LDAP Authentication

Authentication through an external system can also be performed directly inside Watson™ Explorer Engine (instead of relying on the web server). The following macro tells Watson Explorer Engine to connect to the specified LDAP directory server (specified by URL and port) and check the username and password provided by the current user.

Note: LDAP authentication should not be used to authenticate users of the admin script (admin.exe on Microsoft Windows systems). If LDAP is used to authenticate these users, sections of the Admin Tool interface will not be accessible (including, but not limited to the online help search feature).
<macro name="authentication">
  <if-var name="username" realm="state-param">
    <parse>
      <attribute name="username">
        <parse username="cn=dctmtest,ou=Employees,dc=na,dc=jnjn,dc=com" password="XXXXXX">
          <attribute name="url">
            <scope>ldap://auth.domain.com:3268/dc=jnjn,dc=com?dn?sub?(sAMAccountName=</scope>
            <value-of-var name="username" realm="state-param" />
            <scope>)</scope>
          </attribute>
          <parser type="html-xsl">
            <![CDATA[
            <xsl:template match="/">
              <xsl:value-of select="viv:if-else(string(.),viv:replace(.,'DN:[[:space:]]*','','gi'),'XXXX')" />
            </xsl:template>
            ]]>
          </parser>
        </parse>
      </attribute>
      <attribute name="password">
        <value-of-var name="password" realm="state-param" />
      </attribute>
      <attribute name="url">ldap://auth.domain.com:3268/dc=jnjn,dc=com?dn</attribute>
      <parser type="html-xsl">
        <![CDATA[
        <xsl:template match="/">
          <xsl:if test="contains(., 'DN:')">
            <user-authenticate>
              <attribute name="name">
                <value-of-var name="username" realm="state-param" />
              </attribute>
            </user-authenticate>
            <if test="not(viv:authenticated-user())">
              <user-create>
                <attribute name="name">
                  <value-of-var name="username" realm="state-param" />
                </attribute>
              </user-create>
              <user-authenticate>
                <attribute name="name">
                  <value-of-var name="username" realm="state-param" />
                </attribute>
              </user-authenticate>
            </if>
          </xsl:if>
        </xsl:template>
        ]]>
      </parser>
    </parse>
    <fetch timeout="10000" finish="finish" />
  </if-var>
</macro>

The first part of the macro tells Watson Explorer Engine to check the user's credentials (username and password) against a directory server specified by URL. The inner <parse> element binds with the search account given by its username and password attributes and looks up the end user's entry with a URL of the following form, where username is the value the end user entered:

ldap://auth.domain.com:3268/dc=jnjn,dc=com?dn?sub?(sAMAccountName=username)

It will first get the Distinguished Name (DN) associated with the account name provided by the end user and then try to bind to the directory using the DN and the password provided by the end user.

Once the bind succeeds, Watson Explorer Engine automatically authenticates the user, first creating a profile for the user if one does not already exist, as in the previous scenario.
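The search-then-bind flow described above, as an added Python example that is not part of the Watson Explorer Engine documentation or product. It stands in for the directory with a constructed in-memory table (FAKE_DIRECTORY, fake_search and fake_bind are assumptions, not a real LDAP client), parses an LDAP URL of the same shape as the macro's, escapes the username before it is placed in the filter (RFC 4515), strips the DN: prefix the same way the macro's XSL does, and requires exactly one matching entry and a non-empty password before the bind step. Whether the engine itself escapes the value inserted by value-of-var is not stated on this page.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed stand-in for the directory at auth.domain.com (not a real server).
# Keys are DNs; values hold what the search step and the bind step need.
FAKE_DIRECTORY = {
    "cn=jdoe,ou=Employees,dc=jnjn,dc=com": {"sAMAccountName": "jdoe", "password": "s3cret"},
    "cn=asmith,ou=Employees,dc=jnjn,dc=com": {"sAMAccountName": "asmith", "password": "hunter2"},
}

# Same base?attrs?scope?filter shape as the macro's URL; {user} is filled in per request.
URL_TEMPLATE = "ldap://auth.domain.com:3268/dc=jnjn,dc=com?dn?sub?(sAMAccountName={user})"


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into host, port, base DN, attributes, scope and filter."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    fields = parts.query.split("?") if parts.query else []
    return {
        "host": parts.hostname,
        "port": parts.port,
        "base": unquote(parts.path.lstrip("/")),
        "attrs": [a for a in fields[0].split(",") if a] if fields else [],
        "scope": fields[1] if len(fields) > 1 and fields[1] else "base",
        "filter": unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)",
    }


def fake_search(base, scope, ldap_filter):
    """Evaluate a simple equality filter '(attr=value)' against FAKE_DIRECTORY.

    Results come back as 'DN: <dn>' lines, the form the macro's XSL strips with
    viv:replace(.,'DN:[[:space:]]*','','gi'). An unescaped '*' in the value acts
    as a wildcard, as it would on a real server; '\\xx' escapes are literal bytes.
    Only subtree containment under the base is checked (scope is assumed 'sub').
    """
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %s" % ldap_filter)
    attr, raw = m.group(1), m.group(2)
    pattern, i = "", 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            pattern += re.escape(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        elif raw[i] == "*":
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(raw[i])
            i += 1
    matcher = re.compile(pattern)
    return [
        "DN: " + dn
        for dn, entry in FAKE_DIRECTORY.items()
        if dn.endswith(base) and attr in entry and matcher.fullmatch(entry[attr])
    ]


def fake_bind(dn, password):
    """Stand-in for the second step: a simple bind as the resolved DN with the user's password."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def authenticate(username, password, url_template=URL_TEMPLATE):
    """Search for the user's DN, then bind with it; returns the DN on success, else None."""
    # An empty password would be an unauthenticated bind (RFC 4513 section 5.1.2),
    # which many servers accept, so it is rejected before the directory is contacted.
    if not password:
        return None
    url = url_template.format(user=escape_filter_value(username))
    parts = parse_ldap_url(url)
    results = fake_search(parts["base"], parts["scope"], parts["filter"])
    if len(results) != 1:  # unknown account, or an ambiguous match
        return None
    dn = re.sub(r"DN:\s*", "", results[0], flags=re.IGNORECASE)
    return dn if fake_bind(dn, password) else None


if __name__ == "__main__":
    print(authenticate("jdoe", "s3cret"))   # the user's DN
    print(authenticate("jdoe", "wrong"))    # None: bind fails
    print(authenticate("*", "s3cret"))      # None: '*' is escaped, so nothing matches
```

The contrast worth noticing is between authenticate("*", ...) and calling fake_search with the raw filter "(sAMAccountName=*)": escaped, the wildcard matches no entry and the login fails; unescaped, it matches every entry, which is why the single-result check and the escaping both belong in front of the bind step.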

For examples of the Distinguished Name (DN) format, see the Binding username (DN) entry in Directory Settings.

Security requirements tend to vary greatly between organizations. Contact product support to explore the different options offered by Watson Explorer Engine to configure it to meet your IT requirements.