The Authentication Only mode for LDAP authentication operates similarly to RADIUS authentication. Primary and backup server and login information is configured, and DMZ uses these settings to simply authenticate the user. The [USERNAME] macro is the only one available, so users can only be authenticated from a single organizational unit or domain on the LDAP server.
The Edit LDAP Authentication Settings section determines the primary and backup server URL and login template to be used for this source. The primary fields are required to be present. The backup fields are optional. The macro [USERNAME] can be used in the login templates to represent the username of the user.
The use of "LDAP://..." vs. "LDAPS://..." in the path fields determines whether or not LDAP over SSL will be used. The use of LDAP over SSL is strongly recommended to protect the transmission of credentials and other user information between MOVEit DMZ and any LDAP servers. Most modern LDAP servers support this.
Also available in this section is the Max Retries setting. Max Retries determines how many additional times the authentication source will be queried if a query has an error.
Finally, both the primary and backup LDAP server sections have Test Connection links which can be used to test the authentication settings. Clicking either link will open a test window prompting for a username and password to attempt authentication with. Once these are provided, the LDAP Connection Test Results window will appear, which will list the parameters of the test, the result of the test, and any diagnostic information collected during the test.
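The following is an added example, not MOVEit DMZ code: it models the Authentication Only settings described above (primary and backup URL, login template with the [USERNAME] macro, Max Retries) so that a configuration can be audited offline before it goes live. The hostnames, DNs and the flaky bind function are constructed; the page does not say whether DMZ falls over to the backup server once the primary's retries are exhausted, so the primary-then-backup order and the rule that only query errors (not a clean reject) are retried are assumptions.

```python
"""Added example, not MOVEit DMZ code: audit and exercise LDAP Authentication
Only settings (primary/backup URL, login template, Max Retries)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# [USERNAME] is the only macro the page names for this mode.
SUPPORTED_MACROS = {"USERNAME"}
_MACRO = re.compile(r"\[([A-Z]+)\]")


class QueryError(Exception):
    """A query that errored (timeout, reset), as opposed to a clean answer."""


@dataclass
class LdapServer:
    url: str             # "LDAP://host" (cleartext) or "LDAPS://host" (LDAP over SSL)
    login_template: str  # bind DN template, e.g. "CN=[USERNAME],OU=Users,DC=example,DC=test"


@dataclass
class AuthOnlySettings:
    primary: LdapServer
    backup: Optional[LdapServer] = None   # backup fields are optional
    max_retries: int = 0                  # additional queries after a query error


def expand_template(template: str, username: str) -> str:
    """Substitute [USERNAME]; reject any other [MACRO], since none exists in this mode."""
    def repl(m: re.Match) -> str:
        if m.group(1) not in SUPPORTED_MACROS:
            raise ValueError(f"unsupported macro [{m.group(1)}] in {template!r}")
        return username
    return _MACRO.sub(repl, template)


def uses_ldaps(server_url: str) -> bool:
    """True for LDAPS:// (LDAP over SSL), False for LDAP://; the scheme is case-insensitive."""
    scheme = urlsplit(server_url).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {server_url!r}")
    return scheme == "ldaps"


def audit(settings: AuthOnlySettings) -> List[str]:
    """Static checks: cleartext LDAP, unsupported macros, a bind DN that never varies."""
    findings: List[str] = []
    for label, srv in (("primary", settings.primary), ("backup", settings.backup)):
        if srv is None:
            continue
        if not uses_ldaps(srv.url):
            findings.append(f"{label} {srv.url}: cleartext LDAP, credentials sent unprotected")
        try:
            expand_template(srv.login_template, "probe")
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
        if "[USERNAME]" not in srv.login_template:
            findings.append(f"{label}: login template never varies with the user")
    return findings


def authenticate(settings: AuthOnlySettings, username: str, password: str, bind) -> Tuple[bool, List[str]]:
    """Primary first, then backup (assumed order). Each server is queried up to
    1 + max_retries times while the query errors; a definite accept/reject is final.
    Returns the verdict plus a diagnostic log, like the Connection Test Results."""
    log: List[str] = []
    for label, srv in (("primary", settings.primary), ("backup", settings.backup)):
        if srv is None:
            continue
        bind_dn = expand_template(srv.login_template, username)
        for attempt in range(1, settings.max_retries + 2):
            try:
                accepted = bind(srv.url, bind_dn, password)
            except QueryError as exc:
                log.append(f"{label} attempt {attempt}: error: {exc}")
                continue
            log.append(f"{label} attempt {attempt}: {'accepted' if accepted else 'rejected'}")
            return accepted, log
    return False, log


def make_flaky_bind(errors_before_success: int, valid_dn: str, valid_password: str):
    """Constructed stand-in for a real LDAP bind: errors N times, then answers."""
    calls = {"n": 0}

    def bind(url: str, dn: str, password: str) -> bool:
        calls["n"] += 1
        if calls["n"] <= errors_before_success:
            raise QueryError("connection reset by peer")
        return dn == valid_dn and password == valid_password
    return bind


# Constructed settings: LDAPS primary, cleartext backup (which the audit flags).
EXAMPLE_SETTINGS = AuthOnlySettings(
    primary=LdapServer("LDAPS://dc1.example.test", "CN=[USERNAME],OU=Users,DC=example,DC=test"),
    backup=LdapServer("LDAP://dc2.example.test", "CN=[USERNAME],OU=Users,DC=example,DC=test"),
    max_retries=1,
)

if __name__ == "__main__":
    for finding in audit(EXAMPLE_SETTINGS):
        print("FINDING:", finding)
    bind = make_flaky_bind(2, "CN=jdoe,OU=Users,DC=example,DC=test", "correct horse")
    ok, log = authenticate(EXAMPLE_SETTINGS, "jdoe", "correct horse", bind)
    print("authenticated:", ok)
    print("\n".join(log))
```

Running the module shows the audit flagging the cleartext backup URL, then a sign-on that errors twice on the primary (one attempt plus one retry) before the backup accepts it; a wrong password is rejected on the first clean answer and is neither retried nor sent to the backup.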
The Edit LDAP User Settings section determines how a user authenticated by this source will be handled. The settings affect only users who successfully authenticate to the LDAP server but don't yet exist on the DMZ server.
The Auto-Create Account on Signon setting determines whether a new user will be automatically added to DMZ when they successfully authenticate. The Fullname, Email, and Notes template fields determine what values will be used for the new user's full name, email address, and notes fields if they are added. The macro [USERNAME] can be used to represent the username of the user.

The Default Authentication Method setting determines whether the user will authenticate using both the external authentication sources and MOVEit DMZ's internal database, or just the external sources. This value will default to External Only for newly created authentication sources.

The Create User As Clone Of setting allows the administrator to select an existing user as a template for users created by this authentication source. When this setting is enabled, the selected user will be cloned to create the new user account. If JavaScript is enabled on the browser and one or more template users exist in the organization, only template users will be shown in the dropdown menu by default. The Show All Users link will cause all users to be listed again.
If you plan on cloning users with preconfigured expiration policies (such as "expire after 30 days of inactivity"), you must use a "template user" (i.e. a user with a status of template rather than active or inactive). Cloning a template user allows MOVEit DMZ to carry an expiration policy from user to user, but template users are not themselves affected by expiration policies.