Authentication via LDAP Server

Pair users in Vertec with users in an LDAP server (e.g. Active Directory).

Product line: Standard | Expert

Operating mode: CLOUD ABO | ON-PREMISES

Modules: Services & CRM | Budget & Phases | Purchases | Resource Planning | Business Intelligence

Created: 14.11.2016
Updated: 09.09.2024 | Description for LDAPS certificate fingerprint adapted.

Starting with version 6.1 it is possible to pair users in Vertec with users in an LDAP server (e.g. Active Directory). The prerequisite is a correctly configured LDAP server, for which the customer is responsible. Users can then log in to Vertec with their LDAP username and password. For this purpose, there are a number of properties in the system settings under Authentication:

LDAP Administrator

Here a Vertec user has to be defined as LDAP administrator. Any Vertec administrator can be selected. This user is always authenticated directly via his Vertec login, so the admin can access Vertec even when no LDAP server is available.

LDAP Authentication via Domain

The domain name that users can use to authenticate themselves.

LDAP Server Address

The server address of the LDAP server without port.

LDAP Server Port

The port on which the LDAP server can be reached. If empty, the default port 636 is taken.

LDAPS certificate fingerprint

The fingerprint of the LDAP server certificate.

If the LDAP server has a certificate that the operating system accepts as valid, the fingerprint check is skipped as of Vertec 6.5.0.16. In that case, as of Vertec 6.5.0.16, some character still has to be entered in this field (the field must not be blank). As of Vertec 6.7.0.1, the field can also be left blank.

If the LDAP server does not have a trusted certificate and the fingerprint entered here does not match the fingerprint of the certificate presented when connecting to the LDAP server, the connection is refused. Please note: when the LDAP server's certificate is renewed, including automatic renewal, the fingerprint changes and must be entered again. Otherwise, the login to Vertec will fail.

To enter the fingerprint of the certificate in Vertec, double-click the certificate (.cer file), open the Details tab and select the Thumbprint field. The value to be copied is then displayed in the lower area. Note: if you select the entire string in the lower area, invisible Unicode characters are included as well (see https://support.microsoft.com/en-us/help/2023835). If such a string is pasted into Vertec, a question mark appears at the beginning of the string. This must be deleted, otherwise the fingerprint comparison will fail.

The fingerprint is a plain sequence of hexadecimal digits. No special characters or colons may appear between the digits; only spaces are allowed as separators.

Cloud Server

The following guidelines apply:

  • Linking to the Vertec user is done via the member loginName on the project user. This must match the domain user name.
  • In order to delegate authentication to the LDAP server, these four system settings must be set:
    • LDAP Administrator
    • LDAP Server Address
    • LDAP Authentication via Domain
    • LDAPS certificate fingerprint, if the LDAP server does not have a trusted certificate (see the description above).

    If one of these settings is not set, the authentication takes place via the Vertec logins.

  • The exception is the user registered as LDAP Administrator – this user is always authenticated via the Vertec login. This happens as follows: the Desktop App or Cloud Server looks up the login name of the registered Ldapadmin user. If a user wants to log in with this login name, the username and password are matched directly against the Vertec database.
  • Only secure connections via SSL/TLS are allowed.
  • If login data is stored locally (see Remember me in), it takes priority over logging in via the LDAP server (since no login dialog is shown at all).
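The guidelines above amount to a small decision procedure: which credential store a given login attempt is checked against, and why LDAP delegation may not be in effect. The following is an added example that models those documented rules; it is not Vertec's own code, and the setting names, the exact (case-sensitive) comparison of the administrator login name and the "cert trusted by the OS" flag are assumptions used to express the rules, not Vertec internals.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuthSettings:
    """The four system settings this page names, plus the version-dependent certificate rule."""
    ldap_administrator: Optional[str] = None   # login name of the Vertec user acting as LDAP admin
    ldap_server_address: Optional[str] = None  # host name without port
    ldap_domain: Optional[str] = None          # "LDAP Authentication via Domain"
    ldaps_fingerprint: Optional[str] = None    # may be blank only if the cert is trusted (6.7.0.1+)
    server_cert_trusted_by_os: bool = False    # assumed flag: OS accepts the LDAP server certificate
    vertec_version: str = "6.7.0.1"            # assumed; decides whether a blank fingerprint is allowed


def _version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))


def missing_settings(s: AuthSettings) -> List[str]:
    """Names of the settings that still prevent delegation to the LDAP server."""
    missing = []
    if not (s.ldap_administrator or "").strip():
        missing.append("LDAP Administrator")
    if not (s.ldap_server_address or "").strip():
        missing.append("LDAP Server Address")
    if not (s.ldap_domain or "").strip():
        missing.append("LDAP Authentication via Domain")
    fingerprint_blank = not (s.ldaps_fingerprint or "").strip()
    if fingerprint_blank:
        # A blank field is only acceptable for an OS-trusted certificate, and
        # only from 6.7.0.1 on; earlier versions need at least a placeholder.
        blank_allowed = s.server_cert_trusted_by_os and _version_tuple(s.vertec_version) >= (6, 7, 0, 1)
        if not blank_allowed:
            missing.append("LDAPS certificate fingerprint")
    return missing


def authentication_path(s: AuthSettings, login_name: str, remembered_login: bool = False) -> str:
    """Where a login attempt is verified: 'remembered', 'vertec' or 'ldap'."""
    if remembered_login:
        # Locally stored login data wins; no login dialog is shown at all.
        return "remembered"
    if missing_settings(s):
        # Incomplete configuration: every user falls back to the Vertec logins.
        return "vertec"
    if login_name == s.ldap_administrator:
        # The LDAP Administrator is always checked against the Vertec database,
        # which keeps an admin path open when the LDAP server is down.
        return "vertec"
    return "ldap"


if __name__ == "__main__":
    cfg = AuthSettings("admin", "ldap.example.test", "EXAMPLE", "")  # placeholder values
    print(missing_settings(cfg))                      # fingerprint blank and cert not trusted
    print(authentication_path(cfg, "alice"))          # 'vertec' until configuration is complete
    cfg.server_cert_trusted_by_os = True
    print(authentication_path(cfg, "alice"))          # 'ldap'
    print(authentication_path(cfg, "admin"))          # 'vertec'
```

The `missing_settings` output is the first thing to check when users report that they are "still" being authenticated against Vertec logins after LDAP was configured; remember that the Cloud Server and the Desktop App must be restarted before changed settings are read at all.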

Changes to the system settings only take effect in the Cloud App and Web App after the Cloud Server has been restarted. The Desktop App must also be restarted (logging out is not enough). Cloud Suite customers can use the Restart trigger in the Customer Portal.

If the host or LDAP server goes down while the Cloud Server is running, users are shown an authentication error when they attempt to log in. Once the LDAP server becomes available again, the Cloud Server reconnects transparently; the Cloud Server does not need to be restarted in this case.

There are cases where the connection to the LDAP server is lost after a prolonged period of inactivity. For example, when using Azure Active Directory this happens after 4 minutes (see https://azure.microsoft.com/de-de/blog/new-configurable-idle-timeout-for-azure-load-balancer/). In such cases, it is advisable to prevent this at the network level, for example by configuring a TCP keep-alive timeout of less than 4 minutes.

With Vertec version 6.1.0.11 the static connection of the Cloud Server to the LDAP server has been removed. The Cloud Server then establishes a new connection to the LDAP server (similar to the Desktop App) for each authentication attempt.

Logging

The log entries regarding LDAP are located in Vertec.Cloudserver.log when using a Cloud Client and in Vertec.Desktop.log when using the Desktop App.

The connection to the LDAP server at the start of the Cloud Server or the Desktop App is shown by info messages (Connecting to the LDAP authentication server, Connect to the LDAP authentication server). These always appear in the log when LDAP is configured.

Log entries for LDAP configuration and bind call errors appear as debug messages in the log file if the debug category named Verteclib.LdappasswordAuthenticationProvider is enabled. Contact your Vertec adviser.

Authentication via an external tool

If you already use LDAP and want to use the familiar two-factor authentication of an external tool for Vertec logins, this is possible provided the tool supports it for LDAP.

So far this has been implemented, for example, with Duo, whose Authentication Proxy shows a push message in the Duo app when a user attempts to log in to Vertec via LDAP; the user can then confirm the login attempt there.

The implementation lives entirely in the external tool, which is compatible with LDAP, and has nothing to do with Vertec itself. Therefore, only push notifications work for logging in to Vertec, not direct entry of codes etc.
