Pair workers in Vertec with users in an LDAP server (e.g. Active Directory).
Product line: Standard | Expert. Operating mode: Cloud subscription | On-premises. Modules: Services & CRM, Budget & Phases, Purchases, Resource Planning, Business Intelligence.
For an overview of all authentication options, see Overview Authentication.
Users in Vertec can be linked to users in an LDAP server (e.g. Active Directory). A correctly configured LDAP server is a prerequisite, and the customer is responsible for it. When logging in to Vertec, the user can then log in with the login name and password from LDAP. For this purpose, the authentication system settings contain the following properties:
| Setting | Description |
|---|---|
| LDAP Administrator | A Vertec user must be defined here as LDAP administrator; any Vertec administrator can be selected. This user is always authenticated directly via the Vertec login, so the admin can access Vertec even when no LDAP server is available. |
| LDAP Authentication via Domain | The domain name that users can use to authenticate themselves. |
| LDAP Server Address | The server address of the LDAP server, without port. |
| LDAP Server Port | The port on which the LDAP server can be reached. If empty, the default port 636 is used. |
| LDAPS certificate fingerprint | The fingerprint of the LDAP server certificate. If the LDAP server has a trusted certificate, the fingerprint check is waived as of Vertec 6.5.0.16, provided the operating system accepts the certificate as valid. In that case, as of Vertec 6.5.0.16, some character must still be entered in this field (the field must not be blank); as of Vertec 6.7.0.1, the field can also be left blank. If the LDAP server does not have a trusted certificate and the fingerprint entered here does not match the fingerprint of the certificate the LDAP server presents when connecting, the connection is refused. Please note: if the certificate is renewed automatically by the LDAP server, the fingerprint changes as well and must be entered again; otherwise the login to Vertec fails. To obtain the certificate fingerprint for Vertec, double-click the certificate (.cer file), open the Details tab and select the Fingerprint field; the value to copy is then shown in the lower area. Note: if you select the entire string in the lower area, invisible Unicode characters are included (see https://support.microsoft.com/en-us/help/2023835). If such a string is pasted into Vertec, a question mark appears at the beginning of the string; it must be deleted, otherwise the fingerprint comparison fails. The fingerprint is a pure sequence of hexadecimal digits: no special characters or colons are allowed between them, and only spaces may be used as separators. For more information on certificates, see the article on Cloud Server. |
Changes to the system settings become active in the cloud app and the web app only after restarting the cloud server. The desktop app must also be restarted (logging out is not enough). Cloud subscription customers can trigger the restart via the customer portal.
The following guidelines apply:
If one of these settings is not set, authentication takes place via the Vertec login (login name and password).
The exception is the user registered as LDAP Administrator, who is always authenticated via the Vertec login. This works as follows: the desktop app or cloud server looks up the login name of the user registered as LDAP Administrator. If a user attempts to log in with this login name, the username and password are matched directly against the Vertec database.
If the host or LDAP server goes down while the cloud server is running, users will be shown that the authentication server is not reachable when they attempt to authenticate. If the LDAP server is reachable again, the cloud server reconnects transparently. In this case, there is no need to restart the cloud server.
There are cases where the connection to the LDAP server is lost after a prolonged period of inactivity. For example, when using Azure Active Directory, this happens after 4 minutes (see https://azure.microsoft.com/de-de/blog/new-configurable-idle-timeout-for-azure-load-balancer/). In such cases, it is advisable to prevent this at the network level, for example by configuring a TCP keep-alive interval of less than 4 minutes.
With Vertec version 6.1.0.11 the static connection of the cloud server to the LDAP server has been removed. The cloud server then establishes a new connection to the LDAP server (similar to the desktop app) for each authentication attempt.
The Remember me (keep me logged in) feature also works with LDAP. If login data are stored locally, they take priority over logging in via the LDAP server (no login prompt appears at all).
Vertec supports a 2nd factor for logging into cloud clients (cloud app, web app, phone app) via Authenticator app, e.g. Google Authenticator. This can also be activated in conjunction with a login via LDAP.
Especially if the Vertec instance is available over the internet, we strongly recommend requiring a complex password in combination with 2FA.
For detailed information, see the article 2 Factor Authentication.
If you already use LDAP and want to use the usual two-factor authentication of an external tool for Vertec logins, this is possible provided the tool supports it in combination with LDAP.
One known implementation to date uses Duo, for example: its authentication proxy displays a push notification in the Duo app when a user attempts to log in to Vertec via LDAP, and the user can confirm the login attempt there.
The integration takes place purely in the external tool, which is compatible with LDAP, and has nothing to do with Vertec itself. Therefore only push notifications for logging in to Vertec work; direct entry of codes etc. is not possible.
The log entries concerning LDAP are located in Vertec.CloudServer.log when using a cloud client, or in Vertec.Desktop.log when using the desktop app.
The connection to the LDAP server when the cloud server or the desktop app is started is shown by info messages (Connecting to the LDAP authentication server, Connected to the LDAP authentication server). These always appear in the log when LDAP is configured.
Log entries for LDAP configuration and bind call errors appear as debug messages in the log file if the corresponding DebugCategory named VertecLib.LdapPasswordAuthenticationProvider is specified. Contact your Vertec advisor.