Configure LDAP user authentication

You can use the Lightweight Directory Access Protocol (LDAP) to authenticate users. Specify user roles by using group DNs for users who log in as an Administrator, Operator, or as a Viewer.

The system has only one admin user and one operator. LDAP users must log in as either an admin or an operator and do not have their own private profiles. Any LDAP users with the name admin, operator, or viewer are ignored and the local accounts are used instead.

When enabled, LDAP authentication is an alternative to the regular system user names and passwords. You may still log in as admin, operator or viewer using the passwords for those accounts.

LDAP replaces the local viewer account instead of working side-by-side with it when LDAP is enabled and the viewer account has no password (either there is no global viewer password configured or the channel overrides the global password with a blank password). In this case, the viewer must authenticate with LDAP and cannot use the default viewer account with a blank password to log in.

For security reasons, you should configure passwords for the local accounts. See Configure LDAP user authentication.

These instructions assume you have a pre-configured LDAP server. The server must support anonymous binding or have a special bind account with search access privileges. Note that Active Directory does not support anonymous binding. LDAP referrals, restrictions and failovers are not supported.

Configure LDAP authentication using the Admin panel

  1. Log in to the Admin panel as admin, see Connect to Admin panel.
  2. From the Configuration menu, select Security. The Security configuration page opens.
  3. In the LDAP authentication section, check Enable LDAP authentication. Uncheck the check box to disable LDAP authentication.
  4. In the Server address[:port] field, enter the server IP address and (optional) port for your LDAP server. For example, 192.168.1.101:389.
  5. In the Connection encryption drop-down, choose the type of encryption used by your LDAP server (if any is used).

     Connection encryption   Description / Default port used
     No Encryption           No encryption is used to connect to the LDAP server. The default port is 389.
     SSL                     SSL encryption is used to connect to the LDAP server. The default port is 636.
     TLS/STARTTLS            The connection is initially unencrypted and is then upgraded to TLS encryption. The default port is 389.

  6. In the Bind DN and Bind password fields, specify the fully qualified DN and password for LDAP bind. These fields are only needed if your LDAP server does not support anonymous binding.
  7. In the Base DN field, specify the baseObject to search for entries. The system searches this object and the whole subtree starting at the base DN.
  8. (Optional) By default the search attribute is uid, which is suitable for a Unix environment. You can specify a different value in the Search attribute field, if needed. For Active Directory environments, specify userPrincipalName. The value of this attribute must be unique within the Base DN.
  9. In the Administrators (group DN) field, specify the distinguished name of the group that users must be a member of to be logged in as the administrator. Users must be listed in the member or uniqueMember attribute of the specified group to be granted Administrator access.
     If left blank, LDAP is not supported for Administrators (but can still be used for Operators and Viewers).
  10. In the Operators (group DN) field, specify the distinguished name of the group that users must be a member of to be logged in as the operator. Users must be listed in the member or uniqueMember attribute of the specified group to be granted Operator access.
     If left blank, LDAP is not supported for Operators (but can still be used for Administrators and Viewers).
  11. In the Viewers (group DN) field, specify the distinguished name of the group that users must be a member of to be logged in as a viewer. Users must be listed in the member or uniqueMember attribute of the specified group to be granted Viewer access.
     If left blank, LDAP is not supported for Viewers (but can still be used for Administrators and Operators).
  12. Click Apply.

When a user of the LDAP server next visits the admin or viewer page for the system, the system prompts for the username and password. For Active Directory servers, the user needs to enter their fully qualified username (i.e. username@domainname) in addition to their LDAP password.

Users are required to authenticate once to the system and one time per channel they view. Therefore users see a prompt to log in to the system (the system name is shown) and a second time to log in to the channel (the channel name is shown).
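The following is an added example, not code from the product or its documentation. It models the role-resolution rules described in the steps above (search the Base DN subtree by the search attribute, require the value to be unique, reserve the names admin/operator/viewer for the local accounts, treat a blank group DN as "LDAP not supported for this role", and accept membership through either member or uniqueMember) against a small in-memory directory so it runs offline. The directory entries, DNs, passwords and the LdapConfig/resolve_role names are constructed for the example; the password comparison stands in for the LDAP bind a real deployment performs. The documentation does not say how a user who is in more than one role group is handled; this example grants the most privileged matching role, which is an assumption.

```python
"""In-memory model of LDAP role resolution (added example, not product code)."""
from dataclasses import dataclass

LOCAL_ACCOUNTS = {"admin", "operator", "viewer"}   # always served by the local accounts

# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
# A Unix-style tree (uid) and an Active Directory-style tree (userPrincipalName).
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com":   {"uid": ["jdoe"],   "userPassword": ["s3cret"]},
    "uid=asmith,ou=people,dc=example,dc=com": {"uid": ["asmith"], "userPassword": ["pw2"]},
    # Two entries share uid=dup: the search attribute is not unique, so login must fail.
    "uid=dup,ou=people,dc=example,dc=com":      {"uid": ["dup"], "userPassword": ["x"]},
    "uid=dup,ou=contractors,dc=example,dc=com": {"uid": ["dup"], "userPassword": ["y"]},
    "cn=pearl-admins,ou=groups,dc=example,dc=com": {
        "uniqueMember": ["uid=jdoe,ou=people,dc=example,dc=com"]},
    "cn=pearl-viewers,ou=groups,dc=example,dc=com": {
        "member": ["uid=asmith,ou=people,dc=example,dc=com",
                   "uid=jdoe,ou=people,dc=example,dc=com"]},
    "CN=Jane Doe,OU=Staff,DC=ad,DC=example,DC=net": {
        "userPrincipalName": ["jane@ad.example.net"], "userPassword": ["adpw"]},
    "CN=PearlOperators,OU=Groups,DC=ad,DC=example,DC=net": {
        "member": ["CN=Jane Doe,OU=Staff,DC=ad,DC=example,DC=net"]},
}


@dataclass
class LdapConfig:
    """Mirrors the Admin panel fields that drive role resolution (hypothetical names)."""
    base_dn: str
    search_attribute: str = "uid"      # userPrincipalName for Active Directory
    admin_group_dn: str = ""           # blank = LDAP not supported for this role
    operator_group_dn: str = ""
    viewer_group_dn: str = ""


def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn is the base object or lies anywhere below it (DNs compared case-insensitively)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user(cfg: LdapConfig, username: str):
    """Return the single DN under base_dn whose search attribute equals username, else None."""
    matches = [dn for dn, attrs in DIRECTORY.items()
               if in_subtree(dn, cfg.base_dn)
               and username in attrs.get(cfg.search_attribute, [])]
    return matches[0] if len(matches) == 1 else None   # value must be unique in the Base DN


def is_member(user_dn: str, group_dn: str) -> bool:
    """Membership via either the member or the uniqueMember attribute of the group."""
    if not group_dn:                        # role disabled for LDAP
        return False
    group = DIRECTORY.get(group_dn, {})
    members = group.get("member", []) + group.get("uniqueMember", [])
    return user_dn.lower() in (m.lower() for m in members)


def resolve_role(cfg: LdapConfig, username: str, password: str):
    """Return 'admin', 'operator' or 'viewer', or None when LDAP login is refused."""
    if username.lower() in LOCAL_ACCOUNTS:
        return None                         # reserved names: local accounts are used instead
    user_dn = find_user(cfg, username)
    if user_dn is None:
        return None                         # not found, or ambiguous
    # Stand-in for binding as the user's DN with the supplied password.
    if password != DIRECTORY[user_dn].get("userPassword", [None])[0]:
        return None
    # Assumption: most privileged matching group wins (not specified by the documentation).
    for role, group_dn in (("admin", cfg.admin_group_dn),
                           ("operator", cfg.operator_group_dn),
                           ("viewer", cfg.viewer_group_dn)):
        if is_member(user_dn, group_dn):
            return role
    return None                             # authenticated but in no configured role group


if __name__ == "__main__":
    cfg = LdapConfig(base_dn="dc=example,dc=com",
                     admin_group_dn="cn=pearl-admins,ou=groups,dc=example,dc=com",
                     viewer_group_dn="cn=pearl-viewers,ou=groups,dc=example,dc=com")
    for user, pw in (("jdoe", "s3cret"), ("asmith", "pw2"), ("dup", "x"), ("admin", "pw")):
        print(user, "->", resolve_role(cfg, user, pw))
```

The ambiguous "dup" case is the one to watch in a real directory: the documentation requires the search attribute to be unique within the Base DN, so an environment that reuses uid values across organisational units needs either a narrower Base DN or a different search attribute before LDAP login is enabled. The Active Directory entry shows why the login prompt expects the full username@domainname form: with userPrincipalName as the search attribute, the bare short name matches nothing.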