Authorization of LDAP-server users in MasterSCADA 4D

Starting from version 1.3.3, MasterSCADA 4D supports integrating its built-in Security system with Active Directory (AD) directory service databases deployed on a Linux server, using the LDAP protocol.

LDAP (Lightweight Directory Access Protocol) is an open, cross-platform protocol used for directory service authentication. The term LDAP server denotes the server that stores the LDAP directory databases.


Example of Linux LDAP Server Settings

In this example, groups and users from a FreeIPA server are used as the AD.

FreeIPA is open-source software, a specialized directory service designed to create an environment in Linux OS that allows centralized user authentication management. The functionality of FreeIPA is similar to Active Directory.

The following figures show the users and groups created by the administrator:

1.png

2.png

Each user has their own settings. For example, if you navigate to the user apetrov, you can view: the full name, account name, their unique identifier UID, and account alias:

3.png

This is just a small part of the service settings, which is mandatory for the initial creation of a user.

If you go to the User Groups tab, you can see the list of groups to which the selected user belongs. In this case, apetrov is a member of the ipausers group (the server's primary group) and the operators group (created by the administrator):

4.png

Groups have two mandatory parameters: name and id:

5.png

If you go to the Users tab, you can open the list and see the number of users added to the selected group. The user apetrov has been added to the operators group:

6.png

Interaction between MasterSCADA 4D and the LDAP Server

To be able to log into the HMI client under a specific LDAP server user, the following new properties of the Security element need to be configured:

7.png

Active Directory Server Address. This field can contain either the DNS name or the IP address of the server. If no value is set, the list of users will not be displayed in the authorization window when the HMI client attempts to connect.

Active Directory Server Type. A dropdown list with possible values: Active Directory (directory service used in Windows OS) and LDAP (directory services operating via the LDAP protocol).

Important! The LDAP server type can only be set if the runtime is located on a device with a Linux OS. The runtime on Windows OS only supports the Active Directory server type.

It is also necessary to create roles in the Security element corresponding to the LDAP server groups. Users created in MasterSCADA 4D can also be added to the created roles:

8.png

Next, access rights must be assigned to the created roles. Be sure to configure the Window Opening and Control access rights:

9.png

10.png

After this, in runtime mode, when the HMI client connects, you can enter not only a username created in MasterSCADA 4D but also an LDAP server username:

11.png

If incorrect user authentication data is entered, a corresponding error will be displayed:

12.png

If the LDAP server is unavailable, a comment will also appear in the HMI client after the authorization attempt:

13.png

If LDAP is selected in the Active Directory Server Type property of the Security element panel for a project running in a Windows OS runtime, the connection to the server is not established and the error Incorrect server type is displayed:

14.png

To obtain information about changes in LDAP server users, you can use a special service function block (FB) UsersGetADUserGroups.

To output the group information (FB parameter groups) and the full name (FB parameter full name) of an LDAP server user, issue a command containing the FB's input parameters server, name and password (server name, login and password of the user):

15.png

In case of unsuccessful operation of the function block, an error will be output:

- incorrectly entered server user data:

16.png

- LDAP server is unavailable:

17.png

Finally, in the properties panel of the program containing the FB UsersGetADUserGroups, in the Task category, it is recommended to set the Execution Method property to On Call:

18.png
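The following script is an added example (not MasterSCADA 4D code) that mirrors the login flow described above offline: the Linux-only rule for the LDAP server type, the UsersGetADUserGroups behaviour with its two failure cases, and the mapping of LDAP groups to Security roles with the Window Opening and Control rights. The directory contents, the server name ipa.example.test, the password and the full name are constructed stand-ins for a FreeIPA server.

```python
"""Offline model of the MasterSCADA 4D LDAP login flow (added example)."""
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the FreeIPA directory: server -> users.
# Only apetrov and the groups ipausers/operators come from the page.
FAKE_DIRECTORY = {
    "ipa.example.test": {
        "apetrov": {"password": "constructed-secret",
                    "full_name": "A. Petrov (constructed)",
                    "groups": ["ipausers", "operators"]},
    }
}

# Security-element roles named after the LDAP groups, each with its rights.
SECURITY_ROLES = {
    "operators": {"Window Opening", "Control"},
    "ipausers": {"Window Opening"},
}


@dataclass
class UserGroupsResult:
    """Mirrors the FB outputs (groups, full name) plus the error text."""
    groups: list = field(default_factory=list)
    full_name: str = ""
    error: str = ""


def check_server_type(runtime_os: str, server_type: str) -> str:
    """The LDAP server type is only accepted on a Linux runtime."""
    if server_type == "LDAP" and runtime_os != "Linux":
        return "Incorrect server type"
    return ""


def users_get_ad_user_groups(server: str, name: str, password: str) -> UserGroupsResult:
    """Behaves like UsersGetADUserGroups against the constructed directory."""
    users = FAKE_DIRECTORY.get(server)
    if users is None:
        return UserGroupsResult(error="LDAP server is unavailable")
    entry = users.get(name)
    # Constant-time compare; unknown user and wrong password give the same error.
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return UserGroupsResult(error="Incorrect user data")
    return UserGroupsResult(groups=list(entry["groups"]), full_name=entry["full_name"])


def effective_rights(groups) -> set:
    """Union of the rights of every Security role that matches an LDAP group."""
    rights = set()
    for group in groups:
        rights |= SECURITY_ROLES.get(group, set())
    return rights
```

A group with no matching Security role contributes no rights, which is why the roles must be created before LDAP users can open windows or control objects.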
