Wednesday, February 22, 2012

Using Windows Active Directory, LDAP, or LLLDAP Authentication with IBM Datacap Taskmaster Capture


Abstract


How to configure IBM Datacap Taskmaster to use Windows Active Directory (AD), Lightweight Directory Access Protocol (LDAP), or Low-Level Lightweight Directory Access Protocol (LLLDAP) authentication for client-side login?

Cause


Taskmaster thick client and Taskmaster Client Service version 7 and above support enterprise management of users in groups, using either Active Directory (AD) or any LDAP provider. This feature replaces the NT Authentication method in previous versions of Taskmaster.

Taskmaster Web v7.5 also supports this implementation of AD/LDAP user management.

Taskmaster Server authenticates the user (grants access) if he or she is a member of one or more AD/LDAP groups that are specially defined in Taskmaster. Taskmaster grants the user each of the permissions and privileges associated with any of the groups that they belong to – limited by the permissions and privileges of the Station in use.

Taskmaster 8.x supports LLLDAP which manages user permissions on a user level, instead of the group level. This requires that user names be added to the Users tab in Taskmaster Administrator through Taskmaster Client. LLLDAP requires password authentication, while ADSI and LDAP authentication do not.

The selection of AD or LDAP, and the path syntax used to find the user in the selected directory are specified in the registry.  In Taskmaster 7.5 and above this setting is available in the Taskmaster Server user interface in the Taskmaster tab, by clicking Advanced.  See the LDAP template field in the illustration below.



When using Windows AD authentication, Taskmaster looks up the user in Active Directory using syntax similar to WinNT://<%domain%>/<%user%>, where <%domain%> and <%user%> are automatically replaced with the user's login domain and user name.

If the user is found in the AD/LDAP directory, Taskmaster retrieves a list of all domain security groups that this user belongs to.  For example, if the login domain is mydomain.com and the user belongs to the group Domain Users, a Taskmaster group named Domain Users.mydomain will match this domain group and if it exists, Taskmaster will give this user all permissions and privileges associated with this Taskmaster group.  Any other AD/LDAP groups the user belongs to, with corresponding groups in Taskmaster, will grant additional permissions and privileges to the user.

Taskmaster Client Service v.7.0.11 and above can be set up to impersonate a Windows User, in which case the same method is used to authenticate and assign Taskmaster permissions and privileges to the service.
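The following Python is an added illustration, not IBM's or Datacap's code, of the lookup-and-mapping behaviour described above: the path template is expanded with the login domain and user name, each directory group is matched against a Taskmaster group named "<group>.<short domain>", the permissions of all matching groups are combined, the result is limited to what the Station allows, and a user not found in the directory falls back to the Taskmaster Admin database. The directory contents, Taskmaster group definitions, permission names and the admin-database table are constructed sample data; that the template is filled with the login domain exactly as typed is an assumption.

```python
"""Model of Taskmaster AD/LDAP group-to-permission mapping (added example, not product code)."""

# Path templates quoted in the technote; <%domain%> and <%user%> are filled in at login.
AD_TEMPLATE = "WinNT://<%domain%>/<%user%>"
LDAP_TEMPLATE = "LDAP://CN=<%user%>,CN=Users,DC=<%domain%>,dc=Com"

# Constructed stand-in for the directory: expanded path -> security groups of that user.
DIRECTORY = {
    "WinNT://mydomain.com/jdoe": ["Domain Users", "Scanners"],
    "WinNT://mydomain.com/asmith": ["Domain Users", "Verifiers", "Domain Admins"],
}

# Constructed Taskmaster groups, named "<AD group>.<short domain>", with their permissions.
# Note there is no "Domain Admins.mydomain": that AD group grants nothing in Taskmaster.
TASKMASTER_GROUPS = {
    "Domain Users.mydomain": {"login"},
    "Scanners.mydomain": {"login", "scan"},
    "Verifiers.mydomain": {"login", "verify"},
}

# Constructed Taskmaster Admin database users used when directory authentication fails.
ADMIN_DB_USERS = {
    "localop": {"login", "scan"},
}


def expand_template(template: str, domain: str, user: str) -> str:
    """Replace the <%domain%> and <%user%> placeholders with the login values."""
    return template.replace("<%domain%>", domain).replace("<%user%>", user)


def taskmaster_group_name(ad_group: str, login_domain: str) -> str:
    """'Domain Users' on mydomain.com matches the Taskmaster group 'Domain Users.mydomain'."""
    short_domain = login_domain.split(".")[0].lower()
    return f"{ad_group}.{short_domain}"


def directory_permissions(domain: str, user: str, station_permissions: set):
    """Return the effective permission set, or None if the user is not in the directory."""
    path = expand_template(AD_TEMPLATE, domain, user)
    ad_groups = DIRECTORY.get(path)
    if ad_groups is None:
        return None
    granted = set()
    for group in ad_groups:
        # Union of every matching Taskmaster group; unmatched AD groups contribute nothing.
        granted |= TASKMASTER_GROUPS.get(taskmaster_group_name(group, domain), set())
    # The Station in use caps what the user may actually do.
    return granted & station_permissions


def login(domain: str, user: str, station_permissions: set):
    """Try AD/LDAP first; on failure fall back to the Taskmaster Admin database (the -nta flow)."""
    perms = directory_permissions(domain, user, station_permissions)
    if perms is not None:
        return ("directory", perms)
    db_perms = ADMIN_DB_USERS.get(user)
    if db_perms is None:
        return ("denied", set())
    return ("admin-db", db_perms & station_permissions)


if __name__ == "__main__":
    station = {"login", "scan"}
    for name in ("jdoe", "asmith", "localop", "nobody"):
        print(name, login("mydomain.com", name, station))
```

Running the block shows asmith losing "verify" at a scan-only station and "Domain Admins" conferring nothing, which is the point of the group-matching rule: only AD groups with a same-named Taskmaster group carry permissions.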

Answer


To Configure Authentication

  1. Run Taskmaster Server Manager and select the Taskmaster tab.

  2. Click on Show advanced and set Authentication system to use the desired authentication.

  3. Edit Authentication path template, if necessary, and click on Save.
    Note: Older versions of Taskmaster may not allow setting of the Authentication path through Taskmaster Server Manager. For these versions, if the default user lookup syntax needs to be changed, edit the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Datacap\TMS\InterThread\LDAP template

    • For native AD authentication, set this key value to:
      WinNT://<%domain%>/<%user%>

    • For typical LDAP authentication, set the key value to: LDAP://CN=<%user%>,CN=Users,DC=<%domain%>,dc=Com



  4. To force Taskmaster Client to try AD/LDAP authentication first, set the shortcut to:
    \Datacap\tmclient\tmclient.exe -nta

    • If User authentication is successful, the StationID is determined from the previous login on this station, as recorded in the Windows Registry. If LDAP authentication fails, Taskmaster presents its standard login dialog and authenticates via the Taskmaster Admin database.

    • To restore Taskmaster Client to using Taskmaster authentication, use the command line flag -tma.

    • Taskmaster 8.x and above supports neither the -nta nor the -tma flag. Taskmaster 8.x only uses the authentication mode specified in the Taskmaster Server Configuration.




To Troubleshoot Authentication

  1. Examine the Audit table in the Admin database of the application for relevant messages.

  2. Stop the Taskmaster Server Service.

  3. Copy tmserver\dclog.dll to a backup, and then copy dcshared\dclog.dll to tmserver\dclog.dll.

  4. Turn on maximum logging in the Taskmaster Server UI, and then restart the service.

  5. Attempt to login.  Stop the Server and review the log.

  6. When finished, turn off Server logging and restore the original dclog.dll to the tmserver folder.

2 comments:

  1. Thank you for the post! Beyond authentication, can user information (e.g. email address) be pulled from AD and used in Datacap applications?