When setting up PAS for OpenEdge so that it can authenticate clients against the user account information stored in Microsoft Active Directory, your fundamental goals are:

  • To use the Active Directory-stored user account information to authenticate a user and to authorize access by that user to the ABL application
  • To produce a CLIENT-PRINCIPAL object that can be passed to the ABL application so that the same identity can be used to manage the OpenEdge Database user, and therefore access to tables, fields, and so on

PAS for OpenEdge includes two Spring-implemented plug-ins that can satisfy the requirement to authenticate user identities that have accounts that are stored in Active Directory:

  • Active Directory authentication manager—ad
  • Generic LDAP authentication manager—ldap

An authentication manager plug-in performs the authentication process on behalf of an ABL application that is hosted on PAS for OpenEdge, and returns a sealed token that contains the user's credentials and other information, as explained in Learn about Security Tokens.

When to choose the Active Directory authentication manager plug-in

The Active Directory authentication manager plug-in may be appropriate if the following conditions are met:

  • Your PAS for OpenEdge instance authenticates client credentials (that is, username and password) using Windows Active Directory.
  • Your ABL application uses the Active Directory user account’s userPrincipalName (UPN) attribute as its application user identity and OpenEdge domain. For example, the userPrincipalName bobs@acme.com consists of the Client-Principal user identity bobs in the OpenEdge domain acme.com.
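The UPN-to-identity mapping described above can be made concrete with a small parser. The following is an added example written for this page, not OpenEdge or Spring Security code; the `REGISTERED_DOMAINS` allow-list, the `Identity` type and the `classify` helper are constructed for the illustration. It splits a userPrincipalName into the Client-Principal user identity and the OpenEdge domain exactly as the page's bobs@acme.com example does, rejects malformed values (no `@`, more than one `@`, empty parts, embedded whitespace), normalises the case-insensitive DNS suffix, and refuses domains the application has not registered, which is the check an ABL application would want before trusting the domain half of the identity.

```python
"""Map an Active Directory userPrincipalName to a Client-Principal-style
user identity and OpenEdge domain (bobs@acme.com -> bobs / acme.com).

Added example for this page, not OpenEdge or Spring Security code.
REGISTERED_DOMAINS, Identity, UPNFormatError and classify() are constructed
for the illustration.
"""
from dataclasses import dataclass

# Constructed sample of OpenEdge domains the ABL application is assumed to
# have registered; a real application would take these from its own domain
# registry rather than a hard-coded set.
REGISTERED_DOMAINS = frozenset({"acme.com", "emea.acme.com"})


class UPNFormatError(ValueError):
    """Raised when a value is not a well-formed userPrincipalName."""


@dataclass(frozen=True)
class Identity:
    user_id: str   # Client-Principal user identity (the UPN prefix)
    domain: str    # OpenEdge domain (the UPN suffix, lower-cased)

    @property
    def qualified_name(self) -> str:
        return f"{self.user_id}@{self.domain}"


def split_upn(upn: str) -> Identity:
    """Return the user identity and domain carried by a UPN.

    Exactly one '@' is required and both parts must be non-empty. The DNS
    suffix is case-insensitive, so it is normalised to lower case; the user
    part is preserved as given so it matches the stored account name.
    """
    if not isinstance(upn, str):
        raise UPNFormatError("UPN must be a string")
    value = upn.strip()
    if value.count("@") != 1:
        raise UPNFormatError(f"UPN must contain exactly one '@': {upn!r}")
    if any(ch.isspace() for ch in value):
        raise UPNFormatError(f"UPN must not contain whitespace: {upn!r}")
    user_id, domain = value.split("@")
    if not user_id or not domain:
        raise UPNFormatError(f"UPN has an empty user or domain part: {upn!r}")
    return Identity(user_id=user_id, domain=domain.lower())


def resolve_identity(upn: str, registered=REGISTERED_DOMAINS) -> Identity:
    """Split the UPN and refuse domains the application has not registered."""
    ident = split_upn(upn)
    if ident.domain not in registered:
        raise PermissionError(
            f"domain {ident.domain!r} is not a registered OpenEdge domain")
    return ident


def classify(upn: str, registered=REGISTERED_DOMAINS) -> str:
    """One-line verdict for a UPN: 'ok:<user>@<domain>', 'malformed' or
    'unregistered'. Convenient for logging authentication decisions."""
    try:
        return "ok:" + resolve_identity(upn, registered).qualified_name
    except UPNFormatError:
        return "malformed"
    except PermissionError:
        return "unregistered"


if __name__ == "__main__":
    # Constructed sample inputs: a valid UPN, a mixed-case variant, an
    # unregistered domain, a value with no '@' and one with two.
    for sample in ("bobs@acme.com", "Bobs@ACME.COM", "eve@evil.example",
                   "bobs", "a@b@c"):
        print(f"{sample:18} -> {classify(sample)}")
```

Note that only the domain half is lower-cased: Active Directory treats the UPN suffix as a DNS name, while the prefix is what the ABL application compares against its own user records, so it is passed through unchanged.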

When to choose the generic LDAP server authentication manager plug-in

The generic LDAP authentication manager plug-in is appropriate when you need more direct control of the authentication process interaction with Microsoft Active Directory, such as the following:

  • User account class object schema
  • User account storage location in Active Directory
  • The mapping of a client's identity to information stored in the corresponding user account in Active Directory, such as an email address, full name, nickname, and so on
  • The mapping of the Active Directory user account group object to ROLE_names
  • LDAP group object storage location in Active Directory
  • The ability to assign Active Directory user accounts to an OpenEdge domain

Most significantly, if the ABL application is multi-tenant, you must use the generic LDAP server authentication manager plug-in.

How to configure the authentication manager plug-in

You configure your chosen authentication manager plug-in using the SECPROP utility, which manages all Spring Security framework properties that are set in the oeableSecurity.properties file of your ABL web application. You select your authentication manager plug-in by setting the http.all.authmanager property to one of the following:

  • ad—Selects the Active Directory authentication manager plug-in
  • ldap—Selects the generic LDAP authentication manager plug-in

For details, see SECPROP in Manage Progress Application Server (PAS) for OpenEdge.