Learn about the LDAP Authentication Process
- Last Updated: March 30, 2020
- 2 minute read
- OpenEdge
- Version 12.2
The LDAP server authentication process in OpenEdge uses configuration properties specific to the enterprise. Understanding this process clarifies the purpose of the various configuration options, properties, and property values that you need to configure.
When a client request arrives in an ABL web application deployed on a PAS for OpenEdge instance that is configured with Active Directory, the authentication process used by either the Active Directory or the generic LDAP authentication manager plug-in works as shown in the following figure.
- The authentication manager plug-in obtains the LDAP user account identity needed for authentication. This identity comes either directly from the client login information or from a search of Active Directory that uses the client login information as the search key.
- Connect to Active Directory with an LDAP user account identity and password. Generate an exception if an error occurs.
- Search for the Active Directory user account storage object to return account attributes that can be propagated into a CLIENT-PRINCIPAL object.
- Search Active Directory for groups that the authenticated user account has been granted access to by the Active Directory administrator. If no groups are found, generate an exception.
- Disconnect from Active Directory.
- Propagate the Active Directory user account information to a sealed CLIENT-PRINCIPAL object.
The ABL application can then use the CLIENT-PRINCIPAL object for authorizing access to resources, such as PAS for OpenEdge services, OpenEdge Database, or ABL application processes or data.
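The six steps above, modelled as an added example (not OpenEdge or PAS code): a constructed in-memory directory stands in for Active Directory, the "no groups" and bad-credential cases raise as the process describes, and the sealed principal is an HMAC over the propagated attributes so that a tampered record is detected before authorization. The directory entries, the sealing key, and the attribute names carried into the principal are assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the Active Directory data the plug-in reads:
# DN -> attributes. Plaintext passwords exist only because this is a mock.
DIRECTORY = {
    "CN=Alice,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "alice", "password": "s3cret",
        "mail": "alice@example.com",
        "memberOf": ["CN=AppUsers,OU=Groups,DC=example,DC=com"]},
    "CN=Bob,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "bob", "password": "hunter2",
        "mail": "bob@example.com", "memberOf": []},
}
SEAL_KEY = b"constructed-sealing-secret"  # assumption: stand-in for the real seal key

class LdapAuthError(Exception):
    """Raised at the points where the process generates an exception."""

def resolve_dn(login):
    # Step 1: the identity is either already a DN or found by search on the login.
    if login in DIRECTORY:
        return login
    for dn, attrs in DIRECTORY.items():
        if attrs["sAMAccountName"] == login.lower():
            return dn
    raise LdapAuthError("no account matches login")

def authenticate(login, password):
    dn = resolve_dn(login)
    acct = DIRECTORY[dn]
    # Step 2: bind as that account; any failure is an exception, not a fallthrough.
    if not hmac.compare_digest(acct["password"], password):
        raise LdapAuthError("bind failed")
    # Step 3: read the attributes to propagate. Step 4: groups are mandatory.
    roles = list(acct["memberOf"])
    if not roles:
        raise LdapAuthError("account belongs to no groups")
    # Step 5: the real flow disconnects here; the mock has no session to close.
    # Step 6: propagate into a sealed CLIENT-PRINCIPAL-like record.
    principal = {"user-id": acct["sAMAccountName"], "qualified-user-id": dn,
                 "mail": acct["mail"], "roles": roles}
    body = json.dumps(principal, sort_keys=True).encode()
    principal["seal"] = hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest()
    return principal

def verify_seal(principal):
    # The consumer re-derives the seal; any edited attribute breaks it.
    body = {k: v for k, v in principal.items() if k != "seal"}
    expected = hmac.new(SEAL_KEY, json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, principal["seal"])
```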