The LDAP server authentication process in OpenEdge uses configuration properties specific to the enterprise. Understanding this process clarifies the purpose of the various configuration options, properties, and property values that you need to configure.

When a client request arrives in an ABL web application that is deployed on a PAS for OpenEdge instance, and the instance is configured to authenticate against Active Directory or another LDAP directory, the authentication process used by either the Active Directory or the generic LDAP authentication manager plug-in works as shown in the following figure and in the steps that follow it.

  1. Obtain the LDAP user account identity needed for authentication. The plug-in takes it either directly from the client login information or by searching Active Directory with the client login information as the search key.
  2. Connect to Active Directory using that user account identity and password. Generate an exception if the connection or the credential check fails.
  3. Search for the Active Directory user account object and return the account attributes that are to be propagated into a CLIENT-PRINCIPAL object.
  4. Search Active Directory for the groups to which the Active Directory administrator has granted the authenticated user account access. Generate an exception if no groups are found.
  5. Disconnect from Active Directory.
  6. Propagate the Active Directory user account information into a sealed CLIENT-PRINCIPAL object.

The ABL application can then use the CLIENT-PRINCIPAL object to authorize access to resources such as PAS for OpenEdge services, an OpenEdge database, or ABL application processes and data.
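To make the six steps concrete, the following Python script simulates the flow end to end against a constructed in-memory directory. It is an added example, not the code of Progress's Active Directory or generic LDAP plug-in, and it uses no real LDAP library: the `FakeDirectory` class stands in for the server's bind, search and unbind operations, and `seal_principal`/`seal_is_valid` stand in for CLIENT-PRINCIPAL sealing with an HMAC. All DNs, account names, passwords, the seal key and the configuration constants (`BASE_DN`, `SERVICE_DN`, `SERVICE_PASSWORD`) are constructed for the demo; `sAMAccountName` and `member` are the conventional Active Directory attributes for the login name and group membership, but the page does not show which attributes or property names the plug-in actually uses. The example goes slightly beyond the list above in two places a practitioner would want: it refuses an empty password before binding (on a real LDAP server an empty password is an unauthenticated bind that appears to succeed), and it returns the same generic error for an unknown user, a wrong password and an account with no groups.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-ins for the connection properties an administrator configures.
BASE_DN = "dc=example,dc=com"
SERVICE_DN = "cn=svc-pas,ou=service,dc=example,dc=com"
SERVICE_PASSWORD = "svc-secret"
SEAL_KEY = b"server-side-seal-key"  # never leaves the server

class AuthenticationError(Exception):
    """One generic failure for unknown user, bad password or no groups."""

@dataclass
class Entry:
    dn: str
    attributes: dict      # attribute name -> list of values
    password: str = ""    # held only because this is a stand-in; "" = cannot bind

class FakeDirectory:
    """In-memory stand-in for an LDAP server: bind, search, read, unbind."""
    def __init__(self, entries):
        self._entries = {e.dn: e for e in entries}
        self.bound_as = None          # DN of the current connection, if any

    def bind(self, dn, password):
        entry = self._entries.get(dn)
        if entry is None or not entry.password or not hmac.compare_digest(entry.password, password):
            raise AuthenticationError("authentication failed")
        self.bound_as = dn

    def search(self, base_dn, attribute, value):
        """DNs under base_dn matching the equality filter (attribute=value)."""
        if self.bound_as is None:
            raise AuthenticationError("search requires a bound connection")
        return [e.dn for e in self._entries.values()
                if e.dn.endswith(base_dn) and value in e.attributes.get(attribute, [])]

    def read(self, dn):
        return dict(self._entries[dn].attributes)

    def unbind(self):
        self.bound_as = None

def _canonical(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

def seal_principal(claims):
    """Step 6 stand-in: an HMAC over the canonical claims exposes later tampering."""
    return {**claims, "seal": hmac.new(SEAL_KEY, _canonical(claims), hashlib.sha256).hexdigest()}

def seal_is_valid(sealed):
    claims = {k: v for k, v in sealed.items() if k != "seal"}
    expected = hmac.new(SEAL_KEY, _canonical(claims), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("seal", ""))

def authenticate(directory, login_name, password, domain="example.com"):
    # Step 1: the login name is only a search key; resolve it to a DN under a
    # dedicated service account, never under the user's own credentials.
    directory.bind(SERVICE_DN, SERVICE_PASSWORD)
    try:
        dns = directory.search(BASE_DN, "sAMAccountName", login_name)
    finally:
        directory.unbind()
    if len(dns) != 1:                 # unknown or ambiguous account: refuse
        raise AuthenticationError("authentication failed")
    account_dn = dns[0]
    # Step 2: connect as the user. Refuse an empty password up front: on a real
    # LDAP server it would be an unauthenticated bind that "succeeds".
    if not password:
        raise AuthenticationError("authentication failed")
    directory.bind(account_dn, password)
    try:
        # Step 3: read the account attributes that will be propagated.
        attrs = directory.read(account_dn)
        # Step 4: groups granting this account access; none means no access.
        group_dns = directory.search(BASE_DN, "member", account_dn)
        if not group_dns:
            raise AuthenticationError("authentication failed")
        roles = sorted(directory.read(g)["cn"][0] for g in group_dns)
    finally:
        directory.unbind()            # Step 5: always disconnect
    # Step 6: the sealed principal is what the ABL application authorizes on.
    return seal_principal({"user_id": login_name, "domain": domain, "dn": account_dn,
                           "mail": attrs.get("mail", [None])[0], "roles": roles})

def demo_directory():
    """Constructed sample data: one service account, two users, one group."""
    alice = "cn=alice,ou=people,dc=example,dc=com"
    return FakeDirectory([
        Entry(SERVICE_DN, {"cn": ["svc-pas"]}, password=SERVICE_PASSWORD),
        Entry(alice, {"cn": ["alice"], "sAMAccountName": ["alice"],
                      "mail": ["alice@example.com"]}, password="alice-pw"),
        Entry("cn=bob,ou=people,dc=example,dc=com",
              {"cn": ["bob"], "sAMAccountName": ["bob"]}, password="bob-pw"),
        Entry("cn=pas-users,ou=groups,dc=example,dc=com", {"cn": ["pas-users"], "member": [alice]}),
    ])
```

Running `authenticate(demo_directory(), "alice", "alice-pw")` returns a sealed principal with `roles == ["pas-users"]`; `bob` binds successfully but is rejected at step 4 because no group grants him access, and in every failure path the `finally` blocks leave the directory connection closed, which is the property step 5 asks for.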