Product Documentation

c-treeACE V11.0 Update Guide


LDAP Authentication Controls and Group Support

c-treeACE now supports LDAP authentication for both ISAM and SQL user connections.

LDAP (Lightweight Directory Access Protocol) is a directory solution employed in many enterprise environments to centralize institutional data. That data includes user credentials, which allows “single sign-on” to multiple systems, now including c-treeACE servers. This greatly simplifies administration of large numbers of users accessing many independent systems. c-treeACE supports both user and group management at the SQL and NoSQL layers.

LDAP Group Membership Control

LDAP support includes the ability to check LDAP group membership. Configure the LDAP_ISAM_ALLOWED_GROUP and/or LDAP_SQL_ALLOWED_GROUP options using this syntax:


LDAP_ISAM_ALLOWED_GROUP {attr:ATTRIBUTE_VALUE}{base:BASE_VALUE}{filter:FILTER_VALUE}

For example:


LDAP_ISAM_ALLOWED_GROUP {attr:member}{base:dc=mycompany,dc=com}{filter:(&(objectClass=groupOfNames)(cn=myusergroup))}
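A group setting can be checked before it goes into the server configuration. The following is an added example, not FairCom code: it splits an option line into its attr, base and filter fields, rejects malformed lines, and builds the equivalent OpenLDAP ldapsearch command so the group lookup can be tested against the directory. The validation rules are this example's own (the server's parser may accept more), and the LDAP URI is a placeholder.

```python
import re
import shlex

OPTIONS = {"LDAP_ISAM_ALLOWED_GROUP", "LDAP_SQL_ALLOWED_GROUP"}
FIELD = re.compile(r"\s*\{(\w+):([^{}]*)\}\s*")
# The example line from this page.
EXAMPLE = ("LDAP_ISAM_ALLOWED_GROUP {attr:member}{base:dc=mycompany,dc=com}"
           "{filter:(&(objectClass=groupOfNames)(cn=myusergroup))}")

def check_filter(flt):
    """Require one balanced, parenthesised LDAP filter expression."""
    depth = 0
    for i, ch in enumerate(flt):
        depth += (ch == "(") - (ch == ")")
        # Depth may only return to zero on the final character.
        if depth < 0 or (depth == 0 and i < len(flt) - 1):
            raise ValueError(f"filter is not one parenthesised expression: {flt!r}")
    if depth != 0 or not flt.startswith("("):
        raise ValueError(f"filter parentheses are unbalanced: {flt!r}")

def parse_allowed_group(line):
    """Split an option line into option/attr/base/filter, rejecting malformed input."""
    name, _, rest = line.strip().partition(" ")
    if name not in OPTIONS:
        raise ValueError(f"unexpected option name: {name!r}")
    fields, pos = {}, 0
    while pos < len(rest):
        m = FIELD.match(rest, pos)
        if not m or m.group(1) in fields:
            raise ValueError(f"malformed or repeated field at offset {pos}: {rest[pos:]!r}")
        fields[m.group(1)] = m.group(2).strip()
        pos = m.end()
    if set(fields) != {"attr", "base", "filter"} or not all(fields.values()):
        raise ValueError(f"need non-empty attr, base and filter; got {sorted(fields)}")
    check_filter(fields["filter"])
    return {"option": name, **fields}

def ldapsearch_argv(cfg, uri="ldaps://ldap.example.invalid"):
    """Build an ldapsearch call for the same lookup (uri is a placeholder)."""
    return ["ldapsearch", "-x", "-H", uri, "-b", cfg["base"], cfg["filter"], cfg["attr"]]

if __name__ == "__main__":
    cfg = parse_allowed_group(EXAMPLE)
    print(cfg)
    print(shlex.join(ldapsearch_argv(cfg)))
```

If the printed ldapsearch command returns no entry, or an entry without the expected attribute values, the filter or base in the option line does not match the directory's group object.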

Important: The super administrator (ADMIN) user account is always authenticated using c-tree's authentication and not LDAP authentication. This means a client not supporting LDAP/secure key exchange logon can still connect using the ADMIN account.

Compatibility Notes

  • The c-treeACE implementation of LDAP support is based on the OpenLDAP API standard. Other LDAP implementations should function similarly based on the standard API calls used.
  • The SSL support c-treeACE uses to secure LDAP connections is based on OpenSSL. Most standards-based SSL implementations should function similarly.
  • C# and Java interfaces use support built in to their frameworks to implement secure key exchange. They do not require a separate SSL library.
  • The C# interface requires BigInteger support, only available in .NET framework 4.0 and later.
