How to use Direct AD in Identify
Introduction
When configuring an LDAP transformation or an LDAP identity provider, you normally need to configure the LDAP web service first. If you only need to connect to your own AD, you can instead set up a "Direct AD" connection and use it in the LDAP transformation or LDAP identity provider.
Solution
Step 1: open the web.config file in the Runtime folder in a text editor.
Step 2: under the appSettings section, add the following section:
<GAD>
  <ADToolBox>
    <!-- Path to the Active Directory. This can be either the domain or a specific server -->
    <LDAPPath>LDAP://yourdomain.com</LDAPPath>
    <!-- The root of all LDAP operations. All operations will be restricted to this root -->
    <DomainRoot>DC=yourdomain,DC=com</DomainRoot>
    <!-- Set to true to prevent memory leaks in long-running processes -->
    <DisposeSearchResultCollections>True</DisposeSearchResultCollections>
    <Authentication>
      <!-- Set to true to use the app pool identity. Set to false to use the specified account -->
      <Impersonate>True</Impersonate>
      <!-- The username to use, if not impersonating -->
      <UserName></UserName>
      <!-- The password to use, if not impersonating -->
      <Password encrypted="False"></Password>
      <!-- Don't change -->
      <AuthenticationType>Secure</AuthenticationType>
    </Authentication>
  </ADToolBox>
  <DirectoryRepository>
    <DirectoryRepositoryConfiguration configFile="~/DirectoryRepositoryConfiguration.config" />
    <PasswordGeneratorConfiguration configFile="~/PasswordGeneratorConfiguration.config" />
  </DirectoryRepository>
</GAD>
Note: The LDAP plug-in of Safewhere Identify supports two methods of getting groups from AD: a new one and a legacy one. Although the new method is supposed to be faster than the legacy one, it may fail with some specific AD setups. When that is the case, add the following setting to the appSettings section of the web.config file to switch to the legacy method:
<add key="UseLegacyGetGroupsMethod" value="true"/>
Step 3: save the web.config file.
Step 4: reset IIS.
Step 5: log in to Safewhere Admin and set the LdapWS service name setting of the LDAP transformation or LDAP authentication to the "None" option.
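Before resetting IIS it is worth checking the edited file for the mistakes that most often break a Direct AD connection: a DomainRoot that does not belong to the domain or server named in LDAPPath, an account configured but ignored because Impersonate is True, or Impersonate set to False without credentials. The following Python script is an added example; it is not part of Safewhere Identify or of this article. It parses a web.config, checks the <GAD> values for consistency, flags a password stored with encrypted="False", and reports whether the UseLegacyGetGroupsMethod switch from the note above is set. The embedded sample web.config is constructed from the values shown in Step 2, and the check rules are this example's own assumptions, not documented Safewhere validation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <GAD> block from Step 2 plus an appSettings section that
# contains the optional legacy get-groups switch. A real web.config has much more.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="UseLegacyGetGroupsMethod" value="true"/>
  </appSettings>
  <GAD>
    <ADToolBox>
      <LDAPPath>LDAP://yourdomain.com</LDAPPath>
      <DomainRoot>DC=yourdomain,DC=com</DomainRoot>
      <DisposeSearchResultCollections>True</DisposeSearchResultCollections>
      <Authentication>
        <Impersonate>True</Impersonate>
        <UserName></UserName>
        <Password encrypted="False"></Password>
        <AuthenticationType>Secure</AuthenticationType>
      </Authentication>
    </ADToolBox>
  </GAD>
</configuration>
"""


def _text(parent, tag):
    """Stripped text of a child element, or None if the child is absent."""
    el = parent.find(tag)
    return None if el is None else (el.text or "").strip()


def _ldap_host(ldap_path):
    """Host part of 'LDAP://host[:port][/...]', lower-cased; None if the scheme is wrong."""
    m = re.match(r"(?i)ldap://([^/:]+)", ldap_path.strip())
    return m.group(1).lower() if m else None


def _domain_from_root(domain_root):
    """'DC=yourdomain,DC=com' -> 'yourdomain.com'; None if it is not a pure DC= DN."""
    parts = [p.strip() for p in domain_root.split(",") if p.strip()]
    if not parts or not all(p.upper().startswith("DC=") for p in parts):
        return None
    return ".".join(p[3:].lower() for p in parts)


def check_direct_ad(web_config_xml):
    """Return a list of findings; an empty list means the block looks consistent."""
    findings = []
    root = ET.fromstring(web_config_xml)
    toolbox = root.find("GAD/ADToolBox")
    if toolbox is None:
        return ["no <GAD><ADToolBox> section found"]

    ldap_path = _text(toolbox, "LDAPPath") or ""
    domain_root = _text(toolbox, "DomainRoot") or ""
    host = _ldap_host(ldap_path)
    if host is None:
        findings.append(f"LDAPPath '{ldap_path}' must look like LDAP://domain-or-server")
    domain = _domain_from_root(domain_root)
    if domain is None:
        findings.append(f"DomainRoot '{domain_root}' must be a comma-separated list of DC= parts")
    # LDAPPath may name the domain itself or one server in it (dc01.yourdomain.com),
    # so the domain spelled by DomainRoot must equal the host or be a suffix of it.
    elif host is not None and host != domain and not host.endswith("." + domain):
        findings.append(f"DomainRoot '{domain_root}' does not match LDAPPath '{ldap_path}'")

    auth = toolbox.find("Authentication")
    if auth is None:
        findings.append("missing <Authentication> element")
        return findings

    impersonate = (_text(auth, "Impersonate") or "").lower()
    user = _text(auth, "UserName") or ""
    pwd_el = auth.find("Password")
    pwd = (pwd_el.text or "").strip() if pwd_el is not None else ""
    encrypted = (pwd_el.get("encrypted", "False").lower() == "true") if pwd_el is not None else False

    if impersonate not in ("true", "false"):
        findings.append(f"Impersonate must be True or False, got '{impersonate}'")
    elif impersonate == "false":
        # A fixed service account is used, so both credentials must be present.
        if not user or not pwd:
            findings.append("Impersonate is False but UserName/Password are empty")
        if pwd and not encrypted:
            findings.append('Password is stored in clear text (encrypted="False")')
    elif user or pwd:
        # The app pool identity is used; the configured account is never read.
        findings.append("Impersonate is True, so UserName/Password are ignored")

    if (_text(auth, "AuthenticationType") or "") != "Secure":
        findings.append("AuthenticationType must stay 'Secure'")
    return findings


def legacy_groups_enabled(web_config_xml):
    """True if appSettings switches the LDAP plug-in to the legacy get-groups method."""
    root = ET.fromstring(web_config_xml)
    for add in root.findall("appSettings/add"):
        if add.get("key") == "UseLegacyGetGroupsMethod":
            return add.get("value", "").lower() == "true"
    return False


if __name__ == "__main__":
    for line in check_direct_ad(SAMPLE_WEB_CONFIG) or ["Direct AD block looks consistent"]:
        print(line)
    print("legacy get-groups method:", legacy_groups_enabled(SAMPLE_WEB_CONFIG))
```

Run it against a copy of the Runtime web.config (`check_direct_ad(open(path).read())`) before Step 4; the suffix rule for DomainRoot deliberately accepts a single server name in LDAPPath, which the comment in Step 2 permits.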