Creating a Directory Server Connection

On the Directory Servers page, click New. The Create New Server Connection page opens. Complete the fields below, then click OK.

When finished, proceed to Adding Users and Roles from a Directory Server Connection.

Create New Server Connection

  • Directory Type: Specify the directory server type, either Active Directory or Generic Directory, such as LDAP.
  • Name: Provide a name for the connection.
  • Host: The host name of the directory server.
  • Note: If Authentication Type (below) is SASL, and Host is an IP address, you must also specify a Realm.

  • Port: The port that is used to communicate with the directory server. Most common Windows domain configurations use port 389 or 636.
  • Connection Encryption: The encryption method to use when authenticating with the directory server.
  • Search Account Name: A Windows Service Account to use for importing directory server users and groups into FME Server. This account requires read access to the domain controller.
  • Specify the account in any of the following formats:

    Format

    Syntax

    Example

    NT Login DOMAIN\username MYCOMPANY\User1
    User Principal Name username@domain.net User1@MYCOMPANY.INTERNAL
    Distinguished Name CN=...,OU=...,DC=... CN=User One,OU=Service Accounts,OU=My Company,DC=company,DC=internal
  • Search Account Password: The password of the directory server account.
  • Account Name Attribute: If Directory Type is Generic Directory, the directory attribute to use for user account login in FME Server. Typical attributes are UID, mail, or CN.
  • Group Name Attribute: If Directory Type is Generic Directory, the directory attribute to use for role name in FME Server. A typical attribute is CN.
  • User Class: If Directory Type is Generic Directory, the objectClass attribute value that identifies directory users. This value must be consistent for all users, as it is used to search for users in the directory server. Typical attribute values are inetOrgPerson and organizationalPerson.
  • Group Class: If Directory Type is Generic Directory, the objectClass attribute value that identifies directory groups. This value must be consistent for all groups, as it is used to search for groups in the directory server. A typical attribute value is groupOfNames.

Authentication

  • Authentication Type: Specify the method of authenticating with the directory server:
    • Basic: SASL authentication is not enabled.
    • SASL: Enables simple authentication and security level (SASL).
      • SASL Mechanism:
        • GSSAPI: Kerberos V5 authentication
        • GSS-SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism
        • EXTERNAL: Context-implicit authentication
        • DIGEST-MD5: MD5 message digest
  • Enable Single Sign-On: If Directory Type is Active Directory, this setting, if checked, allows users imported from this connection to auto-connect to FME Server with their Windows credentials.
  • Note: To use Single Sign-On, you must also update your Windows domain and web browser configurations. For more information, see Configuring Integrated Windows Authentication.

    • Service Account Name: The name of the Windows Service Account to configure for single sign on, in the format USERNAME (do not specify DOMAIN).
    • Service Account Password: The Windows service account password.

Optional fields

  • Enable Synchronization: When checked, the connection synchronizes with the directory server at specified intervals. Information that synchronizes includes:
    • Relationships between users and groups. For example, consider User_1 who belongs to Group_1 in FME Server because of a corresponding relationship in the directory server. If that relationship is subsequently broken in the directory server, the relationship between User_1 and Group_1 will break in FME Server after the next synchronization interval. Likewise, if a directory server user changes groups, that change will synchronize in FME Server.
    • Name changes to user accounts on the directory server.
    • Note: When synchronization occurs, FME Server ensures any directory server name change does not break the user's connection to FME Server. However, FME Server does not update the user's login name (Username) or display name (Full Name).

    Note: If Enable Synchronization is not checked, you can still synchronize the connection manually after it is created. For more information, see To perform other tasks on Directory Server Connections.

    • Synchronization Interval: Specify the desired frequency of synchronization.
  • KDC Host: If Directory Type is Active Directory and SASL Mechanism is GSSAPI, specify the host name or IP address of the Kerberos key distribution centre (KDC). If not specified, the KDC is assumed to be located on the same server as the Active Directory domain controller.
  • Realm: If Directory Type is Active Directory and SASL Mechanism is GSSAPI or DIGEST-MD5, specify the authentication realm for Kerberos V5 or MD5 message digest authentication. On Active Directory, the authentication realm is the domain name. Specify the capitalized version of the domain name, in its fully-qualified domain name (FQDN) form. For example, if the FQDN is domain.net, use DOMAIN.NET. If not specified, the authentication realm is assumed to be the domain name of the Active Directory Domain Controller.
  • Note: If Host is an IP address, you must specify a Realm.

  • Search Bases: Specify the distinguished name of a section (sub-tree) of the directory server that is accessible to the connection. Any sections not specified are not accessible. If not specified, the entire directory is accessible.
  • Alternate Servers: Enables FME Server to access the directory server using alternate Host and Port combinations. This setting may be useful in either of these situations:
    • The directory server can be accessed from multiple, redundant servers. FME Server uses these servers to access the directory server in a rotating manner, which distributes the load across them.
    • If one directory server is inaccessible, FME Server connects to one or more alternate servers.

    To add a Host and Port combination, click +. To remove a Host and Port combination, click -.

  • Account Name Attribute: If Directory Type is Active Directory, the Active Directory attribute to use for user account login in FME Server. For Windows, leave blank to use the account's pre-Windows 2000 login name (sAMAccountName).
  • Account Member Attribute: If Directory Type is Generic Directory, the directory server attribute that contain a user account’s group membership. This attribute is not present in all directory servers. However, if present, it can make directory access more efficient. A typical attribute is memberOf.
  • Group Name Attribute: If Directory Type is Active Directory, the attribute to use for the role name in FME Server. For Windows, leave blank to use the group's pre-Windows 2000 group name (sAMAccountName).
  • Full Name Attribute: The directory server attribute to use for the user account’s full name in FME Server. If Directory Type is:
    • Active Directory: Leave blank for Windows to use displayName.
    • Generic Directory: A typical attribute is displayName.
  • Email Attribute: The directory server attribute to use for user account's email address in FME Server. If Directory Type is:
    • Active Directory: Leave blank for Windows to use the account's email address (mail).
    • Generic Directory: A typical attribute is mail.

What's Next?

Proceed to Adding Users and Roles from a Directory Server Connection.