9.17 LDAP Password

In the LDAP Password method, the Advanced Authentication client retrieves the password that is stored in the user repository from the Advanced Authentication server.

If you do not include the LDAP Password method in a chain, you are prompted to perform a synchronization. When you set Save LDAP password to ON, the prompt is displayed only the first time, and again only after the password is changed or reset. If you set this option to OFF, a prompt for synchronization is displayed each time.

NOTE: You can bypass the password synchronization dialog after a password change or reset by configuring the Password Filter. For configuring the Password Filter, see Password Filter for Active Directory.

To configure the LDAP Password method, perform the following steps:

  • Set Enable SSPR integration to ON if you want to enable the Self Service Password Reset integration for Advanced Authentication web portals.

  • Specify the SSPR link text. This link is displayed on the login page where the user specifies the LDAP password.

  • Specify the SSPR URL. This URL points to the Self Service Password Reset portal.

  • Set Enable cached logon to ON if you want the user-specified password to be validated against the password stored (cached) on the Advanced Authentication server when the LDAP server is unavailable. The behavior differs between deployment types:

    On-Premise:

    If the user password does not match the stored password, or no password is stored on the Advanced Authentication server, the cached value is reset and the Advanced Authentication server contacts the LDAP server to validate the user password.

    If that validation fails, the password stored on the Advanced Authentication server is reset, so the next login is performed without the cache.

    Advanced Authentication as a Service (SaaS):

    If the user password does not match the stored password, or no password is stored on the Advanced Authentication server, the authentication fails. However, the cached password is reset only after the set Cached logon offline period is exceeded.

    If the user-specified password matches the cached password, the Advanced Authentication server validates the user password with the LDAP server in the background. After the set Cached logon offline period, if that validation fails, the password stored on the server is reset and the subsequent login is performed without the cache.

    When the Enable cached logon option is set to OFF (default behavior), the Advanced Authentication server always contacts the LDAP server to validate the user password. It may cause performance issues.

    • With Enable cached logon set to ON, you can set how long users can continue to log in offline while the repository is unavailable in Cached logon offline period (minutes). By default, the offline period is set to 60 minutes.

NOTE: The Enable cached logon option works only if at least one of the following settings is set to ON:

  • Save LDAP password in the LDAP Password method.

  • Enable local caching in the Cache Options policy.

The LDAP password is stored on the Advanced Authentication server in the following two places:

  1. User data: used for OS logon (Windows Client, Mac OS X Client, and Linux PAM Client). The password is stored here when the Save LDAP password option in the LDAP Password method is set to ON.

  2. LDAP password authenticator: used for cached logon. The password is stored here when the Enable local caching option in the Cache Options policy is set to ON.
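The cached-logon flow described above, including the prerequisite from the note, as an added, simplified model for this page; it is not Advanced Authentication's own code, and the SHA-256 cache entries, the minute-based clock, and the function names are assumptions made for the example.

```python
# Simplified model of the cached-logon flow described on this page. Written for
# this page, not Advanced Authentication's own code; hashing, cache layout,
# timing and names are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Settings:
    enable_cached_logon: bool = False
    save_ldap_password: bool = False    # LDAP Password method option
    enable_local_caching: bool = False  # Cache Options policy
    offline_period_min: int = 60        # Cached logon offline period (minutes)

def cached_logon_active(s: Settings) -> bool:
    """Enable cached logon takes effect only with one of the two storage options ON."""
    return s.enable_cached_logon and (s.save_ldap_password or s.enable_local_caching)
def _digest(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # assumed cache format

def authenticate(s: Settings, cache: Dict[str, Tuple[bytes, int]], user: str,
                 password: str, ldap: Optional[Callable[[str, str], bool]],
                 now_min: int, saas: bool = False) -> bool:
    """cache maps user -> (digest, minute stored); ldap is None when unreachable."""
    entry = cache.get(user)
    hit = entry is not None and hmac.compare_digest(entry[0], _digest(password))
    expired = entry is not None and now_min - entry[1] > s.offline_period_min
    if not cached_logon_active(s):
        return bool(ldap and ldap(user, password))  # default: always contact LDAP
    if saas:
        if not hit:
            # SaaS: a mismatch fails outright; the cached value is dropped
            # only once the offline period has been exceeded.
            if expired:
                cache.pop(user, None)
            return False
        # Match: accepted now; LDAP is checked in the background when reachable
        # and a failed check after the offline period resets the cache.
        if ldap is not None and expired and not ldap(user, password):
            cache.pop(user, None)
        return True
    # On-premise: a hit is accepted; offline only within the offline period.
    if hit:
        return ldap is not None or not expired
    cache.pop(user, None)  # mismatch or nothing cached: reset, then ask LDAP
    if ldap is not None and ldap(user, password):
        cache[user] = (_digest(password), now_min)
        return True
    return False  # LDAP unreachable or validation failed; cache stays reset
```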