Certify-LDAP integration

Worksoft Certify-LDAP integration
 
Worksoft Certify-LDAP integration allows authentication of Certify users against a Lightweight Directory Access Protocol (LDAP) system.
 
The integration involves sending a username/password combination to LDAP and getting back a response from LDAP on whether the combination is valid.  If so, the user is authenticated. Worksoft Certify does not pull or use Kerberos tickets.
 
Certify-LDAP integration is only supported for Certify Windows Client in version 9.
 
If you press F1 for help when you are logged into Certify Windows Client, you can search for the term LDAP and get a couple of helpful hints on how to set up Certify-LDAP integration.
 
Note: To configure Worksoft Certify with LDAP authentication, information on how to contact the LDAP server, i.e., path name and domain name, is required. Worksoft Certify does not use a service account to access LDAP. Instead, Worksoft Certify takes the username and password provided during configuration and sends a request to LDAP to authenticate the Certify user.
 
Worksoft integrates with Active Directory via LDAP ONLY for authentication, but does not support single sign-on (SSO).
 
Troubleshooting:
 
#1 - If you are logging in as "Admin" and are having a problem, please read below.
 
When you log in as admin, the login is always checked against the Certify database, even if you have LDAP enabled. We did this to make sure you can always get back in. If you have LDAP disabled, then the username/password are compared against the Certify database. If you have LDAP enabled, then the username/password are compared against the LDAP source, which in this case is our corporate Active Directory. You need to make sure to enter your network password, not your Certify password.
 
#2 - If your existing Certify-LDAP integration stops working after upgrading to Certify 9.0.2, please see below:
 
Please change to the correct BaseDN for the configuration.
Option: While in the LDAP configuration screen, also update the filter expression from the default value of (|(uid=={0}*)(sAMAccountName={0}*)) to (&(objectCategory=person)(objectClass=user)(sAMAccountName={0}*)). The first expression is a generic search expression that supports both Active Directory and non-Active Directory LDAP stores. If you are using Active Directory, you can use the second expression. Adding additional parameters in the filter will speed up the query and return an authentication result faster, especially when searching across multiple sub-domains.
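
What the two filter expressions select, shown as an added example (not Worksoft code): a small stand-alone filter evaluator run over constructed directory entries. It assumes {0} is replaced with the entered username and models objectCategory by its short name, which Active Directory accepts in filters; the helper names and the entries are hypothetical.

```python
import re

# Filter expressions exactly as quoted on this page; {0} is the username slot.
GENERIC = "(|(uid=={0}*)(sAMAccountName={0}*))"
AD_ONLY = "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}*))"

def render(template, username):
    """Fill {0} with the username, escaping filter metacharacters (RFC 4515)."""
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return template.replace("{0}", "".join(esc.get(c, c) for c in username))

def parse(f, i=0):
    """Parse the filter that starts at f[i]; return (node, index after it)."""
    if f[i + 1] in "&|":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # step over the closing ")"
    end = f.index(")", i)
    attr, _, pattern = f[i + 1:end].partition("=")
    return ("=", attr.lower(), pattern), end + 1

def unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> values)."""
    if node[0] in "&|":
        test = all if node[0] == "&" else any
        return test(matches(k, entry) for k in node[1])
    # Every unescaped "*" is a wildcard; the rest is compared case-insensitively.
    rx = ".*".join(re.escape(unescape(p)) for p in node[2].split("*"))
    return any(re.fullmatch(rx, v, re.I) for v in entry.get(node[1], []))

# Constructed entries (not real data). AD computer accounts also carry
# objectClass=user, so only objectCategory tells them apart from people.
USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"samaccountname": ["jdoe"], "objectclass": USER, "objectcategory": ["person"]},
    {"samaccountname": ["jdoe2"], "objectclass": USER, "objectcategory": ["person"]},
    {"samaccountname": ["JDOE-PC$"], "objectclass": USER + ["computer"], "objectcategory": ["computer"]},
    {"samaccountname": ["jdoe(temp)"], "objectclass": USER, "objectcategory": ["person"]},
]

def search(template, username):
    """Return the sAMAccountName of every constructed entry the filter selects."""
    tree, _ = parse(render(template, username))
    return [e["samaccountname"][0] for e in ENTRIES if matches(tree, e)]
```

Because of the trailing *, both expressions are prefix matches: searching for jdoe also selects jdoe2, and only the second expression leaves out the JDOE-PC$ computer account.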