Centralized authentication is extremely important in today’s IT environments. This is generally provided by LDAP-enabled directories like Microsoft Active Directory Domain Services (ADDS). Often, companies maintain very complex LDAP infrastructures that may include different domains and subdomains. This can be due to any number of reasons. When it comes to using multiple LDAP directories to provide authentication services and permissions to your thin client environment, this can present a challenge.
Beginning with version 7.9.1, Praim ThinMan can integrate multiple LDAP directories, giving more options and configuration flexibility for centralized authentication in thin client environments. Let’s take a look at ThinMan integration of multiple LDAP directories, why it is needed, and how it is implemented in Praim ThinMan.
Why multiple LDAP directories may be needed
One of the most important aspects of any environment is the identity configuration. Most security policies and permissions are based on some type of centralized identity source. For the majority of enterprise environments today, identity management is serviced by a Lightweight Directory Access Protocol (LDAP) directory such as Microsoft’s Active Directory Domain Services. LDAP provides general authentication services for clients accessing resources, and thin client environments are no exception.
Due to any number of reasons, businesses may need the flexibility to target more than one LDAP directory source for permissions or authentication services. This can be due to the following:
- The organization is very large with multiple business units and geographic regions necessitating the use of multiple domain environments.
- There may have been a recent merger or acquisition of businesses that requires the coexistence at least for a time of multiple domains with user accounts and other resources.
- Other situations like corporate takeovers, absorption, and other restructuring.
- One business may perform the management and administration of infrastructure and serve as the “resource forest” for another domain or multiple domains.
Organizations running multiple LDAP directories for one reason or another often need the ability to make use of all directories for assigning permissions or perhaps a subset of various directories for authentication services depending on how their business is structured.
As mentioned earlier, providing authentication to various resources in thin client environments generally depends on being able to target LDAP directory services. For businesses running multiple directories across their business landscape, a solution that can connect to only one LDAP directory is limiting and creates additional challenges.
A great new feature in Praim ThinMan is the ability to integrate multiple LDAP directories. This provides the flexibility needed in today’s often very complex multi-domain configurations. Let’s take a closer look at Praim ThinMan integration of multiple LDAP directories, its features, and how it works.
Praim ThinMan Integration of Multiple LDAP Directories
Praim ThinMan allows your business to make use of multiple LDAP directories which effectively gives you the flexibility needed in any number of business organizational landscapes. Multiple directories and multiple domains are now possible with Praim ThinMan.
The new feature is available from ThinMan versions 7.9.1 and higher. Additionally, ThinMan Advanced (versions 8.X) also adds to the tremendous value of the ADMIN+ and USER+ Feature Packs and improves upon the included features.
Where is it possible in ThinMan to take advantage of multiple LDAP integration?
- Device Policy and User Policy – When ThinMan Login and Smart Identity are used in conjunction with specific policies, these are applied at the device or user level. Now, when choosing which users and groups a policy applies to, you can specify which LDAP directory/domain the user resides in.
- ThinMan management – You can choose which users and groups are members of the various roles in the access control list for ThinMan management. Now, you can choose users and groups from different domains.
Configure ThinMan Server Multiple LDAP Integration
How is the new ThinMan Server multiple LDAP integration configured? Configuration of multiple LDAP directories can be completed in just a few clicks. Under General Options Settings > LDAP Servers, you can define the LDAP servers used by the Profile manager, ThinMan Login, and Smart Identity services.
As you can see below, you have the ability to define the “list” of LDAP servers and directories that will be used for authentication purposes. A domain can be added without being Enabled; the Enabled flag must be set for that domain to be used for authentication.
Configuring Praim ThinMan multiple LDAP server configuration
Multiple LDAP Configuration in Policy Properties
With Applications and Device Policy there is a new section included in the Settings tab under the heading Authentication Service. This allows configuring which LDAP domain services are used for authentication purposes. This is available when ThinMan Login and/or Smart Identity functionality is in use.
When multiple domains are selected, the user is presented with a drop-down box to select which domain to authenticate against.
Choosing domains in ThinMan policy settings
You can also define which users are enabled for ThinMan Login and Smart Identity. This can be defined at the individual user level or by way of groups. If no filter is in place, the services are enabled for all domain users. Additionally, as you see in the screenshot below, you can filter users from multiple domains in the same User Filter dialog box.
Filter ThinMan Login and Smart Identity based on user or group
Performance Enhanced Multiple LDAP Configuration
For organizations with extremely large LDAP environments containing tens of thousands of objects (users, devices, etc.), performance matters when querying LDAP and returning security permissions. The textual search in ThinMan multiple LDAP integration has been tuned for performance by reducing the number of objects that are rendered.
If a query returns more than 1000 objects, the user is directed to use the text search field to narrow the query further. In this way, LDAP query performance is preserved while the relevant objects are still returned.
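The configuration behaviour described in the previous sections (a list of directories of which only the Enabled ones may serve authentication, per-domain user/group filters that default to “all domain users” when empty, and a 1000-object rendering threshold that pushes the administrator to narrow the text search) can be modelled in a few functions. The following is an added illustrative example, not ThinMan’s own code: the directory list, the domain names and the in-memory result set are constructed sample data, and the stand-in for the LDAP query is a plain list. It also adds RFC 4515 escaping of the text-search value before it is placed into an LDAP filter, so that search input cannot change the filter’s structure.

```python
"""Model of multi-directory authentication routing (illustrative, not ThinMan code)."""
from dataclasses import dataclass, field

# Threshold from the article: above this many objects, ask for a narrower text search.
RENDER_LIMIT = 1000


@dataclass
class Directory:
    domain: str
    server: str
    enabled: bool = False                      # an added domain is not usable until Enabled
    allowed_users: set = field(default_factory=set)   # empty sets = all domain users allowed
    allowed_groups: set = field(default_factory=set)


# Constructed sample configuration: one enabled production domain, one not-yet-enabled domain.
DIRECTORIES = [
    Directory("corp.example", "ldap://dc1.corp.example", enabled=True,
              allowed_groups={"ThinClientUsers"}),
    Directory("acq.example", "ldap://dc1.acq.example", enabled=False),
]


def enabled_domains(directories):
    """Domains offered in the login drop-down: only those flagged Enabled."""
    return [d.domain for d in directories if d.enabled]


def select_directory(directories, chosen_domain):
    """Resolve the domain a user picked; a configured-but-disabled domain is rejected."""
    for d in directories:
        if d.domain.lower() == chosen_domain.lower() and d.enabled:
            return d
    return None


def user_permitted(directory, username, user_groups):
    """Apply the per-domain User Filter: no filter means every domain user is enabled."""
    if not directory.allowed_users and not directory.allowed_groups:
        return True
    if username in directory.allowed_users:
        return True
    return bool(directory.allowed_groups & set(user_groups))


def escape_ldap_filter(value):
    """RFC 4515 escaping of a filter assertion value (backslash, parentheses, star, NUL)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(search_text):
    """Build a substring filter for the text-search box; user input is escaped, not trusted."""
    return "(&(objectClass=user)(sAMAccountName=*%s*))" % escape_ldap_filter(search_text)


def render_search(results, search_text):
    """Apply the rendering rule: over RENDER_LIMIT matches, render nothing and ask for a filter."""
    if search_text:
        needle = search_text.lower()
        results = [r for r in results if needle in r.lower()]
    if len(results) > RENDER_LIMIT:
        return {"rendered": [], "needs_filter": True, "total": len(results)}
    return {"rendered": results, "needs_filter": False, "total": len(results)}


if __name__ == "__main__":
    print("login drop-down offers:", enabled_domains(DIRECTORIES))
    print("filter for 'j*':", build_user_filter("j*"))
    # Constructed stand-in for a large directory: 1500 user objects.
    big = ["user%04d" % i for i in range(1500)]
    print("unfiltered:", render_search(big, "")["needs_filter"])
    print("filtered 'user14':", render_search(big, "user14")["total"], "objects")
```

The two points worth carrying into any real deployment are visible in `select_directory` and `escape_ldap_filter`: a domain that is present in the list but not Enabled must never be accepted from the login drop-down, and whatever the administrator types into the text search must be escaped before it becomes part of an LDAP filter.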
Working with multiple domains can present challenges with solutions that only allow integration with one identity source. Praim ThinMan allows specifying multiple LDAP integrations so you are able to authenticate users from multiple LDAP identity sources.
Using the multiple LDAP integration with ThinMan, you can effectively authenticate users and groups with ThinMan Login, Smart Identity, and User policies. These can be mixed and matched, and users/groups can be filtered by domain to restrict authentication to only those users/groups you want.