Using LDAP SSO authentication with AMP

AMP supports authenticating users via LDAP to provide centralised authentication either across different AMP systems or other applications. This also allows you to authenticate against any LDAP compatible domain controller such as Active Directory.

LDAP authentication in AMP requires an Advanced Edition or higher-tier licence.

AMP uses group membership within the directory to determine which AMP roles a user belongs to. AMP allows you to specify a prefix for groups to allow you to separate AMP groups from anything else on your network. E.g. A user in the “AMP_Users” group with the prefix being “AMP_” would match up with a role in AMP called “Users”.

Setting up for the first time

Creating a role

Before you start, you need to sign into AMP normally - and create a new role for AMP administrators. Having done this you must then shut down AMP to alter its configuration.

Editing the configuration

Edit the following settings in your AMPConfig.conf - ignoring anything after the // as these are comments.

Login.UseLDAPLogins=True                           //Enables LDAP authentication as the preferred provider.
Login.UseLDAP3=True                                //Use the newer LDAP implementation. More flexible and supports more LDAP servers.
Login.LDAP3Host=localhost                          //The hostname/IP of the LDAP server. A hostname is required when using SSL.
Login.LDAP3FilterDN=CN=Users,DC=example,DC=org     //The search filter user to find users.                 //The DN of the user used by AMP to perform queries. Needs permission to query other users.
Login.LDAPGroupPrefix=AMP_                         //The group name prefix to identify memberOf groups that are to be mapped to AMP roles.
Login.LDAPQueryPassword=correcthorsebatterystaple  //The password of the user that will be performing LDAP lookups. This will be stored encrypted.
Login.LDAPStripDomainFromFilter=False              //If enabled, then logging in with simply "User@Domain" will be changed to be just "User"

The following settings still exist but are for the previous LDAP implementation:

Login.LDAPADPre2000=False                          //When enabled, uses \ instead of @ to separate the user and domain and uses the opposing order. E.g. "" becomes "\User"
Login.LDAPQueryUsername=Username                   //The username that queries will be performed as.                   //The server to authenticate against. Requires that the hostname of the server and the query DN match, and that the DNS server has appropriate records to identify the server.

Creating your directory user and groups

If in AMP we’ve named our new role created above “Admins” with a prefix of “AMP_” then in our directory server we should create a group called “AMP_Admins” and assign any users to it. This follows for any other roles that you wish to be able to use within AMP.

Implementation Notes

  • When using LDAP, Usernames are case-insensitive. Normally AMP logins are case-sensitive. AMP will query the correct casing of the supplied username from the LDAP server and use it internally.
  • When a user logs in via LDAP for the first time, AMP will internally create a matching user (it does not store their password) to match against the directory user. This allows AMP to store user information such as their email address, and any authentication tokens to allow the ‘Remember Me’ functionality to work.
  • Deleting the LDAP user in AMP wipes this information - but the user will be re-created if the user logs in again. When deleting users you should first remove them from your directory server before removing them from AMP.