Using LDAP
This chapter covers the following topics:
Overview of Using LDAP with Caché
Caché provides support for authentication and authorization using LDAP, the Lightweight Directory Access Protocol. LDAP systems have a central repository of user information, from which Caché retrieves information. For example, on Windows, a domain controller using Active Directory is an LDAP server.
Caché supports using LDAP for both authentication and authorization; it also supports using LDAP authorization with OS-based authentication for the local Caché terminal.
Caché includes several forms of support for LDAP:
-
Support for combined LDAP authentication and authorization. With LDAP authentication, Caché users are prompted for a username and password; the instance is associated with an LDAP server, which performs authentication and retrieves the user’s roles and other authorization information.
-
Support for OS-based authentication for the Caché Terminal that then uses LDAP for authorization. (Access to the Terminal is managed by %Service_Console on Windows and %Service_Terminal on all other operating systems.)
-
Support for LDAP cached credentials.
Caché can also provide authentication and authorization for multiple LDAP domains simultaneously.
To configure an InterSystems service or application to use an existing LDAP server for authentication and authorization:
-
Configure Caché to use the LDAP server:
-
Enable LDAP and related features for the instance.
-
Create an LDAP configuration for the instance. This includes specifying the names of LDAP user properties to be used for setting the values of properties of Caché users.
-
Optionally, configure the instance to support multiple LDAP domains.
-
Set up a role that is required for logging into the instance.
-
Enable LDAP for the instance’s relevant services and applications. This involves enabling LDAP for the entire instance of Caché and then enabling it for the relevant services or applications.
-
-
For LDAP authorization:
-
Design the groups for LDAP authorization on Caché instances
-
Configure the LDAP server to use those groups
-
Caché supports Active Directory and OpenLDAP for LDAP authentication and authorization. This support is for LDAP version 3 protocols; earlier LDAP protocols are not supported.
Configuring LDAP Authentication for Caché
This section describes the following tasks:
Enabling LDAP for a Caché Instance
The first step in configuring an instance of Caché to use LDAP is to enable the features you wish to use:
-
From the Management Portal home page, go to the Authentication/CSP Session Options page (System Administration > Security > System Security > Authentication/CSP Session Options).
-
On the Authentication/CSP Session Options page:
-
To enable LDAP authentication, select Allow LDAP authentication.
-
To enable authentication using LDAP cached credentials, select Allow LDAP cache credentials authentication. For more information on this topic, see the section “About LDAP Cached Credentials.”
-
-
Click Save to apply the changes.
Enabling LDAP for Services and Applications
After enabling LDAP authentication for the instance, enable it for the instance’s relevant services or applications:
-
Because LDAP authentication is enabled for the instance, an LDAP check box appears on the Edit Service page for the services that support LDAP authentication and the Edit Web Application page for web applications.
-
Enable LDAP authentication for services and applications as appropriate.
The following services support LDAP authentication:
-
%Service_Bindings
-
%Service_CallIn
-
%Service_ComPort
-
%Service_Console
-
%Service_CSP
-
%Service_Login
-
%Service_Terminal
-
%Service_Telnet
These fall into several categories of access modes:
-
%Service_CallIn, %Service_ComPort, %Service_Console, %Service_Login, %Service_Terminal, %Service_Telnet
To use LDAP authentication with local connections, enable it for the service.
-
%Service_Bindings
To use LDAP authentication with client/server connections, enable it for the service.
-
%Service_CSP
To use LDAP authentication with web connections, enable it for the web application. Enabling it for the service also allows the Web Gateway itself to authenticate using LDAP authentication.
Creating or Modifying an LDAP Configuration in Caché
To perform LDAP authentication, Caché uses an LDAP configuration. An LDAP configuration specifies a connection to an LDAP server for a particular security domain and has information required to:
-
Connect to and query the LDAP server
-
Retrieve the required information about the user being authenticated
If Kerberos is enabled for an instance, all menu items and other labels for LDAP configurations refer to LDAP/Kerberos configurations. The following procedure does not note this in each individual situation.
To create or modify an LDAP configuration:
-
Go to the Management Portal Security LDAP Configurations page (System Administration > Security > System Security > LDAP Configurations).
During installation, Caché creates an LDAP configuration based on the server’s domain and other configuration information.
-
Create or modify a configuration:
-
To modify an existing configuration, click its name. For example, if you are using the configuration associated with the local LDAP server, then you may simply wish to check this configuration’s attributes and modify any as needed.
-
To create a configuration, click the Create New LDAP Configuration button. This displays the Edit LDAP configuration page.
Note:When creating a configuration, on the Edit LDAP configuration page, select the LDAP configuration check box if it is available. This displays the fields that define the LDAP configuration.
-
-
Modify or complete the fields to define the configuration (listed below).
-
If you create multiple configurations, you must specify which one is the default on the System-wide Security Parameters page (Security Administration > Security > System Security > System-wide Security Parameters), using the Default security domain drop-down.
LDAP Configuration Fields
An LDAP configuration includes the following fields:
-
Login Domain Name — Required. The name of the LDAP configuration. This is typically in the form of example.com or example.org.
If you enter a value that does not include a period, the system appends .com to it, so that example becomes example.com. If you enter a value in uppercase, the system puts in lowercase, so that EXAMPLE.COM becomes example.com. The system performs both transformations, if appropriate.
The system uses the transformed value of the Name field to populate the LDAP Base DN to use for searches field.
-
Description — Any text to describe the configuration.
-
Copy from — Available only when creating a configuration. Whether or not Caché copies attributes from an existing LDAP configuration to specify initial values for this one.
-
LDAP Enabled — Whether or not Caché can use the configuration to connect to an LDAP server.
-
LDAP server is a Windows Active Directory server — Windows only. Whether or not the LDAP server is a Windows Active Directory server.
-
LDAP host names — Required. The name(s) of the host(s) on which the LDAP server is running. The complexity of each host name can range from an unqualified host name to fully-qualified host name with a port number; the required form of the host name(s) depends on the particular configuration. This field is populated with a value based on the IP address of the DNS name of the current LDAP server.
To specify multiple host names, separate the names by spaces. If the LDAP server is configured to use a particular port, you can specify it by appending “:portname” to the host name; typical usage is not to specify a port and to let the LDAP functions use the default port, such as:
ldapserver.example.com ldapserver.example.com ldapbackup.example.com
-
LDAP search information — varies by circumstances:
-
LDAP username to use for searches — For Windows Active Directory servers only. Required if available. The user name provided to the LDAP server to establish an initial connection and which is used to perform LDAP searches and lookups. This user is also known as the search user.
The search user must have permission to read the entire LDAP database. It is important to ensure that the search user has uninterrupted access to the LDAP database. For example, the user’s LDAP account should be set so that:
-
The user cannot change the account’s password
-
The password never expires
-
The account never expires
For more information on searching the LDAP database, see the section “Searching the LDAP Database.”
-
-
LDAP search user DN — For all non-Windows platforms and Windows non-Active Directory servers. Required if available. The Distinguished Name (DN) of the user provided to the LDAP server to establish an initial connection and which is used to perform LDAP searches and lookups. This user is also known as the search user.
The search user must have permission to read the entire LDAP database. It is also important to ensure that the search user has uninterrupted access to the LDAP database. For example, the user’s LDAP account should be set so that:
-
The user cannot change the account’s password
-
The password never expires
-
The account never expires
For example, if the search user is “ldapsearchuser”, the LDAP DN (distinguished name) might be as follows:
uid=ldapsearchuser,ou=People,dc=example,dc=com
For more information on searching the LDAP database, see the section “Searching the LDAP Database.”
-
-
-
LDAP username password — Available only when creating or modifying a configuration. The password associated with the account used for the initial connection.
-
LDAP Base DN to use for searches — Required. The point in the directory tree from which searches begin. This typically consists of domain components, such as DC=example,DC=com.
-
LDAP Unique search attribute — Required. A unique identifying element of each record, which therefore makes it appropriate for searches. For more information on searching the LDAP database, see the section “How Caché Uses the LDAP Database.”
-
Use TLS/SSL encryption for LDAP sessions — Whether or not the Caché instance and the LDAP server encrypt their communications using TLS/SSL (disabled by default).
-
TLS/SSL certificate file — UNIX® only. Specifies the location of the file containing any TLS/SSL certificates (in PEM format) being used to authenticate the server.
On Windows, to specify the location of a file containing any TLS/SSL certificates (in PEM format) being used to authenticate the server certificate to establish a secure LDAP connection, use Microsoft Certificate ServicesOpens in a new tab. Certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities certificate store.
-
Allow ISC_LDAP_CONFIGURATION environment variable — If you are using OS-based LDAP and multiple domains, specifies whether or not to use the ISC_LDAP_CONFIGURATION environment variable. If the environment variable is defined, then OS-based LDAP uses it to determine which LDAP configuration to use for authentication.
-
Use LDAP Groups for Roles/Routine/Namespace — Whether or not the user’s roles, routine, and namespace come from the user’s group memberships (true by default); if not, then they come from the attribute fields of the user’s LDAP record. If you select this field, the system enables and disables other fields (see each subsequent field for details).
Note:InterSystems recommends the use of LDAP groups for authorization, rather than LDAP attributes (including InterSystems registered LDAP properties). If you have existing code or are otherwise required to use registered properties, see the “Configuring the LDAP Server to Use Registered LDAP Properties” section for details.
-
Search nested Groups for Roles/Routine/Namespace — Only active if LDAP server is a Windows Active Directory server and Use LDAP Groups for Roles/Routine/Namespace are selected. Whether or not search returns all of a user’s nested groups. See the “Using Nested Groups” section for more information on nested groups.
-
Allow Universal group Authorization — Only active if Use LDAP Groups for Roles/Routine/Namespace is selected. Whether or not searches use the attributes on the LDAP server that are relevant for all Caché instances. See “Creating Universal LDAP Authorization Groups” for more information.
-
Authorization Group ID — Only active if Use LDAP Groups for Roles/Routine/Namespace is selected. Whether or not the multiple-instance group to which this instance belongs. See “Creating LDAP Authorization Groups for Multiple Instances (Multiple-Instance Groups)” for more information.
-
Authorization Instance ID — Only active if Use LDAP Groups for Roles/Routine/Namespace is selected. Whether or not the single-instance group to which this instance belongs. See “Creating LDAP Authorization Groups for a Single Instance (Single-Instance Groups)” for more information.
-
User attribute to retrieve default namespace (not active if LDAP groups are selected) — The attribute whose value is the source for the Startup namespace property for a user. This property of a Caché user is described in the section Properties of Users, in the “Users” chapter; this LDAP property is described in the section “Registered LDAP Properties.”
-
User attribute to retrieve default routine (not active if LDAP groups are selected) — The attribute whose value is the source for the Tag^Routine property for a user. This property of a Caché user is described in the section Properties of Users, in the “Users” chapter; this LDAP property is described in the section “Registered LDAP Properties.”
-
User attribute to retrieve roles (not active if LDAP groups are selected) — The attribute whose value determines the roles to which a user is assigned. When creating this attribute, it must be specified as an LDAP multivalued attribute. For information about a Caché user’s roles, see the Roles tab of a user’s Edit User page; this LDAP property is described in the section “Registered LDAP Properties.”
-
User attribute to retrieve comment attribute — The attribute whose value is the source for the Comment property for a user. This property is described in the section Properties of Users, in the “Users” chapter. Once a user has logged in, you can retrieve the value of this property using the Security.Users.Get() method.
-
User attribute to retrieve full name from — The attribute whose value is the source for the Full name property for a user. This property is described in the section Properties of Users, in the “Users” chapter. Once a user has logged in, you can retrieve the value of this property using the Security.Users.Get() method.
-
User attribute to retrieve mail address — The attribute whose value is the source for the Email address property for a user. This property is described in the section Properties of Users, in the “Users” chapter. Once a user has logged in, you can retrieve the value of this property using the Security.Users.Get() method.
-
User attribute to retrieve mobile phone — The attribute whose value is the source for the Mobile Phone Number property for a user. This property is described in the section Properties of Users, in the “Users” chapter. Once a user has logged in, you can retrieve the value of this property using the Security.Users.Get() method.
-
User attribute to retrieve mobile provider from — The attribute whose value is the source for the Mobile Phone Service Provider property for a user. This property is described in the section Properties of Users, in the “Users” chapter. Once a user has logged in, you can retrieve the value of this property using the Security.Users.Get() method.
-
LDAP attributes to retrieve for each user — Any attributes whose values are the source for any application-specific properties. Once a user has logged in, you can retrieve the value of these properties using the Security.Users.Get() method.
The values of the fields of an LDAP configuration are stored in an instance of the Security.LDAPConfigsOpens in a new tab class.
Note on LDAP/Kerberos Configuration Fields
If Kerberos authentication is enabled for an instance, then the page for creating an LDAP configuration is Edit LDAP/Kerberos configurations page. It has the same fields as the Edit LDAP configurations page, as described in the “LDAP Configuration Fields” section.
Using Multiple Domains with LDAP
When using LDAP with Caché, you have the option of supporting authentication with multiple domains. This allows the instance to have user accounts that include the same username from more than one domain, such as EndUser@example.com and EndUser@otherexample.com. This feature can be useful in multiple scenarios. For example:
-
It allows merging distinct sets of users from multiple domains into one larger group while preserving unique identifiers for each user.
-
It allows the same individual to have accounts on multiple domains with varying privileges for each.
To use multiple domains:
-
Create additional LDAP configurations according to the instructions in the previous section, “Creating or Modifying an LDAP Configuration in Caché.”
-
Configure the instance to use multiple domains and then specify a default domain:
-
Enable the use of multiple domains for the instance. In the Management Portal, on the System-wide Security Parameters page (System Administration > Security > System Security > System-wide Security Parameters), select the Allow multiple security domains check box.
-
Specify a default domain. In the Management Portal, on the System-wide Security Parameters page (System Administration > Security > System Security > System-wide Security Parameters), select a default domain using the Default security domain drop-down.
-
Click Save.
For more information about this page, see the “System-wide Security Parameters” section of the “System Management and Security” chapter.
-
Even if you are using multiple domains, the name for each user must be unique, even if they are of different types. Hence, if you create a user such as EndUser@example.com that is a Password user, you cannot then log in to Caché through LDAP as the user EndUser@example.com, as Caché cannot create the account for EndUser@example.com as an LDAP user.
Other LDAP Topics
This section covers the following topics:
-
Checking and Removing Local Accounts Based on LDAP Account Conditions
-
Debugging When Using the LDAP APIs with Certificates on UNIX®
Viewing LDAP Configurations in the Portal as %Operator
If you are logged in to the Management Portal as a user who has the %Operator role or the %Admin_Operate:Use privilege, you can view (but not edit) the instance’s LDAP configurations:
-
In the Portal, go to the LDAP Configurations page (System Operation > LDAP Configurations).
-
On that page, click on the name of the configuration you wish to view, which displays the Display LDAP Configuration for that configuration.
To edit an LDAP configuration, go to the Security LDAP Configurations page (System Administration > Security > System Security > LDAP Configurations); you must have the %Admin_Secure:Use privilege.
About the Security LDAP Configurations Page
The Portal’s Security LDAP Configurations page (System Operation > LDAP Configurations) displays a list of the instance’s LDAP configurations. Click the name of a configuration to view its properties. If Kerberos authentication is enabled for the instance, this is called the Security LDAP/Kerberos configurations page (System Operation > LDAP/Kerberos configurations).
About LDAP Cached Credentials
An instance can use LDAP cached credentials to store (cache) a copy of the credentials that it most recently used to authenticate each user. If the use of cached credentials is enabled (by selecting the Allow LDAP cache credentials authentication field) and the instance is unable to connect to the LDAP server, then the instance uses the cached LDAP credentials to authenticate the user. This can be useful if the instance cannot contact the LDAP server, either because of an issue with the LDAP server itself or with the connection to the server.
To secure cached credentials, Caché stores all LDAP passwords in the security database as a one-way hash. If the instance cannot use the LDAP server to validate the user, it then attempts to confirm that:
-
The hash of the entered password matches the hash of the stored password
-
The cached expiration date from the last LDAP login has not been reached
If both conditions are true, the user is authenticated and login proceeds; otherwise, login fails.
Testing LDAP Configuration
Once you have created an LDAP configuration, you can test it. This allows you to confirm that it properly connects to the LDAP server or troubleshoot any issues that arise. To test a configuration:
-
In the Management Portal, go to the Security LDAP Configurations page (System Administration > Security > System Security > LDAP Configurations).
-
Click Test LDAP Authentication.
-
In the Username and Password fields, enter a valid username and password defined on the LDAP server. If the instance is configured to use multiple domains, you must provide a fully qualified username, such as EndUser@example.com; if the instance is using only a single domain, simply enter the unqualified username (without the @ symbol or the domain name), such as EndUser.
-
Click Test.
The Test Results field displays output from the LDAP server.
This feature only tests if an instance can connect to an LDAP server and perform authentication checks for the entered user. It does not perform any authorization or permission checks to determine if the user can successfully log in to the system.
If the test succeeds for the entered user, but the user cannot log in, then check the audit record for the login failure. To ensure successful login, you may need to give additional permissions to the user.
The State of an Instance after User Authentication
Any user who is initially authenticated using LDAP authentication is listed in the table of users on the Users page (System Administration > Security > Users) as having a Type of “LDAP user”. If a system administrator has explicitly created a user through the Management Portal (or using any other native Caché facility), that user has a type of “Password user”. If a user attempts to log in using LDAP authentication and is successfully authenticated, Caché determines that this user already exists as a Password user — not an LDAP user — and so login fails.
Configuring LDAP Authorization with Operating-System–Based Authentication (Operating System LDAP Authorization)
This section includes the following topics:
-
Enabling OS/LDAP for the %Service_Console and %Service_Terminal services
-
Configuring OS/LDAP with Multiple Domains for Simplified Prompting
About Operating System LDAP Authentication
Caché allows you to configure your system to support operating-system–based authentication, and then to perform authorization via LDAP. This is known as Operating System LDAP authorization or OS/LDAP. It allows a user to authenticate to Caché using credentials from the operating-system login and then to have their authorization information retrieved from an LDAP server. Operating system LDAP authorization is available in the Console on Windows and in the Terminal and on UNIX®, Linux, and macOS.
To configure OS/LDAP:
-
Enable OS-based authentication with LDAP authorization for a Caché instance.
-
As with standard LDAP authentication, set up a role that is required in order to be able to log in to the instance.
-
Enable OS/LDAP for the %Service_Console and %Service_Terminal services.
-
Configure authorization. This occurs in the same manner as that which accompanies LDAP authentication, as described in the section “Configuring LDAP Authorization for Caché.”
-
If you are using multiple domains, optionally configure OS/LDAP for simplified prompting.
Enabling OS/LDAP for a Caché Instance
To use OS/LDAP, first enable it for the instance:
-
From the Management Portal home page, go to the Authentication/CSP Session Options page (System Administration > Security > System Security > Authentication/CSP Session Options).
-
On the Authentication/CSP Session Options page, select Allow Operating Systems LDAP authentication.
-
Click Save to apply the changes.
Enabling OS/LDAP for the %Service_Console and %Service_Terminal Services
To enable OS/LDAP for the instance’s relevant services or applications:
-
With LDAP authentication enabled for the instance, an Operating System LDAP Authorization check box appears on the Edit Service page for %Service_Console and %Service_Terminal, which are the services that support OS/LDAP.
-
Enable LDAP authentication for those services, as appropriate.
OS/LDAP with a Single Domain and Multiple Domains
OS/LDAP supports the use of a single domain or multiple domains.
When Caché is configured to support only a single domain:
-
The system prompts the user for a username and password for the first login.
-
For subsequent logins, there is no prompt because the operating system has already authenticated the user.
When Caché is configured to support multiple domains:
-
The system prompts the user for a username and password for the first login.
-
For subsequent logins, the operating system prompts for a username and password by default. You can configure Caché to prevent this prompting; see the next section.
Configuring OS/LDAP with Multiple Domains for Simplified Prompting
If you are using OS/LDAP and multiple domains, you can configure the instance for simplified prompting. By default, users are prompted for a username and password at every login. You can configure Caché so that there is only a username/password prompt when a user first logs in, and that subsequent connections are authenticated without prompting.
To configure Caché for this behavior:
-
For each user, create the environment variable ISC_LDAP_CONFIGURATION with a value of the domain in which the user is authenticating.
-
For each domain in which users are authenticating:
-
Ensure that there is an LDAP configuration or create one.
-
For that LDAP configuration, select the Allow ISC_LDAP_CONFIGURATION environment variable check box, which enables use of the environment variable.
-
Using LDAP with Delegated Authentication or Other Mechanisms
You can also use LDAP as part of a custom authentication system (that is, with the Caché delegated authentication feature). To do this, use calls to the %SYS.LDAPOpens in a new tab class as part of the custom authentication code in the ZAUTHENTICATE routine.
InterSystems provides a sample routine, LDAP.mac, that demonstrates these calls. This routine is part of the Samples-Security sample on GitHub (https://github.com/intersystems/Samples-SecurityOpens in a new tab).
Also, if you need to authenticate to LDAP or use instance authentication after collecting credentials through another mechanism, call $SYSTEM.Security.Login with those credentials to authenticate the user.
For more details about delegated authentication and the ZAUTHENTICATE routine, see the “Delegated Authentication” chapter.
Securing Outbound LDAP Connections
While this chapter primarily concerns using LDAP for authentication and authorization when connecting to Caché, you may also wish to establish an outbound connection from Caché to an LDAP server. To secure an outbound connection to an LDAP server, Caché includes support for TLS/SSL. For more information on this topic, see the class documentation for %SYS.LDAPOpens in a new tab, in the content for the InitOpens in a new tab method.
Checking and Removing Local Accounts Based on LDAP Account Conditions
Caché performs checks on local user accounts and removes them under various conditions.
User-level checks – Caché performs checks on local user accounts and removes them when:
-
The LDAP account no longer exists.
-
The LDAP account is disabled.
-
On Active Directory (AD) only, the LDAP account is expired.
-
The LDAP account has the flag set to require a password change.
Important:When OS-based authentication with LDAP authorization is enabled, then the user’s account is not removed at login; however, if the account is on Active Directory and LDAP cached credentials are enabled, then the SecurityScan task does remove it.
Domain-level checks – Caché performs checks on LDAP domains and removes local user accounts in those domains when:
-
The LDAP configuration for the domain is disabled.
-
The default security domain for the instance is changed from one domain to another:
-
If multiple security domains are not enabled, Caché removes all user accounts in the old default domain.
-
If multiple security domains are enabled, Caché removes accounts in the old default domain with usernames that match accounts in the new default domain. (For accounts in the old default domain that do not have matching accounts in the new default domain, Caché creates accounts with these usernames in the new default domain.)
-
Caché checks for these conditions and removes accounts under the following circumstances:
-
When a user attempts to log into a Caché instance, the instance checks all the conditions associated with individual user accounts. It does not perform any checks at the domain level.
-
As a result of the SecurityScan task. Caché comes with this task.
Important:On Active Directory, the task checks if the account has the flag set to require a password change only if LDAP cached credentials are enabled.
Debugging When Using the LDAP APIs with Certificates on UNIX®
If you are using the Caché LDAP APIs with certificates on UNIX® and need detailed debugging information, you may wish to use the ldapsearch program that is part of the OpenLDAPOpens in a new tab package. Once you have corrected any problems with certificates, you can use the test configuration tool to verify that the connection is functioning. The ldapsearch program may also be useful for debugging other LDAP connection problems.
How Various LDAP Actions Occur
This section describes what occurs during certain processes associated with LDAP authentication and authorization:
How LDAP Performs Authentication and Authorization
When a user attempts to authenticate to an instance of Caché that uses LDAP authentication, the process is:
-
The user is prompted for a user name and password. This user, who is trying to authenticate, is known as the target user.
-
Caché establishes a connection to the LDAP server using the values specified for the LDAP username to use for searches and LDAP username password. This user, who has privileges to search the LDAP database so that Caché can retrieve information, is known as the search user.
-
Once the connection is established, the next step is to look up the target user in the LDAP database using the LDAP Unique search attribute.
-
If the target user is found in the LDAP database, it retrieves the attributes associated with the user, such as the user’s roles, namespace, and routine.
-
Caché then attempts to authenticate the user to the LDAP database, using the user name and password provided in step 1.
-
If authentication succeeds, authorization occurs on the LDAP server (either via group assignment or attributes. The user can then interact with Caché based on the privileges associated with their roles and any publicly available resources. The user’s properties are displayed read-only in the Management Portal and are not editable from within Caché.
How LDAP Looks Up the Target User in Its Database
Once Caché has established a connection to the LDAP server as the search user, it next retrieves information about the target user. To do this, Caché checks the username provided at login against values in the LDAP database for the LDAP Unique search attribute. The name of this attribute is often “sAMAcccountName” for an Active Directory LDAP server and “uid” for an OpenLDAP server.
Once Caché has located the user, it retrieves attribute information. It retrieves information about every named attribute in the Caché LDAP configuration fields (described in “Specifying Configuration Information for LDAP in Caché”), and it retrieves all values associated with each attribute. Note that Caché retrieves all values associated with all attributes specified for the user in the Caché LDAP configuration fields; it is not possible to configure it to retrieve only a subset of these.