Which parameters do I need to toggle my Dekho into LDAP/NTLM authentication?

Further to our blog post on setting up authentication in Dekho (link), we have found that customers sometimes struggle to identify the correct parameters required.
Before attempting to toggle your Dekho into LDAP or NTLM, you will need to get some information from your IT department.

What do you need to ask your IT team?

1. The LDAP URL, which is something like ldap://{ServerLdap}:389
2. The name of the Active Directory database (usually a host name or an IP address)
3. The LDAP Search string

How to test in isolation and work out the other parameters?

The easiest way is to download a freeware tool called “ActiveDirectory Explorer”.  [download link]

Start ADexplorer and enter your login credentials and Active Directory URL.
A big tree-like window will open. Try crawling through the most likely branches (sorry, we can’t help you much here ;) and locate your user group (e.g. GIS Administrators).
Once you have found your login name, locate the “distinguishedName” entry.


Here are the steps to toggle to NTLM (from “anonymous”) in Dekho 4.1:

1. Go to Dekho 4.1 admin screen
2. Click on the “Authorization” menu
3. Toggle the Authentication to NTLM
4. Toggle the Authorization to LDAP Groups
Note: In Dekho 4.1 you can no longer run a hybrid of LDAP users with Dekho Groups.
5. Enter your Domain name: services.yourcompany.com.au
6. Username = Enter your Windows login name (the one you use to log into your computer in the morning)
7. Password = Enter your password
8. Principal = The username of the user that will authenticate with the LDAP server (implementation dependent).
9. Credentials = your password.
10. Search = your search string (see above)
11. URL = {ask your IT team}
12. User Search Filter = sAMAccountName={0}
13. User DN = use the string found above in “distinguishedName”
14. Group Role Attribute = cn
15. Group Search Filter = member={0}
16. Click SAVE
17. The system will ask you which group do you want to allow as administrators.
18. <end>

OK, now your Dekho map access is restricted to your LDAP users and your Dekho Admin is restricted to the group you just chose in point (17).
The NTLM authentication does not ask you to type in any password; it uses the Windows logon details that are nested inside your operating system.
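As an added example (not part of Dekho or the original post), this Python script shows the filters the directory would receive from the settings above and flags malformed values before you enter them. It assumes {0} is replaced by the login name in the User Search Filter and by the user's DN in the Group Search Filter; the function names and all sample values are constructed for illustration.

```python
from urllib.parse import urlparse

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, value):
    """Substitute {0} in a template such as 'sAMAccountName={0}' and parenthesise it."""
    if "{0}" not in template:
        raise ValueError("filter template has no {0} placeholder: %r" % template)
    expanded = template.replace("{0}", escape_filter_value(value))
    return expanded if expanded.startswith("(") else "(" + expanded + ")"


def check_settings(settings, login):
    """Return (user_filter, group_filter, warnings) for one test login."""
    warnings = []
    url = urlparse(settings["url"])
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        warnings.append("URL must look like ldap://host:389 or ldaps://host:636")
    elif url.scheme == "ldap":
        warnings.append("ldap:// is unencrypted; ask IT whether ldaps:// is available")
    for key in ("search", "user_dn"):
        if "=" not in settings[key]:
            warnings.append("%s does not look like a distinguished name" % key)
    # Assumption: {0} is the login name here and the user's DN in the group filter.
    user_filter = expand_filter(settings["user_search_filter"], login)
    group_filter = expand_filter(settings["group_search_filter"], settings["user_dn"])
    return user_filter, group_filter, warnings


# Constructed sample values, not taken from a real directory.
SAMPLE = {
    "url": "ldap://dc01.example.com:389",
    "search": "DC=example,DC=com",
    "user_dn": "CN=Smith\\, Jane (GIS),OU=Staff,DC=example,DC=com",
    "user_search_filter": "sAMAccountName={0}",
    "group_search_filter": "member={0}",
}

if __name__ == "__main__":
    user_f, group_f, notes = check_settings(SAMPLE, "jsmith")
    print(user_f, group_f, *notes, sep="\n")
```

A distinguishedName that contains an escaped comma or parentheses, as in the sample, is the usual reason a group lookup returns nothing: the backslash and brackets must be escaped again when the DN is placed inside the member filter.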

Important notes:

– If you use LDAP or NTLM, you must use LDAP roles too. You can no longer mix Dekho roles with LDAP roles.

– If you toggle to LDAP or NTLM the whole user base and all the roles will be re-read, and previous entries in your Dekho table will be overwritten.
– In previous versions of Dekho, users were added as they were used (username added the first time you log into Dekho).  With Dekho 4.1 all users & roles are loaded in.


