In Siveillance Control, every user is assigned to a user group. A user group includes all employees who work in the same role, for example all operators responsible for fire alarm technology. All members of a user group have the same rights. You can either create new users and user groups or import them with an LDIF file. The LDIF file is required to enable login using Windows authentication.

The LDIF File

The LDIF file is an ASCII file that contains information regarding users and user groups from an LDAP directory. Passwords are not contained in the LDIF file. You can display the information using a text editor. The following types of LDIF files exist:

User Groups in the LDIF File without Reference

If the LDIF file contains user groups that do not reference another user group, these are saved under the System > User node following the import.

dn: cn=Aloxerv,ou=DistributionGroups,ou=Managed Objects,dc=TESTDOMAIN,dc=local
objectClass: top
objectClass: group
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=TESTDOMAIN,DC=local
member: CN=Aloxerv-Tester,OU=DistributionGroups,OU=Managed Objects,DC=TESTDOMAIN,DC=local
member: CN=Barososo Josef,OU=ActiveEmployee,OU=User,OU=Managed Objects,DC=TESTDOMAIN,DC=local
...

User Groups in the LDIF File with Reference

If the LDIF file contains user groups that reference a user group, indicated by the memberOf attribute, these are saved under the System > User > [User Group] node.

dn: CN=Aloxerv-Tester,OU=DistributionGroups,OU=Managed Objects,DC=TESTDOMAIN,DC=local
objectClass: top
objectClass: group
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=TESTDOMAIN,DC=local
member: CN=Kegler Martin,OU=ActiveEmployee,OU=User,OU=Managed Objects,DC=TESTDOMAIN,DC=local
memberOf: CN=Aloxerv,OU=DistributionGroups,OU=Managed Objects,DC=TESTDOMAIN,DC=local
...

Users in the LDIF File

Users in the LDIF file are assigned to a user group by the memberOf attribute. A user can therefore reference several user groups, not all of which exist in the LDIF file. The following options are available:

  • If a user references a user group that is not contained in the LDIF file, the reference is ignored and a warning message is displayed for each missing reference. The user is nevertheless imported.
  • If a user has no reference or no valid reference to a user group from the LDIF file, the user is saved under the System > Users node.
  • If a user is imported with a reference to a user group, the user is saved under the corresponding tree node for this user group.

dn: CN=Kegler Martin,OU=ActiveEmployee,OU=User,OU=Managed Objects,DC=TESTDOMAIN,DC=local
mailNickname: mkr
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=TESTDOMAIN,DC=local
memberOf: CN=Aloxerv-Tester,OU=DistributionGroups,OU=Managed Objects,DC=TESTDOMAIN,DC=local
...
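The placement rules described above (groups with and without memberOf, users whose memberOf points to a group missing from the file) can be checked on an exported file before it is imported. The following Python script is an added example, not part of Siveillance Control or its documentation; it models those rules on a constructed sample, and the group name VPN-Users and all function names are assumptions.

```python
import base64
import re

BASE = "OU=Managed Objects,DC=TESTDOMAIN,DC=local"
# Constructed sample; "VPN-Users" is an invented group absent from the file.
SAMPLE = f"""\
dn: cn=Aloxerv,ou=DistributionGroups,{BASE}
objectClass: group

dn: CN=Aloxerv-Tester,OU=DistributionGroups,{BASE}
objectClass: group
memberOf: CN=Aloxerv,OU=DistributionGroups,
 {BASE}

dn: CN=Kegler Martin,OU=ActiveEmployee,OU=User,{BASE}
objectClass: user
memberOf: CN=Aloxerv-Tester,OU=DistributionGroups,{BASE}
memberOf: CN=VPN-Users,OU=DistributionGroups,{BASE}

dn: CN=Barososo Josef,OU=ActiveEmployee,OU=User,{BASE}
objectClass: user
"""

def norm(dn):  # DNs compare case-insensitively; ignore spaces around commas
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per blank-line-separated record."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for key, value in re.findall(r"^([\w;-]+):(.*)$", block, re.M):
            if value.startswith(":"):  # "attr:: <base64>" for non-ASCII values
                value = base64.b64decode(value[1:]).decode("utf-8")
            rec.setdefault(key.lower(), []).append(value.strip())
        if "dn" in rec:  # skips blocks such as a leading "version: 1"
            yield rec

def plan_import(text):
    """Model of the placement rules described above, not the product's code."""
    recs = list(parse_ldif(text))
    groups = {norm(r["dn"][0]) for r in recs if "group" in r.get("objectclass", [])}
    placement, warnings = {}, []
    for r in recs:
        dn, refs = r["dn"][0], r.get("memberof", [])
        parents = [m for m in refs if norm(m) in groups]
        warnings += [f"{dn}: group not in file: {m}" for m in refs if m not in parents]
        placement[dn] = parents or ["top-level user node"]
    return placement, warnings
```

Calling `plan_import` on the text of an export returns the predicted parent group(s) per entry and one warning per memberOf reference that cannot be resolved within the file.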

Providing LDIF Files

Providing the LDIF file is not a typical task during the configuration phase, since the persons responsible often lack the authorization. However, you should have a basic understanding of this concept.

The LDIF file is exported from an LDAP directory on the AD server. Especially in large companies, user accounts are managed centrally on an Active Directory server (AD server for short). The network administrator is authorized to perform the export. The following options to export the LDIF file are available:

 

Export of the LDIF File from the Command Line Using a Command

The first option is described using the specific example of a Microsoft Active Directory server (MSAD for short) based on Windows Server 2008. The following prerequisites apply:

  • Direct access to the Windows server with the option of opening an MSDOS console.
  • Administrator rights for reading contents on the MSAD server for users and user groups.

The command used on the console for the export looks as follows:

ldifde -f "ldif-file_name/-path" -d "start_node (OU notation)" -p subtree -l distinguishedName,givenName,objectClass,sn,sAMAccountName,memberOf

The individual parameters have the following meaning:

-f: The file path to the LDIF file being created. Appropriate write access to the target path is required.

-d: The start node in the AD structure, from which the export is performed. The format must comply with the corresponding distinguished name in the AD notation, for example OU=[…].

The remaining parameters are always fixed and do not have to be specified or changed dynamically.

 

Export of the LDIF File Using Apache Directory Studio

The second option involves using the Apache Directory Studio software to export users by means of a user interface. The following steps are necessary for this option:

 

Installing the Apache Directory Studio Software

  1. Download the current version of the software from: http://directory.apache.org/studio/downloads.html
  1. Install the software with the default options.

 

Configuring the AD Server Connection

  • The IP address of the AD server is known.
  • You have a user account for the AD server.
  1. Start Apache Directory Studio.
  1. Right-click the Connections view and select New Connection.
  1. Enter a connection name. The connection is displayed subsequently under this name.
  1. Enter the network parameters:
     • Hostname: IP address of the AD server
     • Port: 389
     • Encryption method: No encryption
     • Provider: Apache Directory LDAP Client API
  1. Click Check Network Parameter.
  1. In case of an error message, check the network parameters.
  1. Click OK.
  1. Select Read-Only to prevent any additions, deletions, modifications or renamings.
  1. Click Next.
  1. Select Simple Authentication.
  1. Enter the authentication parameters:
     • Enter the user with the default domain.
     • Select Save password if necessary.
  1. Click Check Authentication.
  1. In case of an error message, check the authentication parameters.
  1. Click OK.
  1. Click Finish.

 

Exporting the LDIF File

  • Apache Directory Studio is displayed.
  1. In the Connections view, click New Connection.
  1. In the LDAP browser, select a node. You have the following options:
     • To select all included user groups and users for export, select the domain node.
     • To select a user group without users for export, select a user group below the domain.
     • To only select a user for export, select a user below the domain.
  1. Right-click and select Export > LDIF Export.
     • The Connection and Search Base are adopted automatically.
  1. Enter a Filter text using the following options:
     • To filter all user groups and users, use (|(objectClass=group)(objectClass=user)). The filter searches for all entries for the group or user object class.
     • To filter all users in a user group, use (&(objectClass=user)(memberOf=[your user group])). The filter searches for all entries with the object class user and for the specified user group.
     • Create a filter to suit your requirements. You can find more information on the Internet when searching for ldap filter syntax.
  1. Keep the remaining default settings.
  1. Click Next.
  1. Select the target file.
  1. Enter the file name. Use Browse if necessary.
  1. To overwrite any existing file, select Overwrite existing LDIF file.
  1. Click Finish.
  • The LDIF file is saved.

Importing Users and User Groups Using the LDIF File

  • The AD server has been started.
  • Siveillance Control has been released for authentication on the AD server.
  • The Windows user groups and users are available in LDIF files.
  • The LDIF file has been created from one source only.
  1. Open the Engineering perspective.
  1. Click Import Data.
  1. Select LDIF-Import.
  1. Click Next.
  1. Select the file you want to import.
  1. Click Next.
  1. Select the advanced settings. You have the following options:
     • To import the LDIF file for the first time, keep the default settings.
     • To reimport and delete users that no longer exist in the new LDIF file, select Orphan > Delete.
  1. Click Next.
     • Import warnings can be displayed. These are for information only. The users are nevertheless imported.
  1. Click Next.
  1. Keep the default settings.
  1. Click Finish.
  • The imported users and user groups are displayed in the User and Authorization Management perspective.
  1. Check the rights of the imported users.
  1. In case of changes to the Windows user accounts, reimport the LDIF file.

Default User Groups

For the engineering client, the Administrator and Commissioning Engineer user groups are set by default. They can be found in the Permissionable Objects tree under System Engineering. Here, you can find the default users Admin and Engineer. For the runtime system, the user groups Administrator and Operator are set by default under System. Here, you can find the default user Admin.

Creating Users and User Groups

New users can only be created under a user group.

  • The User and Authorization Management perspective is displayed.
  1. In the Permissionable Objects tree, right-click Users and select New > Group of Users.
  1. Enter a user group name.
  1. Click Finish.
  1. In the Permissionable Objects tree, right-click the new user group and select New > User.
  1. Enter a username.
  1. Click Finish.