Security and LDAP integration in InduSoft Web Studio
The document provides an overview of a webinar by InduSoft covering key aspects of security using LDAP (Lightweight Directory Access Protocol) and Active Directory for managing user access in industrial automation projects. It explains various security modes available in InduSoft Web Studio, including local, distributed, and domain configurations, and emphasizes the importance of working with IT departments for secure implementations. The document also discusses authentication processes, rights configuration, and gives details about LDAP server settings and query syntax.
Agenda
• Brief InduSoft Overview
• InduSoft Security Overview
• LDAP and Active Directory
  – What are they? And why do you need them?
  – How do I use it/them?
  – Configuration Options
Security is important
• This presentation is not meant to supersede your corporate policies.
• Informational only.
• Please make sure you refer to the documentation and work with your IT group.
• This area is changing all of the time.
www.InduSoft.com | info@InduSoft.com
Value Proposition
InduSoft Web Studio is an easy-to-use, powerful, and affordable HMI/SCADA software for PCs, industrial panels, and embedded and mobile devices. Design the applications in an integrated development environment and deploy/run them on multiple platforms, including any current Microsoft operating system (Windows CE/Mobile, Embedded, Desktop and Server Editions), Linux, VxWorks, among others.
Security Overview
Local Only: This is the standard mode for most projects: users and groups are created in the project development environment, and they apply only to the project for which they are created.
Distributed – Server: This is similar to Local Only, except that the project's security system configuration is also made available to other projects (that are set to Distributed – Client) on the same network. Furthermore, if the project loses its security system configuration for some reason, it can reimport the configuration from one of its client projects.
Distributed – Client: When this mode is selected, the project gets its entire security system configuration from another project (that is set to Distributed – Server) on the same network. The project caches this configuration and can continue to run even if it loses communication with the server project.
Domain (LDAP): The Lightweight Directory Access Protocol (LDAP) is a recognized standard for managing users and groups across many different applications on a network. When this mode is selected, the project gets its users and groups from an LDAP-compliant domain server, such as Microsoft Active Directory for Windows or OpenLDAP for Linux. However, only the user names, passwords, and group memberships are taken from the domain; specific rights for each group must still be configured within the project.
Difference between LDAP and AD
• LDAP (Lightweight Directory Access Protocol) is a protocol
• AD (Active Directory) is a directory services database
• LDAP is one of the protocols you can use to talk to AD
Why?
• Centrally managed
  – Usually at the corporate level
  – By the IT department (not Controls Engineers)
• No need to duplicate users and management
Active Directory Levels
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network.
– Forest
– Trees: a set of trees makes up a forest
– Domains: a set of domains makes up a tree
Source: Wikipedia
Active Directory Levels
Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace. A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.
A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.
At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
(Ref.: https://en.wikipedia.org/wiki/Active_Directory)
Authentication vs. Rights
Authentication is the process of verifying that someone or something is who/what they say they are.
Rights (within IWS): the specific rights that a member of the group has when they use a project thin client to access your project during run time.
User and Group Configurations
• Users are about Authentication
• Groups configure Rights (Authorization)
LDAP Server Settings: LDAP Server Credentials
• Must have admin rights
• Can be {stringTag}
• Status tag

Value  Description
0      Connection timeout
1      Bind timeout
2      Query timeout
3      Disconnected
4      Connected
5      No users or groups returned by query
6      Invalid user or group
LDAP Server Settings: LDAP Advanced
• If for some reason the LDAP server cannot be accessed using its domain name, you can manually configure the server's IP address.
• Simple Bind (ADAM)
  – Credentials are sent in clear text, so you should secure the connection by other means such as VPN, TLS/SSL, or proxies.
• Save Rights to server
  – Rights are usually stored locally, but the server can be configured to save those rights back to the LDAP server. You need to create custom attributes for the group security settings to accept these parameters.
LDAP Server Settings: LDAP Query
• By default, the LDAP server provides a list of all registered users and groups
  – Could be huge: thousands or millions
  – Provide a way to filter or isolate users
  – Could take a long time, longer than the practical timeout
• Query syntax (queries ARE case sensitive)
  – = (EQUAL TO). Example: (givenName=John)
  – & (logical AND). Example: (&(givenName=John)(l=Dallas))
Resources/References:
https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
http://ldapwiki.com/wiki/LDAP%20filters%20Syntax%20and%20Choices
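Building the filter shapes shown above, as an added example that is not InduSoft's code: each assertion value is escaped per RFC 4515 so that text taken from an operator (a name typed into a search box) can only ever match a literal value and cannot change the filter's structure. The function names are my own; `givenName` and `l` (locality) are the attributes used on the slide.

```python
"""Build LDAP search filters with RFC 4515 value escaping (added example)."""
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Attribute descriptions are letters, digits, hyphens and dots (OIDs); they are
# never taken from untrusted input, but we still refuse anything else.
_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9.-]*")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality(attribute: str, value: str) -> str:
    """Build a single (attribute=value) assertion, e.g. (givenName=John)."""
    if not _ATTRIBUTE_RE.fullmatch(attribute):
        raise ValueError(f"unexpected characters in attribute name: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def and_filter(*assertions: str) -> str:
    """Combine two or more assertions with the & (logical AND) operator."""
    if len(assertions) < 2:
        raise ValueError("an AND filter needs at least two assertions")
    return "(&" + "".join(assertions) + ")"


def user_in_site_filter(given_name: str, site: str) -> str:
    """Filter for users with a given first name at one site (the slide's example)."""
    return and_filter(equality("givenName", given_name), equality("l", site))


if __name__ == "__main__":
    # Constructed inputs. The second name contains filter metacharacters; after
    # escaping it stays inside its own assertion instead of widening the query.
    print(user_in_site_filter("John", "Dallas"))
    print(user_in_site_filter("*)(objectClass=*", "Dallas"))
```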
Additional New InduSoft Numbers
Licensing
• US and Canada Toll-Free: 855-274-8381
• Direct dial from anywhere: 512-910-8044
Support
• US and Canada Toll-Free: 855-269-4489
• Direct dial from anywhere: 512-879-4107
Contact InduSoft Today
Email: (US) info@indusoft.com, (Brazil) info@indusoft.com.br, (Germany) info@indusoft.com.de
Support: support@indusoft.com
Web site: (English) www.indusoft.com, (Portuguese) www.indusoft.com.br, (German) www.indusoft.com.de
Phone: +1 (512) 349-0334 (US), +55 (11) 3293-9139 (Brazil), +49 (0) 6227-732510 (Germany)
Toll-Free: 877-INDUSOFT (877-463-8763)
Fax: +1 (512) 349-0375