Where are the usernames/pwds of an HMI stored via LDAP?

From what I understand, in an HMI user authentication context, LDAP reads the username & password and compares them for a match in a database.

I currently have no idea how the pathing to that database is done, nor how to find out where it is? I'm trying to make it so that the LDAP refers to a local server/laptop for the user ID comparison.

Anyone has insight on this? Thanks for taking the time.

That's a complicated question.

Short answer is the LDAP query is usually setup to point at the directory server. If you wanted to do this locally, you would need to be running a local directory server of some kind(and this is more complicated than it sounds) and then you would need to configure the authentication path to the right machine.

Sometimes, Software(on a windows box) you think is doing LDAP is actually leveraging the windows security API and looking at the domain the machine is attached too. In that case, you would have to rejoin the machine to the 'local' domain or force it(where possible) to use local user accounts.

What software are you using? I assume you want to point it 'locally' for testing in house?

Thanks for replying. I've seen your moniker on another LDAP related thread (around a decade old).

LDAP query is usually setup to point at the directory server

Click to expand...

Indeed, is there a way to check at which server it is currently pointing at?

you would need to be running a local directory server of some kind(and this is more complicated than it sounds) and then you would need to configure the authentication path to the right machine.

Click to expand...

This is exactly what I'm trying to figure out how to do.

I assume you want to point it 'locally' for testing in house?

Click to expand...

Exactly! The point of this is to be able to test a machine's LDAP locally before it's shipped and connected to a client's server. The software I'm using is FactoryTalk View Studio ME, RS Logix/Studio 5000 and working with a PanelView Plus 7.

Ah, so the PVP7, Do you have techconnect?

If so, answer id 609098 describes the process really well.

Also, answer 1053276 for troubleshooting.

If not, check out https://literature.rockwellautomation.com/idc/groups/literature/documents/um/viewme-um004_-en-e.pdf around page 258.

Thanks, I'm looking through the Rockwell literature on p.258, but I'm not sure how I'm supposed to use the 609098 and 1053276 answer ids? I've tried a search on plctalk and on google, nothing came up besides this thread.

Oh, those are on the rockwell knowledge base. https://rockwellautomation.custhelp.com

You'll have to sign up for acct if you don't have one, but I think those answers are open to all.

Those articles are pretty helpful, thanks!
After reading, I'm figuring what I need to do looks like this:

1- Install OpenLDAP for windows on my laptop to create my own directory containing user accounts, user groups and whatnot.

2- Configure the PvP7's LDAP with my own laptop's DN.

3- Install Wireshark to monitor the LDAP exchanges between the client (PvP7) and the server (my laptop).

But before getting to step 1, I need to figure out what DN the PvP7's LDAP is currently querying for the users ID search. Is there a way to access that information?

Well, the domain name is part of the username and should be part of the factorytalk directory associated w/ the project, So if you load that AND the directory you should be able to see those

This is how I'm currently logging to the PvP7 (with my .mer program running in) :

User Name: admin
Password: dummypwd

Other user names are maint, oper, super...etc. I'm not sure I follow how the domain name could be part of a username? I'm probably referring to the wrong kind of username.

the domain name is part of the username and should be part of the factorytalk directory associated w/ the project, So if you load that AND the directory you should be able to see those.

Click to expand...

How do I find the location of the FT directory associated w/ the project?

No knowledge of LDAP but any domain username is in the format: domain_name\user_name

Right, that helps clarify the domain username part, thanks!

Now I'm trying to figure out where the FT directory is currently located. Everything I find on the net is explaining how to reconfigure it or how to set up a new one, but I'm just trying to read where it is at the moment.

Well, and they may not have setup individual users in the directory. They may just be referencing windows-linked groups which may or may not display the domain.

Honestly, I would look at the currently configured LDAP server in the Panelview, that shold be a FQND(Fully qualified domain name) and will tell you what the domain is.

I would look at the currently configured LDAP server in the Panelview, that shold be a FQND(Fully qualified domain name) and will tell you what the domain is.

Click to expand...

In the PanelView, I accessed Terminal Settings > Networks and Communications > LDAP Configuration. This is the screen it's leading me to:



I can only see a default Port Number there.

Other information menus like Networks and Communications > Network connections >Network Identification display all empty fields (User Name, Password, Domain).

Then I have the Network Diagnostics menu displaying nothing in front of Primary and Secondary DNS:



Which I'm assuming means that the LDAP isn't currently connected to any domain name or directory to query for authentication. And yet, authentication works.

I'm guessing that authentication only works for user accounts that have already been added while the connection to a domain was still on.

I tested adding a new user & password (from FT Studio) and running the updated program, and the authentication expectedly didn't work, since this is a user I added with no connection to a domain.

So...Going from here, I'm going to establish an LDAP local connection from the Panelview to my laptop. I plan on writing an LDAP directory using OpenLDAP for Windows.

Ahh fun, yeah if no server is listed, no ldap funtimes.

I'd guess the username/passwords you have are actually local users. So yeah, those would work w/out the connection.

I don't think these panels cache accounts, so a domain acct shouldn't work at ALL w/out the ldap server configured.