Overview
Useful Links:
KB0014625 IAM - LDAP Authentication
KB0019418 All Michigan Medicine Approved Standards for Authentication
KB0014745 Identity and Access Management Services
KB0014349 IAM Developer Resources
Related Information
Introduction
Michigan Medicine Identity and Access Management (IAM) provides two options for resources (user accounts, system accounts, applications, processes, devices, etc.) to authenticate using LDAP (Lightweight Directory Access Protocol):
- authenticate via ldap.ent.med.umich.edu based on eDirectory.
- authenticate via umhs.med.umich.edu based on Active Directory.
Differences between the two:
ldap.ent.med.umich.edu is preferred due to better redundancy.
umhs.med.umich.edu may be necessary for applications that are required to use Active Directory LDAP; refer to your documentation to be sure.
Options
Authenticating via eDir (ldap.ent.med.umich.edu)
Parameter | Pre-Prod | Prod
DNS Name | ldap.p-ent.med.umich.edu | ldap.ent.med.umich.edu
Base DN | dc=med,dc=umich,dc=edu | dc=med,dc=umich,dc=edu
Base user DN | ou=people,dc=med,dc=umich,dc=edu | ou=people,dc=med,dc=umich,dc=edu
Base group DN | ou=groups,dc=med,dc=umich,dc=edu | ou=groups,dc=med,dc=umich,dc=edu
Port | 636 | 636
Principal | cn={System Account}; contact Account Admin to have the account created and IDM to have the appropriate rights set up. | cn={System Account}; contact Account Admin to have the account created and IDM to have the appropriate rights set up.
SSL/TLS | Yes | Yes
Authenticating via Microsoft Active Directory (umhs.med.umich.edu)
Parameter | Pre-Prod | Prod
DNS Name | p-umhs.med.umich.edu | umhs.med.umich.edu
Base DN | DC=p-umhs,DC=med,DC=umich,DC=edu | DC=umhs,DC=med,DC=umich,DC=edu
Base user DN | CN=Users,DC=p-umhs,DC=med,DC=umich,DC=edu | CN=Users,DC=umhs,DC=med,DC=umich,DC=edu
Base group DN | OU=UMHS Groups,DC=p-umhs,DC=med,DC=umich,DC=edu | OU=UMHS Groups,DC=umhs,DC=med,DC=umich,DC=edu
Port | 636 | 636
Principal | cn={System Account}; contact Account Admin to have the account created and IDM to have the appropriate rights set up. | cn={System Account}; contact Account Admin to have the account created and IDM to have the appropriate rights set up.
SSL/TLS | Yes | Yes
As of 22 March 2023, resources must employ LDAP channel binding and LDAP signing per CHG0152788. Channel binding and signing increase the security of communications between LDAP clients and Active Directory domain controllers. The change is necessary to meet Information Assurance cyber security standards and requirements: unsigned LDAP traffic is susceptible to replay and man-in-the-middle attacks.
Resources that are built on .NET Framework, Active Directory Service Interfaces (ADSI), or make LDAP calls into WLDAP32 will automatically handle LDAP signing and channel binding.
Resources that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds, or on LDAP simple binds over a non-SSL/TLS connection (port 389 without StartTLS), could fail to authenticate. Simple binds made over LDAPS on port 636, as in the tables above, are protected by TLS and are not affected. For non-Windows device operating systems, services, and applications, check your documentation or ask your vendor.
To be certain about whether or not your resource will successfully authenticate via Microsoft Active Directory (umhs.med.umich.edu), the best course of action is to test in pre-prod (p-umhs.med.umich.edu:636).
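As an added example (not code from this KB article or from IAM), the following Python script uses the parameters in both tables above: it connects to the chosen directory over LDAPS on port 636 with the server certificate verified, binds as a system account, looks the user up with an escaped search filter, then re-binds as that user to test the password, which is the pre-prod test recommended above. It uses the ldap3 library (pip install ldap3). The system-account DN, the login attribute names (cn for eDirectory, sAMAccountName for Active Directory) and the sample credentials are assumptions, not values published by IAM.

```python
"""Authenticate a user against Michigan Medicine LDAP over LDAPS (port 636).

Added example, not code from the IAM KB article. Requires the ldap3 library
for the network part; the pure helpers run without it. The system-account DN,
the login attribute names and the sample credentials are assumptions.
"""
import ssl

# Directory parameters from the KB tables. The login attribute names are an
# assumption: cn for eDirectory, sAMAccountName for Active Directory.
DIRECTORIES = {
    "edir": {
        "attr": "cn",
        "preprod": {"host": "ldap.p-ent.med.umich.edu",
                    "users": "ou=people,dc=med,dc=umich,dc=edu",
                    "groups": "ou=groups,dc=med,dc=umich,dc=edu"},
        "prod": {"host": "ldap.ent.med.umich.edu",
                 "users": "ou=people,dc=med,dc=umich,dc=edu",
                 "groups": "ou=groups,dc=med,dc=umich,dc=edu"},
    },
    "ad": {
        "attr": "sAMAccountName",
        "preprod": {"host": "p-umhs.med.umich.edu",
                    "users": "CN=Users,DC=p-umhs,DC=med,DC=umich,DC=edu",
                    "groups": "OU=UMHS Groups,DC=p-umhs,DC=med,DC=umich,DC=edu"},
        "prod": {"host": "umhs.med.umich.edu",
                 "users": "CN=Users,DC=umhs,DC=med,DC=umich,DC=edu",
                 "groups": "OU=UMHS Groups,DC=umhs,DC=med,DC=umich,DC=edu"},
    },
}
LDAPS_PORT = 636

# RFC 4515 escaping of the characters that are special inside a search filter.
# Without it a login such as "*)(cn=*" rewrites the filter (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def directory(kind: str, prod: bool) -> dict:
    """Host, base DNs and login attribute for 'edir' or 'ad'; pre-prod unless prod=True."""
    entry = DIRECTORIES[kind]
    return {"attr": entry["attr"], **entry["prod" if prod else "preprod"]}


def user_filter(kind: str, login: str) -> str:
    """Search filter that locates exactly one user by login name."""
    return "({}={})".format(DIRECTORIES[kind]["attr"], escape_filter(login))


def check_password(kind, prod, service_dn, service_password, login, password):
    """Bind as the system account, find the user, then bind as the user.

    Returns the user's DN on success, None if the user is missing or ambiguous
    or the password is wrong. Both binds are simple binds over LDAPS with the
    server certificate verified, so they satisfy the AD signing requirement.
    """
    import ldap3  # imported here so the helpers above run without the library
    from ldap3.core.exceptions import LDAPBindError

    if not password:
        return None  # an empty password is an unauthenticated bind, not a failure
    d = directory(kind, prod)
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)  # add ca_certs_file=... for an internal CA
    server = ldap3.Server(d["host"], port=LDAPS_PORT, use_ssl=True, tls=tls, get_info=ldap3.NONE)

    with ldap3.Connection(server, user=service_dn, password=service_password, auto_bind=True) as conn:
        conn.search(d["users"], user_filter(kind, login), search_scope=ldap3.SUBTREE,
                    attributes=[d["attr"]])
        if len(conn.entries) != 1:
            return None
        user_dn = conn.entries[0].entry_dn

    try:
        with ldap3.Connection(server, user=user_dn, password=password, auto_bind=True):
            return user_dn
    except LDAPBindError:
        return None


if __name__ == "__main__":
    # Placeholder credentials; test against pre-prod first, as the KB advises.
    print(check_password("ad", False, "CN=svc-myapp,CN=Users,DC=p-umhs,DC=med,DC=umich,DC=edu",
                         "service-secret", "jdoe", "user-secret"))
```

The search-then-rebind pattern avoids guessing the user's DN, and the escaped filter keeps a login name from altering the query. Because every bind here is a simple bind inside a verified TLS session on 636, nothing changes for it under the channel binding and signing requirement; a client that instead used a simple bind to port 389 without StartTLS, or an unsigned NTLM/Kerberos bind, is what the requirement breaks.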