Configuring LDAP Authentication in Niagara 4

Centralized authentication through LDAP lets you manage Niagara user accounts from Active Directory instead of maintaining separate credentials on every station. This eliminates password sprawl and simplifies user onboarding and offboarding.

Prerequisites

Requirement	Details
Niagara version	4.6 or later
License	LDAP module included in station license
Network	Station must reach domain controller on port 389 (LDAP) or 636 (LDAPS)
AD service account	Read-only account for directory queries
TLS certificate	Required for LDAPS (strongly recommended)

Architecture Overview

User Browser → Niagara Station → LDAP Query → Active Directory
                    ↓                              ↓
              Local Auth (fallback)          AD Groups → Niagara Roles

Step 1: Install the LDAP Module

1. Open Niagara Workbench
2. Connect to the target station
3. Open the Software Manager
4. Install the ldap module if not already present
5. Restart the station

Step 2: Add the LDAP User Service

1. Navigate to Config > Services > UserService
2. Right-click and select Add > LdapUserService
3. The LDAP User Service will appear alongside the existing local UserService

Step 3: Configure the LDAP Connection

Open the LdapUserService properties:

LDAP Configuration:
  Server URL: ldaps://dc01.company.com:636
  Base DN: DC=company,DC=com
  Bind DN: CN=NiagaraSvc,OU=Service Accounts,DC=company,DC=com
  Bind Password: ********
  User Search Filter: (&(objectClass=user)(sAMAccountName={0}))
  Search Subtree: true
  Connection Timeout: 5000 ms
  Read Timeout: 10000 ms

Connection URL Options

Protocol	Port	Security	Recommendation
ldap://	389	None	Development only
ldaps://	636	SSL/TLS	Production use
ldap:// + StartTLS	389	TLS upgrade	Alternative to LDAPS

Step 4: Configure TLS Certificate Trust

For LDAPS connections, the station must trust the AD certificate:

1. Export the AD CA certificate (Base64 .cer format)
2. Import into the Niagara station's trust store:

Workbench > Platform > Trust Store Manager
  → Import Certificate
  → Select the AD CA certificate
  → Restart station

Step 5: Map AD Groups to Niagara Roles

Map Active Directory groups to Niagara roles:

Group Mappings:
  CN=BAS-Admins,OU=Groups,DC=company,DC=com → admin
  CN=BAS-Operators,OU=Groups,DC=company,DC=com → operator
  CN=BAS-Viewers,OU=Groups,DC=company,DC=com → viewer

AD Group	Niagara Role	Access Level
BAS-Admins	admin	Full configuration access
BAS-Operators	operator	Read + command, no config
BAS-Viewers	viewer	Read-only monitoring

Step 6: Set Authentication Order

Configure the station to try LDAP first, then fall back to local:

Authentication Order:
  1. LdapUserService (primary)
  2. UserService (fallback)

Keep at least one local admin account as a fallback in case the domain controller is unreachable.

Step 7: Enforce Secure Transport

LDAP credentials travel over the network, so enforce HTTPS:

1. Navigate to Config > Services > WebService
2. Set Https Only to true
3. Configure FOXS for Workbench connections

Troubleshooting

Bind Failures

Symptom	Cause	Fix
"LDAP error code 49"	Invalid credentials	Verify bind DN and password
"Connection refused"	Wrong port or firewall	Check port 636 is open
"Certificate not trusted"	Missing CA cert	Import AD CA into trust store
"Timeout"	DNS or routing issue	Verify station can ping DC

Password Expiration Lockouts

If the AD service account password expires, all LDAP authentication fails:

• Set the service account to Password Never Expires in AD
• Or implement a password rotation procedure with scheduled maintenance
• Local fallback admin account prevents complete lockout

Users Cannot Log In After AD Migration

• Verify the User Search Filter matches your AD schema
• Check that sAMAccountName is correct (some environments use userPrincipalName)
• Enable LDAP debug logging: LdapUserService > Log Level = Fine

Security Considerations

• Always use LDAPS (port 636) in production
• Use a dedicated read-only service account with minimal permissions
• Restrict the Base DN to the specific OU containing BAS users
• Audit LDAP login events through Niagara's audit log
• Rotate the service account password on a regular schedule

References

• Tridium Niagara 4 LDAP Integration Guide
• Microsoft Active Directory LDAP reference
• ASHRAE Guideline 13: Specifying DDC Systems

Proper LDAP integration means one less password for technicians to remember and one less account for IT to manage when someone leaves the organization.