Web-based Management 2:
Security - LDAP configuration
Valid from firmware release 2025.0 - for earlier firmware see WBM LDAP Configuration
In this WBM 2 page you can activate or deactivate the use of a central management of the users in a network (e.g. a Microsoft Active Directory). Note: More background information on configuration attributes and their default values can be found in the LDAP connection configuration topic.
For developing secure-by-design, IEC 62443‑2 compliant applications with PLCnext Technology, get a good grasp of the concepts used in the Security context.
The overview page shows a table of existing LDAP configurations containing these columns:
| Column | Description |
|---|---|
| Seq. (sequence) | Sequence number of the LDAP server (the LDAP servers are contacted in this order) |
| Host Name | Host name or IP address of the LDAP server |
| Port | TCP port of the LDAP server |
| Base DN | DN (Distinguished Name) where the LDAP search for users starts. |
| Bind DN | DN (Distinguished Name) of the user with which the search in the LDAP directory is performed (optional). |
| Comment | Local user-specific comment |
Around the table you will find buttons to add, remove, or edit an LDAP server configuration, and arrow buttons to move a selected LDAP server configuration row upwards or downwards.
Basic configuration
In the Basic Configuration area you have the following setting options:
General configuration
| Option | Description |
|---|---|
| Seq. | Sequence number of the LDAP server configuration (automatically assigned by the WBM 2) |
| Hostname | DNS name or IP address of the LDAP server |
| Port | TCP port of the LDAP server (optional). If left empty, the port is chosen automatically: port 389 for connections without TLS or with StartTLS, and port 636 for TLS connections. If necessary, you can specify the port where the LDAP server can be reached. |
| Timeout | Timeout after a connection attempt to the server failed. Enter an integer value in the input field and choose a unit from the drop-down list. |
Security options
| Option | Description |
|---|---|
| TLS mode | Select the TLS mode from the drop-down list. |
| Trust Store | Select the Trust Store that is used for verification by entering a Trust Store name in the input field. All Trust Stores that match or start with the entry can be selected from the drop-down list. If you leave the input field empty, you can select from all existing Trust Stores. |
| Cipher list | List of permitted TLS cipher suites for the LDAP connection. See Cipher lists for details. |
Search options
| Option | Description |
|---|---|
| Base DN | The LDAP DN (Distinguished Name) that serves as the starting point for the search for users over all child nodes. |
| Search filter | LDAP search filter that is used for the search for users. The variable "$$USER$$" is automatically replaced with the login. |
Login options
| Option | Description |
|---|---|
| Bind DN | Enter the Distinguished Name of the user with which the search in the LDAP directory is performed. |
| Bind password | Enter the password of the Bind DN user in the LDAP server. |
| Confirm bind password | Confirm the password of the Bind DN user. |
Local options
| Option | Description |
|---|---|
| Comment | Optional: Enter a comment on the LDAP server configuration. |
Enhanced Configuration
In the Enhanced configuration area you have the following setting options.
Group Attributes
In this area you can add, remove, or edit Group Attributes of the LDAP server configuration.
Note: A group attribute for the initial group is mandatory. As long as this name is missing, the Enhanced configuration heading is red and the new configuration cannot be added permanently.
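The following is an added example (not the WBM 2 firmware's own code) that models an LDAP server entry as described on this page: the automatic port choice by TLS mode, the contact order by sequence number, the mandatory initial-group attribute, and the "$$USER$$" substitution in the search filter. The TLS mode names, the sample filter and the RFC 4515 escaping of the login before substitution are assumptions of this example, not a description of what the firmware does internally.

```python
# Added example: models the LDAP configuration options described on this page.
# Assumed TLS mode names ("none", "starttls", "tls") and sample values are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 4515 escaping for values placed inside an LDAP filter assertion, so that a
# login containing filter metacharacters cannot alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapServerConfig:
    seq: int                                   # servers are contacted in ascending order
    hostname: str
    tls_mode: str                              # assumed: "none", "starttls" or "tls"
    base_dn: str
    search_filter: str = "(sAMAccountName=$$USER$$)"   # constructed sample filter
    port: Optional[int] = None                 # None -> chosen from the TLS mode
    timeout_s: int = 10
    bind_dn: Optional[str] = None
    group_attributes: List[str] = field(default_factory=list)
    initial_group_attribute: Optional[str] = None

    def effective_port(self) -> int:
        """Page rule: 636 for TLS, otherwise 389 (no TLS or StartTLS), unless set explicitly."""
        if self.port is not None:
            return self.port
        return 636 if self.tls_mode == "tls" else 389

    def render_filter(self, login: str) -> str:
        """Replace $$USER$$ with the escaped login (escaping is this example's assumption)."""
        return self.search_filter.replace("$$USER$$", escape_filter_value(login))

    def validate(self) -> List[str]:
        """The initial-group attribute is mandatory; a Base DN is needed to start the search."""
        problems = []
        if not self.initial_group_attribute:
            problems.append("initial group attribute is mandatory")
        if not self.base_dn:
            problems.append("Base DN is required")
        return problems


def contact_order(configs: List[LdapServerConfig]) -> List[str]:
    """Host names in the order the servers would be contacted (by sequence number)."""
    return [c.hostname for c in sorted(configs, key=lambda c: c.seq)]
```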
LDAP Group Mappings
In this area you can manage a list of LDAP Group Mappings to user roles. This setting is optional.