Remove Active Directory Username and Password When Configuring LDAP for InsightCM

Updated Mar 31, 2020

Issue Details

I need to configure my InsightCM Server to use my Windows Active Directory for user authentication using LDAP. When following the InsightCM manual for how to configure LDAP, it says I need to put my Active Directory username and password in a text file that is stored on the server machine. Storing a password in plaintext is a security concern and against our IT/cyber security protocols. Is it necessary to save the password in this file?

Solution

When configuring LDAP so that InsightCM can communicate with your Active Directory, the Active Directory service account's username and password are put into the LoginAuth.json file located at C:\Program Data\National Instruments\InsightCM 3.0\Auth.

These credentials are necessary only while adding roles and permissions in the InsightCM web application. Specifically, they are used so that you can use the Browse LDAP by user for groups button to search for Active Directory users and their associated groups. After you have finished adding user group permissions to the InsightCM roles, you can remove the credentials from the LoginAuth.json file by following these steps:
  1. After configuring the InsightCM roles and permissions and associating the corresponding Active Directory groups, open the LoginAuth.json file located at C:\Program Data\National Instruments\InsightCM 3.0\Auth.
  2. Delete the values for LdapServiceAccountUserName and LdapServiceAccountPassword. Do not change any other lines in this file, since that information is still necessary for you to log in to the InsightCM web application using Windows credentials. After making these changes, those lines should look like the following:
     "LdapServiceAccountUserName": "",
     "LdapServiceAccountPassword": ""
  3. Save the LoginAuth.json file.
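
To confirm the steps above took effect, the following read-only PowerShell check is an added example (it is not NI's code or part of the InsightCM manual). It assumes the Auth folder path given in this article and scans every file in it, because a copy or editor backup of LoginAuth.json (the file names in the comments are hypothetical) would still hold the plaintext password.

```powershell
# Added example (not NI code). Read-only: reports files that still hold a
# non-empty LDAP service-account username or password. Values are never printed.
param(
    # Folder from the article; pass -AuthDir if your installation differs.
    [string]$AuthDir = 'C:\Program Data\National Instruments\InsightCM 3.0\Auth'
)

$keys = 'LdapServiceAccountUserName', 'LdapServiceAccountPassword'

function Get-UnclearedKeys {
    param([string]$Text)
    # Returns the names of the keys whose JSON string value is not empty.
    $left = @()
    foreach ($k in $keys) {
        # "key" : "one or more characters", allowing escaped quotes in the value
        $pattern = '"' + [regex]::Escape($k) + '"\s*:\s*"(?:[^"\\]|\\.)+"'
        if ($Text -cmatch $pattern) { $left += $k }
    }
    return $left
}

# Scan every file in the folder so that copies of LoginAuth.json
# (hypothetical names: LoginAuth.json.bak, "LoginAuth - Copy.json") are caught too.
$findings = foreach ($file in Get-ChildItem -LiteralPath $AuthDir -File -Recurse) {
    $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $text) { continue }
    foreach ($k in Get-UnclearedKeys -Text $text) {
        [pscustomobject]@{ File = $file.FullName; Key = $k }
    }
}

# LoginAuth.json itself must still be valid JSON after the manual edit.
$main = Join-Path $AuthDir 'LoginAuth.json'
try {
    Get-Content -LiteralPath $main -Raw -ErrorAction Stop | ConvertFrom-Json | Out-Null
} catch {
    Write-Warning "LoginAuth.json could not be read or parsed: $($_.Exception.Message)"
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Service-account credentials are still present in the files listed above.'
    exit 1
}
Write-Output 'No stored LDAP service-account credentials found.'
```

The script exits with code 1 when any file still contains a credential, so it can be run as a scheduled compliance check after each round of role changes.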

Additional Information

With the Active Directory credentials removed, you will still be able to log in to the InsightCM web application using your Windows credentials. However, if you want to make changes to the InsightCM roles and permissions and browse for Active Directory groups from the InsightCM web application in the future, you will need to put the LDAP service account username and password back in the file.