Security Profile: Configuring Active Directory Connection
With PLCnext Technology you are able to connect Active Directory servers via LDAP.
For further information, refer to the topic LDAP configuration in the main PLCnext Technology ‑ Info Center.
Replacing the local user management with LDAP while maintaining IEC 62443‑4-2 compliance
PLCnext Control's User Manager is compliant according to IEC 62443‑4-2 and includes a compliant local user management system. If this local user management is replaced by a central, LDAP-based directory service (for example, Microsoft® Active Directory), the LDAP configuration must fulfil specific requirements to preserve compliance with the IEC 62443‑4-2 standard.
The standard defines the necessary capabilities for secure user identification, authentication, authorization, secure communication, and auditability. Therefore, the LDAP configuration must implement the required feature set to ensure that the system continues to meet these security objectives when operated with a central directory service.
The following sections describe the essential LDAP configuration requirements needed to maintain an IEC 62443‑4-2-compliant user management solution.
Secure Communication
All communication between the device and the LDAP server must be protected against unauthorized access, manipulation, and credential disclosure.
To ensure this:
- LDAP connections must use TLS or StartTLS.
- A valid Trust Store must be configured to verify the LDAP server certificate.
- Only strong TLS cipher suites must be used.
- Unencrypted LDAP connections are not allowed, as they do not provide sufficient protection for authentication data or directory queries.
User Authentication
The LDAP server must provide strong authentication of human users.
The following conditions must be fulfilled:
- A dedicated Bind DN and Bind password must be configured. Anonymous binding is not permitted.
- The LDAP directory must enforce password policies, such as minimum password strength, expiration, and lockout for repeated failed attempts.
- The search filter must ensure that only valid, active user accounts can authenticate.
- The Base DN must restrict authentication queries to the organizational units intended for device access.
These measures ensure that only authorized users can authenticate and that authentication data is handled securely.
Role-Based Access Control
The system uses role-based access control. When LDAP is enabled, authorization continues to be enforced locally, while group membership is obtained from the LDAP directory.
To maintain compliance:
- At least one mandatory group attribute must be configured.
- LDAP groups must be mapped to device roles such as Administrator, Engineer, Maintenance, or Viewer.
- Group membership must reflect the user’s actual responsibilities, ensuring that privileges follow the principle of least privilege.
Roles must not be assigned to users directly but derived from their LDAP group membership.
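The following is an added example, not PLCnext code, that covers the User Authentication and Role-Based Access Control requirements above: it checks a sample LDAP configuration against them and derives device roles purely from LDAP group membership. The configuration key names, the sample DNs and the role names are assumptions; the Active Directory search filter uses the standard bitwise-AND matching rule on userAccountControl to exclude disabled accounts.

```python
from __future__ import annotations

# Active Directory's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) with the
# ACCOUNTDISABLE flag (bit 2 of userAccountControl) excludes disabled accounts;
# "{user}" is substituted with the login name at authentication time.
ACTIVE_USER_FILTER = (
    "(&(objectClass=user)(sAMAccountName={user})"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed sample configuration; the key names are this example's assumption,
# not PLCnext's configuration schema.
SAMPLE_CONFIG = {
    "transport": "starttls",  # "ldaps" | "starttls" | "plain"
    "trust_store": "/etc/ssl/ad-ca.pem",  # CA bundle used to verify the server
    "bind_dn": "CN=plc-bind,OU=Service Accounts,DC=example,DC=com",
    "bind_password": "<placeholder>",
    "base_dn": "OU=Automation,DC=example,DC=com",
    "search_filter": ACTIVE_USER_FILTER,
    "group_attribute": "memberOf",
    "role_mapping": {  # lower-cased group DN -> device role
        "cn=plc-admins,ou=groups,dc=example,dc=com": "Administrator",
        "cn=plc-engineers,ou=groups,dc=example,dc=com": "Engineer",
        "cn=plc-viewers,ou=groups,dc=example,dc=com": "Viewer",
    },
}

def check_config(cfg: dict) -> list[str]:
    """Return the requirements the configuration violates (empty list = compliant)."""
    findings = []
    if cfg.get("transport") not in ("ldaps", "starttls"):
        findings.append("unencrypted LDAP: TLS or StartTLS is required")
    if not cfg.get("trust_store"):
        findings.append("no Trust Store: server certificate cannot be verified")
    if not cfg.get("bind_dn") or not cfg.get("bind_password"):
        findings.append("anonymous bind: a dedicated Bind DN and password are required")
    if not cfg.get("base_dn"):
        findings.append("no Base DN: authentication queries are not scoped")
    flt = cfg.get("search_filter", "")
    if "{user}" not in flt or "userAccountControl" not in flt:
        findings.append("search filter does not restrict to active user accounts")
    if not cfg.get("group_attribute") or not cfg.get("role_mapping"):
        findings.append("no mandatory group attribute or role mapping configured")
    return findings

def derive_roles(member_of: list[str], role_mapping: dict[str, str]) -> set[str]:
    """Map LDAP group DNs to device roles; groups without a mapping grant nothing."""
    groups = {g.lower() for g in member_of}
    return {role for dn, role in role_mapping.items() if dn in groups}
```

A user whose memberOf values contain none of the mapped groups receives no role at all, which is the least-privilege default the section calls for.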
Unique Identification of Users
Each LDAP user account must represent a single individual.
To ensure accountability:
- Every user must have a unique identifier in the directory.
- The identifier must be transmitted consistently to the device during authentication.
- Shared accounts must not be used.
This ensures that each action performed on the device can be traced back to an individual user.
Auditability
Even when identity management is delegated to LDAP, the device must maintain a complete record of authentication events and user actions.
To support this:
- Authentication attempts (successful or failed) must be logged.
- Logged events must include the user identifier obtained from LDAP.
- Changes on the LDAP server, such as account deactivation or lockout, must take effect on the device during subsequent login attempts.
These logs support traceability and security incident analysis.
Summary
To maintain an IEC 62443‑4-2-compliant user management system when using LDAP, the following feature set must be configured:
- Secure TLS or StartTLS communication with trusted certificates
- Strong user authentication using a Bind DN
- Enforced password rules, secure policies, and controlled directory search scopes
- Role-based access control via LDAP group mappings with mandatory group attributes
- Unique, individual user identities without shared accounts
- Complete auditability, including authentication and authorization logging
Correctly configuring these features ensures that centralized LDAP-based user management provides the same security level as the certified local user management while fully meeting the requirements of IEC 62443‑4-2.
Dedicated Bind DN
A dedicated Bind DN ensures that only minimal and clearly restricted LDAP permissions are used. It prevents service interruptions that could occur if personal accounts expire or change. It also enables clean and traceable auditing by separating machine activity from human user accounts.
Bind password in clear text
LDAP Simple Bind requires the application to send the original, unmodified password, which means it must be stored in clear text or reversible form. Hashed passwords cannot be used because they cannot be converted back to the original string for authentication. "Clear text" in this context means readable only by the application while being protected through system and file-level security controls.