MLDAP Server Installation and Configuration Guide
Intellectual Property Statement
SHENZHEN MINDRAY BIO-MEDICAL ELECTRONICS CO., LTD. (hereinafter called
Mindray) owns the intellectual property rights to this Mindray product and this manual. This
manual may refer to information protected by copyrights or patents and does not convey any
license under the patent rights of Mindray, nor the rights of others.

Mindray intends to maintain the contents of this manual as confidential information.


Disclosure of the information in this manual in any manner whatsoever without the written
permission of Mindray is strictly forbidden.
Release, amendment, reproduction, distribution, rental, adaption and translation of this
manual in any manner whatsoever without the written permission of Mindray is strictly
forbidden.

, , and are the registered trademarks or trademarks owned
by Mindray in China and other countries. All other trademarks that appear in this manual are
used only for editorial purposes without the intention of improperly using them. They are the
property of their respective owners.

Contents of this manual are subject to changes without prior notice.

For this manual, the issued Date is 2018-12 (Version: 1.0).

©Copyright 2016-2018 Shenzhen Mindray Bio-Medical Electronics Co., Ltd. All rights
reserved

Manufacturer’s Responsibility
Contents of this manual are subject to changes without prior notice.

All information contained in this manual is believed to be correct. Mindray shall not be liable
for errors contained herein nor for incidental or consequential damages in connection with the
furnishing, performance, or use of this manual.

Mindray is responsible for safety, reliability and performance of this product only in the
condition that:
All installation operations, expansions, changes, modifications and repairs of this
product are conducted by Mindray authorized personnel; and
The electrical installation of the relevant room complies with the applicable national and
local requirements; and
This product is operated under strict observance of this manual

Warranty
THIS WARRANTY IS EXCLUSIVE AND IS IN LIEU OF ALL OTHER WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR ANY PARTICULAR PURPOSE.

Exemptions
Mindray's obligation or liability under this warranty does not include any transportation or
other charges or liability for direct, indirect or consequential damages or delay resulting from
the improper use or application of the product or the use of parts or accessories not approved
by Mindray or repairs by people other than Mindray authorized personnel.

This warranty shall not extend to


Malfunction or damage caused by improper use or man-made failure.
Malfunction or damage caused by unstable or out-of-range power input.
Malfunction or damage caused by force majeure such as fire and earthquake.
Malfunction or damage caused by improper operation or repair by unqualified or
unauthorized service people.
Malfunction of the instrument or part whose serial number is not legible enough.

Customer Service Department
Manufacturer: Shenzhen Mindray Bio-Medical Electronics Co., Ltd.
Address: Mindray Building, Keji 12th Road South, Hi-tech industrial
park, Nanshan, Shenzhen 518057, P.R. China
Website: www.mindray.com
E-mail Address: service@mindray.com
Tel: +86 755 81888998
Fax: +86 755 26582680

Distributor (North America): Mindray DS USA, Inc.
Address: 800 MacArthur Boulevard Mahwah, New Jersey 07430 USA
Tel: 1.800.288.2121, 1.201.995.8000
Website: www.mindraynorthamerica.com

EC-Representative: Shanghai International Holding Corp. GmbH (Europe)

Address: Eiffestraße 80, 20537 Hamburg, Germany
Tel: 0049-40-2513175
Fax: 0049-40-255726

Preface
Manual Purpose
This manual contains the instructions necessary to operate the product safely and in
accordance with its function and intended use. Observance of this manual is a prerequisite for
proper product performance and correct operation and ensures patient and operator safety.
This manual is based on the maximum configuration and therefore some contents may not
apply to your product. Features described in this manual cover a global release and may not
be applicable in all markets in which the product is sold. If you have any questions, please
contact us.

Intended Audience
This manual is geared for clinical professionals who are expected to have a working
knowledge of medical procedures, practices and terminology as required for monitoring of
critically ill patients.

Illustrations
All illustrations in this manual serve as examples only. They may not necessarily reflect the
setup or data displayed on your patient monitor.

Conventions
Italic text is used in this manual to quote the referenced chapters or sections.
The terms danger, warning, and caution are used throughout this manual to point out
hazards and to designate a degree or level of seriousness.

Contents
Intellectual Property Statement
Manufacturer’s Responsibility
Preface
Contents

1 Safety
1.1 Safety Information
1.2 Dangers

2 Planning Your Deployment
2.1 Overview
2.2 Network Design and Software Installation Requirements
2.2.1 Network Design
2.2.2 Software Installation Requirements
2.2.3 Operating System

3 Installing the MLDAP Server
3.1 Install MLDAP Server
3.1.1 Install MLDAP Server software
3.2 Installing MLDAP Config Tool
3.3 License
3.3.1 Import software license
3.3.2 Load Hardware license
3.4 Configuring the IP Address to Connect to MLDAP Service

4 Configuring MLDAP Server
4.1 MLDAP System introduction
4.1.1 MLDAP System Components
4.1.2 User/Role/Unit
4.1.3 Operating Privilege
4.1.4 Local Directory (LD) and Active Directory (AD)
4.1.5 Location in MLDAP Client
4.1.6 How the MLDAP System Works
4.1.7 Default Roles in MLDAP Server
4.2 Configuring the MLDAP Server
4.2.1 Change the Clinician ID mapping
4.2.2 Assign a LD User as the Global Admin
4.2.3 Add Windows AD Server
4.2.4 Assign privilege to user
4.3 Basic function of the MLDAP Server
4.3.1 Login
4.3.2 Add LDAP Server
4.3.3 Test the LDAP Server
4.3.4 Delete the LDAP Server
4.3.5 Add Facility and Department
4.3.6 Delete Facility and department
4.3.7 Add Role
4.3.8 Delete Role
4.3.9 Assign Operates for the Role
4.3.10 Import User from AD
4.3.11 Import User group from AD
4.3.12 Add LD User
4.3.13 Assign Roles for User
4.3.14 Delete User
4.3.15 Map the Clinician ID to another property of the User in AD
4.3.16 Change Password
4.3.17 Reset Password
4.3.18 Import Permission File
4.4 Troubleshooting
4.4.1 AD User account cannot login on MLDAP Client
4.4.2 Error message is shown when trying to import user from AD: "Over Maximum number of users"
4.4.3 On the client, the authentication is unsuccessful

5 Password and folders
5.1 User and Password
5.2 Log folder and files
5.3 Configuration Files
5.3.1 MLDAP Service Configuration File

1 Safety
1.1 Safety Information

DANGER
Indicates an imminent hazard situation that, if not avoided, will result in death
or serious injury.

WARNING
Indicates a potential hazard situation or unsafe practice that, if not avoided,
could result in death or serious injury.

CAUTION
Indicates a potential hazard or unsafe practice that, if not avoided, could result
in minor personal injury or product/property damage.

NOTE
Provides application tips or other useful information to ensure that you get the
most from your product.

1.2 Dangers
There are no dangers that refer to the product in general. Specific "Danger" statements may
be given in the respective sections of this manual.

2 Planning Your Deployment
2.1 Overview
The MLDAP Server is responsible for importing the User Information from Windows Active
Directory (AD) to the Mindray Monitoring System. It is also responsible for managing the
access privilege of User to Mindray devices.

The MLDAP Server has two main components:

MLDAP Service – The MLDAP Service is a background service. It is responsible for
connecting to Windows AD to get all user information from AD and for controlling the
privilege of each user.
MLDAP Config Tool – The MLDAP Config Tool is a tool used to configure the
MLDAP Service.

MLDAP Server supports multiple installation methods:


■ Integration with Central Station: When installing the central station, MLDAP Server is
installed by default.
■ Install separately
In both installations, the software is the same and there are no functional differences.

2.2 Network Design and Software Installation Requirements

2.2.1 Network Design


This section covers the network design requirements and recommendations for the
connection between the Hospital Network (Windows AD) and the Mindray Monitoring
Network. The Mindray Monitoring Network refers to the network that includes the Mindray
patient monitoring network and central monitoring system network.

Restrict dataflow between the Mindray Monitoring Network and the Hospital Network to
only what is required for MLDAP Server to operate:
The TCP ports listed in the following table shall be allowed for MLDAP Server.

Protocol  MLDAP Server Port  Remote Port    Description
TCP       6664 (default)     Any            Mindray devices connect to 6664 to authenticate the user and
                                            determine if a user is authorized to perform an action. This is
                                            the default port used by MLDAP Service; it is configurable in
                                            the MLDAP Service configuration file.
TCP       Any                389            MLDAP Server connects to port 389 of Windows AD using
                                            Kerberos.
TCP       Any                636 (default)  MLDAP Server connects to port 636 of Windows AD using
                                            LDAPS. This port is configurable on the Windows AD.

Block all communications to/from IP addresses not in the specified list on the Mindray
Monitoring network.
Block application level broadcast communication between the hospital network and
Mindray Monitoring Network
MLDAP Server does not use UDP communication. Block multicast communication
between the Hospital Network and Mindray Monitoring Network
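
The restrictions above can be checked against firewall or flow logs. The following Python is an added example, not part of the Mindray manual: only the ports come from the table, while the IP addresses, the client subnet and the sample flow records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing, for illustration only; none of these values come from the manual.
MLDAP_SERVER = ipaddress.ip_address("10.20.0.10")
AD_SERVERS = {ipaddress.ip_address("192.168.50.5")}
MLDAP_CLIENTS = ipaddress.ip_network("10.20.0.0/24")   # monitors, central stations
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Ports from the table above.
MLDAP_SERVICE_PORT = 6664   # default; configurable in the MLDAP Service configuration file
AD_PORTS = {389, 636}       # 636 is the LDAPS default; configurable on the Windows AD


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a firewall would log it (initiator -> responder)."""
    proto: str
    src: str
    dst: str
    dport: int


def check_flow(flow):
    """Return (allowed, reason) for one flow; anything not listed is denied."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    if dst.is_multicast:
        return False, "multicast is blocked"
    if dst == MLDAP_CLIENTS.broadcast_address or dst == LIMITED_BROADCAST:
        return False, "broadcast is blocked"
    if flow.proto.upper() != "TCP":
        return False, "MLDAP Server uses TCP only"

    # Mindray devices -> MLDAP Service (remote port may be anything).
    if dst == MLDAP_SERVER and flow.dport == MLDAP_SERVICE_PORT:
        if src in MLDAP_CLIENTS:
            return True, "device to MLDAP Service"
        return False, "source is not an allowed MLDAP client"
    # MLDAP Server -> Windows AD on 389 or 636.
    if src == MLDAP_SERVER and dst in AD_SERVERS and flow.dport in AD_PORTS:
        return True, "MLDAP Server to Windows AD"
    return False, "not in the allow-list"


def audit(flows):
    """Return the (flow, reason) pairs that violate the allow-list."""
    violations = []
    for flow in flows:
        allowed, reason = check_flow(flow)
        if not allowed:
            violations.append((flow, reason))
    return violations


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    Flow("TCP", "10.20.0.31", "10.20.0.10", 6664),      # monitor authenticates a user
    Flow("TCP", "10.20.0.10", "192.168.50.5", 636),     # LDAPS to AD
    Flow("TCP", "10.20.0.10", "192.168.50.5", 389),     # port 389 to AD
    Flow("TCP", "192.168.50.77", "10.20.0.10", 6664),   # hospital PC reaching the service
    Flow("TCP", "192.168.50.77", "10.20.0.10", 3389),   # unrelated port on the server
    Flow("UDP", "10.20.0.31", "239.1.1.1", 5000),       # multicast across the boundary
    Flow("UDP", "10.20.0.10", "192.168.50.5", 389),     # UDP is never expected
    Flow("TCP", "10.20.0.10", "192.168.50.9", 636),     # LDAPS to a host that is not the AD
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```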

Two network diagrams are shown based on the number of network interfaces used by the
MLDAP Server.
For a single network interface installation, the Hospital Network is connected to the
Mindray Monitoring network via a router.

[Network diagram; labels: Hospital Network (L2 and L3), Windows AD, Central Stations, Firewall, Mindray Monitoring Network, Work Stations, Routing Infrastructure, MLDAP Server, Monitors]

Figure 2-1 Network Topology of MLDAP Server (Single Network Card)


For a dual network interface installation, the MLDAP Server is connected to the
Mindray monitoring network and hospital network respectively via two network cards.

[Network diagram; labels: Hospital Network (L2 and L3), Windows AD, Central Stations, Firewall, Mindray Monitoring Network, Work Stations, Routing Infrastructure, MLDAP Server, Monitors]

Figure 2-2 Network Topology of MLDAP Server (Dual Network Card)

2.2.2 Software Installation Requirements


2.2.2.1 Software Requirements When installing on a Physical PC
The computer of the MLDAP Server should be highly reliable and stable.
The minimum requirements for the hardware component are as below:

Item              Requirement
CPU               2.9GHz or above, quad core or above
Memory            4G DDRIII 1600MHz or above
Hard disk         Free memory space of 10GB or above
Network adapter   100Mbps, Ethernet 802.3

Table 2-1 Basic Hardware Requirements for the MLDAP Server

2.2.2.2 Software Requirements When installing on a Virtual Machine


The MLDAP Server is qualified to support running in a VMware virtualized environment.
VMware ESXi5.1 is qualified. The customer provides a virtual environment and ensures the
efficient and stable operation of the virtual machine.
The customer needs to prepare a virtual machine according to the following requirements.
Mindray recommends creating a new virtual machine.

Component   Requirement
vCPU        2.4GHz *4Core
vRAM        4GB
Disk        Free memory space of 10GB or above
NICs        100 Mbps

Table 2-2 Basic VMware Requirements for the MLDAP Server

2.2.3 Operating System


The following operating systems are supported in both the physical PCs and in the virtual
machines when the MLDAP Server software is installed:
Windows Server 2008 R2 Standard SP1 64bit
Windows Server 2008 Standard SP2 32bit
Windows Server 2012 R2
Windows Server 2016 Standard

The following operating systems are supported in both the physical PCs and in the virtual
machines when the CMS software is installed:
Windows 7 Professional SP1 32bit
Windows 7 Professional SP1 64bit
Windows Server 2008 R2 Standard SP1 64bit
Windows 10 Professional SP1 64bit 1607
Windows Server 2012 R2
Windows Server 2016 Standard

3 Installing the MLDAP Server
MLDAP Server supports multiple installation methods:
■ Integration with Central Station: When installing the central station, MLDAP Server
is installed by default.
■ Install separately
In both installations, the software is the same and there are no functional differences. For the
installation process of the central station, refer to the central station manual. This chapter
only describes the steps for installing and using the MLDAP server separately.
In general, there is no need to install it separately. A separate installation is only required
when it affects the performance of the central station or the primary server.

Note
The installation should be performed under a user with administrator privilege.
Please prepare a software license or hardware dongle before installation.

3.1 Install MLDAP Server


3.1.1 Install MLDAP Server software
1. Double-click MLDAPServerSetup.exe.

2. Choose the folder in which to install Mindray MLDAP Server if necessary, then click
"Next".

3. Choose the folder in which to save data for Mindray MLDAP Server if necessary, then
click "Install".

4. Wait for the installation to complete, click "Finish", and then reboot.

3.2 Installing MLDAP Config Tool
The MLDAP configuration tool is integrated in the master server (MasterServerUIClient).
1. Double-click MasterServerUIClientSetup.exe, then select the language.

2. Click "Next".

3. Change the installation folder if necessary, then click "Install".

4. Wait for the installation to complete, and then click "Finish".

3.3 License
3.3.1 Import software license
1. Open the LicenseConfig tool.

2. Click the import button to browse to the file path of the license file (.key file).

3. Click the OK button.

3.3.2 Load Hardware license
1. Double-click MicroDogInstdrv.exe.
2. Click "Install Driver".

3. Click "Exit" when the driver has been installed successfully.

3.4 Configuring the IP Address to Connect to MLDAP Service
1. Go to the master server installation directory and open the masterserver.ini file.
2. Modify the IP value of [MLDAP] to the IP address of the host where the MLDAP
Server service is installed.

4 Configuring MLDAP Server
4.1 MLDAP System introduction
The MLDAP System is intended to authenticate and authorize users against the Windows
Active Directory.

4.1.1 MLDAP System Components

Figure 4-1 Mindray LDAP System

MLDAP System Components:


MLDAP Client – The MLDAP Client is the Mindray device that protects access to the
device by authenticating and authorizing users through the MLDAP Service. These devices
include the BeneVision CMS, Mobile Server, and Mindray patient monitors. When the user
wants to access the User Maintenance settings of the BeneVision CMS, the BeneVision
CMS pops up a window asking the user to input the user name and password. The
BeneVision CMS then connects to the MLDAP Service and authenticates the user by the user
name and password. If authentication is successful, it then retrieves all the privileges of
this user for the location (Facility and Department) of the device, to determine if the
user has the correct privileges to access the User Maintenance settings.
MLDAP Server – The responsibilities of the MLDAP Server are: 1) Import user information
from Windows AD, 2) Process requests from the MLDAP clients to authenticate users
and supply to the client the privileges a user has.

The MLDAP Server has two components:


MLDAP Service – The MLDAP Service is a background service. It is responsible for
connecting to Windows AD to get all user information from AD and for controlling the
privilege of each user.
MLDAP Config Tool – The MLDAP Config Tool is a tool to configure the MLDAP
Service.

4.1.2 User/Role/Unit

There are some basic concepts that are used in MLDAP Server:

Unit – For MLDAP, we use a structure of at most two layers: Facility -> Department.
User – A User has the following properties: User Name, Password, First Name, Last
Name, and Clinician ID. The User Name/Password is used to authenticate the user. By
default, the Clinician ID in the MLDAP Server will use the value of the displayName
attribute of the User in AD.
Role – A Role is a group of users that have the same operating privileges in a particular
Unit. For example, the Role "Nurse" may have the privilege Alarm Settings in the Unit
"ICU". If the user Michel is a Nurse in ICU, then she can change the Alarm Settings on all
MLDAP Clients in ICU.

The Mapping relation of MLDAP Server and Windows AD is shown below:

4.1.3 Operating Privilege

On the MLDAP Client, the following Operates are protected by MLDAP:


Remote bed control

If this Operate is assigned to a Role, the users of this Role can control the remote bed.
If the user does not have this Operate privilege, then the user cannot change the settings of
the remote bed and can only view the remote bed. For example, if the user wants to change
the patient demographics of the bed on the WorkStation, he (or she) must first have the Remote
bed control privilege.

Remote Alarm Pause/Reset:

If this Operate is assigned to a Role, the users of this Role can pause the Alarm and reset the
Alarm remotely. For example, a user of a Role that has this Operate privilege can pause the
alarm of the online patient in the Central Station.

Care Group Assignment:

If this Operate is assigned to a Role, the user of this Role can set the Care Group settings on
the Central Station.

System Setup

If this Operate is assigned to a Role:


For Central Station, the user of this Role can view and modify the clinical settings and
Network Setup page in the System Setup dialog.
For N Series, the user of this Role can view and modify the clinical settings and Network
Setup page in the Maintenance dialog.

Send Data to EMR/Export EMR

Send Data to EMR: If this Operate is assigned to a Role, the user of this Role can send vital
sign data to EMR on Vital Sign monitors.
Export EMR: If this Operate is assigned to a Role, the user of this Role can export 12-lead
report to EMR.

Export Discharge Patient:

If this Operate is assigned to a Role, the user of this Role can export historical data of
discharged patient.

Remote View Patient

If this Operate is assigned to a Role, the user of this Role can view patient on CMSViewer
and Mobile Viewer.

Remote Arrh. Alarm Settings

If this Operate is assigned to a Role, the user of this Role can view and modify the
Arrhythmia Alarm Settings remotely. For example, the user of this Role can change the
Arrhythmia Alarm Settings of the online patient from Central Station.

Remote Alarm Settings

If this Operate is assigned to a Role, the user of this Role can view and modify the Alarm
Settings remotely. For example, the user can change the Alarm Settings of the online patient
from Central Station.

Arrh. Alarm Settings

If this Operate is assigned to a Role, the user of this Role can view and modify the
Arrhythmia Alarm Settings locally. For example, the user can change the Arrhythmia Alarm
Settings on the monitors.

Alarm Settings

If this Operate is assigned to a Role, the user of this Role can view and modify the Alarm
Settings locally. For example, the user can change the Alarm Settings on the monitors.

User Maintenance

If this Operate is assigned to a Role:


For Central Station, the user of this Role can view and modify the clinical settings in the
System Setup dialog.
For N Series, the user of this Role can view and modify the clinical settings in the
Maintenance dialog.
For other monitors, the user of this Role can access the User Maintenance dialog.

Device Management

If the device management privilege is assigned to some role, users under this role can view
the device information at the server.

Configuration Management

If the configuration management privilege is assigned to some role, users under this role can
upload one patient monitor's configuration files to the master server. These configuration files
can be synchronized to other patient monitors via the master server.

Version Upgrade Management

If the version upgrade privilege is assigned to some role, users under this role can upload one
patient monitor's version upgrade files to the master server. These version upgrade files can
be used to upgrade other patient monitors collectively via the master server.

Export Log

If a role that is already assigned the device management privilege is also assigned the export log
privilege, users under this role can export logs of patient monitors and the CMS
via the master server.

Service Address Management

If the service address management privilege is assigned to some role, users under this role
can configure the MLDAP address and ADT server address. These addresses can be
synchronized to patient monitors and the CMS via the master server.

Score System Management

If the score system management is assigned to some role, users under this role can configure
and export the EWS scoring protocol. This protocol can be synchronized to patient monitors
via the master server.

4.1.4 Local Directory (LD) and Active Directory (AD)

You can create Users in the Local Directory (LD) of the MLDAP Server, and you can also import
Users from Active Directory. The differences between these two sources are:
1) Users from the LD are changeable: you can edit them. You cannot edit users if they are
imported from AD.
2) The passwords of LD Users are stored in the LD. The MLDAP Server does not import the
passwords of the AD Users, and it also cannot change the password in AD. The MLDAP
Server can only change the password of an LD User.

4.1.5 Location in MLDAP Client


The MLDAP Client has two location settings that affect privileges: Facility and Department.
These location settings will map to the Unit structure: Facility->Department in the MLDAP
Server.
The user should add the Facility->Department Units (two layers) to the MLDAP Server that
match their departmental structure. The MLDAP Client should set the Facility and
Department values to match those on the MLDAP Server. The naming of the facility and
departments should match those used in their EMR system to assign patient locations.

4.1.6 How the MLDAP System Works


The following figure shows how the MLDAP System works:

[Figure: flow between MLDAP Client and MLDAP Server. The client sends Facility\Department,
User, Password and Operate.
1. Authentication: for an LD User, the MLDAP Server itself will authenticate the User; for an
AD User, the MLDAP Server will send the user name/password to AD and get the result.
2. Authorization: 1) Find the matched Unit; 2) Get the role of this User in the Unit; 3) Get the
operate privileges of the role on the Unit, and judge if the user has the requested operate
privilege.]

1. When the user wants to access the protected UI of an MLDAP Client, the login dialog
will pop up and ask the user to input the User Name and Password.
2. The MLDAP Client will connect to the MLDAP Server and send the following information to
the MLDAP Server:
Location information: Facility, Department
Account: User Name, Password
Operate: If the user wants to access a protected UI, then he must have the
appropriate privilege to access the UI.
3. The MLDAP Server will then authenticate the user, and authorize the user if the
authentication is successful.
1) Authentication: The MLDAP Server will first determine if the user is from the LD or
AD. If the user is an LD User, then the MLDAP Server will find the user in the LD
and check the User Name and Password for a match. If the user is an AD User, the
MLDAP Server will send the User Name and Password to the AD and return the
AD authentication result.
2) Authorization: First the MLDAP Server will find the appropriate Unit based on the
location information from the MLDAP Client. It will then look to see if the user has
been assigned a role in the Unit. If the user has a role in the Unit, it will then
determine if the role has the privilege that the user is requesting. If the role has the
privilege, the MLDAP Client is notified that the user can perform the requested
action; if not, the action is denied.
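
The decision sequence in step 3 can be modelled in a few lines. The following Python is an added example, not Mindray code: the class, the PBKDF2 password storage, the stand-in AD check, the "Technician" role and all user data are assumptions constructed for illustration. It shows that a privilege granted in one Unit does not carry over to another, and that every step denies by default.

```python
import hashlib
import hmac
import os


def _pw_hash(password, salt):
    # Assumption: the manual does not say how the LD stores passwords; salted PBKDF2 here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class MldapModel:
    """Toy model of the MLDAP Server decision: authenticate, then authorize per Unit."""

    def __init__(self, ad_bind):
        self.ad_bind = ad_bind     # callable(user, password) -> bool, stands in for Windows AD
        self.ld_users = {}         # LD user name -> (salt, password hash)
        self.ad_users = set()      # names imported from AD; no passwords are imported
        self.unit_roles = {}       # (facility, department) -> {user name: role name}
        self.role_operates = {}    # ((facility, department), role name) -> set of Operates

    def add_ld_user(self, user, password):
        salt = os.urandom(16)
        self.ld_users[user] = (salt, _pw_hash(password, salt))

    def authenticate(self, user, password):
        if user in self.ld_users:                  # LD User: checked by the server itself
            salt, stored = self.ld_users[user]
            return hmac.compare_digest(stored, _pw_hash(password, salt))
        if user in self.ad_users:                  # AD User: the AD result is returned
            return bool(self.ad_bind(user, password))
        return False                               # unknown user: deny

    def authorize(self, facility, department, user, operate):
        unit = (facility, department)
        if unit not in self.unit_roles:            # 1) find the matched Unit
            return False, "no matching Unit"
        role = self.unit_roles[unit].get(user)     # 2) role of this user in the Unit
        if role is None:
            return False, "no Role in this Unit"
        if operate not in self.role_operates.get((unit, role), set()):
            return False, "Role lacks this Operate"   # 3) Operates of the role on the Unit
        return True, "granted via Role " + role

    def handle_request(self, facility, department, user, password, operate):
        """What an MLDAP Client sends: location, account, requested Operate."""
        if not self.authenticate(user, password):
            return False, "authentication failed"
        return self.authorize(facility, department, user, operate)


def build_demo():
    """Constructed data: one AD user who is a Nurse in ICU only, one LD user."""
    fake_ad = {"michel": "constructed-ad-password"}   # stand-in for the AD check

    def ad_bind(user, password):
        expected = fake_ad.get(user, "")
        return hmac.compare_digest(expected.encode(), password.encode())

    model = MldapModel(ad_bind)
    model.ad_users.add("michel")
    model.add_ld_user("ld_tech", "constructed-ld-password")
    icu = ("NanshanHospital", "ICU")
    ccu = ("NanshanHospital", "CCU")
    model.unit_roles[icu] = {"michel": "Nurse", "ld_tech": "Technician"}
    model.unit_roles[ccu] = {"ld_tech": "Technician"}
    model.role_operates[(icu, "Nurse")] = {"Alarm Settings"}
    model.role_operates[(icu, "Technician")] = {"System Setup"}
    model.role_operates[(ccu, "Technician")] = {"System Setup"}
    return model


if __name__ == "__main__":
    m = build_demo()
    pw = "constructed-ad-password"
    for dept, op in [("ICU", "Alarm Settings"), ("ICU", "System Setup"), ("CCU", "Alarm Settings")]:
        print(dept, op, m.handle_request("NanshanHospital", dept, "michel", pw, op))
```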

4.1.7 Default Roles in MLDAP Server

There are two Roles that are created by the MLDAP Server by default.

Role Name                   Role Description
Department Administrators   This role has the administrative responsibility for a department.
Administrators              This role has the administrative responsibility for the whole hospital or
                            MLDAP Server.

If the user is a Department Administrator in a Facility and Department (NanshanHospital\ICU),
then he can administer the users in that Unit and can assign operating privileges of the Unit to
roles. When this user logs in, he can only view and manage the Users Management and
Modify Password (if it is an LD User) tabs.
If the user is an Administrator, then he has the administrator privileges for all Units. When
this user logs in, he can view and manage the Users Management, Role Management,
Dept. Management, LDAP Management, Modify Password (if it is an LD User), and
Advanced Setting tabs.

4.2 Configuring the MLDAP Server
To configure the MLDAP system, the Hospital IT department first needs to add the OUs and
Groups in the AD Domain. Please contact the IT department before installing the MLDAP
System.

4.2.1 Change the Clinician ID mapping


By default, the Clinician ID in MLDAP Server will use the value of the displayName
attribute of the User in AD. The Clinician ID is used by VS900 and Accutorr7 vital signs
monitors. If the Hospital desires to use another attribute, you should change the mapping
by following the steps in section 4.3.15.

4.2.2 Assign a LD User as the Global Admin


1. Log in with the administrator account. Please refer to section 4.3.1 on how to log in.
2. Add an LD User and assign this User the Role: Administrators. Please refer to
sections 4.3.12 and 4.3.13 on how to add an LD user and assign the role to the User.
3. Log in using the newly added account (the default password is "888888") and change the
password.

4.2.3 Add Windows AD Server


1. Login using a Global Admin account.
2. Add an LDAP Server of the hospital. Please refer to section 4.3.2 for details on how to do
this.
3. Test the LDAP Server. Please refer to section 4.3.3 for details on how to do this.

4.2.4 Assign privilege to user
1. Create hospitals and departments, refer to section 4.3.5
2. Create a role, refer to section 4.3.7
3. Assign the operation rights to the role, refer to section 4.3.9
4. Import the user or user group; refer to sections 4.3.10 and 4.3.11
5. Assign roles to users, refer to section 4.3.13

4.3 Basic function of the MLDAP Server


4.3.1 Login
1. Open the MLDAP Config Tool and input the master IP.

Input the User Name and Password. For the first installation, you should use the
administrator account to log in and initialize the system.
User name: administrator
Password: Mindray99!
Click the "Login" button.

4.3.2 Add LDAP Server


Click the "LDAP Management"

1. Click the "+"

2. Input the Server Address of the Windows AD Server.


3. Input the User Name and Password that has the privilege to access the AD.

NOTE
Be sure this user account is set to Password Never Expires in the AD Domain.
Otherwise future synchronization will fail when the password expires.

4. Choose the Sync Time. The MLDAP Server will synchronize with the AD once every 24
hours. Choose the time at which the hospital has the fewest MLDAP Clients connected to
the MLDAP Server.
5. Click "OK"

4.3.3 Test the LDAP Server


1. Click the "LDAP Management"
2. Click the Edit icon of the AD Server that was just created.

3. Click the "Network Test" button to test the connection between the MLDAP Server and the
AD Server

4. If the connection is good, a success message will be shown. If an error occurs, please
check with the IT department of the hospital to confirm that the Server Address, User Name
and Password are correct.

4.3.4 Delete the LDAP Server


1. Click the "LDAP Management"
2. Click the delete icon to delete the LDAP Server.

CAUTION
When the LDAP Server is deleted, the users from this LDAP Server will be
deleted from the MLDAP Server, and these users will no longer be able to use
any MLDAP Client device.

4.3.5 Add Facility and Department
1. Click the "Dept. Management"

Click the "+"


Enter the "Name" and "Description", then click "OK".

NOTE
Please check "Default" if all the MLDAP Clients are located in the hospital.

2. Click the "+ Add Dept."

3. Enter the "Name", "Description", click the "OK".

4. Click the "Dept. Management" to view all Facilities and Departments.

4.3.6 Delete Facility and department


Click the "Dept. Management"
1. Select the facility and department you want to delete in the department page.
2. Click the "Delete" button

3. Click "OK" in the popup warning dialog

4.3.7 Add Role


Click the "Role Management"
Click the "Add" button in the bottom area.
Input the "Name" and "Description", and then click the "OK" button.

4.3.8 Delete Role
1. Click the "Role Management"

Select the Role you want to delete, then click "Delete" button.
Click "OK" in the warning dialog.

4.3.9 Assign Operates for the Role


1. Click the "Role Management"

2. Select the Role, and then check the Operates on the right panel. You can assign different
operates to this Role in different Units.

In the above example, the Nurse has been assigned three operates (alarm setup, remote view
patient and send Data to EMR/Export EMR).

4.3.10 Import User from AD


It is recommended to import users automatically by importing the Group to which the users
belong.
The following steps are for importing a single user from AD.
Click "Users Management", click the "Add" button.
1. Select the source as "LDAP", and enter the user name, then click the search button. If you
do not know the exact name of the user, enter the part you know and the MLDAP Server
will return all the users that contain that text.

2. Check the user, then click "Import" button.

Note: the Source of the item in the search result is the IP address of the Windows AD.

4.3.11 Import User group from AD


It is recommended to import users automatically by importing the Group to which the users
belong.
The following steps are for importing a user group from AD.
1. Click "Users Management"; click the "Add" button.
2. Select the source as "LDAP", and enter the user group name, then click the search button.
If you do not know the exact name of the user group, enter the part you know and the
MLDAP Server will return all the user groups that contain that text.

3. Check the user group, then click the "Import" button. All users that belong to the user
group can be imported automatically.

Note: the Source of the item in the search result is the IP address of the Windows AD.

4.3.12 Add LD User


Click "Users Management", click the "Add" button.
1. Select the source as "Local"

2. Enter the User Name, First Name, Last Name, Clinical ID, and select the Unit that this user
belongs to. Click the "Confirm" button.

Note: The default password for the user in LD is "888888". The user should log in and change
the password to a secure one.

4.3.13 Assign Roles for User
Click "Users Management"
1. Select the user, and check the role in the Unit.

In this example, we have assigned the Nurse role in the NashanHospital\ICU to J.Born.
J.Born now has all the operate privileges of the Nurse role in the NashanHospital\ICU.

4.3.14 Delete User


1. Click "Users Management"

2. Select the user, and then click the "Delete" button.

3. Click "OK" in the Warning dialog.

4.3.15 Map the Clinician ID to another property of the User in AD

By default, the Clinical ID in the MLDAP Server uses the value of the displayName attribute
of the User in AD. This can be changed to meet the user's needs.
1. Open the MLDAP Service installation folder; find the config file named "MLDAPCfg.ini".
2. Open this config file with Notepad, and then change the value of Clinical ID to any attribute
of the User in AD.

3. Restart the MLDAP Service.
   1. In the command line window, input services.msc and press Enter.
   2. In Services, right-click MLDAPServerServiceCtrl, then click "Restart".

4.3.16 Change Password
Only the User in the LD can change the password.
1. Open the MLDAP Config Tool
2. Login by entering the User Name and Password

Click the "Modify Password" Icon.


3. Enter the Old Password, New Password, and then click the "Confirm" button.

If you have forgotten the password, please ask the MLDAP administrator who has been
assigned the role ("administrators" or "Department administrators") to reset the
password.

4.3.17 Reset Password


Only the administrator ("administrators" or "Department administrators") can reset the
password of an LD User.
1. Log in as the administrator
2. In the User Manager, select the LD User whose password you want to reset. Then click the
"Modify User" button.

3. Click the "Reset Password" button. The password will be reset to the default password
"888888".

4.3.18 Import Permission File
If users need to add a new operation permission, they need to import the permission file.
1. Click the "Advanced Settings" icon
2. Click the "…" button and select the file from Mindray Company
3. Click the "import" button. A message is displayed when the import succeeds or fails.

4.4 Troubleshooting

4.4.1 AD User account cannot login on MLDAP Client


Possible causes are:
1. This User has not been imported to the MLDAP Server.
2. This User is newly created in AD, and the attribute "User must change password at next
logon" is checked. The user must change the password first, and can then
log in on the MLDAP Client using the new password.

4.4.2 Error message is shown when trying to import user from AD: "Over Maximum number of users"

The license imported in MLDAP limits the maximum number of users. Please check the license.

4.4.3 On the client, the authentication is unsuccessful


Possible reasons:
1. The IP address and port configuration of the MLDAP Server on the client is incorrect.
2. The user name or password was entered incorrectly.
3. The hospital and department are configured incorrectly, or only the department is
configured, and the default hospital is not set on the MLDAP Server.
4. The user does not have the appropriate permissions.

5 Password and folders
5.1 User and Password
When the MLDAP Service is installed successfully, the following user will be created:
User             Password
administrator    Mindray99!

5.2 Log folder and files


MLDAP Server:
Path: C:\ProgramData\mindray\MLDAP\MLDAPServer.log
Description: Log info for debugging. The C:\ProgramData folder is hidden by default.

MLDAP Server integrated in CMS:
Path: D:\ProgramData\Log\CMSlog\MLDAPServer\MLDAPServer.log
Description: Log info for debugging. The

5.3 Configuration Files


MLDAP Server:
Path: C:\ProgramFiles(x86)\Mindray\MLDAPServer\MLDAPCfg.ini
Description: This configuration file is for the MLDAP Service and is located in the
installation folder. You can change the TCP port (6664 by default) and the Clinician ID
mapping in this file. Any change to this configuration requires a restart of the MLDAP
Service.

MLDAP Server integrated in CMS:
Path: C:\ProgramFiles(x86)\MindrayCMS\MLDAPServer\MLDAPCfg.ini
Description: This configuration file is for the MLDAP Service and is located in the
installation folder. You can change the TCP port (6664 by default) and the Clinician ID
mapping in this file. Any change to this configuration requires a restart of the MLDAP
Service.

5.3.1 MLDAP Service Configuration File
Any change to this configuration file requires a restart of the MLDAP Service for the change
to take effect.

You can change the following:

MDListenPort: The TCP port used by the MLDAP Service for Mindray Devices that use the MD
Protocol. If you change this port to another value, all the MLDAP Client and MLDAP Web
that connect to this service must be set to the right TCP port accordingly.
MD2ListenPort: The TCP port used by the MLDAP Service for Mindray Devices that use the MD2
Protocol. If you change this port to another value, all the MLDAP Client and MLDAP Web
that connect to this service must be set to the right TCP port accordingly.
Clinical ID: By default, the Clinical ID in the MLDAP Server uses the value of the
displayName attribute of the User in AD. This can be changed to meet the user's needs.
DBPATH: The path of the MLDAP database.
FIREWALL: MLDAP Server MD Listen=6664, MLDAP Server MD2 Listen=6665 and
MLDAP Server can be added to the firewall after the MLDAP Server has been installed.

PN: H-046-013840-00 (1.0)
