
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

LDAP integration allows you to connect your instance to an LDAP or AD server and use it as a source of user data. It provides the ability to connect to a directory service that stores authentication data, such as usernames, passwords, user home directories used for keeping business and other data, and so on. The main objective of the LDAP engine is importing users into the system. Through this, synchronization with various corporate services can be achieved, and one account can be used to authorize in all corporate services, such as email, website, VoIP, and so on.


The RDN (relative distinguished name) is the attribute defining the search directory, for example: dc=instance,dc=com

In this client-server infrastructure scheme, the SimpleOne instance has to be a client connecting to the LDAP server.

Configuring an LDAP connection

The system synchronizes with the LDAP server in two ways:

  • via Scheduled Jobs (automatic) – a scheduled script that defines the synchronization period (for example, every 3 hours). See the Scheduled Script article to learn more.
  • via Autoprovision (triggered by logging in) – when a user logs in, the system updates the requested data. Configure this kind of synchronization via the user.ldap_autoprovision property.

Tip

You can also use third-party authorization services on your instance. See the Single Sign-On article to learn more.

Establishing LDAP connection

To establish the connection between your SimpleOne instance and the LDAP server, complete the following steps:

  1. Specify the LDAP server.
  2. Define the LDAP URL.
  3. Set up the LDAP Definition.
  4. Check the settings.
  5. (Optional) Import data.

Additional tools for setting up an LDAP connection are described in the sections below.

Specifying an LDAP server

To configure an LDAP server, complete the steps below:

  1. Navigate to System LDAP → LDAP Servers.
  2. Click New and fill in the fields.
  3. Click Save or Save and Exit to apply changes.
  4. Copy the current record ID.

LDAP Server form fields

  • Name (mandatory) – Enter the server name.
  • Root Directory (mandatory) – Enter the RDN (relative distinguished name) of the search directory. Example: dc=simpleone, dc=ru.
  • Active (optional) – Select this checkbox to make the server active or inactive.
  • Username (mandatory) – Specify the username that authenticates the LDAP connection.
  • Password (optional) – Specify the server's password.

Info

If the Root Directory (RDN) attribute is not specified, the LDAP server will attempt to reach the server root directory during the authorization process. If the user logging in is not authorized to access this directory, the authorization process will be interrupted.
Defining an LDAP URL

Sometimes, customer infrastructure may contain more than one LDAP server, for example, a standby (reserve) server for fault tolerance. In this case, you may need to specify which server is used for authorization on the SimpleOne instance by arranging the URL order. If you have more than one server, create a separate LDAP URL record for each of them.

To create a URL, complete the steps below:

  1. Navigate to System LDAP → LDAP URL.
  2. Click New and fill in the fields.
  3. Click Save or Save and Exit to apply changes.

LDAP URL form fields

  • URL (mandatory) – Enter the LDAP URL. Example: ldaps://192.168.1.12:363
  • Active (optional) – Select this checkbox to make the URL active or inactive.
  • Order (optional) – Specify the order of this URL if there is more than one. URLs are processed in descending order.
  • Operational Status (optional) – Shows the connection status of this URL. Available options:
    • Ready to connect
    • Connected
    • Disconnected
    • Error
  • Server (mandatory) – Specify the appropriate LDAP server (choose from the previously created records).
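The following added example (not part of the SimpleOne documentation or product code) models how ordered LDAP URL records are processed: active URLs are tried in descending Order, the Test connection check stops after the first one, Test all connections tries every one, and each record's Operational Status is updated. The probe function, the record class and the sample addresses are constructed assumptions; a real deployment would bind to the server instead.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urlsplit


@dataclass
class LdapUrl:
    """One LDAP URL record with the form fields described above (constructed model)."""
    url: str
    order: int = 0
    active: bool = True
    operational_status: str = "Ready to connect"


def parse_ldap_url(url: str) -> Tuple[str, int, bool]:
    """Return (host, port, encrypted); missing ports default to 636 for ldaps, 389 for ldap."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    encrypted = parts.scheme == "ldaps"
    return parts.hostname, parts.port or (636 if encrypted else 389), encrypted


def check_connections(urls: List[LdapUrl], probe: Callable[[str, int], bool],
                      test_all: bool = False) -> List[str]:
    """Try active URLs in descending Order; stop after the first unless test_all.

    probe(host, port) is a hypothetical connector: True on success, False if the
    server refuses the bind, OSError on a network failure. Returns the URLs that connected.
    """
    connected = []
    for rec in sorted((u for u in urls if u.active), key=lambda u: u.order, reverse=True):
        host, port, _ = parse_ldap_url(rec.url)
        try:
            ok = probe(host, port)
        except OSError:
            rec.operational_status = "Error"   # network error, not a refused bind
            ok = False
        else:
            rec.operational_status = "Connected" if ok else "Disconnected"
        if ok:
            connected.append(rec.url)
        if not test_all:
            break   # "Test connection" only checks the first URL by Order
    return connected


def fake_probe(host: str, port: int) -> bool:
    """Constructed stand-in for a real bind: the primary times out, the standby answers."""
    if host == "192.168.1.12":
        raise OSError("connection timed out")
    return host == "192.168.1.13"


def sample_records() -> List[LdapUrl]:
    """Constructed sample: primary (Order 10), standby (Order 5), an inactive plain-LDAP URL."""
    return [LdapUrl("ldaps://192.168.1.12:363", order=10),
            LdapUrl("ldaps://192.168.1.13", order=5),
            LdapUrl("ldap://192.168.1.14", order=1, active=False)]
```

Because the single check stops at the highest-Order URL, a failing primary reports Error even when the standby would connect; run the all-connections check to see the full picture.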

Adding a certificate

If you want to establish a secure LDAP connection (LDAP over SSL, LDAPS) via port 636, you need to provide the SSL certificate. For this, complete the steps below:

  1. Navigate to System LDAP → Certificates.
  2. Click New to create a new record.
  3. Attach your SSL certificate (.crt or .ca-bundle) file.
  4. Click Save or Save and Exit to apply changes.

The form will take the information from your certificate and place it into the relevant fields.

Otherwise, your LDAP connection will proceed insecurely; generally, port 389 (TCP/UDP) is used in this case.

SSL Certificate form fields

  • Name – Specify the record name.
  • Subject – Certificate issuing attributes. This field is populated automatically based on the provided certificate data. For more information about these attributes, see RFC 5280.
  • Issuer – The certificate issuer. This field is populated automatically based on the provided certificate data.
  • Short description – Specify a brief description for the record.
  • Active – Select this checkbox to make this certificate active or inactive.
  • Valid from – The date from which this certificate is valid. This field is populated automatically based on the provided certificate data.
  • Valid to – The date until which this certificate is valid. This field is populated automatically based on the provided certificate data.

Tip

When the certificate record is created, it will be referenced in the relevant LDAP Server record. Click the Certificates list to see the related certificates.

LDAP Definition

After you have configured an LDAP server and an LDAP URL and performed all necessary preparations in the customer infrastructure, you are ready to set up an LDAP Definition. This is a formalized query to the Active Directory server; the information it contains is described in the Importing using LDAP article.

To configure the LDAP definition, perform the following steps:

  1. Navigate to System LDAP → LDAP Definition.
  2. Click New and fill in the fields.
  3. Click Save or Save and Exit to apply changes.

You can check the LDAP structure by clicking Browse LDAP on the corresponding LDAP Server record.

Checking settings

Make sure that the connection is set up by performing the following steps:

  1. Navigate to System LDAP → LDAP Servers.
  2. Open the record you need.
  3. Click Test connection. The system will check the first URL connection defined by the order. If the connection is fine, you will see the Successfully connected message.
  4. Click Test all connections. The system will check all defined connections. If the connections are fine, you will see the All connections are checked message.

If an error is thrown, check LDAP Log records.

LDAP Import

Import all necessary data from your LDAP server to the instance.

To complete the data import using LDAP, you will need to set up the following system elements:

  • LDAP Definition – specifies filters for retrieving data from a defined LDAP table.
  • Import Source – loads raw data for further processing and transformation.

The scheme below illustrates the process of data import from an LDAP server.


See the Importing using LDAP article to learn more.

LDAP Log

If the system threw an error or your LDAP integration needs troubleshooting, you can check the log messages to find the cause. In the LDAP Log, you can find records of failed authorization attempts or attempts to bypass the authorization policy. All these messages are written into the Logs (sys_log) table.

To see the LDAP logs, complete the steps below:

  1. Navigate to System LDAP → LDAP log.
  2. Find the records you need using the Condition Builder and other filtering tools, such as Show Matching or Filter Out.

LDAP Log form fields

  • Source (mandatory) – Displays the source this log record comes from (for example, LDAP Authorization or LDAP Autoprovision).
  • Message (optional) – The log record message text.
  • Level (mandatory) – The error level. Available options:
    • Info
    • Error
    • Warning
    • Debug
  • Username (optional) – Reference to the user who initiated the creation of this record.

LDAP System Properties

Some of the LDAP capabilities can be configured on the client side using the System Properties engine. These properties are listed below.

  • user.authorization_when_no_ldap_connection (Boolean, default true) – Enables authorization if there is no LDAP connection. In this case, locally created credentials are used.
  • user.ldap_authentication (Boolean, default true) – Enables or disables LDAP authentication.
  • user.ldap_autoprovision (Boolean, default true) – Enables the automatic creation of users in the User table if the user exists in LDAP but there is no such record on the instance.
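The following added example (not SimpleOne code) models how the three properties above decide the outcome of a login: LDAP bind when the server is reachable, autoprovisioning of a missing instance account, and fallback to locally created credentials when LDAP is down. The property names are from the page; the instance state, the outcome labels and the rule that an LDAP user without an instance account is refused when autoprovision is off are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class LdapProps:
    """The three LDAP system properties, with the page's default values."""
    ldap_authentication: bool = True                     # user.ldap_authentication
    authorization_when_no_ldap_connection: bool = True   # user.authorization_when_no_ldap_connection
    ldap_autoprovision: bool = True                      # user.ldap_autoprovision


@dataclass
class Instance:
    """Constructed instance state: User table, local passwords, and the directory's view."""
    local_users: Set[str] = field(default_factory=set)
    local_credentials: Dict[str, str] = field(default_factory=dict)
    ldap_reachable: bool = True
    ldap_credentials: Dict[str, str] = field(default_factory=dict)  # what the LDAP bind accepts


def login(username: str, password: str, props: LdapProps, inst: Instance) -> str:
    """Return 'ldap', 'ldap+autoprovision', 'local' or 'denied' for one login attempt."""
    if props.ldap_authentication and inst.ldap_reachable:
        if inst.ldap_credentials.get(username) != password:
            return "denied"          # logged with Source = LDAP Authorization
        if username in inst.local_users:
            return "ldap"
        if props.ldap_autoprovision:
            inst.local_users.add(username)   # record created in the User table
            return "ldap+autoprovision"
        return "denied"              # assumption: no instance account and no autoprovision
    if props.ldap_authentication and not props.authorization_when_no_ldap_connection:
        return "denied"              # LDAP is down and local fallback is disabled
    # LDAP authentication disabled, or LDAP down with fallback allowed: local credentials
    if username in inst.local_users and inst.local_credentials.get(username) == password:
        return "local"
    return "denied"
```

With user.authorization_when_no_ldap_connection enabled, an LDAP outage silently shifts trust to the local password store, so those local credentials need the same care as directory passwords; with it disabled, an outage locks every LDAP user out, which is what the LDAP Log will show.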