The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

LDAP integration allows you to connect your instance to an LDAP or Active Directory (AD) server and use it as a source of user data. It provides the ability to connect to a directory service that stores authentication data, such as usernames, passwords, user home directories used for keeping business and other data, and so on. The main objective of the LDAP engine is importing users into the system. Through this, synchronization with various corporate services can be achieved, and one account can be used to sign in to all corporate services, such as email, website, VoIP, and so on.


The Root Directory of an LDAP connection is the base distinguished name (DN) of the directory subtree that searches start from, for example dc=instance,dc=com. Each comma-separated component of such a DN (for example, dc=instance) is a relative distinguished name (RDN).

In this client-server scheme, the SimpleOne instance acts as the LDAP client and connects to the LDAP server.

Configuring an LDAP connection

The system synchronizes with the LDAP server in two ways:

  • via Scheduled Scripts (automatic) – a scheduled script defines the synchronization period (for example, every 3 hours). See the Scheduled Script article to learn more.
  • via Autoprovision (triggered by logging in) – when a user logs in, the system updates the data requested for that user. Configure this way of synchronization via the user.ldap_autoprovision property.
Tip

You can also use third-party authorization services on your instance. See the Single Sign-On article to learn more.

Establishing LDAP connection

To establish the connection between your SimpleOne instance and the LDAP server, complete the following steps:

  1. Specify the LDAP server.
  2. Define the LDAP URL.
  3. Set up the LDAP Settings.
  4. Check the settings.
  5. (Optional) Import data.

Additional tools for setting up the LDAP connection, the LDAP Log and the LDAP system properties, are described at the end of this article.

Specifying an LDAP server

To configure an LDAP connection, you first need to register the LDAP server in the system. For this, complete the steps below:

  1. Navigate to LDAP → LDAP Servers.
  2. Click New and fill in the fields.
  3. Click Save to apply changes.

LDAP Server form fields

Field | Mandatory | Description
Name | Y | Enter the server name.
Root Directory | N | Enter the base DN of the search directory. Example: dc=simpleoneinstance,dc=ru
Active | N | Select this checkbox to make the server active or inactive.
Username | Y | Specify the account that authenticates (binds) the LDAP connection.
Password | N | Specify the password of that account.

Because the bind password is stored on the instance, use a dedicated service account with read-only rights to the directory subtree you import from rather than an administrative account.


Info

If the Root Directory is not specified, then during the authorization process the LDAP server will attempt to reach the server root directory. If the user logging in is not authorized to access this directory, the authorization process will be interrupted.


Defining an LDAP URL

Customer infrastructure may contain more than one LDAP server, for example, a standby (reserve) server for fault tolerance. In this case, you may need to specify which server is used for authorization on the SimpleOne instance by arranging the URL order. If you have more than one server, create a separate LDAP URL for each of them.

To create a URL, complete the steps below:

  1. Navigate to LDAP → LDAP URL.
  2. Click New and fill in the fields.
  3. Click Save or Save and Exit to apply changes.

LDAP URL form fields

Field | Mandatory | Description
URL | Y | Enter the LDAP URL, including the scheme and, if it differs from the default, the port. Example of a TLS-protected connection: ldaps://192.168.1.12:636. The ldap:// scheme is unencrypted and defaults to port 389; ldaps:// defaults to port 636.
Active | N | Select this checkbox to make the URL active or inactive.
Order | N | Specify the order of this URL if there is more than one similar item. In this case, they will be processed in descending order.
Status | N | State of the LDAP connection. Available options:
  • Ready to connect – the backup server is set up and ready to be used.
  • Connected – the connection is established.
  • Disconnected – the system will not synchronize with this server.
  • Error – something went wrong. Check the LDAP Log.
Server | Y | Specify the appropriate LDAP server (choose it from the previously created records).
Tip

If you want to establish a secure LDAP connection (ldaps://, port 636 by default), you need to provide the SSL certificate, normally the certificate of the CA that issued the LDAP server's certificate, or the server certificate itself if it is self-signed. Plain ldap:// transmits the bind password and directory data unencrypted, so use ldaps:// whenever the network between the instance and the server is not fully trusted.

For this, complete the steps below:

  1. Navigate to LDAP → Certificates.
  2. Click New to create a new record.
  3. Attach your certificate (.crt or .ca-bundle) file.
  4. Click Save.

The form will get information from your certificate and place it into the relevant fields. Make sure the host name or IP address in the LDAP URL matches the name the server certificate was issued for; otherwise certificate validation fails.
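As an added example (not SimpleOne code), the following Python checks the values an administrator would enter in the LDAP URL form before they are saved: it parses the URL, fills in the default port for the scheme, rejects anything that is not ldap:// or ldaps://, and warns about scheme/port combinations that are usually mistakes (plain ldap://, ldaps:// on port 389). The host names, addresses and record values are constructed for the example, and the ordering helper assumes, as stated above, that URLs are processed in descending Order.

```python
"""Sanity-check LDAP URL records before saving them (added example, not SimpleOne code).

Models the LDAP URL form: each record has a URL, an Active flag and an Order.
All host names and record values below are constructed for the example.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# IANA default ports: 389 for plain/StartTLS LDAP, 636 for LDAP over TLS.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapUrlRecord:
    url: str
    active: bool = True
    order: int = 100


def parse_ldap_url(url: str):
    """Return (scheme, host, port); raise ValueError for anything the form should reject."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"{url!r}: scheme must be ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError(f"{url!r}: host is missing")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def is_valid_ldap_url(url: str) -> bool:
    try:
        parse_ldap_url(url)
        return True
    except ValueError:
        return False


def lint_ldap_url(url: str):
    """Warnings for URLs that are syntactically fine but usually wrong in practice."""
    scheme, _host, port = parse_ldap_url(url)
    warnings = []
    if scheme == "ldap":
        warnings.append("plain ldap://: bind password and directory data travel unencrypted; prefer ldaps://")
    if scheme == "ldaps" and port == 389:
        warnings.append("ldaps:// on port 389: that port normally speaks plain LDAP, so the TLS handshake usually fails")
    if scheme == "ldap" and port == 636:
        warnings.append("ldap:// on port 636: that port normally expects TLS from the first byte")
    return warnings


def connection_attempt_order(records, descending: bool = True):
    """Active, valid URLs in the order the instance tries them.

    The article states that URLs are processed in descending Order; pass
    descending=False if your instance tries the lowest Order first.
    """
    active = [r for r in records if r.active and is_valid_ldap_url(r.url)]
    return [r.url for r in sorted(active, key=lambda r: r.order, reverse=descending)]


if __name__ == "__main__":
    records = [  # constructed sample records
        LdapUrlRecord("ldaps://192.168.1.12:636", order=2),
        LdapUrlRecord("ldaps://192.168.1.13", order=1),
        LdapUrlRecord("ldap://192.168.1.14", active=False, order=3),
    ]
    for rec in records:
        for warning in lint_ldap_url(rec.url):
            print(f"{rec.url}: {warning}")
    print(connection_attempt_order(records))
```

Run the lint over every URL record before clicking Test connection: a scheme/port mismatch produces a generic connection error in the LDAP Log that is slower to diagnose than the warning above.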

What the connection is used for

The configured connection is used for authorization on the portal or for synchronizing users with the portal. This is where the LDAP Definition comes in.

An LDAP Definition (an LDAP Settings record) is the query to the Active Directory server with which users are retrieved from it. It refers to an LDAP server. The LDAP Definition is then used in an Import Source.

The Filter is the selection: it specifies the address (base DN) from which retrieval starts and the filter conditions, and all users matching these parameters are retrieved. This list of users can then be synchronized with the instance's own user list; this goes through the import.

The Query field is the attribute by which a user is identified in the system.

There are three properties:

user.ldap_autoprovision – when a user logs in and does not exist in the system, the instance queries LDAP, checks that the username and password are valid credentials, and creates the user. All users created this way get the LDAP server through which they were created and the source, that is, the LDAP address (DN) of the user record.

user.authorization_when_no_ldap_connection – use local credentials if the LDAP server is unavailable.

user.ldap_authentication – enables LDAP authentication itself.

The global goal of the LDAP mechanism is importing users into the system. This way the instance is also synchronized with Outlook and with the Exchange account: one account for everything.

LDAP log

LDAP → LDAP Log

Here you can see who logs in and through which server, and look at errors, that is, who tried to log in with wrong credentials.

The logs are actually written to sys_log; the LDAP Log shows records from the same table with a filter applied.


LDAP Settings

After configuring an LDAP server and an LDAP URL and performing all necessary customer infrastructure preparations, you are ready to set up the LDAP Settings.

To configure the LDAP Settings, perform the following steps:

  1. Navigate to LDAP → LDAP Settings.
  2. Click New and fill in the fields.
  3. Click Save or Save and Exit to apply changes.

The LDAP Settings form fields are described in the Importing using LDAP article.

You can check the LDAP structure by clicking Browse LDAP on the corresponding LDAP Server record.

Checking settings

Make sure that the connection is set up by performing the following steps:

  1. Navigate to LDAP → LDAP Servers.
  2. Open the record you need.
  3. Click Test connection. The system checks the first URL connection as defined by the Order field. If the connection is fine, you will see the Successfully connected message.
  4. Click Test all connections. The system checks all defined connections. If the connections are fine, you will see the All connections are checked message.

If an error is thrown, check the LDAP Log records.

LDAP Import

Import all necessary data from your LDAP server to the instance.

To complete the data import using LDAP, you need to set up the following system elements:

  • LDAP Settings – specifies the filters for retrieving data from the defined LDAP directory.
  • Import Source – loads the raw data for further processing and transformation.

The scheme below illustrates the process of data import from an LDAP server.

[Image: scheme of the data import from an LDAP server]

See the Importing using LDAP article to learn more.

Example of the integration with AD

The out-of-the-box solution contains an example of the connection to the Active Directory (AD) service.

Check out the examples mentioned below before setting up the LDAP import on an instance. The settings of the examples are protected from changes. In the hamburger menu of each record, click Make a copy to copy the example setting and change its values.

The following records are created and configured:

  • the Demo_Active_Directory LDAP Server with the LDAP URL example. In your copy, specify the parameters of your server.
  • the SimpleOneCourses1 and SimpleOneCourses2 LDAP Settings. Use one of these definitions as an example to create a working connection to the AD service.
    The description of the field values:

    Filter
      SimpleOneCourses1: (&(objectClass=person)(sn=*))
      SimpleOneCourses2: (&(objectClass=person,top)(sn=*))
      The defined filter selects user records that have a surname (sn) set, whatever its value, to import from the AD service. Note that objectClass is a multi-valued attribute; the standard way to require both classes is (&(objectClass=person)(objectClass=top)), so verify with Browse LDAP that the filter you copy returns the records you expect. In AD, objectClass=person also matches contact and computer objects; add (objectClass=user) to keep only user accounts.

    Query Field
      sAMAccountName
      The attribute that is used for connecting with the AD and querying the records.

    Attribute List
      samaccountname,sn,givenname,distinguishedname,msDS-cloudExtensionAttribute6,telephonenumber,mobile,mail,manager,company,useraccountcontrol,thumbnailphoto
      The attributes the LDAP query returns.
    • the LDAP Users Import Source. Use a single Import Source per LDAP Settings record.
    • the Daily Import SimpleOne Employees and Daily Import SimpleOne Employees 2 scheduled imports. The AD data is imported daily at a specific time. Use one of the imports as an example to create your scheduled import.
    • the Daily Deletion of Obsolete Import Sets scheduled script. The script deletes inactive import sets. When an import set is deleted, a cascading deletion occurs for the Import Set column of the Import Set Row table.
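The import filters above are constants, but the lookup that autoprovision performs at login (see the LDAP system properties) has to combine the Query Field with a login typed by the user. The added example below (not SimpleOne code) builds both kinds of filter with RFC 4515 escaping, so that a login such as *)(sAMAccountName=* cannot widen the search, and shows an AD-specific variant of the import filter that excludes computer, contact and disabled accounts. The objectCategory clause and the userAccountControl bit-matching rule are AD-specific additions that do not appear on the page, and the hostile login is constructed input.

```python
"""Build LDAP search filters without injection (added example, not SimpleOne code).

RFC 4515 requires the characters * ( ) \\ and NUL inside an assertion value to be
written as \\2a \\28 \\29 \\5c \\00; everything else is taken literally.
"""
import re

_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# Attribute names in RFC 4512 descr form; numeric OIDs are not accepted by this example.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_attribute_name(name: str) -> bool:
    return bool(_ATTR_NAME.match(name))


def naive_lookup_filter(query_field: str, login: str) -> str:
    """VULNERABLE: splices the login in raw. Kept only to show what escaping prevents."""
    return f"(&(objectClass=person)({query_field}={login}))"


def user_lookup_filter(query_field: str, login: str) -> str:
    """Filter for the autoprovision lookup: the account whose Query Field equals the login.

    The attribute name comes from configuration and is validated; the login comes
    from the user and is escaped.
    """
    if not is_valid_attribute_name(query_field):
        raise ValueError(f"invalid attribute name: {query_field!r}")
    return f"(&(objectClass=person)({query_field}={escape_filter_value(login)}))"


def user_import_filter(exclude_computers: bool = True, exclude_disabled: bool = True) -> str:
    """AD import filter: the page's (&(objectClass=person)(sn=*)) with optional tightening.

    In AD, objectClass=person also matches contact and computer objects;
    objectCategory=person together with objectClass=user keeps only user accounts.
    1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule and bit 2 of
    userAccountControl is ACCOUNTDISABLE, so the last clause drops disabled accounts.
    """
    if exclude_computers:
        clauses = ["(objectCategory=person)", "(objectClass=user)", "(sn=*)"]
    else:
        clauses = ["(objectClass=person)", "(sn=*)"]
    if exclude_disabled:
        clauses.append("(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    hostile_login = "*)(sAMAccountName=*"  # constructed input
    print(naive_lookup_filter("sAMAccountName", hostile_login))  # matches every person
    print(user_lookup_filter("sAMAccountName", hostile_login))   # matches a literal name only
    print(user_import_filter())
```

The naive variant turns the hostile login into (&(objectClass=person)(sAMAccountName=*)(sAMAccountName=*)), which matches every person in the directory; the escaped variant searches for an account whose sAMAccountName is literally that string, which does not exist.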

    To connect and import users from the AD service, complete the following steps:

    1. Create a local pack in the Simple application for the LDAP import settings.
    2. Create copies of the records mentioned above and set up the LDAP integration by changing the field values to the required ones.
    3. Click Test connection in the LDAP Server record. If the connection is established successfully, click Browse LDAP to check the LDAP structure.
    4. After you have checked the structure, go to the LDAP Settings record you need and open the related import source.
    5. (Optional) Click Test Load (20 records) to create a test import set.
    6. Click Load all records.
    7. Click View Transform Map to create a Transform Map record. The Target Table value should match the value of the Table field in the LDAP Settings record.
    8. On the Transform Map, create Field Maps via the related list. The Login and Email field map records should have the Coalesce checkbox selected. This parameter defines the fields of the target table that are used to search for existing records based on the imported data: if a record is found in the target table, it is updated; otherwise, the system creates a new record.
    9. Go back to the Import Source record and open the Import Set record via the related list.
    10. Click Transform to import the data from the AD service.
    11. Configure the copy of the Daily Import SimpleOne Employees scheduled import. Add the reference to the created Import Source.
    12. Configure the copy of the Daily Deletion of Obsolete Import Sets scheduled script and select the Active checkbox. Copy the ID of the Import Source to the import_source_id variable of the script.

LDAP Log

If the system throws an error, check the log messages to find the cause. In the LDAP Log, you can find records of failed authorization attempts and of attempts to bypass the authorization policy. All these messages are in fact written into the Logs (sys_log) table; the LDAP Log is a filtered view of it.

To see the LDAP logs, navigate to LDAP → LDAP Log.

LDAP Log form fields

Field | Mandatory | Description
Source | Y | The source the log record comes from (for example, LDAP Authorization or LDAP Autoprovision).
Message | N | The log record message text.
Level | Y | The severity level of the record. Available options: Info, Error, Warning, Debug.
Username | N | Reference to the user whose action created this record.
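To show how the LDAP Log fields (Source, Level, Message, Username) support triage, here is an added example (not SimpleOne code) that runs two detections over constructed log records: repeated failed authorizations for one username (brute force) and failures spread across many usernames in a short window (password spraying). The record layout, the assumption that a failed login is an Error from the LDAP Authorization source, the thresholds and the sample messages are all assumptions made for the example; on a real instance the rows come from sys_log.

```python
"""Triage LDAP Log records for brute-force and password-spray patterns
(added example, not SimpleOne code; record layout and thresholds are assumptions)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LdapLogRecord:
    created_at: datetime
    source: str            # e.g. "LDAP Authorization", "LDAP Autoprovision"
    level: str             # Info / Error / Warning / Debug
    message: str
    username: Optional[str]


def is_failed_auth(rec: LdapLogRecord) -> bool:
    """Assumption: a failed login is logged as an Error by the LDAP Authorization source."""
    return rec.source == "LDAP Authorization" and rec.level == "Error" and bool(rec.username)


def failed_auth_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """{username: failures} for users with >= threshold failures inside any sliding window."""
    times_by_user = defaultdict(list)
    for rec in records:
        if is_failed_auth(rec):
            times_by_user[rec.username].append(rec.created_at)
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def spray_candidates(records, min_users=5, window=timedelta(minutes=5)):
    """Usernames in the window holding the most distinct failing accounts, if >= min_users."""
    events = sorted((rec.created_at, rec.username) for rec in records if is_failed_auth(rec))
    in_window, start, best = Counter(), 0, set()
    for t, user in events:
        in_window[user] += 1
        while t - events[start][0] > window:   # drop events that fell out of the window
            old = events[start][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        if len(in_window) > len(best):
            best = set(in_window)
    return sorted(best) if len(best) >= min_users else []


# Constructed sample records, not real log output.
_BASE = datetime(2024, 5, 6, 9, 0, 0)


def _rec(offset, source, level, message, username):
    return LdapLogRecord(_BASE + offset, source, level, message, username)


SAMPLE_RECORDS = (
    [_rec(timedelta(seconds=30 * i), "LDAP Authorization", "Error", "Invalid credentials", "alice") for i in range(6)]
    + [_rec(timedelta(seconds=200), "LDAP Authorization", "Info", "Authenticated", "alice")]
    + [_rec(timedelta(minutes=20 + i), "LDAP Authorization", "Error", "Invalid credentials", "bob") for i in range(2)]
    + [_rec(timedelta(hours=1, seconds=10 * i), "LDAP Authorization", "Error", "Invalid credentials", f"user{i:02d}") for i in range(8)]
    + [_rec(timedelta(hours=2), "LDAP Autoprovision", "Info", "Created user carol", "carol")]
)

if __name__ == "__main__":
    print("brute force:", failed_auth_bursts(SAMPLE_RECORDS))
    print("spray:", spray_candidates(SAMPLE_RECORDS))
```

The two detections are complementary: a spray keeps every single account below the per-user threshold, so only the count of distinct failing usernames reveals it, while a brute-force burst against one account never raises the distinct-user count.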

LDAP System Properties

Some LDAP features can be configured on the client side using the System Properties engine. These properties are listed below.

Property name | Type | Default value | Description
user.authorization_when_no_ldap_connection | Boolean | true | Allows users to log in with locally stored credentials when the LDAP server cannot be reached.
user.ldap_authentication | Boolean | true | Enables or disables LDAP authentication.
user.ldap_autoprovision | Boolean | true | Enables the automatic creation of users in the User table when a user authenticates via LDAP but has no record on the instance.

Note that user.authorization_when_no_ldap_connection=true is a fail-open setting with respect to the directory: while the LDAP server is unreachable, credentials stored on the instance are accepted, so a lockout or password change made in the directory is not enforced until the connection is restored. Keep it enabled only if the instance must stay usable during directory outages, and watch the LDAP URL Status and the LDAP Log for Disconnected and Error states while it is in effect.