
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

LDAP integration allows you to connect the instance to an LDAP or AD server and use it as a source of user data. It provides the ability to connect to a directory service that stores authentication data, such as usernames, passwords, and user home directories used for keeping business and other data. The main objective of the LDAP engine is to import users into the system. Through this, synchronization with various corporate services can be achieved, so that one account can be used to authorize in all corporate services, such as email, website, VoIP, and so on.

The RDN (relative distinguished name) is the attribute that defines the search directory, for example: dc=instance,dc=com

In this client-server scheme, the SimpleOne instance acts as a client connecting to the LDAP server.

The system synchronizes with the LDAP server in two ways:

  • via Scheduled Jobs (automatic) – a scheduled script defines the synchronization period (for example, every 3 hours). See the Scheduled Script article to learn more.
  • via Autoprovision (triggered by logging in) – when a user logs in, the system updates the requested data. Configure this way of synchronization via the user.ldap_autoprovision property.

You can also use third-party authorization services on your instance. See the Single Sign-On article to learn more.

Establish an LDAP connection


To establish the connection between your SimpleOne instance and the LDAP server, complete the following steps:

  1. Specify the LDAP server.
  2. Define the LDAP URL.
  3. Set up the LDAP Definition.
  4. Check settings.
  5. (Optional) Data import.

Additional tools for setting up an LDAP connection:

Specify an LDAP server


To configure an LDAP connection, complete the steps below:

  1. Navigate to System LDAP → LDAP Servers.
  2. Click New and fill in the fields.
  3. Click Save to apply changes.
  4. Copy the current record ID.

If the RDN attribute is not specified, the LDAP server will attempt to reach the server root directory during the authorization process. If the user who is logging in is not authorized to access this directory, the authorization process is interrupted.

Define an LDAP URL


A customer infrastructure may contain more than one LDAP server, for example, a standby (reserve) server. In this case, you may need to specify which server is used for authorization by arranging the URL order. If you have more than one server, create a separate LDAP URL for each of them.

To create a URL, complete the steps below:

  1. Navigate to System LDAP → LDAP URL.
  2. Click New and fill in the fields.
  3. Click Save or Save and Exit to apply the changes.

LDAP Definition


After you have configured an LDAP server and an LDAP URL and performed all necessary customer infrastructure preparations, set up an LDAP definition.

To configure the LDAP definition, perform the following steps:

  1. Navigate to System LDAP → LDAP Definition.
  2. Click New and fill in the fields.
  3. Click Save or Save and Exit to apply the changes.


You can check the LDAP structure by clicking Browse LDAP on the corresponding LDAP Server record.

Check settings


Make sure that the connection is set up by performing the following steps:

  1. Navigate to System LDAP → LDAP Servers.
  2. Open the record you need.
  3. Click Test connection. The system checks the connection to the first URL as defined by the order. If the connection is fine, you will see the Successfully connected message.
  4. Click Test all connections. The system checks all defined connections. If all connections are fine, you will see the All connections are checked message.

If an error is thrown, check LDAP Log records.

LDAP Import


Import all necessary data from your LDAP server to the instance.

To complete the data import using LDAP, you will need to set up the following system elements:

  • LDAP Definition – specifies filters for retrieving data from a defined LDAP table.
  • Import Source – loads raw data for further processing and transformation.

The scheme below illustrates the process of data import from an LDAP server.

See the Importing using LDAP article to learn more.

LDAP Log


If an error occurred in the system, check the log messages to find the cause. The LDAP Log contains records of failed authorization attempts and attempts to bypass the authorization policy. All these messages are recorded in the Logs (sys_log) table.

To see the LDAP logs, navigate to System LDAP → LDAP log.

LDAP System Properties


Some LDAP capabilities can be configured on the client side using system properties. The available properties are listed below.

Property name | Type | Default value | Description
user.authorization_when_no_ldap_connection | Boolean | true | Enables authorization if there is no LDAP connection.
user.ldap_authentication | Boolean | true | Enables or disables LDAP authentication.
user.ldap_autoprovision | Boolean | true | Enables the automatic creation of users in the User table if there is no such record on the instance.
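To show how the three properties interact on a single login, the following Python illustration is added here. It is not SimpleOne's code, and the behaviour it assumes goes beyond what the property descriptions state: a simple bind against the directory, a local password check as the fallback when the LDAP server is unreachable, and autoprovision creating a User record from the bound entry's attributes. The directory entries, passwords and attribute names are constructed.

```python
"""Added example (not SimpleOne code): login decision driven by the three
user.* LDAP properties. Fallback and autoprovision semantics are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Props:
    ldap_authentication: bool = True
    authorization_when_no_ldap_connection: bool = True
    ldap_autoprovision: bool = True


class LdapDown(Exception):
    """Raised when no LDAP server can be reached."""


# Constructed directory: username -> (password, attributes the instance would import)
FAKE_DIRECTORY = {"jdoe": ("Winter-2024", {"mail": "jdoe@instance.example"})}


def fake_bind(username, password, *, available=True):
    """Stand-in for an LDAP simple bind; returns the entry's attributes or None."""
    if not available:
        raise LdapDown
    entry = FAKE_DIRECTORY.get(username)
    if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
        return entry[1]
    return None


def _hash(password, salt=None):
    """Salted PBKDF2 for the local User table (assumed local credential format)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _local_check(username, password, users, reason):
    rec = users.get(username)
    if not rec or "pw" not in rec:
        return "denied", reason + ": no local password"
    salt, digest = rec["pw"]
    if hmac.compare_digest(_hash(password, salt)[1], digest):
        return "ok", reason
    return "denied", reason + ": bad password"


def login(username, password, props, users, bind=fake_bind, ldap_available=True):
    """Return (outcome, reason). `users` models the local User table: username -> record."""
    if not props.ldap_authentication:
        return _local_check(username, password, users, "local")
    try:
        attrs = bind(username, password, available=ldap_available)
    except LdapDown:
        # user.authorization_when_no_ldap_connection decides whether a local
        # password may be accepted while the directory is unreachable.
        if not props.authorization_when_no_ldap_connection:
            return "denied", "ldap unreachable and local fallback disabled"
        return _local_check(username, password, users, "ldap unreachable, local fallback")
    if attrs is None:
        return "denied", "ldap bind failed"
    if username not in users:
        # user.ldap_autoprovision decides whether a missing User record is created.
        if not props.ldap_autoprovision:
            return "denied", "no local user and autoprovision disabled"
        users[username] = {"source": "ldap", **attrs}
        return "ok", "autoprovisioned"
    users[username].update(attrs)       # refresh imported attributes on each login
    return "ok", "ldap"


if __name__ == "__main__":
    table = {}
    print(login("jdoe", "Winter-2024", Props(), table), table)
    print(login("jdoe", "Winter-2024", Props(), table, ldap_available=False))
```

The second printed call is the case worth reviewing in a real deployment: with the default properties, an outage of the directory turns a user whose record has no local password into a denied login, whereas a user who does have a local password keeps authenticating against it until the directory returns.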
