The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
LDAP integration connects your instance to an LDAP or AD server and uses it as a source of user data. The instance connects to the directory service that stores authentication data: usernames, passwords, user home directories that hold business and other data, and so on. The main purpose of the LDAP engine is to import users into the system. This enables synchronization with various corporate services, so that one account can be used to sign in to all of them, such as email, the website, VoIP, and so on.
The RDN (relative distinguished name) is the attribute that defines the search directory, for example: dc=instance,dc=com
In this client-server infrastructure scheme, the SimpleOne instance has to be a client connecting to the LDAP server.
The system synchronizes with the LDAP server in two ways:
- via Scheduled Jobs (automatic) – a scheduled script that defines the synchronization period (for example, every 3 hours). See the Scheduled Script article to learn more.
- via Autoprovision (triggered by logging in) – when a user logs in, the system updates the requested data. Configure this synchronization method via the user.ldap_autoprovision property.
You can also use third-party authorization services on your instance. See the Single Sign-On article to learn more.
Establishing LDAP connection
To establish the connection between your SimpleOne instance and the LDAP server, complete the following steps:
- Specify the LDAP server.
- Define the LDAP URL.
- Set up the LDAP Definition.
- Check settings.
- (Optional) Data import.
Additional tools for setting up an LDAP connection:
Specifying an LDAP server
To configure an LDAP connection, complete the steps below:
- Navigate to System LDAP → LDAP Servers.
- Click New and fill in the fields.
- Click Save to apply changes.
- Copy the current record ID.
If the RDN attribute is not specified, the LDAP server will attempt to reach the server root directory during the authorization process. If the user logging in is not authorized to access this directory, the authorization process is interrupted.
Defining an LDAP URL
A customer's infrastructure may contain more than one LDAP server, for example, a standby (reserve) server. In this case, you may need to specify which server is used for authorization by arranging the URL order. If you have more than one server, create a separate LDAP URL for each of them.
To create a URL, complete the steps below:
- Navigate to System LDAP → LDAP URL.
- Click New and fill in the fields.
- Click Save or Save and Exit to apply changes.
Adding a certificate
If you want to establish a secure LDAP connection (LDAP over SSL, LDAPS) via port 636, you need to provide the SSL certificate.
For this, please complete the steps below:
- Navigate to System LDAP → Certificates.
- Click New to create a new record.
- Attach your SSL certificate (.crt or .ca-bundle) file here.
- Click Save or Save and Exit to apply changes.
The form reads the information from your certificate and places it into the relevant fields. Without a certificate, your LDAP connection proceeds insecurely; generally, port 389 (TCP/UDP) is used in this case.
When the certificate record is created, it will be referenced in the relevant LDAP Server record. Click Certificates list to see the related certificates.
LDAP Definition
After configuring an LDAP server and an LDAP URL and performing all necessary customer infrastructure preparations, you are ready to set up an LDAP definition.
To configure the LDAP definition, perform the following steps:
- Navigate to System LDAP → LDAP Definition.
- Click New and fill in the fields.
- Click Save or Save and Exit to apply changes.
You can check the LDAP structure by clicking the Browse LDAP on the corresponding LDAP Server record.
Checking settings
Make sure that the connection is set up by performing the following steps:
- Navigate to System LDAP → LDAP Servers.
- Open the record you need.
- Click Test connection. The system will check the first URL connection defined by the order. If the connection is fine, you will see the Successfully connected message.
- Click Test all connections. The system will check all defined connections. If the connections are fine, you will see the All connections are checked message.
If an error is thrown, check LDAP Log records.
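The URL order described in the LDAP URL section and the two connection checks above can be modelled outside the instance. The following script is an added example, not SimpleOne's code: it parses LDAP URLs in the RFC 4516 form scheme://host[:port]/[base_dn], flags plain ldap:// URLs (port 389, unencrypted) and URLs without a base DN (lookups start at the directory root), then mirrors Test connection (lowest-order URL only) and Test all connections (every URL in order). The host names, base DN and the `tcp_connector` helper (a TCP connect plus a verified TLS handshake against an uploaded CA bundle) are assumptions for illustration.

```python
"""Ordered LDAP URL parsing and connection checks (added example, not SimpleOne's code).

URL format assumed: RFC 4516, scheme://host[:port]/[base_dn].
Host names and the base DN used below are constructed.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapUrl:
    order: int      # position in the failover list; 1 is tried first
    scheme: str     # "ldap" (plain, port 389) or "ldaps" (TLS, port 636)
    host: str
    port: int
    base_dn: str    # search base such as "dc=instance,dc=com"; "" means directory root

    @property
    def is_secure(self) -> bool:
        return self.scheme == "ldaps"

    def __str__(self) -> str:
        return f"{self.scheme}://{self.host}:{self.port}"


def parse_ldap_url(order: int, url: str) -> LdapUrl:
    """Split an LDAP URL into its parts, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r} in {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing host in {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    base_dn = unquote(parts.path.lstrip("/"))
    return LdapUrl(order, scheme, parts.hostname, port, base_dn)


def audit_urls(urls: Iterable[LdapUrl]) -> List[str]:
    """Return warnings a reviewer would raise before enabling LDAP authentication."""
    warnings = []
    for u in sorted(urls, key=lambda x: x.order):
        if not u.is_secure:
            warnings.append(f"{u}: plain LDAP; bind credentials cross the network unencrypted")
        if not u.base_dn:
            warnings.append(f"{u}: no base DN; lookups start at the directory root")
    return warnings


# A connector opens a connection to one URL and raises OSError on failure.
Connector = Callable[[LdapUrl], None]


def tcp_connector(ca_bundle: Optional[str] = None, timeout: float = 5.0) -> Connector:
    """Hypothetical reachability check: TCP connect, plus a verified TLS handshake for ldaps://.

    ca_bundle is the path to the CA certificate (.crt/.ca-bundle) uploaded for the server;
    None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def connect(u: LdapUrl) -> None:
        with socket.create_connection((u.host, u.port), timeout=timeout) as sock:
            if u.is_secure:
                # The handshake raises ssl.SSLError (an OSError) if the chain does not verify.
                with ctx.wrap_socket(sock, server_hostname=u.host):
                    pass
    return connect


def check_first_connection(urls: Iterable[LdapUrl], connect: Connector) -> str:
    """Like 'Test connection': only the URL with the lowest order is tried."""
    first = min(urls, key=lambda u: u.order)
    try:
        connect(first)
    except OSError as exc:
        return f"Connection failed: {first}: {exc}"
    return "Successfully connected"


def check_all_connections(urls: Iterable[LdapUrl], connect: Connector) -> Dict[str, str]:
    """Like 'Test all connections': every URL is tried in order and each outcome is kept."""
    results: Dict[str, str] = {}
    for u in sorted(urls, key=lambda x: x.order):
        try:
            connect(u)
            results[str(u)] = "ok"
        except OSError as exc:
            results[str(u)] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Constructed configuration: an LDAPS primary and a plain-LDAP standby without a base DN.
    config = [
        parse_ldap_url(1, "ldaps://dc1.example.internal/dc=instance,dc=com"),
        parse_ldap_url(2, "ldap://dc2.example.internal/"),
    ]
    for line in audit_urls(config):
        print("WARNING:", line)
    print(check_all_connections(config, tcp_connector()))
```

The connector is passed in so the ordering logic can be exercised with a stub; with `tcp_connector(ca_bundle="/path/to/uploaded.ca-bundle")` the same functions perform a real reachability and certificate check against the LDAPS servers.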
LDAP Import
Import all necessary data from your LDAP server to the instance.
To complete the data import using LDAP, you will need to set up the following system elements:
- LDAP Definition – specifies filters for retrieving data from a defined LDAP table.
- Import Source – loads row data for further processing and transformation.
The scheme below illustrates the process of data import from an LDAP server.
See the Importing using LDAP article to learn more.
LDAP Log
If the system threw an error, check the log messages to find the cause. In the LDAP Log, you can find records of failed authorization attempts and attempts to bypass the authorization policy. All these messages are written into the Logs (sys_log) table.
To see the LDAP logs, navigate to System LDAP → LDAP log.
LDAP System Properties
Some of the LDAP abilities can be configured on the client-side using the System Properties engine. These properties are listed below.
Property name | Type | Default value | Description |
---|---|---|---|
user.authorization_when_no_ldap_connection | Boolean | true | Enables authorization if there's no LDAP connection. |
user.ldap_authentication | Boolean | true | Enables or disables LDAP authentication. |
user.ldap_autoprovision | Boolean | true | Enables the automatic creation of users in the User table if there is no such record on the instance. |