LDAP integration allows your instance to use your LDAP or AD server as the source of user data. It provides the ability to connect to a directory service that stores authentication data, such as usernames, passwords, and user home directories used for keeping business and other data. The main objective of the LDAP engine is importing users into the system. Through this, synchronization with various corporate services can be achieved, so that one account can be used to authorize in all corporate services, such as email, website, VoIP, and so on.
In this client-server infrastructure scheme, the SimpleOne instance has to be a client connecting to the LDAP server.
Configuring an LDAP connection
Specifying an LDAP server
To configure an LDAP connection, you first need to set up an LDAP server record in the system. For this, complete the steps below:
- Navigate to System LDAP → LDAP Servers;
- Click New, fill in the fields and click Save.
LDAP Server form fields
Field | Description |
---|---|
Name | Enter the server name. |
Username | Specify the username used to authenticate the LDAP connection. |
Password | Specify the password for the LDAP connection. |
Root directory | Enter the RDN (relative distinguished name) of the search directory. Example: dc=simpleone, dc=ru. |
Active | Select this checkbox to make the server active or inactive. |
If the RDN is not specified, the LDAP server will attempt to reach the server root directory during the authorization process; if the user logging on is not authorized to access this directory, the authorization process will be interrupted.
Specifying the LDAP server
Sometimes, customer infrastructure contains more than one LDAP server, for example, for fault tolerance. In this case, you may need to specify the particular server used for authorization on the SimpleOne instance.
To do this, complete the steps below:
- Navigate to System LDAP → LDAP URL;
- Click New, fill in the fields and click Save.
LDAP URL form fields
Field | Description |
---|---|
URL | Enter the LDAP URL there. Here's an example: |
Active | Select this checkbox to make the URL active or inactive. |
Order | Specify the order of this URL when there is more than one. The URLs are processed in descending order. |
Operational status | |
Server | Specify the appropriate LDAP server (choose one of the previously created servers). |
If you want to establish a secure LDAP connection via port 363, you need to provide the SSL certificate.
For this, complete the steps below:
- Navigate to System LDAP → Certificates;
- Click New to create a new record;
- Attach your SSL certificate (.crt or .ca-bundle) file here;
- Click Save.
The form reads the information from your certificate and places it into the relevant fields.
LDAP Definition
After you have configured an LDAP server and an LDAP URL and performed all necessary customer infrastructure preparations, you are ready to create an LDAP Definition. This is a formalized query to the Active Directory server containing the following information:
Field | Mandatory | Description |
---|---|---|
Name | Y | Specify the LDAP definition name. The name you enter here becomes a target in the Import Sources record. |
Active | N | Select this checkbox to activate the LDAP definition and to allow data import. |
Relative Distinguished Name (RDN) | N | Enter the relative distinguished name (RDN) of the subdirectory to search through. |
Server | Y | Specify the LDAP server containing users and groups directory and other information related to LDAP. To configure the server, navigate to System LDAP → LDAP Servers and perform the needed actions. |
Table | Y | Select the target table that will store data from your LDAP server. For users, select the Users (sys_user) table. The target table specified is used for LDAP auto-provisioning (automatic creation of users in the Users (sys_user) table). This feature can be enabled or disabled by setting the user.ldap_autoprovision property. |
Filter | N | Enter a filter string to select specific records to import from the OU (organizational unit). For example, this filter specifies the excerpt, as shown below: For more information about LDAP filter syntax, refer to the appropriate RFC. |
Query Field | N | Specify the attribute name within the LDAP server for querying the records. Active Directory mostly uses the sAMAccountName attribute. Other LDAP servers tend to use the cn attribute. Note that the Query Field is temporarily not working correctly – our team is working on its logic improvement to make it more efficient and secure. We will inform you about changes in the next releases. |
Attribute List | N | Use the Attribute List field to specify (include and limit) the attributes the LDAP query returns. This approach is preferable for large LDAP imports in terms of timing. |
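The Filter and Query Field rows above describe how the definition narrows the directory search and looks up one record. The following Python example, added here and not part of SimpleOne's own code, shows how a definition's Filter, RDN, Query Field and Attribute List translate into a search request, and escapes the looked-up value as RFC 4515 requires so that a username containing `*`, `(` or `)` cannot change the filter's structure. The field names of the definition dictionary (`rdn`, `filter`, `query_field`, `attribute_list`) are assumptions for illustration.

```python
# Added example (not SimpleOne's own code): turn an LDAP Definition into the search
# it implies, with the query value escaped per RFC 4515. Field names are assumed.

# RFC 4515 escapes for characters that are special inside an assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it cannot alter the filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def is_balanced_filter(filter_string: str) -> bool:
    """Sanity check for the Filter field: one outer, balanced pair of parentheses."""
    depth = 0
    for i, ch in enumerate(filter_string):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Closing below zero, or returning to zero before the end, means malformed.
            if depth < 0 or (depth == 0 and i != len(filter_string) - 1):
                return False
    return depth == 0 and filter_string.startswith("(")

def build_lookup_filter(definition_filter: str, query_field: str, value: str) -> str:
    """AND the definition's Filter with an equality match on the Query Field."""
    if definition_filter and not is_balanced_filter(definition_filter):
        raise ValueError(f"malformed LDAP filter: {definition_filter!r}")
    match = f"({query_field}={escape_filter_value(value)})"
    return f"(&{definition_filter}{match})" if definition_filter else match

def definition_to_search(definition: dict, lookup_value: str) -> dict:
    """Translate a definition record into base DN, filter and attribute list."""
    attrs = [a.strip() for a in definition.get("attribute_list", "").split(",") if a.strip()]
    return {
        "base": definition["rdn"],
        "filter": build_lookup_filter(definition.get("filter", ""),
                                      definition["query_field"], lookup_value),
        # An empty Attribute List means "return everything", which is slower on large imports.
        "attributes": attrs or ["*"],
    }
```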
LDAP System Properties
Some LDAP capabilities can be configured on the client side using the System Properties engine. These properties are listed below.
Property name | Type | Default value | Description |
---|---|---|---|
user.authorization_when_no_ldap_connection | Boolean | True | Enables authorization if there's no LDAP connection. In this case, locally created credentials are used. |
user.ldap_authentication | Boolean | True | Enables or disables LDAP authentication. |
user.ldap_autoprovision | Boolean | True | Enables the automatic creation of users in the user table when the user exists in LDAP but has not been created on the instance. |
LDAP Log
If you need to troubleshoot your LDAP integration, you can check the log messages to find the cause of the fault.
For example, failed authorization attempts and attempts to bypass the authorization policy are all recorded here.
All these messages are written to the Logs (sys_log) table.
To use LDAP logs, complete the steps below:
- Navigate to System LDAP → LDAP log;
- Find the records you are interested in using the Condition Builder and other filtering tools, such as the Show Matching and Filter Out functionality of the list layout.
LDAP Log form fields
Field | Description |
---|---|
Source | Displays the source this log record comes from (for example, LDAP Authorization). |
Level | This field specifies the error level. Available options: |
Message | The log record message text. |
Created by | Reference to the user who added the record. |
Created at | The date and time when the record was added. |
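The log described above records failed authorization attempts with a Source, Level, Created at and Message. The following Python example, added here and not part of SimpleOne's own code, scans constructed sample records for bursts of failed LDAP authorizations against one account, which is the pattern a defender would look for when reviewing this log. The message wording, the tuple layout of the records and the "LDAP Authorization" source string are assumptions for illustration.

```python
# Added example (not SimpleOne's own code): flag accounts with repeated failed LDAP
# authorizations inside a short window. Record layout and message text are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample records: (Source, Level, Created at, Message).
SAMPLE_LOG = [
    ("LDAP Authorization", "Error", "2024-03-01 09:00:05", "Authorization failed for user jdoe: invalid credentials"),
    ("LDAP Authorization", "Error", "2024-03-01 09:01:10", "Authorization failed for user jdoe: invalid credentials"),
    ("LDAP Authorization", "Info", "2024-03-01 09:01:30", "Authorization succeeded for user asmith"),
    ("LDAP Authorization", "Error", "2024-03-01 09:02:40", "Authorization failed for user jdoe: invalid credentials"),
    ("LDAP Authorization", "Error", "2024-03-01 09:03:00", "Authorization failed for user asmith: invalid credentials"),
    ("LDAP Import", "Error", "2024-03-01 09:03:30", "Authorization failed for user asmith: bind rejected"),
    ("LDAP Authorization", "Error", "2024-03-01 09:20:00", "Authorization failed for user asmith: invalid credentials"),
]

FAILED_RE = re.compile(r"Authorization failed for user (?P<user>\S+?):")

def failed_attempts(records):
    """Yield (user, timestamp) for every failed authorization from the LDAP Authorization source."""
    for source, _level, created_at, message in records:
        if source != "LDAP Authorization":
            continue
        match = FAILED_RE.search(message)
        if match:
            yield match.group("user"), datetime.strptime(created_at, "%Y-%m-%d %H:%M:%S")

def find_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return {user: failures} for users with at least `threshold` failures in any sliding `window`."""
    by_user = defaultdict(list)
    for user, ts in failed_attempts(records):
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            # Extend the window from times[i] as far as it still fits.
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[user] = j - i + 1
                break
    return flagged
```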