...
The goal of the LDAP synchronization module is to take an almost arbitrary group and user structure from an LDAP service and feed it with the necessary information so that it can serve as the basis for the system's group and user structure. The foundation of this module is the TimedService component, through which the synchronization is run on a schedule.
The module consists of two essential parts that together allow the synchronization of almost arbitrary LDAP structures. Several steps are necessary to set up the LDAP module; they are explained in this entry.
Info note:
ATTENTION! These settings and methods should only be applied by experienced users.
...
Basic LDAP configuration
To enable the system to access an LDAP server, the following file has to be adapted:
...
# The BaseDN from which the system builds the connection. This "index" cannot be changed
basedn=DC=system,DC=local
# The host name or IP address of the LDAP server
host=salvator
# The port of the LDAP server
port=389
# The user with which the connection is made. This user requires only read rights in LDAP
username=ldapsync
# The password of that user
password=secret
# The type of authentication may be specified here
authentication=simple
# The number of milliseconds after which the connection is dropped
timeout=60000
#### Entries for the LDAP sync ####
# === Group entries ===
# Here the user may define which groups the system works through in the LDAP sync. Example: (member=TEST-*) searches for all groups beginning with "TEST-"
group.search=(member=*)
# Which attribute of the Active Directory group should be used for the group name
group.name=cn
# This should remain "member", because this attribute is interpreted as the user in the system
group.member=member
# === User entries ===
# Which object class (contacts, global groups, etc.) the system should search for in LDAP. Generally remains "user"
user.search=(objectClass=user)
# The LDAP attribute to be used for the e-mail address
user.mail=mail
# The LDAP attribute to be used for the first name
user.firstname=givenName
# The LDAP attribute to be used for the surname
user.lastname=sn
# The LDAP attribute to be used for the user name
user.name=samaccountname
# The LDAP attribute to be used for the manager (supervisor)
user.supervisor=manager
# OPTIONAL: The LDAP attribute to be used for the password
#user.password=cn
# === Technical entries ===
# Must be set and may NOT be changed!
contextfactory=com.sun.jndi.ldap.LdapCtxFactory
...
Testing the LDAP connection
To test basic LDAP connections, some settings have to be applied in the tenant profile. For this, the following values are required:
...
Info:
The password is displayed in clear text!
...
Setting up an LDAP lookup
LDAP lookup means that the system forwards authentication requests to the LDAP server and asks whether the user is permitted to log in.
Info:
Because rights management is currently held in the system, the user must also be registered in the system! The user's rights are managed in the system. An e-mail address must be stored in the user profile. Login is not permitted as long as the user has to change his password in the AD.
...
LDAP Sync
The LDAP Sync makes it possible to create users in the system and to take over attributes from the LDAP. How LDAP attributes are mapped to system attributes is described on the following page.
To activate the LDAP Sync, the following timer is required: CreateUsersFromLdapGroup.
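As an added example (not code from the module itself), the following Python sketch shows how the group.* and user.* mapping from the configuration file above turns LDAP group members into system user records, and adds a check a practitioner would run before enabling the timer. The LDAP entries are constructed dictionaries standing in for the JNDI search results, and the filter evaluator only handles the single-clause filters used on this page (presence, equality and a trailing `*` wildcard).

```python
import fnmatch
import re

# Values taken from the configuration file shown above (an example deployment, not a real one).
PROPS = {"port": "389", "authentication": "simple", "group.search": "(member=*)", "group.name": "cn",
         "group.member": "member", "user.search": "(objectClass=user)", "user.mail": "mail",
         "user.firstname": "givenName", "user.lastname": "sn", "user.name": "samaccountname",
         "user.supervisor": "manager"}
# Constructed LDAP search results standing in for the JNDI lookup: {dn: {attribute (lower case): [values]}}.
ENTRIES = {
    "CN=TEST-Sales,OU=Groups,DC=system,DC=local": {"objectclass": ["group"], "cn": ["TEST-Sales"],
        "member": ["CN=Ann,OU=Users,DC=system,DC=local", "CN=Bob,OU=Users,DC=system,DC=local"]},
    "CN=Ann,OU=Users,DC=system,DC=local": {"objectclass": ["user"], "samaccountname": ["ann"],
        "mail": ["ann@example.test"], "givenname": ["Ann"], "sn": ["Adams"],
        "manager": ["CN=Bob,OU=Users,DC=system,DC=local"]},
    "CN=Bob,OU=Users,DC=system,DC=local": {"objectclass": ["contact"], "samaccountname": ["bob"]},  # a contact, not a user
}

def matches(ldap_filter, attrs):
    """Evaluate a single-clause filter as used on this page: (attr=*) presence, (attr=value) equality
    and (attr=TEST-*) wildcard; attribute names are compared case-insensitively as in Active Directory."""
    attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in attrs.get(attr.lower(), []))

def config_warnings(props):
    """Checks worth running before the CreateUsersFromLdapGroup timer is enabled."""
    warnings = []
    if props.get("authentication") == "simple" and props.get("port") == "389":
        warnings.append("simple bind on port 389 sends the sync user's password in clear text; use LDAPS or StartTLS")
    if "user.password" in props:
        warnings.append("user.password copies an LDAP attribute into the system as the user's password")
    return warnings

def sync_users(props, entries):
    """Build system user records from the members of every group matching group.search."""
    fields = {f: props["user." + f].lower() for f in ("name", "mail", "firstname", "lastname", "supervisor")}
    users = {}
    for group in (a for a in entries.values() if matches(props["group.search"], a)):
        group_name = group[props["group.name"].lower()][0]
        for member_dn in group.get(props["group.member"].lower(), []):
            member = entries.get(member_dn)
            if member is None or not matches(props["user.search"], member):
                continue  # unknown DN or not a user object (e.g. a contact or a nested group)
            rec = users.setdefault(member[fields["name"]][0], {"groups": []})
            rec.update({f: member.get(a, [None])[0] for f, a in fields.items()})
            rec["groups"].append(group_name)
    return users
```

Running `sync_users(PROPS, ENTRIES)` yields one record for "ann" (Bob is a contact and is skipped), and `config_warnings(PROPS)` flags the unencrypted simple bind.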
...