LDAP
The LDAP synchronization module takes a nearly arbitrary group and user structure from an LDAP service and feeds it with the information needed to use it as the basis for the system's own group and user structure. The module is built on the TimedService component, through which the synchronization runs on a schedule.
The module consists of two essential parts which together allow the synchronization of nearly arbitrary LDAP structures. Setting up the LDAP module requires several steps, which are explained in this entry.
ATTENTION! These settings and methods should only be applied by experienced users.
Basic configuration LDAP
In order to enable the system to access an LDAP server, the following file has to be adapted:
jboss\standalone\configuration\tim-ldap.properties
These settings apply to all tenants! A detailed description of the individual lines can be found here:
Configuring multiple LDAP endpoints
Supporting multiple LDAP endpoints for synchronization and authentication via tim-ldap.properties
It is possible to configure multiple LDAP endpoints for different tenants such as:
tenant A uses LDAP endpoint 1 for synchronization and authentication
tenant B uses LDAP endpoint 2 for synchronization and authentication
tenant C uses LDAP endpoint 1 for synchronization and authentication
This can be achieved by setting two tim-ldap.properties entries per tenant:
basedn-[TENANT_NAME]=...
host-[TENANT_NAME]=...
where [TENANT_NAME] is replaced by your tenant name (e.g. basedn-tenantA=... and basedn-tenantB=...). The rest of tim-ldap.properties remains as specified in the previous section.
Test LDAP connection
To test a basic LDAP connection, some settings have to be applied in the tenant profile. The following values are required:
Attribute | Description |
---|---|
Authentication | Can stay empty |
LDAP-Host | Host name or IP address of the LDAP server |
LDAP-Port | Port on which the LDAP server listens (default 389) |
Factory Initial | Must contain the value “com.sun.jndi.ldap.LdapCtxFactory” |
Kind of authentication | Can be “simple” or “digest-md5” (default “simple”) |
DNS Prefix | Can stay empty |
DNS Suffix | The company's DNS suffix has to be entered here |
Afterwards, an LDAP lookup can be initiated via the button “Test LDAP connection”. For this, simply enter an LDAP user and password.
The password is displayed in clear text!
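The following Java example, added here and not part of TIM's own code, shows what the two steps above amount to: it resolves the per-tenant endpoint from a tim-ldap.properties fragment (tenant-suffixed keys such as host-tenantB override the unsuffixed ones; the unsuffixed fallback keys host and basedn are an assumption of this example) and then attempts a bind through the same JNDI factory named in the tenant profile. Unlike the test button, it never prints the password, reads the credentials from environment variables (LDAP_TEST_USER_DN and LDAP_TEST_PASSWORD, names chosen for this example), and clears the password buffer afterwards. All host names and DNs are constructed placeholders.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example: per-tenant endpoint resolution plus a JNDI bind test. */
public class LdapConnectionTest {

    /** Endpoint resolved for one tenant. */
    public static final class Endpoint {
        public final String host;
        public final String baseDn;
        Endpoint(String host, String baseDn) { this.host = host; this.baseDn = baseDn; }
    }

    /**
     * A key suffixed with "-<tenant>" (host-tenantB, basedn-tenantB) overrides the
     * unsuffixed key. The unsuffixed fallback keys are an assumption of this example.
     */
    public static Endpoint resolve(Properties p, String tenant) {
        String host = p.getProperty("host-" + tenant, p.getProperty("host"));
        String baseDn = p.getProperty("basedn-" + tenant, p.getProperty("basedn"));
        if (host == null || baseDn == null) {
            throw new IllegalStateException("no LDAP endpoint configured for tenant " + tenant);
        }
        return new Endpoint(host, baseDn);
    }

    /**
     * Binds with the given credentials using the values of the tenant profile
     * (factory, host, port, kind of authentication). Returns true on success.
     * The password is never logged and is wiped from memory when done.
     */
    public static boolean testBind(String host, int port, String authKind,
                                   String userDn, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        // "simple" or the SASL mechanism name "DIGEST-MD5" as JNDI expects it
        env.put(Context.SECURITY_AUTHENTICATION, authKind);
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password); // JNDI accepts a char[]
        // Bound timeouts so a dead endpoint fails fast instead of hanging the check.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            return true;
        } catch (NamingException e) {
            // Log the principal and the failure class only, never the credential.
            System.err.println("LDAP bind failed for " + userDn + ": " + e.getClass().getSimpleName());
            return false;
        } finally {
            Arrays.fill(password, '\0');
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample of tim-ldap.properties with two endpoints (placeholder values).
        String sample = String.join("\n",
            "host=ldap1.example.invalid",
            "basedn=dc=example,dc=invalid",
            "host-tenantB=ldap2.example.invalid",
            "basedn-tenantB=dc=tenantb,dc=invalid");
        Properties p = new Properties();
        p.load(new StringReader(sample));

        // tenantA and tenantC fall back to endpoint 1, tenantB gets endpoint 2.
        for (String tenant : new String[] {"tenantA", "tenantB", "tenantC"}) {
            Endpoint ep = resolve(p, tenant);
            System.out.println(tenant + " -> " + ep.host + " / " + ep.baseDn);
        }

        // Credentials come from the environment (assumed variable names) so they
        // never land in shell history, argument lists or log output.
        String userDn = System.getenv("LDAP_TEST_USER_DN");
        String pw = System.getenv("LDAP_TEST_PASSWORD");
        if (userDn != null && pw != null) {
            boolean ok = testBind(resolve(p, "tenantA").host, 389, "simple", userDn, pw.toCharArray());
            System.out.println("bind " + (ok ? "succeeded" : "failed"));
        }
    }
}
```

Run it without the two environment variables to see only the endpoint resolution; set them to perform the actual bind against the resolved host. Because the connection is plain ldap:// on port 389, as in the tenant profile, a simple bind sends the password unencrypted on the wire, which is worth keeping in mind when choosing where such a test is run from.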
Establish an LDAP lookup
LDAP lookup means that the system forwards authentication requests to the LDAP server and asks whether the user is permitted to log in.
Since rights management currently remains in the system, the user still has to exist in the system! The user's rights are managed in the system.
An e-mail address has to be entered in the user profile.
Login is not permitted as long as the user has to change his password in the AD.
LDAP Sync
LDAP Sync makes it possible to create users in the system and to apply attributes from the LDAP. How LDAP attributes are mapped to system attributes can be found on the following page.
To activate LDAP Sync, the following timer is required: CreateUsersFromLdapGroup.