LDAP

1 Basic configuration LDAP
2 Test LDAP connection
3 Establish an LDAP lookup
4 LDAP Sync

The goal of the LDAP synchronization module is to apply a nearly random group- and user structure from an LDAP-service and to feed it with the necessary information in order to use this as a basis for the system's group-/user structure. The foundation for this module constitutes the TimedService component via which the synchronization is run time-controlled.

The module consists of two essential parts, which together allow the synchronization of nearly random LDAP-structures. In order to establish LDAP-module, several steps are necessary, which are explained in this entry.

ATTENTION! These settings and methods should only be applied by experienced users.

Basic configuration LDAP

In order to enable the system to access to an LDAP-server, the following file has to be adapted:

jboss\standalon\configuration\tim-ldap.properties

These settings apply to all tenants! For a detailed description of the single lines, you can get further information here:

#Here, the BaseDN is given, onto which the system builds the connection. This "index" is not changeable 
basedn=DC=system,DC=local
#The host name or the IP of the LDAP server
host=salvator
#Denotes the port of the LDAP server
port=389
#Denotes the use, with which the connection should be made. This requires only reading rights in LDAP
username=ldapsync
#The appropriate user password
password=secret
#Here, the type of authorization may be denoted
authentication=simple
#The number of milliseconds elapsed until the connection should be broken  
timeout=60000
#### Entries for the LDAP-Sync ####
# === Group entries ===
#Here the user may define the appearance of the groups that the system works through in the LSAP sync. Example: (member=TEST-*) searches for all groups beginning with "TEST-"
group.search=(member=*)
#Denotes which attribute of the acticedirectory group should be used for the group name 
group.name=cn
#This should remain "member" because this attribute is interpreted as the user in the system
group.member=member
 
# === User-Entries ===
#Denotes which class of objects (contacts, global groups, etc.) should be searched for by the system in LDAP. Generally remains as "user" 
user.search=(objectClass=user)
#Here the LDAP attribute, which is to be used for the E-mail address, may be selected
user.mail=mail
#Here the LDAP attribute, which is to be used for the first name, may be selected
user.firstname=givenName
#Here the LDAP attribute, which is to be used for the surname, may be selected
user.lastname=sn
#Here the LDAP attribute, which is to be used for the user name, may be selected
user.name=samaccountname
#Here the LDAP attribute, which is to be used for the manager, may be selected
user.supervisor=manager
#OPTIONAL: Here the LDAP attribute, which is to be used for the password, may be selected 
#user.password=cn
 
# ===Technical entries ===
#Must be set, may NOT be changed!
contextfactory=com.sun.jndi.ldap.LdapCtxFactory

Test LDAP connection

In order to test elemental LDAP connections, some settings have to be applied in the tenant profile. For this, the following merits are required:

Attribute	Description

Attribute	Description
Authentication	Can stay empty
LDAP-Host	Host or IP of the LDAP server
LDAP-Port	Port which the LDAP server responds to (Standard 389)
Factory Initial	Must contain the following merit “com.sun.jndi.ldap.LdapCtxFactory”
Kind of authentication	Can be “simple” or “digest-md5” (Standard “simple”)
DNS Prefix	Can stay empty
DNS Suffix	Here, the DNS suffix of the firm has to be deposited

Afterward, an LDAP-lookup can be initiated via the button “Test LDAP connection”. For this, you simply enter an LDAP user and password.

The password is displayed in clear text!

Establish an LDAP lookup

LDAP lookup means that the system forwards authentication requests to the LDAP server and inquires if the user has the right to register himself.

As the rights management is currently deposited in the system, the user has to be registered in the system! The rights of the user are managed in the system.

An e-mail address has to be deposited in the User profile.

The log-in is not permitted as long as the user has to change his password in the AD.

LDAP Sync

The LDAP Sync gives the possibility to create users in the system and to apply attributes from the LDAP. How LDAP attributes are linked to system-attributes can be looked upon the following page.
In order to activate the LDAP-Sync, the following timer is required: https://tim-doc.atlassian.net/wiki/spaces/eng/pages/227739910.