LDAP


The LDAP synchronization module takes an almost arbitrary group and user structure from an LDAP service, reads the required attributes from it and uses the result as the basis for the system's own group and user structure. The module is built on the TimedService component, through which the synchronization runs on a schedule.

The module consists of two parts (the LDAP lookup for authentication and the LDAP sync for creating users and groups), which together allow almost arbitrary LDAP structures to be synchronized. Setting up the LDAP module takes several steps, which are explained in this entry.

ATTENTION! These settings and methods should only be changed by experienced administrators.


Basic configuration LDAP

To allow the system to access an LDAP server, the following file has to be adapted:

jboss\standalone\configuration\tim-ldap.properties

 

These settings apply to all tenants (apart from the per-tenant overrides described below). The individual lines are explained here:

# Base DN from which the system builds the connection. This "index" cannot be changed
basedn=DC=system,DC=local
# Host name or IP of the LDAP server
host=myHostName
# Port of the LDAP server
port=389
# User with which the connection is made. Read-only rights in LDAP are sufficient
username=ldapsync
# Password of that user (stored in clear text: restrict read access to this file to the service account)
password=secret
# Authentication method. "simple" sends the password in clear text unless the connection is protected by TLS
authentication=simple
# Milliseconds after which the connection attempt is aborted
timeout=60000

#### Entries for the LDAP sync ####

# === Group entries ===
# Filter for the groups the system processes in the LDAP sync. (member=*) takes every group that has at least one member.
# The original example (member=TEST-*) filters on the member attribute, which holds the DNs of the members;
# to select groups by name, filter on the name attribute instead, e.g. (cn=TEST-*)
group.search=(member=*)
# Attribute of the Active Directory group that is used as the group name
group.name=cn
# Should remain "member", because this attribute is interpreted as the group's users in the system
group.member=member

# === User entries ===
# Object class (contacts, global groups, etc.) the system searches for in LDAP. Generally remains "user"
user.search=(objectClass=user)
# LDAP attribute used for the e-mail address
user.mail=mail
# LDAP attribute used for the first name
user.firstname=givenName
# LDAP attribute used for the surname
user.lastname=sn
# LDAP attribute used for the user name
user.name=samaccountname
# LDAP attribute used for the manager (supervisor)
user.supervisor=manager
# OPTIONAL: LDAP attribute used for the password
#user.password=cn

# === Technical entries ===
# Must be set and may NOT be changed!
contextfactory=com.sun.jndi.ldap.LdapCtxFactory

 

Configuring multiple LDAP endpoints

Multiple LDAP endpoints for synchronization and authentication can be configured in tim-ldap.properties.

It is possible to configure multiple LDAP endpoints for different tenants such as:

  1. tenant A uses LDAP endpoint 1 for synchronization and authentication

  2. tenant B uses LDAP endpoint 2 for synchronization and authentication

  3. tenant C uses LDAP endpoint 1 for synchronization and authentication

 

This is achieved by adding tenant-specific variants of two properties to tim-ldap.properties:

basedn-[TENANT_NAME]=...
host-[TENANT_NAME]=...

where [TENANT_NAME] is replaced by the tenant name (e.g. basedn-tenantA=... and basedn-tenantB=...). A tenant without such entries uses the global basedn and host. All other entries of tim-ldap.properties remain as specified in the previous section and are shared by all tenants, including the sync user and its password.
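The following script, added here as an example and not part of the product, shows how the per-tenant entries resolve against the global ones: it parses the key=value format of tim-ldap.properties, builds the effective settings for a tenant (its own basedn/host if present, otherwise the global values, everything else shared) and lists the settings a security review would question before the sync is enabled. The file content, host names and tenant names are constructed for the example.

```python
"""Resolve the effective LDAP settings of one tenant from tim-ldap.properties.

Added example, not part of the product: it parses the key=value format
of tim-ldap.properties, applies the per-tenant overrides (basedn-<tenant>,
host-<tenant>) with fallback to the global values, and lists settings a
security review would question. The file content is constructed.
"""
from __future__ import annotations

# Constructed tim-ldap.properties: global defaults plus an override for tenantB.
SAMPLE_PROPERTIES = """
# global defaults, used by every tenant without an override
basedn=DC=system,DC=local
host=ldap1.system.local
port=389
username=ldapsync
password=secret
authentication=simple
timeout=60000
group.search=(member=*)
group.name=cn
group.member=member
user.search=(objectClass=user)
user.name=samaccountname
contextfactory=com.sun.jndi.ldap.LdapCtxFactory

# tenantB is served by a second directory
basedn-tenantB=DC=other,DC=local
host-tenantB=ldap2.other.local
"""

# The only keys the page allows to carry a -<tenant> suffix.
TENANT_OVERRIDABLE = ("basedn", "host")
REQUIRED_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory"


def parse_properties(text: str) -> dict[str, str]:
    """Parse a Java-style properties file: '#'/'!' comments, key=value, no sections."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def effective_settings(settings: dict[str, str], tenant: str) -> dict[str, str]:
    """Settings one tenant actually uses: shared entries plus its own basedn/host.

    Credentials, filters and the attribute mapping have no tenant variant and
    are shared; a tenant without an override falls back to the global value.
    """
    shared = {
        key: value
        for key, value in settings.items()
        if not any(key.startswith(f"{base}-") for base in TENANT_OVERRIDABLE)
    }
    for base in TENANT_OVERRIDABLE:
        override = settings.get(f"{base}-{tenant}")
        if override is not None:
            shared[base] = override
    return shared


def review_settings(eff: dict[str, str]) -> list[str]:
    """Findings a practitioner checks before enabling the sync for a tenant."""
    findings: list[str] = []
    if eff.get("contextfactory") != REQUIRED_FACTORY:
        findings.append(f"contextfactory must be {REQUIRED_FACTORY}")
    for key in ("basedn", "host", "username", "password"):
        if not eff.get(key):
            findings.append(f"{key} is missing or empty")
    if eff.get("authentication", "simple") == "simple" and eff.get("port") == "389":
        findings.append("simple bind on port 389: the sync password travels in clear text "
                        "unless the server enforces StartTLS")
    search = eff.get("group.search", "")
    if search.count("(") != search.count(")"):
        findings.append(f"group.search has unbalanced parentheses: {search}")
    return findings


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPERTIES)
    for name in ("tenantA", "tenantB"):
        eff = effective_settings(parsed, name)
        print(name, eff["host"], eff["basedn"], review_settings(eff))
```

Because the sync user and its password are shared by every tenant, a compromise of tim-ldap.properties exposes the read account of every directory listed in it; keep the file readable only by the JBoss service account.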


Test LDAP connection

To test a basic LDAP connection, some settings have to be made in the tenant profile. The following values are required:

Attribute                Description
Authentication           Can stay empty
LDAP-Host                Host or IP of the LDAP server
LDAP-Port                Port on which the LDAP server listens (default 389)
Factory Initial          Must contain the value "com.sun.jndi.ldap.LdapCtxFactory"
Kind of authentication   "simple" or "digest-md5" (default "simple")
DNS Prefix               Can stay empty
DNS Suffix               The company's DNS suffix has to be entered here

 

Afterwards, an LDAP lookup can be triggered with the button "Test LDAP connection". For this, simply enter an LDAP user name and password.

The password is displayed in clear text in this dialog! Use a test account, not a privileged one.


Establish an LDAP lookup

LDAP lookup means that the system forwards authentication requests to the LDAP server and asks whether the user is allowed to log in.

Because authorization is handled in the system itself, the user must also exist in the system: only the authentication is delegated to LDAP, while the user's rights are managed in the system.

An e-mail address has to be stored in the user profile.

Login is refused as long as the user is required to change the password in Active Directory.


LDAP Sync

The LDAP sync makes it possible to create users in the system and to take over their attributes from LDAP. How LDAP attributes are mapped to system attributes is described on the following page.
To activate the LDAP sync, the timer CreateUsersFromLdapGroup is required.
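To make the mapping from the properties file and the sync steps of this section concrete, here is an added example (not the product's code) that applies group.search, group.name, group.member and the user.* entries to a small constructed directory snapshot: it selects the groups, resolves each member DN against the entries found by user.search, maps the user attributes and resolves the manager DN to a synced login. Members that are not users (a device, a nested group) are reported and skipped, and a user without an e-mail address is flagged because the LDAP lookup login above requires one. The directory entries, names and the treatment of those edge cases are assumptions of the example, not documented product behaviour.

```python
"""Apply the user/group mapping from tim-ldap.properties to LDAP entries.

Added example, not the product's own code: it reproduces the sync steps
the page describes on a constructed directory snapshot. Entries are dicts
keyed by DN with list-valued attributes, as an LDAP client returns them.
"""
from __future__ import annotations

from typing import Any

# Attribute mapping as in the properties file (system field -> LDAP attribute).
MAPPING = {
    "group.name": "cn",
    "group.member": "member",
    "user.mail": "mail",
    "user.firstname": "givenName",
    "user.lastname": "sn",
    "user.name": "samaccountname",
    "user.supervisor": "manager",
}

USERS_OU = "OU=Users,DC=system,DC=local"

# Constructed directory snapshot: one group, an empty group, two users, one device.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    "CN=TEST-Finance,OU=Groups,DC=system,DC=local": {
        "objectClass": ["group"], "cn": ["TEST-Finance"],
        "member": [f"CN=Alice,{USERS_OU}", f"CN=Bob,{USERS_OU}",
                   "CN=Printer,OU=Devices,DC=system,DC=local"],
    },
    "CN=Empty,OU=Groups,DC=system,DC=local": {"objectClass": ["group"], "cn": ["Empty"]},
    f"CN=Alice,{USERS_OU}": {
        "objectClass": ["user"], "cn": ["Alice"], "sAMAccountName": ["alice"],
        "givenName": ["Alice"], "sn": ["Adams"], "mail": ["alice@system.local"],
        "manager": [f"CN=Bob,{USERS_OU}"],
    },
    f"CN=Bob,{USERS_OU}": {  # no mail attribute: the LDAP lookup login needs one
        "objectClass": ["user"], "cn": ["Bob"], "sAMAccountName": ["bob"],
        "givenName": ["Bob"], "sn": ["Baker"],
    },
    "CN=Printer,OU=Devices,DC=system,DC=local": {"objectClass": ["computer"], "cn": ["Printer"]},
}


def attr(entry: dict[str, list[str]], name: str) -> list[str]:
    """LDAP attribute names are case-insensitive: samaccountname == sAMAccountName."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def first(values: list[str]) -> str | None:
    return values[0] if values else None


def match_filter(entry: dict[str, list[str]], ldap_filter: str) -> bool:
    """Evaluate a single-clause filter '(attr=value)': exact value, trailing '*'
    prefix match, or the presence test '(attr=*)'. Compound filters such as
    (&(a=x)(b=y)) are left to the real directory server."""
    body = ldap_filter.strip()
    if not (body.startswith("(") and body.endswith(")")) or "=" not in body:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    name, _, pattern = body[1:-1].partition("=")
    values = [v.lower() for v in attr(entry, name)]
    pattern = pattern.lower()
    if pattern == "*":
        return bool(values)
    if pattern.endswith("*"):
        return any(v.startswith(pattern[:-1]) for v in values)
    return pattern in values


def map_user(entry: dict[str, list[str]], mapping: dict[str, str]) -> dict[str, Any]:
    """Build the system user record from the user.* mapping."""
    return {field: first(attr(entry, mapping[f"user.{field}"]))
            for field in ("name", "firstname", "lastname", "mail", "supervisor")}


def sync(directory, mapping, group_search="(member=*)", user_search="(objectClass=user)"):
    """Return (users by login, group name -> member logins, warnings)."""
    user_entries = {dn: e for dn, e in directory.items() if match_filter(e, user_search)}
    users: dict[str, dict[str, Any]] = {}
    groups: dict[str, list[str]] = {}
    warnings: list[str] = []
    for entry in directory.values():
        if not match_filter(entry, group_search):
            continue
        group = first(attr(entry, mapping["group.name"]))
        members: list[str] = []
        for member_dn in attr(entry, mapping["group.member"]):
            user = user_entries.get(member_dn)
            if user is None:  # device, nested group or contact: not a user.search hit
                warnings.append(f"{group}: member {member_dn} does not match user.search, ignored")
                continue
            login = first(attr(user, mapping["user.name"]))
            if login not in users:
                users[login] = map_user(user, mapping)
                if users[login]["mail"] is None:
                    warnings.append(f"{login}: no e-mail address in LDAP, LDAP lookup login will fail")
            members.append(login)
        groups[group] = members
    # manager is stored as a DN; resolve it to the synced user's login, else drop it
    for record in users.values():
        boss = user_entries.get(record["supervisor"]) if record["supervisor"] else None
        record["supervisor"] = first(attr(boss, mapping["user.name"])) if boss else None
    return users, groups, warnings
```

With the default group.search=(member=*) the empty group is never considered; a name filter such as (cn=TEST-*) restricts the sync to groups with that prefix, and in a real directory it should be combined with (objectClass=group) so that user entries with a matching cn are not treated as groups.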