Difference between revisions of "LDAP Configuration"

From AgileApps Support Wiki
imported>Aeric
 
(59 intermediate revisions by one other user not shown)
Line 1: Line 1:
'''[[File:GearIcon.png]] > Administration > Account Management > LDAP Configuration'''
'''[[File:GearIcon.png]] > Administration > Account Management > LDAP Configuration'''


If the enterprise has an {{^LDAP}} server, the platform can be configured to automatically recognize selected users when they log in.
If the enterprise has an {{^LDAP}} server, the platform can be configured to automatically authenticate users against the LDAP Server when they log in.
__TOC__
__TOC__
==How LDAP Works==
==How LDAP Works==
Line 13: Line 13:
:* Thereafter, when the user logs in, their password is validated against the LDAP directory.
:* Thereafter, when the user logs in, their password is validated against the LDAP directory.
:* At the same time, any changes made to the user's LDAP settings are synchronized with the platform.
:* At the same time, any changes made to the user's LDAP settings are synchronized with the platform.
:* During the LDAP user creation process in AgileApps platform, the following information is synchronized to the platform: '''first name''', '''last name''', '''email''', and '''username'''. This setting is limited for security purposes.


As far as the user is concerned, therefore, they simply log in to the platform using the same
As far as the user is concerned, therefore, they simply log in to the platform using the same
Line 24: Line 25:


In particular:
In particular:
:* In the initial dialog a user sees when they log in, the '''Reset Password''' option is disabled.
:* In the user's [[Personal Settings]] page, only the user's [[Team]] affiliation and default [[Application]] can be modified. Other settings can be viewed, but not changed.
:* In the user's [[Personal Settings]] page, only the user's [[Team]] affiliation and default [[Application]] can be modified. Other settings can be viewed, but not changed.
:* In the admin's [[User Settings]] page, only the user's [[Team]] affiliation and default [[Application]] can be modified. Other settings can be viewed, but not changed.
:* In the admin's [[Access Management]] > [[Users]] page:
:* In the initial dialog a user sees when they log in, the '''Reset Password''' option is disabled.
::* The option to [[Users#Reset a User Password|Reset Password]] is disabled for LDAP users.
:* In the admin's [[Access Management]] > [[Users]] page, the option to [[Users#Reset a User Password|Reset Password]] is disabled for LDAP users.
::* The user's [[Team]] affiliation and default [[Application]] can be modified. Other settings can be viewed, but not changed.


===LDAP Address Expressions===
===LDAP Address Expressions===
Line 44: Line 46:
::: For example: <tt>CN=users</tt>, which corresponds to the final directory in the URL.  
::: For example: <tt>CN=users</tt>, which corresponds to the final directory in the URL.  
::: Within that directory, the entry <tt>yourLDAPdata</tt> can be found.
::: Within that directory, the entry <tt>yourLDAPdata</tt> can be found.
===Secure LDAP Server===
A secure LDAP server is now supported with the protocol LDAPs, and with the port number 636.
:Points to note:
:*To connect to the LDAPs, it is recommended to upload valid certificate.
:*Connection to LDAP server will fail if SSL connection is enabled and an invalid certificate is provided.
:*Proper port should be used for SSL (ldaps://) and without SSL (ldap://) connection, else the LDAP server will not be reachable and AgileApps will deny the access.
:*The SSL connection is disabled by default in the LDAP configuration screen and no modification is needed in existing configuration if you want to continue working with the plain LDAP (~without SSL).


===Considerations and Limitations===
===Considerations and Limitations===
:* '''Active Directory''' is currently supported. '''Open LDAP''' is under development.
:* '''Active Directory''' is currently supported as server type.
:* A single LDAP server is supported, for now.
:* A single LDAP server is supported, for now.
:* The search for a matching user does not yet span multiple groups, so a <tt>CN</tt> entry must be included either in the specification of the search directory, one of the group designations, or in a filter. The search path cannot terminate at an <tt>OU</tt> or at a higher-level <tt>DC</tt> (Domain Controller) entry. (These terms are defined below.)
:* The search for a matching user does not yet span multiple groups, so a <tt>CN</tt> entry must be included either in the specification of the search directory, in the user or group directory designation, or in one of their filters. The search path cannot terminate at an Organizational Unit (<tt>OU</tt>) directory, as that would require searching the multiple subdirectories it contains.
:* The user's Team cannot currently be configured using LDAP attributes. The default team is always used.
:* The user's Team cannot currently be configured using LDAP attributes. The default team is always used for a new user.<br>(The team setting can be changed in the platform after the user logs in.)
:* Similarly, to give a user access to multiple applications, or to change the user's initial application modify the [[Application Access]] settings after the user has logged in to the platform.


==Working with LDAP ==
==Working with LDAP ==
Line 64: Line 75:


:*'''Server Type -''' The type of LDAP server. '''Active Directory''' is the default.
:*'''Server Type -''' The type of LDAP server. '''Active Directory''' is the default.
:*'''Server URL -''' The server domain and optional portal. Secure portal #636 is the default.
:*'''Server URL -''' The server domain and optional port. Port number 389 is the default port, used by the LDAP server.
::: For example: <tt>our.LDAPserver:998</tt>
::: For example: <tt>our.LDAPserver:998</tt>
::: For Secure LDAP server, the default Port number 636 is used.


::<hr width="500">
:* '''Login DN -''' The ''Distinguished Name'' of a user that has admin privileges.
:* '''Login DN -''' The ''Distinguished Name'' of a user that has admin privileges.
:* '''Password -''' The admin user's password.
:* '''Password -''' The admin user's password.


::<hr width="500">
:* '''Starting Search Directory'''
:* '''Starting Search Directory'''
::: A comma-separated list of <tt>DC</tt> and <tt>OU</tt> expressions (and, optionally, a <tt>CN</tt> expression) that leads to the start of the search path, or which leads directly to the group to be searched.
::: A comma-separated list of <tt>DC</tt> and <tt>OU</tt> expressions that leads to the start of the search path.
::: Optionally, include a <tt>CN</tt> directive as well, to completely specify the directory to be searched.


:* '''User DN -'''  
::<hr width="500">
::: Optional. An LDAP expression that designates a path to an LDAP user directory, starting from the initial directory.
:* '''User DN -''' Optional. An LDAP expression that designates a path to an LDAP user directory, starting from the initial directory.
:* '''User DN Filter -'''  
:* '''User DN Filter -''' Optional. An expression that limits the LDAP entries that will be examined.
::: Optional. {{TBD|}}
::: For example, use a setting like this one to exclude disabled users: <tt>!(userAccountControl=514)</tt>
::: For example, use a setting like this one to exclude disabled users: <tt>!(userAccountControl=514)</tt>
::: '''Note:''' The <tt>(objectCategory=person)</tt> and <tt>(objectClass=user)</tt> parameters do not need to be specified. They are included automatically.
::: '''Note:''' The <tt>(objectCategory=person)</tt> and <tt>(objectClass=user)</tt> parameters do not need to be specified. They are included automatically.
::<hr width="500">
:* '''Group DN -''' Optional. An LDAP expression that designates a path to an LDAP "group" (distribution list) directory, starting from the initial directory.
:* '''Group DN Filter -''' Optional. An expression that limits the LDAP entries that will be examined.
::: For example, use a setting like this to exclude entries that include the word "test": <tt>!(mail=*test*)</tt>
::: '''Note:''' The <tt>(objectCategory=group)</tt> parameter does not need to be specified. It is included automatically.
::<hr width="500">
:*'''Read Timeout -''' Optional. This field contains a timeout duration in milliseconds.
:::It is a time to reconnect to the server when the server is busy, or the network is slow. When the time mentioned exceeds, an error will appear.
::<hr width ="500">
:*'''Enable SSL -''' To have a secure LDAP server, this checkbox is enabled. Two additional fields appear on checking this field.
:::*'''Paste SSL Certificate -''' Paste the valid SSL certificate to access the secure LDAP server. Alternatively,
:::*'''Upload SSL Certificate -''' Upload a valid SSL certificate through a file to access the secure LDAP server in the section SSL Certificate. (with extension like - pem, cert etc.)
::When field Enable SSL is disabled, no certificate is needed. You will be able to connect to the unsecure LDAP server.
::<hr width="500">
{{:Common:SAML_LDAP_Settings}}
<noinclude>
[[Category:Installable Version]]
</noinclude>
===Synchronisation of the User state with the Platform===
When the user is no longer active in the LDAP server or the user is removed, then this API is used to deactivate those users in AgileApps.


:* '''Group DN -'''
This is achieved by calling the JAVA API in Schedule rules or Macros in AgileApps.  
::: Optional. An LDAP expression that designates a path to an LDAP "group" (distribution list) directory, starting from the initial directory.
:* '''Group DN Filter -'''
::: Optional. {{TBD|}}
::: For example: <tt>{{TBD|}}</tt>
::: '''Note:''' The <tt>(objectCategory=group)</tt> parameter does not need to be specified. It is included automatically.


:* '''Default Team -''' A new user's default [[Team]].
To do this, you need to create a custom class similar to the below code snippet.  


:* '''Default Access Profile -''' A new user's default [[Access Profile]].
::<syntaxhighlight lang="java" enclose="div">
:* '''LDAP Attribute for Access Profile -'''
package com.platform.mynamespace.example;
::: The name of an LDAP field that designates the user's access profile.
::: The LDAP attribute must contain the profile's ''record ID'', not the name of the access profile.


:* '''Default Application -''' A new user's default [[Application]].
import com.platform.api.*;
:* '''LDAP Attribute for Application -'''
::: The name of an LDAP field that designates the user's application.  
::: The LDAP attribute must contain the application's ''record ID'', not the name of the application.


:* '''Default Role -''' The new user's [[Role]] in the application.
public class LDAPSyncHandler {
:* '''LDAP Attribute for Role -'''
public void syncLDAPUser(Parameters p) throws Exception {
::: The name of an LDAP field that designates the user's role in the application.  
      try {
::: The LDAP attribute must contain the role's ''record ID'', not the name of the role.
        Logger.info("Invoking LDAP user sync", "LDAP User Sync");
        Result r = Functions.syncUsersStateWithLDAP(p);
        if (r.getCode() < 0) {
            Logger.error("Sync failed\n" + r.getMessage(), "LDAP User Sync Error");     
        }else{
          Logger.info("Sync successful\n" + r.getMessage(), "LDAP User Sync Success!"); 
        }
      } catch (Exception e) {
          Logger.error("Sync failed\n" + e.getMessage(), "LDAP User Sync Error");     
      }
    }
}
</syntaxhighlight>


{{Tip|To get record IDs, use the following procedure:
{{Note|  
# Navigate to the object in question (Access Profiles, Applications, or Roles)
# You need to have the manage user permission enabled in your access profile, in order to use this API.
#: '''[[File:GearIcon.png]] > Objects > {object}'''
# You also need to have LDAP configuration enabled for this tenant.
# Edit the default view or create a new view for your use.
# SSO must be disabled for this tenant.
# Modify the view to include the Record ID field.
# For any errors or success messages look into the Debug Log. [ [[File:GearIcon.png]]> Customization > Developer Resources > Debug Log]
# View the entries in that object
|info}}
# Take the record ID from the column you added to the view.}}

Latest revision as of 08:42, 27 March 2024

GearIcon.png > Administration > Account Management > LDAP Configuration

If the enterprise has an LDAP server, the platform can be configured to automatically authenticate users against the LDAP Server when they log in.

How LDAP Works

Platform Behavior, User Experience and Administration

When a user logs in, the platform carries out the following sequence of activities:

  • If their User record was created in the platform, they log in with those settings.
  • If the user is not known to the platform, the LDAP directory is searched for a matching entry.
  • If none is found, access is denied.
  • If a matching entry exists, a new LDAP-enabled User record is created.
  • Thereafter, when the user logs in, their password is validated against the LDAP directory.
  • At the same time, any changes made to the user's LDAP settings are synchronized with the platform.
  • During the LDAP user creation process in AgileApps platform, the following information is synchronized to the platform: first name, last name, email, and username. This setting is limited for security purposes.

As far as the user is concerned, therefore, they simply log in to the platform using the same credentials they use everywhere else.

And as far as admins are concerned, user information is maintained in one place--the LDAP server. Any changes made there are automatically seen by the platform.

Effect on User Profiles

When a user has an entry in an LDAP directory, most of their profile information is maintained in the LDAP server. The platform reads that information from the server. It can no longer be modified in the platform. The exception is profile information that is specific to the platform.

In particular:

  • In the initial dialog a user sees when they log in, the Reset Password option is disabled.
  • In the user's Personal Settings page, only the user's Team affiliation and default Application can be modified. Other settings can be viewed, but not changed.
  • In the admin's Access Management > Users page:
  • The option to Reset Password is disabled for LDAP users.
  • The user's Team affiliation and default Application can be modified. Other settings can be viewed, but not changed.

LDAP Address Expressions

In its simplest form, LDAP can be thought of as a hierarchy of directories, each of which contains entries for users and other entities. But instead of using a URL to address those directories, you use a combination of syntax elements.

For example, consider the URL http://yourCompany.com/united_states/california/users/yourLDAPdata.
That path is specified in LDAP elements using the elements below:

  • DC (Domain Controller) Used to specify the LDAP domain.
For example: DC=yourCompany, DC=com, which corresponds to yourCompany.com in the URL.
  • OU (Organizational Unit) A group that can contain other groups. (Effectively, an "intermediate" group.)
For example: OU=california, OU=united_states, which corresponds to the URL path /united_states/california.
  • CN (Common Name) A group that can contain individual entries, but which cannot contain subgroups.
For example: CN=users, which corresponds to the final directory in the URL.
Within that directory, the entry yourLDAPdata can be found.

Secure LDAP Server

A secure LDAP server is now supported with the protocol LDAPs, and with the port number 636.

Points to note:
  • To connect to the LDAPs, it is recommended to upload valid certificate.
  • Connection to LDAP server will fail if SSL connection is enabled and an invalid certificate is provided.
  • Proper port should be used for SSL (ldaps://) and without SSL (ldap://) connection, else the LDAP server will not be reachable and AgileApps will deny the access.
  • The SSL connection is disabled by default in the LDAP configuration screen and no modification is needed in existing configuration if you want to continue working with the plain LDAP (~without SSL).

Considerations and Limitations

  • Active Directory is currently supported as server type.
  • A single LDAP server is supported, for now.
  • The search for a matching user does not yet span multiple groups, so a CN entry must be included either in the specification of the search directory, in the user or group directory designation, or in one of their filters. The search path cannot terminate at an Organizational Unit (OU) directory, as that would require searching the multiple subdirectories it contains.
  • The user's Team cannot currently be configured using LDAP attributes. The default team is always used for a new user.
    (The team setting can be changed in the platform after the user logs in.)
  • Similarly, to give a user access to multiple applications, or to change the user's initial application modify the Application Access settings after the user has logged in to the platform.

Working with LDAP

Configuring LDAP

  1. Examine the configuration settings below to see which individual-user attributes can be populated from LDAP.
  2. If desired, create attributes for those settings in your LDAP server.
    (If all users will have the same settings, this step is not necessary. They'll use the default settings you configure below.)
  3. Go to GearIcon.png > Administration > Account Management > LDAP Configuration
  4. Fill in the configuration settings
  5. Click [Save]

Configuration Settings

  • Server Type - The type of LDAP server. Active Directory is the default.
  • Server URL - The server domain and optional port. Port number 389 is the default port, used by the LDAP server.
For example: our.LDAPserver:998
For Secure LDAP server, the default Port number 636 is used.

  • Login DN - The Distinguished Name of a user that has admin privileges.
  • Password - The admin user's password.

  • Starting Search Directory
A comma-separated list of DC and OU expressions that leads to the start of the search path.
Optionally, include a CN directive as well, to completely specify the directory to be searched.

  • User DN - Optional. An LDAP expression that designates a path to an LDAP user directory, starting from the initial directory.
  • User DN Filter - Optional. An expression that limits the LDAP entries that will be examined.
For example, use a setting like this one to exclude disabled users: !(userAccountControl=514)
Note: The (objectCategory=person) and (objectClass=user) parameters do not need to be specified. They are included automatically.

  • Group DN - Optional. An LDAP expression that designates a path to an LDAP "group" (distribution list) directory, starting from the initial directory.
  • Group DN Filter - Optional. An expression that limits the LDAP entries that will be examined.
For example, use a setting like this to exclude entries that include the word "test": !(mail=*test*)
Note: The (objectCategory=group) parameter does not need to be specified. It is included automatically.

  • Read Timeout - Optional. This field contains a timeout duration in milliseconds.
It is a time to reconnect to the server when the server is busy, or the network is slow. When the time mentioned exceeds, an error will appear.

  • Enable SSL - To have a secure LDAP server, this checkbox is enabled. Two additional fields appear on checking this field.
  • Paste SSL Certificate - Paste the valid SSL certificate to access the secure LDAP server. Alternatively,
  • Upload SSL Certificate - Upload a valid SSL certificate through a file to access the secure LDAP server in the section SSL Certificate. (with extension like - pem, cert etc.)
When field Enable SSL is disabled, no certificate is needed. You will be able to connect to the unsecure LDAP server.


  • Default Team - A new user's default Team.
The team assignment can be changed in the platform after the user logs in.
The user can change it in their Personal Settings. An admin can do so in the Users page.

The user's access profile is fully determined by the configuration.
  • LDAP Attribute for Access Profile - The name of the LDAP attribute that designates the user's access profile.
The attribute must contain an access profile's record ID.
To get a record ID:
a. Go to GearIcon.png > Access Management > Access Profiles
b. Modify the view to display Record IDs, and copy the ones you need.

  • Default Application - The initial Application the user sees when they log in.
That setting can be changed in the platform after the user logs in.
The user can change it in their Personal Settings. An admin can do so in the Users page.
To grant access to additional applications:
a. When the user logs in, a User record is created for them in the platform.
b. You can then use the Application Access page to specify the applications the user can access.
  • LDAP Attribute for Application - The name of the LDAP attribute that designates the user's application.
The attribute must contain the application's record ID.
To get a record ID:
a. Go to GearIcon.png > Access Management > Application Access
b. Modify the view to display Record IDs, and copy the ones you need.

  • Default Role - The new user's Role in the application.
That setting can be changed in the platform after the user logs in.
The user can change it in their Personal Settings. An admin can do so in the Users page.
  • LDAP Attribute for Role - The name of the LDAP attribute that designates the user's role in the application.
The attribute must contain the role's record ID.
To get a record ID:
a. Open the application, if it is not already running.
b. Go to GearIcon.png > Customization > Application Roles
c. Modify the view to display Record IDs, and copy the ones you need.


Synchronisation of the User state with the Platform

When the user is no longer active in the LDAP server or the user is removed, then this API is used to deactivate those users in AgileApps.

This is achieved by calling the JAVA API in Schedule rules or Macros in AgileApps.

To do this, you need to create a custom class similar to the below code snippet.

<syntaxhighlight lang="java" enclose="div">

package com.platform.mynamespace.example;

import com.platform.api.*;

public class LDAPSyncHandler { public void syncLDAPUser(Parameters p) throws Exception {

      try {
        Logger.info("Invoking LDAP user sync", "LDAP User Sync");
        Result r = Functions.syncUsersStateWithLDAP(p);
        if (r.getCode() < 0) {
           Logger.error("Sync failed\n" + r.getMessage(), "LDAP User Sync Error");      
        }else{
         	Logger.info("Sync successful\n" + r.getMessage(), "LDAP User Sync Success!");  
        }
      } catch (Exception e) {
         Logger.error("Sync failed\n" + e.getMessage(), "LDAP User Sync Error");      
      }
   }

} </syntaxhighlight>

Notepad.png

Note:

  1. You need to have the manage user permission enabled in your access profile, in order to use this API.
  2. You also need to have LDAP configuration enabled for this tenant.
  3. SSO must be disabled for this tenant.
  4. For any errors or success messages look into the Debug Log. [ GearIcon.png> Customization > Developer Resources > Debug Log]