LDAP Configuration

From AgileApps Support Wiki
Revision as of 01:38, 21 November 2013 by imported>Aeric (→‎Configuration Settings)

GearIcon.png > Administration > Account Management > LDAP Configuration

If the enterprise has an LDAP server, the platform can be configured to automatically recognize selected users when they log in.

Considerations and Limitations

  • Active Directory is currently supported. OpenLDAP is under development.
  • A single LDAP server is supported, for now.
  • The search for a matching user does not currently span multiple groups, so a CN entry must be included either in the search DN or in the filter. The search path cannot terminate at an OU or at a higher-level DC (Domain Controller) entry. (These terms are defined below.)
  • The user's Team cannot currently be configured using LDAP attributes. The default team is always used.

How LDAP Works

User Experience

Effect on Platform Operations

Addresses of LDAP Entries

In its simplest form, LDAP can be thought of as a hierarchy of directories, each of which contains entries for users and other entities. But instead of using a URL to address those directories, you use a combination of syntax elements.

For example, consider the URL http://yourCompany.com/united_states/california/users/yourLDAPdata.
That path is specified in LDAP elements using the elements below:

  • DC (Domain Controller) Used to specify the LDAP domain.
    For example: DC=yourCompany, DC=com, which corresponds to yourCompany.com in the URL.
  • OU (Organizational Unit) A group that can contain other groups. (Effectively, an "intermediate" group.)
    For example: OU=california, OU=united_states, which corresponds to the URL path /united_states/california.
  • CN (Common Name) A group that can contain individual entries, but which cannot contain subgroups.
    For example: CN=users. It corresponds to the final directory in the URL.
    Within that directory, the entry yourLDAPdata can be found.

Working with LDAP

Configuring LDAP

  1. Examine the configuration settings below to see which individual-user attributes can be populated from LDAP.
  2. If desired, create attributes for those settings in your LDAP server. (If all users will have the same settings, it isn't necessary. They'll use the default settings you configure below.)
  3. Go to GearIcon.png > Administration > Account Management > LDAP Configuration.
  4. Fill in the configuration settings.
  5. Click [Save].

Configuration Settings

  • Server Type - The type of LDAP server. Active Directory is the default.
  • Server URL - The server domain and optional port. Secure port 636 is the default.
For example: our.LDAPserver:998
  • Login DN - The Distinguished Name of a user that has admin privileges.
  • Password - The admin user's password.
  • Starting Search Directory -
  • User DN -
  • User DN Filter -
The (objectCategory=person) and (objectClass=user) parameters do not need to be specified. They are included automatically.
  • Group DN -
  • Group DN Filter -
The Group search:
The (objectCategory=group) parameter does not need to be specified. It is included automatically.
  • Default Team -
  • Default Access Profile -
  • LDAP Attribute for Access Profile -
The LDAP attribute must contain the access profile's record ID, not the name of the access profile.
  • Default Application -
  • LDAP Attribute for Application -
The LDAP attribute must contain the application's record ID, not the name of the application.
  • Default Role -
  • LDAP Attribute for Role - The name of an LDAP field that designates the user's role in the default application.
The LDAP attribute must contain the role's record ID, not the name of the role.
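As an added illustration (not code from the original page or from the AgileApps platform), the Python below maps a URL-style path onto the DC/OU/CN address described under Addresses of LDAP Entries, builds the user and group filters the platform effectively runs by ANDing the automatically included clauses onto the admin's own filter text, and checks the single-group limitation listed under Considerations and Limitations. The filter value sAMAccountName=jdoe used in the comments is an assumed Active Directory example, not something the page specifies.

```python
import re
from urllib.parse import urlsplit

# Clauses the platform adds on its own (per the page); an admin's
# User DN Filter / Group DN Filter does not need to repeat them.
AUTO_USER_CLAUSES = ("(objectCategory=person)", "(objectClass=user)")
AUTO_GROUP_CLAUSES = ("(objectCategory=group)",)


def dn_from_url_path(url: str) -> str:
    """Rewrite a URL-style directory path as the DC/OU/CN address the page describes.

    Host labels become DC components, intermediate path segments become OUs and
    the last segment is the CN holding the entries.  LDAP lists the most specific
    component first, so the path order is reversed.  Pass the path up to the
    directory; the entry inside it is selected by the filter, not the DN.
    """
    parts = urlsplit(url)
    host = parts.netloc.split(":")[0]          # netloc keeps the original case
    segments = [s for s in parts.path.split("/") if s]
    if not host or not segments:
        raise ValueError("need a host and at least one path segment")
    rdns = [f"CN={segments[-1]}"]
    rdns += [f"OU={seg}" for seg in reversed(segments[:-1])]
    rdns += [f"DC={label}" for label in host.split(".")]
    return ",".join(rdns)


def effective_filter(admin_filter: str, auto_clauses=AUTO_USER_CLAUSES) -> str:
    """AND the automatically included clauses with what the admin typed,
    e.g. "(sAMAccountName=jdoe)" (assumed AD example)."""
    clauses = list(auto_clauses)
    extra = admin_filter.strip()
    if extra:
        if not (extra.startswith("(") and extra.endswith(")")):
            extra = f"({extra})"           # allow a bare "attr=value"
        clauses.append(extra)
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def search_scope_ok(search_dn: str, admin_filter: str) -> bool:
    """Check the limitation listed under Considerations: the search does not span
    groups, so a CN must appear either in the search DN or in the filter.  A
    base that stops at an OU or DC with no CN in the filter will find nobody."""
    cn_in_dn = any(rdn.strip().upper().startswith("CN=") for rdn in search_dn.split(","))
    cn_in_filter = re.search(r"\(\s*cn\s*=", admin_filter, re.IGNORECASE) is not None
    return cn_in_dn or cn_in_filter
```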


Tip: To get record IDs, use the following procedure:

  1. Navigate to the object in question (Access Profiles, Applications, or Roles)
    GearIcon.png > Objects > {object}
  2. Edit the default view or create a new view for your use.
  3. Modify the view to include the Record ID field.
  4. View the entries in that object.
  5. Take the record ID from the column you added to the view.