What is LDAP?

LDAP can hold any kind of data, but it is usually used to provide a central repository of user information and passwords. This allows other enterprise applications to check passwords against a single LDAP repository, rather than each application storing them individually. This reduces maintenance costs and improves security.

In addition to login names and passwords, the system allows other information, such as email addresses, groups, teams and custom fields, to be mapped between LDAP attributes and their equivalents in the system.

The use of LDAP for more than logins and passwords creates some interesting challenges for the system, as detailed below.

Both LDAP and the system may contain custom attributes (fields). Unfortunately, there is no way to find all the custom attributes in an LDAP database other than by reading the users one by one and noting their attributes. For LDAP databases with hundreds of thousands of users, this could take hours.

The system resolves this problem by searching the first 1,000 users for attributes and asking the administrator to nominate one user that has the additional attributes that must be mapped. The actual values of the attributes in this user do not matter; they just need to exist. For example, if the user has a Telephone Number attribute with the value 0, the system will add Telephone Number to the list of mappable attributes.
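The sampling approach described above, as an added Python illustration (not code from this page or from the product it documents): it reads at most the first 1,000 entries of a search result, adds the attributes of one nominated user, and never inspects values, so an attribute holding 0 still counts as present. The directory is a constructed in-memory generator standing in for a paged LDAP search; `discover_attributes`, `make_directory` and `CountingIterator` are names chosen for this example.

```python
"""Attribute discovery by sampling, as an added illustration of the approach
described above (not code from the page or the product it documents).
Each directory entry is modelled as a dict mapping attribute name -> list of
values, the shape returned by common LDAP client libraries."""
from itertools import islice

SAMPLE_SIZE = 1000  # the page's figure: only the first 1,000 users are scanned


def discover_attributes(entries, nominated=None, sample_size=SAMPLE_SIZE):
    """Return the set of attribute names seen in the first `sample_size`
    entries plus those of one nominated user. Values are never inspected,
    so an attribute holding 0 or "" still counts as present."""
    found = set()
    # islice stops pulling entries after sample_size, so a directory of
    # hundreds of thousands of users is never read in full.
    for entry in islice(entries, sample_size):
        found.update(entry.keys())
    if nominated is not None:
        found.update(nominated.keys())
    return found


def make_directory(size, rare_attr_at):
    """Constructed stand-in for a paged search result: a generator, so entries
    are produced only when read, mirroring a real paged LDAP search."""
    for i in range(size):
        entry = {
            "uid": [f"user{i}"],
            "cn": [f"User {i}"],
            "mail": [f"user{i}@example.com"],
        }
        if i == rare_attr_at:
            # An attribute present on a single late entry: sampling alone
            # would miss it, which is why the administrator nominates a user.
            entry["mobile"] = [f"+1 555 {i:04d}"]
        yield entry


class CountingIterator:
    """Wraps an iterator and counts how many entries were actually pulled."""

    def __init__(self, it):
        self.it = iter(it)
        self.read = 0

    def __iter__(self):
        return self

    def __next__(self):
        item = next(self.it)
        self.read += 1
        return item


def demo():
    """Run discovery over 1,500 constructed users with one nominated user.
    Returns (attribute names found, number of directory entries read)."""
    directory = CountingIterator(make_directory(1500, rare_attr_at=1200))
    # Nominated user: telephoneNumber exists with the value 0, which suffices.
    nominated = {"uid": ["admin-pick"], "telephoneNumber": ["0"]}
    attrs = discover_attributes(directory, nominated)
    return attrs, directory.read


if __name__ == "__main__":
    found, read = demo()
    print(f"read {read} entries, mappable attributes: {sorted(found)}")
```

Running the demo shows that exactly 1,000 entries are read, that `telephoneNumber` is mappable because the nominated user carries it (value 0), and that `mobile`, which exists only on user 1200, is not discovered, which is the gap the nomination step is there to close.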

Workflow rules that send email to a Team need to know which users are part of which teams. The system can instantly search its own tables with an SQL query to find all the matching users, but there is no way to perform an equivalent search on the LDAP database. Instead it would be necessary to read every LDAP user in turn to determine whether they were a member of that team. For large LDAP repositories, this would be very slow.

This class of issues is resolved as follows: when a user logs into the system using LDAP authentication, a dummy entry is created for them in the user table, and the data cached in this entry is refreshed from LDAP each time they subsequently log in. This allows the system to rapidly find Team members and avoid unnecessary calls to the LDAP server. Password information is not cached, so centralized password control is maintained.

This strategy means that Team emails automatically go only to those LDAP users who actually use the system, since a user who has never logged in has no cached entry. If you want all users to receive email, you can set the system up to sync with LDAP automatically at regular intervals. Some administrators see the restriction as an advantage, since users who do not use the system may not expect to receive email from it.
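The login-time caching scheme described above, as an added Python illustration (not code from this page or from the product it documents): a simulated simple bind against a constructed in-memory "directory", a SQLite user table that is created or refreshed on each successful login and deliberately has no password column, and a team query answered entirely from the local table. `FAKE_DIRECTORY`, `ldap_bind`, `open_cache`, `login`, `team_members` and `cached_columns` are names chosen for this example; a real deployment would replace `ldap_bind` with a bind to the LDAP server.

```python
"""Login-time caching of LDAP users, as an added illustration of the scheme
described above (not code from the page or the product it documents).
The directory is a constructed dict standing in for an LDAP server; the
cache is an in-memory SQLite database. No password ever reaches the cache."""
import hmac
import sqlite3
from datetime import datetime, timezone

# Cache schema: note the absence of any password column.
SCHEMA = """
CREATE TABLE IF NOT EXISTS users (
    login      TEXT PRIMARY KEY,
    email      TEXT,
    last_login TEXT
);
CREATE TABLE IF NOT EXISTS team_membership (
    login TEXT NOT NULL REFERENCES users(login),
    team  TEXT NOT NULL,
    PRIMARY KEY (login, team)
);
"""

# Constructed stand-in for the directory: login -> password plus attributes.
FAKE_DIRECTORY = {
    "alice": {"password": "correct horse", "mail": "alice@example.com",
              "memberOf": ["Support", "Sales"]},
    "bob":   {"password": "battery staple", "mail": "bob@example.com",
              "memberOf": ["Support"]},
    "carol": {"password": "never logs in", "mail": "carol@example.com",
              "memberOf": ["Sales"]},
}


def ldap_bind(login_name, password):
    """Simulated simple bind: returns the user's non-secret attributes on
    success, None on failure. Real deployments bind to the server here."""
    rec = FAKE_DIRECTORY.get(login_name)
    if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
        return None
    return {k: v for k, v in rec.items() if k != "password"}


def open_cache():
    """Create the in-memory cache with the schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login(conn, login_name, password, bind=ldap_bind):
    """Authenticate against LDAP, then create or refresh the cached entry.
    Only non-secret attributes are stored; the password is discarded."""
    attrs = bind(login_name, password)
    if attrs is None:
        return False
    now = datetime.now(timezone.utc).isoformat()
    with conn:  # one transaction, committed on success
        conn.execute(
            "INSERT INTO users(login, email, last_login) VALUES (?, ?, ?) "
            "ON CONFLICT(login) DO UPDATE SET email = excluded.email, "
            "last_login = excluded.last_login",
            (login_name, attrs.get("mail"), now),
        )
        # Replace team membership wholesale so removals in LDAP propagate too.
        conn.execute("DELETE FROM team_membership WHERE login = ?", (login_name,))
        conn.executemany(
            "INSERT INTO team_membership(login, team) VALUES (?, ?)",
            [(login_name, team) for team in attrs.get("memberOf", [])],
        )
    return True


def team_members(conn, team):
    """Answered from the local cache alone: no LDAP round trip, and users who
    have never logged in are absent by design."""
    rows = conn.execute(
        "SELECT login FROM team_membership WHERE team = ? ORDER BY login", (team,)
    ).fetchall()
    return [r[0] for r in rows]


def cached_columns(conn):
    """Column names of the users table, to confirm nothing secret is cached."""
    return [row[1] for row in conn.execute("PRAGMA table_info(users)")]


if __name__ == "__main__":
    cache = open_cache()
    print("alice login:", login(cache, "alice", "correct horse"))
    print("bob login:", login(cache, "bob", "battery staple"))
    print("Support team:", team_members(cache, "Support"))
    print("Sales team (carol never logged in):", team_members(cache, "Sales"))
    print("cached columns:", cached_columns(cache))
```

Two points the example makes concrete: carol is in the Sales team in the directory but never appears in the local team query until she logs in, which is exactly the restriction the text describes, and a change to alice's `memberOf` in the directory only reaches the cache on her next login, since the refresh is tied to authentication rather than to a background sync.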

LDAP Integration

LDAP can be used by the system in three ways:

LDAP Mapping Wizard

The system uses the standard LDAP v2 protocol to connect to and query an LDAP/AD server through simple Bind authentication. It does not add any proprietary extensions to it.

If an LDAP sync through the system does not return an entity/attribute that you are looking for, download a third-party LDAP client such as Jxplorer from http://jxplorer.org and test through it using the same base DN and query filter.

If the entity/attribute is returned through a third-party client but not through the system, please report the incident to support through https://www.agiloft.com/support-login.htm for further investigation. Otherwise, it is more likely that the LDAP user specified on the Login tab of the LDAP wizard is missing the permissions needed to view the entity/attribute. That user must have view access to all records you want to synchronize or authenticate against. The problem may also be caused by an incorrect filter in the LDAP query.
