Before configuring LDAP with , keep in mind a few basic points:
LDAP can hold any kind of data, but it is usually used to provide a central repository of user information and passwords. This allows other enterprise applications to check passwords against a single LDAP repository, rather than each application storing them individually. This reduces maintenance costs and improves security.
In addition to login names and passwords, allows other information such as email addresses, groups, teams, and custom fields to be mapped between LDAP attributes and their equivalents in . However, the use of LDAP for more than login and password information provides some challenges for .
Both LDAP and may contain custom attributes, or fields. Unfortunately, there is no way to find all the custom attributes in an LDAP database, except by reading the users one-by-one and noting their attributes. For LDAP databases with hundreds of thousands of users, this could take hours.
resolves this problem by searching the first 1,000 users for attributes and referencing one specific user that contains the additional attributes that must be mapped. The actual values of the attributes in this user do not matter; they just need to exist. For example, if the user has a Telephone Number attribute of 0, the system adds Telephone Number to the list of mappable attributes.
Workflow rules that send email to a team need to know which users are part of which teams. can instantly search its own tables with an SQL query to find all the matching users, but there is no way to perform an equivalent search on the LDAP database. Instead, the system would need to read every LDAP user in turn to determine whether they were a member of a given team. For large LDAP repositories, this could take a very long time.
To resolve this, when a user logs into using LDAP authentication, the system creates a dummy entry for them in the People table. The system then syncs with LDAP to refresh the cached data in this entry each time the user subsequently logs in. This allows the system to rapidly find team members and avoid unnecessary calls to the LDAP server. Of course, password information is not cached, so centralized password control is maintained.
This strategy allows to automatically restrict team emails to those LDAP users who actually use . If you want all users to receive email, you can configure the system to automatically sync with LDAP at regular intervals. However, some administrators see the restriction as an advantage because users who do not use may not expect to receive email from it.
LDAP can be used by in three ways:
LDAP configuration is completed with the LDAP wizard. To access the wizard, click the Setup gear in the top-right corner and go to Access > LDAP/AD Authentication.
Follow these steps to begin configuring LDAP with your system:
Complete the settings on the Server tab:
Enter the name of your company's LDAP server, port, and the base directory. The standard LDAP TCP port is 389, and the standard LDAP SSL port is 636.
These are common schemes for base directories:
|
Once you're connected to the server, you can begin specifying the data and mapping settings:
On the Object Class Field tab, select the object class that stores user authentication data, as well as the object classes that represent groups and teams. Multiple user authentication classes can be selected by holding the CTRL key. Notice that several new tabs appear when you move to the Object Class Field tab.
Object classes separate LDAP attributes into logical categories. The "user" class is often used for entries that have the appropriate user authentication attributes. If you want to restrict logins to certain users, you could add a custom objectClass such as "EWusers" to these users and specify it here. |
Specify mappings between system fields and a corresponding LDAP attribute. Fields in the Employees table are populated by LDAP attributes according to these mappings. It's a good idea to add custom LDAP attributes to your user entries for this purpose. In particular, make sure you do not map directly to a linked field; if you need to sync with a linked field, create an intermediary field with a rule to keep the two in step, and then sync to the intermediary field. These are some common mappings:
LDAP | |
---|---|
Login | cn |
First Name | givenName |
Last Name | sn (surname) |
Full Name | name |
After configuring the mapping between and LDAP, set the remaining options for the LDAP server and its synchronization:
To manually sync LDAP users with , go to Setup > Access and click Synchronize LDAP/AD users after completing the LDAP configuration. |
If syncs occur automatically, select the start time of the sync.
Click Finish to complete the LDAP configuration.
If an LDAP sync through does not return a particular entity or attribute, first make sure you aren't attempting to sync with a linked field. If you need to sync to a linked field, you can create an intermediary field and sync to that, and then set up a rule that keeps the linked field and the intermediary field in step with each other.
If that isn't the issue, download a third-party LDAP client and use it to test the same base DN and query filter. If the entity or attribute returns through a third-party client but not through , report the incident to support for further investigation.
If the entity or attribute is not returned through a third-party client or , the LDAP user specified on the Login tab of the LDAP wizard probably lacks the necessary permissions to view it. The user must have view access to all records you want to synchronize or authenticate against.
The problem might otherwise be caused by an incorrect filter in the LDAP query.
Related articles |