Set up LDAP synchronization

LDAP directory synchronization lets you automate user account administration in Creatio. Users synchronized with LDAP can log in to Creatio with their domain credentials.

Creatio supports synchronization with Active Directory and OpenLDAP.

The synchronization procedure consists of three stages:

  1. LDAP integration setup. Performed once, unless the LDAP directory structure changes. This step is required to enable the LDAP synchronization features. You will also need to set up Active Directory user filtering to define synchronization parameters. Read more: Set up Active Directory filters.

  2. Connecting Creatio items (i.e., users and organizational structure elements) with the respective items in the LDAP directory. Performed when adding new users or organizational roles. You can connect existing Creatio user accounts or import users from Active Directory.

  3. Synchronization of Creatio users and organizational structure elements with the connected LDAP directory elements. Required to update Creatio data so that it reflects changes to the LDAP directory since the previous synchronization. Creatio performs this step regularly. You can also synchronize data manually by clicking Synchronize with LDAP in the Organizational roles section.

    Note. Each organizational role is an element in a tree-like structure of roles, where each element is an organization or a department.

Users will be able to log in with LDAP after the synchronization. Read more: Set up LDAP authentication.

Set up LDAP integration 

To set up LDAP integration, connect LDAP directory elements with Creatio users and roles. Basic knowledge about the structure of the relevant LDAP directory is required to set up the integration.

This article contains LDAP setup examples for Active Directory and OpenLDAP.

Attention. Depending on the structure of each LDAP directory, LDAP element attributes in your directory may differ from the attributes specified as examples.

  1. Click the btn_system_designer.png button to open the System Designer.
  2. Click the “LDAP integration setup” link in the “Import and integration” block. The setup page will open. Fill out the highlighted fields. You can keep the default values in the other fields.
Fig. 1 LDAP integration setup page for Active Directory
chapter_ldap_synchronization_setup.png
Fig. 2 LDAP integration setup page for Open LDAP
chapter_openldap_synchronization_setup.png

1. Set up the connection to the server 

Specify the general server connection settings:

  1. Enter the LDAP server name or the IP address in the Server name field.

  2. Select the LDAP server connection protocol in the Authentication type field. The authentication type depends on your LDAP server and your authentication security requirements. For example, select “Ntlm” to authenticate with NT LAN Manager, which Windows supports.

    Note. If you select the “Kerberos” authentication type, the Server name and Key Distribution Center fields only accept DNS host names, not IP addresses, because Kerberos resolves the service principal by host name. Your Creatio application server has to be joined to the same domain as the LDAP server and the key distribution center.

  3. Specify administrator credentials in the Administrator login and Password fields. If your Creatio server is installed on Linux, use the “domain\login” format.

    Note. Make sure that the account has sufficient permissions to read the user and group information. A dedicated read-only account is sufficient for the operations described on this page; it does not need domain administrator rights.

  4. Specify the automatic LDAP synchronization interval in the Synchronization interval (hours) field. Read more: Run the LDAP synchronization.

  5. Select the Synchronize only groups checkbox to automatically deactivate Creatio users that are removed from the synchronized LDAP groups and activate users that are added to them.

  6. Select the Grant licenses checkbox to grant licenses to users on LDAP synchronization automatically.

  7. Select the Use SSL checkbox to enable SSL for the synchronization. If you select the checkbox, specify the value of the Server name field in the “server:port” format.

    The default port value is “636” for the LDAPS connection. Only Creatio on Windows supports LDAPS synchronization.

    The default port value for the LDAP connection is “389.” Keep in mind that a simple (basic) bind over plain LDAP sends the administrator password across the network in cleartext; use LDAPS or one of the Kerberos/NTLM authentication types where your server supports them.

    Note. If you use a self-signed certificate in Creatio cloud, use the extracted block service and send the certificate to Creatio support so that they can mark it as trusted.

2. Set up the user synchronization 

To set up the user synchronization, specify the attributes of the LDAP directory elements that contain the user data you need to import.

  1. Map the required attributes:

    1. Specify the distinguished name (DN) of the LDAP organizational structure element that contains the synchronized users in the Domain name field, for example, “OU=Users,DC=example,DC=com.” You will only be able to synchronize users subordinate to the specified LDAP element, either directly or through its child elements. For example, if you specify the root element of the directory structure, you will be able to synchronize all users in the directory.

    2. Specify the LDAP attribute that contains the full name of an LDAP user in the User name field. Creatio populates the Full name field on the contact page with the attribute's value during import. For example, the “name” or “cn” (Common Name) attributes can contain the full name of the user.

    3. Specify the attribute that contains the LDAP username used for login in the Username field. The synchronized LDAP user will log in to Creatio with this name. For example, “sAMAccountName.”

    4. Specify the attribute to use as a unique user ID in the User Id field. The value of this attribute must be unique for each user, for example, “objectSid” in Active Directory.

    5. Specify the attribute that stores the time and date of the last change to the LDAP element in the Modification date attribute field, for example, “whenChanged” in Active Directory or “modifyTimestamp” in OpenLDAP.

    Attention. If any of these attributes are missing, LDAP synchronization will throw an error.

  2. You can also map optional attributes Creatio will use to populate the user contact page:

    1. Specify the attribute that contains the name of the user's employer in the Company name field. Populates the Account field on the contact page. If an account name matches the value of the specified attribute verbatim, Creatio will link the user's contact to that account during synchronization.

    2. Specify the attribute that contains the user's job title in the Job title field. Populates the Job title field on the contact page. If an existing job title matches the value of the specified attribute verbatim, Creatio will select this job title for the user during synchronization.

      Note. If the value of the corresponding attribute does not match any existing account or job title verbatim, Creatio ignores the value during synchronization and leaves the corresponding field on the user's contact page empty, rather than creating a new entry.

    3. Specify the attribute that contains the user's phone number in the Phone number field. Populates the Business phone field on the contact page.

    4. Specify the attribute that contains the user's email address in the Email field. Populates the Email field on the contact page.

    Attention. If you leave any additional attribute fields empty, Creatio will not populate them when importing users from an LDAP directory.

3. Set up synchronization between LDAP user groups and Creatio roles 

Group synchronization settings let you link LDAP groups to Creatio organizational structure elements. To set up the synchronization, map the attributes of the LDAP directory elements that contain the group data to be imported.

  1. Specify the attribute that contains the name of the user group in LDAP in the LDAP group name field. For example, the “cn” (“Common Name”) attribute.

  2. Specify the attribute to use as a unique group ID in the Group Id field. The value of this attribute must be unique for each group. For example, you can use the “objectSid” attribute.

  3. Specify the distinguished name (DN) of the LDAP element that contains all synchronized user groups in the Groups domain name field. All user groups subordinate to the specified LDAP element, directly or through its child elements, will be available for synchronization. For example, if you specify the root element of the LDAP directory, all user groups in the directory will be available for synchronization.

Note. Creatio verifies users included in the synchronization groups during the synchronization process. If the date stored in the modification date LDAP user attribute is later than the last synchronization date, Creatio will update this user entry in Creatio organizational structure.

Attention. If any of these attributes are missing, LDAP synchronization will throw an error.
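The following is an added example and not Creatio's own code: a small Python model of the user-synchronization rules from the two sections above. It checks that every required mapped attribute is present (the page states that synchronization throws an error otherwise), re-synchronizes only users whose modification-date attribute is later than the last synchronization, and applies the verbatim-match rule for the optional Company name and Job title attributes. The mapping uses Active Directory attribute names as examples; the entries, dates, accounts and job titles are constructed sample data, and only UTC (“Z”) timestamps are handled.

```python
"""Added example (not Creatio code): model the user-sync decisions described on this page.
Attribute names are AD examples; all entries and reference data below are constructed."""
from datetime import datetime, timezone

# Attribute mapping as it would be entered on the LDAP integration setup page (AD example).
MAPPING = {
    "User name": "name",                     # -> Full name on the contact page
    "Username": "sAMAccountName",            # -> login
    "User Id": "objectSid",                  # unique per user
    "Modification date attribute": "whenChanged",
    "Company name": "company",               # optional -> Account (verbatim match only)
    "Job title": "title",                    # optional -> Job title (verbatim match only)
    "Phone number": "telephoneNumber",       # optional -> Business phone
    "Email": "mail",                         # optional -> Email
}
REQUIRED = ("User name", "Username", "User Id", "Modification date attribute")


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime in UTC: AD '20240301120000.0Z' or OpenLDAP '20240301120000Z'."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled in this example: %r" % value)
    base = value[:-1].split(".")[0]          # drop the 'Z' and any fractional seconds
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def missing_required(entry):
    """Required mapped attributes absent from the LDAP entry; any of them makes the sync fail."""
    return [MAPPING[field] for field in REQUIRED if MAPPING[field] not in entry]


def verbatim_lookup(value, existing):
    """Optional attributes are linked only on an exact match; otherwise the field stays empty."""
    return value if value in existing else None


def plan_user_sync(entries, last_sync, accounts, job_titles):
    """Return the contact updates a synchronization run after `last_sync` would make."""
    updates = []
    for entry in entries:
        missing = missing_required(entry)
        if missing:
            raise ValueError("required LDAP attributes missing: %s" % ", ".join(missing))
        changed = parse_generalized_time(entry[MAPPING["Modification date attribute"]])
        if changed <= last_sync:
            continue                         # unchanged since the previous synchronization
        updates.append({
            "login": entry[MAPPING["Username"]],
            "full_name": entry[MAPPING["User name"]],
            "user_id": entry[MAPPING["User Id"]],
            "account": verbatim_lookup(entry.get(MAPPING["Company name"]), accounts),
            "job_title": verbatim_lookup(entry.get(MAPPING["Job title"]), job_titles),
            "business_phone": entry.get(MAPPING["Phone number"]),
            "email": entry.get(MAPPING["Email"]),
        })
    return updates


# Constructed sample data: last sync on 2024-02-01, one existing account, two job titles.
LAST_SYNC = datetime(2024, 2, 1, tzinfo=timezone.utc)
ACCOUNTS = {"Acme Corp"}
JOB_TITLES = {"Engineer", "Sales Manager"}
ENTRIES = [
    {"name": "Alice Example", "sAMAccountName": "alice", "objectSid": "S-1-5-21-1-2-3-1001",
     "whenChanged": "20240301120000.0Z", "company": "Acme Corp", "title": "Engineer",
     "mail": "alice@example.com"},                                   # changed, exact matches
    {"name": "Bob Example", "sAMAccountName": "bob", "objectSid": "S-1-5-21-1-2-3-1002",
     "whenChanged": "20240101090000.0Z", "company": "Acme Corp", "title": "Engineer"},   # before last sync
    {"name": "Carol Example", "sAMAccountName": "carol", "objectSid": "S-1-5-21-1-2-3-1003",
     "whenChanged": "20240302080000Z", "company": "ACME corp", "title": "CTO"},          # no verbatim match
]

if __name__ == "__main__":
    for update in plan_user_sync(ENTRIES, LAST_SYNC, ACCOUNTS, JOB_TITLES):
        print(update)
```

Running it updates only alice and carol: bob's whenChanged predates the last synchronization, and carol's company differs from “Acme Corp” only by case, which is still not a verbatim match, so her Account and Job title stay empty.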

4. Set up the filter conditions 

Filter conditions determine which criteria to use to include LDAP elements in the list of synchronized groups and users. The examples below are for Active Directory:

  1. In the List of users field, specify a search filter that selects, from all elements in the LDAP directory, the ones to synchronize with Creatio users. The filter must select active elements only.

  2. In the List of groups field, specify a search filter that selects the LDAP elements to synchronize with Creatio organizational roles (user groups). The filter must select active elements only.

  3. In the List of group users field, specify a search filter that builds the list of users included in an LDAP group. One or more attributes determine whether a user is a member of a group. For example, most directories use the “memberOf” attribute. The (memberOf=[#LDAPGroupDN#]) filter contains a Creatio macro and selects all objects (users) that are members of the [#LDAPGroupDN#] group.

Note. Enclose each logical expression in brackets () to ensure the filter works correctly both on Windows and Linux. Read more: Set up Active Directory filters.
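The following is an added example and not Creatio's own code: a small Python evaluator for RFC 4515 search filters that lets you try the three filter conditions against sample entries offline before entering them on the setup page. It supports &, |, !, equality and presence matches, the Active Directory bitwise matching rules 1.2.840.113556.1.4.803 (AND) and 1.2.840.113556.1.4.804 (OR), the page's [#LDAPGroupDN#] macro, and the bracket check from the note above. The filter values are common Active Directory examples (sAMAccountType 805306368 selects normal user accounts, userAccountControl bit 2 marks a disabled account); the directory entries are constructed sample data.

```python
"""Added example (not Creatio code): evaluate LDAP search filters against constructed entries.
Attribute names are Active Directory defaults; multi-valued attributes are lists."""
import re

BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"     # LDAP_MATCHING_RULE_BIT_OR
ACCOUNTDISABLE = 2                     # userAccountControl flag set on disabled accounts

# Example values for the three filter fields described above (Active Directory).
LIST_OF_USERS = "(&(sAMAccountType=805306368)(!(userAccountControl:%s:=%d)))" % (BIT_AND, ACCOUNTDISABLE)
LIST_OF_GROUPS = "(objectClass=group)"
LIST_OF_GROUP_USERS = "(memberOf=[#LDAPGroupDN#])"   # [#LDAPGroupDN#] is the Creatio macro

# Constructed sample directory: two enabled users, one disabled user, one group.
SALES_DN = "CN=Sales,OU=Groups,DC=example,DC=com"
ENTRIES = [
    {"cn": "alice", "objectClass": ["top", "person", "user"], "sAMAccountType": "805306368",
     "userAccountControl": "512", "memberOf": [SALES_DN]},              # normal, enabled
    {"cn": "bob", "objectClass": ["top", "person", "user"], "sAMAccountType": "805306368",
     "userAccountControl": "514", "memberOf": [SALES_DN]},              # 512 + 2: disabled
    {"cn": "carol", "objectClass": ["top", "person", "user"], "sAMAccountType": "805306368",
     "userAccountControl": "66048", "memberOf": ["CN=Engineering,OU=Groups,DC=example,DC=com"]},
    {"cn": "Sales", "objectClass": ["top", "group"], "sAMAccountType": "268435456"},
]


def substitute_macros(filt, **macros):
    """Replace Creatio macros such as [#LDAPGroupDN#] with concrete values."""
    for name, value in macros.items():
        filt = filt.replace("[#%s#]" % name, value)
    return filt


def brackets_balanced(filt):
    """Check the note above: every logical expression must be enclosed in ( )."""
    depth = 0
    for ch in filt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0 and filt.startswith("(") and filt.endswith(")")


def parse(filt):
    """Parse a filter into a tree of ('&'|'|'|'!', children) or ('=', (attr, rule, value))."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("unexpected text after filter: %r" % filt[end:])
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        node = (op, children)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        end = s.index(")", i)
        m = re.fullmatch(r"([\w-]+)(?::([\w.]+):)?=(.*)", s[i:end])   # attr[:rule:]=value
        if not m:
            raise ValueError("bad filter item: %r" % s[i:end])
        attr, rule, value = m.groups()
        node, i = ("=", (attr.lower(), rule, value)), end
    if s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute names and values compare case-insensitively."""
    op, payload = node
    if op == "&":
        return all(matches(c, entry) for c in payload)
    if op == "|":
        return any(matches(c, entry) for c in payload)
    if op == "!":
        return not matches(payload[0], entry)
    attr, rule, value = payload
    values = {k.lower(): v for k, v in entry.items()}.get(attr)
    if values is None:
        return False
    values = values if isinstance(values, list) else [values]
    if rule == BIT_AND:
        return any(int(v) & int(value) == int(value) for v in values)
    if rule == BIT_OR:
        return any(int(v) & int(value) != 0 for v in values)
    if value == "*":
        return True
    return any(str(v).lower() == value.lower() for v in values)


def select(filt, entries, **macros):
    """Return the cn of every entry the filter selects, after macro substitution and the bracket check."""
    filt = substitute_macros(filt, **macros)
    if not brackets_balanced(filt):
        raise ValueError("unbalanced brackets in filter: %r" % filt)
    tree = parse(filt)
    return [e["cn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    print("List of users:      ", select(LIST_OF_USERS, ENTRIES))
    print("List of groups:     ", select(LIST_OF_GROUPS, ENTRIES))
    print("Users of Sales:     ", select(LIST_OF_GROUP_USERS, ENTRIES, LDAPGroupDN=SALES_DN))
```

Note the result for the group-members filter: (memberOf=…) alone returns bob as well, even though his account is disabled. That is why the List of users filter, not the List of group users filter, is the one that has to exclude inactive accounts.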

Link LDAP elements to Creatio users and roles 

In Creatio, you can synchronize the organizational and functional user roles with the Active Directory groups.

You can transfer the company organizational structure and role settings from Active Directory to Creatio after the LDAP synchronization.

Set up the synchronization between Creatio organizational roles and Active Directory groups 

  1. Click the btn_system_designer.png button to open the System Designer.

  2. Click “Organizational roles” in the “Users and administration” block.

  3. Select the needed role from the organizational tree on the newly-opened page (Fig. 3).

    If there is no such role, click New and select “Organization” or “Division” depending on the type of role you need to add. Specify the group name on the newly-opened page.

    Fig. 3 Selecting the organizational role for the synchronization setup
    chapter_ldap_synchronization_roles_choosing.png
  4. Select the Synchronize with LDAP checkbox in the Users tab. Select the Active Directory group that corresponds to this Creatio organizational role in the LDAP element field (Fig. 4).

    Fig. 4 Selecting the Active Directory group for the synchronization setup
    chapter_ldap_synchronization_set_group.png
  5. If necessary, add new users by clicking the btn_add_ke.png button on the Users detail.

    To synchronize large numbers of users not yet registered in Creatio, import these users from the LDAP directory. Read more: Import new users and roles from Active Directory.

  6. Click Save.

As a result, Creatio will synchronize the selected organizational role during the next synchronization session.

Set up the synchronization between Creatio functional roles and Active Directory groups 

  1. Click the btn_system_designer.png button to open the System Designer.

  2. Click “Functional roles” in the “Users and administration” block.

  3. Repeat steps 3 through 5 of the Creatio organizational roles and Active Directory groups synchronization setup, described above.

Connect Creatio user accounts with LDAP users 

  1. Click the btn_system_designer.png button to open the System Designer.

  2. Click “Organizational roles” or “Functional roles” in the “Users and administration” block, depending on what user groups you would like to synchronize.

  3. Select the relevant user's role on the newly-opened page.

  4. Go to the Users tab, select the relevant user, and double-click the row to open the record page.

  5. Select the LDAP authentication option in the General information tab.

  6. Select the relevant LDAP user in the Login field.

  7. Click Save (Fig. 5).

    Fig. 5 Connecting a user
    chapter_ldap_synchronization_user_connect.png

This will connect the Creatio user with the LDAP user. The user will be able to log in to Creatio with credentials stored in the LDAP directory, such as the domain login and password.

Creatio will apply all changes made to users and groups in the LDAP directory to the connected user accounts and Creatio organizational structure elements during the synchronization session.

Run the LDAP synchronization 

Set up the automatic synchronization 

  1. Click the btn_system_designer.png button in the top right to open the System Designer.

  2. Click “LDAP integration setup” in the “Import and integration” block.

  3. Fill out the Synchronization interval (hours) field on the newly-opened page. Creatio will automatically synchronize users with LDAP after every specified interval.

    Note. Learn more about filling out other fields on the LDAP integration setup page: Set up LDAP integration.

  4. Click Save (Fig. 6).

    Fig. 6 Save the filled out LDAP integration setup page
    scr_chapter_ldap_synchronization_save_ldap_integr_setup.png

After you save the LDAP integration setup page, Creatio will automatically start the synchronization by running the “Run LDAP import” process (Fig. 7).

Fig. 7 The “Run LDAP import” process
scr_chapter_ldap_synchronization_process_log_launch_import.png

Run the synchronization manually 

  1. Click the btn_system_designer.png button in the top right to open the System Designer.

  2. Click the “Organizational roles” link in the “Users and administration” block.

  3. Select the Synchronize with LDAP action in the section menu (Fig. 8). This will run the “Run LDAP synchronization” process, which will, in turn, call the “Synchronize user data with LDAP” process (Fig. 9).

    Fig. 8 The Synchronize with LDAP action
    scr_chapter_ldap_synchronization_process_org_roles_ldap_sync.png
Fig. 9 The “Synchronize user data with LDAP” and “Run LDAP synchronization” processes
scr_chapter_ldap_synchronization_process_process_log_sync_users_data.png

Creatio will notify you when the synchronization is complete.

Note. Should the number of synchronized users exceed the number of active licenses, Creatio will notify the system administrators via the communication panel and email.

Synchronization results 

  • If an LDAP user is no longer among the active users, Creatio will clear the Active checkbox on the corresponding Creatio user page, and the user will not be able to log in.

  • If you activate a previously inactive LDAP user, Creatio will select the Active box on the corresponding Creatio user page.

  • If you rename an LDAP user or a group of users, Creatio will rename the synchronized Creatio users and roles as well.

  • If you select the Synchronize only groups checkbox and exclude an LDAP user from the LDAP group connected with a Creatio organizational structure element, Creatio will deactivate the corresponding user and exclude them from the organizational structure element.

  • If you select the Synchronize only groups checkbox and add a user to the LDAP group connected with a Creatio organizational structure element, Creatio will activate the corresponding user and include them in the organizational structure element.

  • If you add new unsynchronized users to the synchronized LDAP element, Creatio will import the users.

  • If there are Creatio users whom you did not import from LDAP but whose names match LDAP user names, Creatio will not synchronize them.

  • If you delete a synchronized LDAP user from a group connected with a Creatio organizational structure element, the user will remain active in Creatio but will not be able to log in.

  • Creatio will grant licenses to all synchronized users if you select the corresponding checkbox. Read more: Set up the connection to server.