Set up LDAP synchronization


LDAP directory synchronization lets you automate user account administration in Creatio. Users synchronized with LDAP can log in to Creatio with their domain credentials.

Creatio supports synchronization with Active Directory and OpenLDAP.

The synchronization procedure consists of three stages:

  1. LDAP integration setup. Performed once, unless the LDAP directory structure changes. This step is required to enable the LDAP synchronization features. You will also need to set up Active Directory user filtering to define synchronization parameters. Read more: Set up Active Directory filters.

  2. Connecting Creatio items (i.e., users and organizational structure elements) with the respective items in the LDAP directory. Performed when adding new users or organizational roles. You can connect existing Creatio user accounts or import users from Active Directory.

  3. Synchronization of Creatio users and organizational structure elements with the connected LDAP directory elements. Required to update Creatio data so that it reflects changes to the LDAP directory since the previous synchronization. Creatio performs this step regularly. You can also synchronize data manually by clicking Synchronize with LDAP in the Organizational roles section.

    Note. Each organizational role is an element in a tree-like structure of roles, where each element is an organization or a department.

Users will be able to log in with LDAP after the synchronization. Read more: Set up LDAP authentication.

Set up LDAP integration 

To set up LDAP integration, connect LDAP directory elements with Creatio users and roles. Basic knowledge about the structure of the relevant LDAP directory is required to set up the integration.

This article contains LDAP setup examples for Active Directory and OpenLDAP.

Attention. Depending on the structure of each LDAP directory, LDAP element attributes in your directory may differ from the attributes specified as examples.

  1. Click the button to open the System Designer.
  2. Click the “LDAP integration setup” link in the “Import and integration” block. The setup page will open. Fill out the highlighted fields. You can keep the default values in the other fields.

Fig. 1 LDAP integration setup page for Active Directory

Fig. 2 LDAP integration setup page for OpenLDAP

1. Set up the connection to the server 

Specify the general server connection settings:

  1. Server name – enter the LDAP server name or the IP address.

  2. Authentication type – select the LDAP server connection protocol. The authentication type depends on your LDAP server and the authentication security requirements. For example, select “Ntlm” to use the NT LAN Manager authentication supported by Windows.

    Note. If you select the “Kerberos” authentication type, the Server name and Key Distribution Center fields will only support URLs, not IP addresses. Your Creatio application server has to be joined to the same domain as the LDAP server and the key distribution center.

  3. Administrator login, Password – administrator credentials. If your Creatio server is installed on Linux, use the “domain\login” format.

    Note. Make sure that the administrator has sufficient permissions to read the user and group information.

  4. Synchronization interval (hours) – the automatic LDAP synchronization interval. Read more: Run the LDAP synchronization.

  5. Select the Synchronize only groups checkbox to automatically deactivate Creatio users that are excluded from the synchronized LDAP groups and activate users that are included in them.

  6. Select the Grant licenses checkbox to grant licenses to users on LDAP synchronization automatically.

  7. Select the Use SSL checkbox to enable SSL for the synchronization. If you select the checkbox, specify the value of the Server name field in the “server:port” format.

    The default port value is “636” for the LDAPS connection. Only Creatio on Windows supports LDAPS synchronization.

    The default port value for the LDAP connection is “389”.

2. Set up the user synchronization 

To set up the user synchronization, specify the attributes of the LDAP directory elements that contain the user data you need to import.

  1. Specify the required attributes:

    1. Domain name – the unique name of the LDAP organizational structure element that contains the synchronized users. You will only be able to synchronize users subordinate to the specified LDAP element, either directly or through its child elements. For example, if you specify the root element of the directory structure, you will be able to synchronize all users in the directory.

    2. User name – the LDAP attribute that contains the full name of an LDAP user. Creatio populates the Full name field on the contact page with the attribute's value during import. For example, the “name” or “cn” (Common Name) attributes can contain the full name of the user.

    3. Username – the attribute that contains the LDAP username used for login. The synchronized LDAP user will log in to Creatio with this name. For example, “sAMAccountName”.

    4. User Id – the attribute to use as a unique user Id. The value of this attribute must be unique for each user.

    5. Modification date attribute – the attribute that stores the time and date of the last change to the LDAP element.

    Attention. If any of these attributes are missing, LDAP synchronization will throw an error.

  2. You can also specify optional attributes Creatio will use to populate the user contact page:

    1. Company name – the attribute that contains the name of the user's employer. Populates the Account field on the contact page. If an account name matches the value of the specified attribute verbatim, Creatio will link the user's contact to that account during synchronization.

    2. Job title – the attribute that contains the user's job title. Populates the Job title field on the contact page. If an existing job title matches the value of the specified attribute verbatim, Creatio will select this job title for the user during synchronization.

      Note. If the value of the corresponding attribute does not match any existing account or job title verbatim, Creatio ignores the value during the synchronization and leaves the corresponding field on the user's contact page empty, rather than creating a new entry.

    3. Phone number – the attribute that contains the user's phone number. Populates the Business phone field on the contact page.

    4. Email – the attribute that contains the user's email address. Populates the Email field on the contact page.

    Attention. If you leave any additional attribute fields empty, Creatio will not populate them when importing users from an LDAP directory.

3. Set up synchronization between LDAP user groups and Creatio roles 

Group synchronization settings let you link LDAP groups to Creatio organizational structure elements. To set up the synchronization, specify the attributes of the LDAP directory elements that contain the user data to be imported.

  1. LDAP group name – the attribute that contains the name of the user group in LDAP. For example, you can specify the “cn” (“Common Name”) attribute.

  2. Group Id – the attribute to use as a unique group Id. The value of this attribute must be unique for each group. For example, you can use the “objectSid” attribute.

  3. Groups domain name – the unique name of the LDAP element that contains all synchronized user groups. All user groups subordinate to the specified LDAP element, directly or to its child elements, will be available for synchronization. For example, if you specify the root element of the LDAP directory, all user groups in the directory will be available for synchronization.

Note. Creatio verifies users included in the synchronization groups during the synchronization process. If the date stored in the modification date LDAP user attribute is later than the last synchronization date, Creatio will update this user entry in the Creatio organizational structure.

Attention. If any of these attributes are missing, LDAP synchronization will throw an error.

4. Set up the filter conditions 

Filter conditions determine the criteria used to include LDAP elements in the list of synchronized groups and users. Specify the filter conditions for Active Directory:

  1. List of users – selects the elements to synchronize with Creatio users from the general LDAP element catalog. The search filter must select active elements only.

  2. List of groups – selects the LDAP elements to synchronize with Creatio organizational roles (user groups). The search filter must select active elements only.

  3. List of group users – builds a list of users included in the LDAP group. One or more attributes determine whether a user is a member of a group. For example, most directories use the “memberOf” attribute. The (memberOf=[#LDAPGroupDN#]) filter contains a Creatio macro and will filter out all objects (users) included in the [#LDAPGroupDN#] group.

Note. Enclose each logical expression in brackets () to ensure the filter works correctly both on Windows and Linux. Read more: Set up Active Directory filters.
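The following added example (not Creatio's own code) shows filters of this shape for Active Directory, expands the [#LDAPGroupDN#] macro with RFC 4515 escaping so that parentheses or wildcards in a group DN cannot change the filter's meaning, and checks the bracketing rule from the note above. The USER_FILTER and GROUP_FILTER values, the function names and the escaping helper are assumptions; the userAccountControl bitwise-AND test is the standard Active Directory idiom for excluding disabled accounts.

```python
# Assumed typical Active Directory filters for the "List of users" and
# "List of groups" fields; adapt attribute names to your own directory.
# userAccountControl bit 2 is ACCOUNTDISABLE; the OID is the bitwise-AND
# matching rule, so the negated clause keeps enabled accounts only.
USER_FILTER = (
    "(&(objectClass=user)(objectCategory=person)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)
GROUP_FILTER = "(objectClass=group)"
# "List of group users" filter from the page, containing Creatio's macro.
GROUP_USERS_FILTER = "(memberOf=[#LDAPGroupDN#])"

# RFC 4515 escapes for a value placed inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a DN or attribute value so it cannot alter the filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_group_users_filter(template: str, group_dn: str) -> str:
    """Replace the [#LDAPGroupDN#] macro with the escaped group DN, which is
    the filter the directory receives for each synchronized role."""
    return template.replace("[#LDAPGroupDN#]", escape_filter_value(group_dn))


def is_well_formed(flt: str) -> bool:
    """Check the page's rule: the whole filter is one parenthesized expression
    with balanced parentheses. Rejects 'cn=x' and '(a=b)(c=d)'."""
    if len(flt) < 3 or flt[0] != "(" or flt[-1] != ")":
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # closing the outermost group before the end means two expressions
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0


def check_all(group_dn: str) -> dict:
    """Validate the three filters as they would be sent for one group."""
    expanded = expand_group_users_filter(GROUP_USERS_FILTER, group_dn)
    return {
        "users": is_well_formed(USER_FILTER),
        "groups": is_well_formed(GROUP_FILTER),
        "group_users": is_well_formed(expanded),
        "expanded": expanded,
    }
```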

Link LDAP elements to Creatio users and roles 

In Creatio, you can synchronize the organizational and functional user roles with the Active Directory groups.

You can transfer the company organizational structure and role settings from Active Directory to Creatio after the LDAP synchronization.

Set up the synchronization between Creatio organizational roles and Active Directory groups 

  1. Click the button to open the System Designer.

  2. Click “Organizational roles” in the “Users and administration” block.

  3. Select the needed role from the organizational tree on the newly-opened page (Fig. 3).

    If there is no such role, click New and select “Organization” or “Division” depending on the type of role you need to add. Specify the group name on the newly-opened page.

    Fig. 3 Selecting the organizational role for the synchronization setup

  4. Select the Synchronize with LDAP checkbox in the Users tab. Select the Active Directory group that corresponds to this Creatio organizational role in the LDAP element field (Fig. 4).

    Fig. 4 Selecting the Active Directory group for the synchronization setup

  5. If necessary, add new users by clicking the button on the Users detail.

    To synchronize large numbers of users not yet registered in Creatio, import these users from the LDAP directory. Read more: Import new users and roles from Active Directory.

  6. Click Save.

As a result, Creatio will synchronize the selected organizational role during the next synchronization session.

Set up the synchronization between Creatio functional roles and Active Directory groups 

  1. Click the button to open the System Designer.

  2. Click “Functional roles” in the “Users and administration” block.

  3. Repeat steps 3 through 5 of the Creatio organizational roles and Active Directory groups synchronization setup, described above.

Connect Creatio user accounts with LDAP users 

  1. Click the button to open the System Designer.

  2. Click “Organizational roles” or “Functional roles” in the “Users and administration” block, depending on what user groups you would like to synchronize.

  3. Select the relevant user's role on the newly-opened page.

  4. Go to the Users tab, select the relevant user, and double-click the row to open the record page.

  5. Select the LDAP authentication option in the General information tab.

  6. Select the relevant LDAP user in the Login field.

  7. Click Save (Fig. 5).

    Fig. 5 Connecting a user

This will connect the Creatio user with the LDAP user. The user will be able to log in to Creatio with credentials stored in the LDAP directory, such as the domain login and password.

Creatio will apply all changes made to users and groups in the LDAP directory to the connected user accounts and Creatio organizational structure elements during the synchronization session.

Run the LDAP synchronization 

Set up the automatic synchronization 

  1. Click the button in the top right to open the System Designer.

  2. Click “LDAP integration setup” in the “Import and integration” block.

  3. Fill out the Synchronization interval (hours) field on the newly-opened page. Creatio will automatically synchronize users with LDAP after every specified interval.

    Note. Read more about filling out other fields on the LDAP integration setup page in the Set up LDAP integration block.

  4. Click Save (Fig. 6).

    Fig. 6 Saving the filled out LDAP integration setup page

After you save the LDAP integration setup page, Creatio will automatically start the synchronization by running the “Run LDAP import” process (Fig. 7).

Fig. 7 The “Run LDAP import” process

Run the synchronization manually 

  1. Click the button in the top right to open the System Designer.

  2. Click the “Organizational roles” link in the “Users and administration” block.

  3. Select the Synchronize with LDAP action in the section menu (Fig. 8). This will run the “Run LDAP synchronization” process, which will, in turn, call the “Synchronize user data with LDAP” process (Fig. 9).

    Fig. 8 The Synchronize with LDAP action

    Fig. 9 The “Synchronize user data with LDAP” and “Run LDAP synchronization” processes

Creatio will notify you when the synchronization is complete.

Note. Should the number of synchronized users exceed the number of active licenses, Creatio will notify the system administrators via the communication panel and email.

Synchronization results 

  • If an LDAP user is no longer among the active users, Creatio will clear the Active checkbox on the corresponding Creatio user page, and the user will not be able to log in.

  • If you activate a previously inactive LDAP user, Creatio will select the Active checkbox on the corresponding Creatio user page.

  • If you rename an LDAP user or a group of users, Creatio will rename the synchronized Creatio users and roles as well.

  • If you select the Synchronize only groups checkbox and exclude an LDAP user from the LDAP group connected with a Creatio organizational structure element, Creatio will deactivate the corresponding user and exclude them from the organizational structure element.

  • If you select the Synchronize only groups checkbox and include a user in the LDAP group connected with a Creatio organizational structure element, Creatio will activate the corresponding user and include them in the organizational structure element.

  • If you add new unsynchronized users to the synchronized LDAP element, Creatio will import the users.

  • If there are Creatio users that you did not import from LDAP but whose names match LDAP usernames, Creatio will not synchronize them.

  • If you delete a synchronized LDAP user from a group connected with a Creatio organizational structure element, the user will remain active in Creatio but will not be able to log in.

  • Creatio will grant licenses to all synchronized users if you select the corresponding checkbox. Read more: Set up the connection to the server.
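The results listed above, together with the modification-date rule from the group synchronization note, can be read as a small per-user decision procedure. The following added example (not Creatio's own code) models those rules over constructed LDAP entries and Creatio users; the field names, the `disabled` flag standing for "no longer among the active users", and the action labels such as `skip_name_clash` are assumptions.

```python
from collections import namedtuple
from datetime import datetime

# uid: "User Id" attribute (objectGUID/objectSid); login: "Username" attribute
# (sAMAccountName); name: "User name" attribute (cn); modified: value of the
# "Modification date attribute"; disabled: no longer among the active users.
LdapUser = namedtuple("LdapUser", "uid login name modified disabled")
# ldap_uid "" marks a local Creatio account that was never imported from LDAP.
CreatioUser = namedtuple("CreatioUser", "login name active ldap_uid", defaults=[""])


def plan_sync(ldap_users, creatio_users, last_sync):
    """Return (action, login) pairs for one synchronization session."""
    by_uid = {u.ldap_uid: u for u in creatio_users if u.ldap_uid}
    local_logins = {u.login for u in creatio_users if not u.ldap_uid}
    actions = []
    for lu in ldap_users:
        if lu.modified <= last_sync:
            continue  # not modified since the previous run: left untouched
        cu = by_uid.get(lu.uid)
        if cu is None:
            if lu.login in local_logins:
                actions.append(("skip_name_clash", lu.login))  # never linked
            elif not lu.disabled:
                actions.append(("import", lu.login))
            continue
        if lu.name != cu.name:
            actions.append(("rename", lu.login))
        if lu.disabled and cu.active:
            actions.append(("deactivate", lu.login))
        elif not lu.disabled and not cu.active:
            actions.append(("activate", lu.login))
    return actions


# Constructed sample data: one LDAP entry per rule.
LAST_SYNC = datetime(2024, 5, 1, 12, 0)
LDAP_SAMPLE = [
    LdapUser("uid-1", "jsmith", "John Smith", datetime(2024, 5, 2, 9, 0), False),
    LdapUser("uid-2", "akim", "Anna Kim", datetime(2024, 5, 2, 9, 5), True),
    LdapUser("uid-3", "bmeier", "Ben Meier", datetime(2024, 5, 2, 9, 10), False),
    LdapUser("uid-4", "cruiz", "Carla Ruiz", datetime(2024, 4, 30, 8, 0), False),
    LdapUser("uid-5", "admin", "Domain Admin", datetime(2024, 5, 2, 9, 15), False),
]
CREATIO_SAMPLE = [
    CreatioUser("jsmith", "John Smyth", True, "uid-1"),  # renamed in LDAP
    CreatioUser("akim", "Anna Kim", True, "uid-2"),      # disabled in LDAP
    CreatioUser("cruiz", "Carla Ruiz", False, "uid-4"),  # unchanged since LAST_SYNC
    CreatioUser("admin", "Local Admin", True),           # local, login clash
]
```

Note that the local "admin" account is left alone even though an LDAP user with the same login exists: only accounts linked through the User Id attribute are updated.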