Integration setup is the process of setting up parameters for connecting LDAP directory elements to bpm’online users and roles. To successfully set up LDAP integration, basic knowledge about the structure of the needed LDAP directory is required.
Attention!
Depending on the structure of each LDAP directory, LDAP element attributes in your directory may be different from the attributes specified as examples.
1. Running integration setup
To run the setup, open the system designer and click the [LDAP integration setup] link of the [Import and integration] block. The setup page (Fig. 1) will open. Be sure to set up the fields on Fig. 1. Default values may be used for the other fields.
The following settings are required for LDAP integration.
2. LDAP server connection setup
Specify LDAP server connection settings (Fig. 2).
•[Server name] - name or LDAP server IP address.
•[Authentication type] - authentication type.
Note
The authentication type is defined by the LDAP server being used, as well as by the authentication security requirements. For example, select the “Ntlm” type to authenticate “NT LanManager” that is supported by Windows.
•[Administrator login] and [Password] - administrator login and password fields.
•[Synchronization interval (hours)] - the interval for automatic users synchronization with LDAP.
3. User synchronization setup
To set up the user synchronization, specify the attributes of LDAP directory elements that contain the users data to be imported (Fig. 3).
Required attributes
•[Domain name] – the unique name of the LDAP organizational structure element comprising the users that are synchronized. All users that are subordinate to the specified LDAP element, directly or through other elements, will be available for synchronization. For example, if you specify root element of the LDAP directory, all users in the directory will be available for synchronization.
•[User name] – LDAP attribute that contains the full name of an LDAP user. The value of this attribute is used to automatically fill in the [Full name] field in the contact page when importing users. For example, the first and last name can be contained in such attributes as “name” or “cn” (Common name).
•[Username] – the attribute that contains the LDAP user name that is used to log in to the system. The user, whose account was synchronized with LDAP, will be logging in to the system using that name. For example, login can be contained in the “sAMAccountName” attribute.
•[User Id] – the attribute that can be used as a unique user Id. The value of this attribute must be unique for each user.
•[Modification date attribute] – the name of the attribute where the time and date of the last LDAP element modification, for example, “WhenChanged” are stored automatically.
Attention
If any of these attributes is missing, LDAP synchronization will result in an error.
Additional attributes
You can also specify additional attributes containing the information that can be used to fill out the user registration page automatically:
•[Company name] – the attribute that contains organization name that the user works with. The value of the specified attribute will be used when filling in the [Account] field in the contact page. During the synchronization the account with name, completely matching the value of the specified attribute, will be selected in the field.
•[Job title] – the attribute that contains user's job title. The value of the specified attribute will be used when filling in the [Job title] field in the contact card. During the synchronization the job title with name, completely matching the value of the specified attribute, will be selected.
Note
Organizations and job titles in bpm’online are not created automatically as the result of the synchronization and therefore must be added manually.
•[Phone number] – the attribute that contains business phone number of the user. The value of the specified attribute will be used to fill in the [Business phone] field in the contact card.
•[Email] – the attribute that contains the email address of the user. The value of the specified attribute will be used to fill in the [Email] field in the contact card.
Attention
If you leave the mentioned fields empty, the corresponding fields in the contact page will not be filled in automatically when importing users from an LDAP directory.
4. Setting up the synchronization between the LDAP user groups and bpm’online roles
Group synchronization settings are used to enable linking groups in the LDAP directory and bpm’online organizational structure. To set up the user synchronization, specify the attributes of LDAP directory elements that contain the user data to be imported (Fig. 4).
•[LDAP group name] – the attribute containing the name of the user group in LDAP. For example, you can specify attribute “cn” (“common name”).
•[Group Id] – the attribute that must be used as a unique group Id. The value of this attribute must be unique for each group. For example, you can use the “objectSid” attribute as a unique group Id.
•[Groups domain name] – the unique name of the LDAP element organizational structure that contains all user groups that are synchronized. All user groups that are subordinate to the specified LDAP element, directly or through other elements, will be available for synchronization. For example, if you specify the root element of the LDAP directory, all user groups in the directory will be available for synchronization.
Note
Bpm’online verifies users included into synchronization groups during the synchronization process. If the date stored in the modification date attribute of an LDAP user is later that that of the last synchronization, user entry into bpm’online organizational structure is updated.
Attention
If any of these attributes is missing, LDAP synchronization will result in an error.
5. Setting up filter conditions
Setting up filter conditions allow to determine which LDAP element criteria will be included in the list of the groups and users that are synchronized. Specify filtering settings (Fig. 5).
•Use the [List of users] filter to select the needed LDAP elements from the general catalog that will be synchronized with the bpm’online users. The search filter must select active elements only.
•Use the [List of groups] filter to select the needed LDAP elements that will be synchronized with the bpm’online organizational roles (user groups). The search filter must select active elements only.
•Use the [List of group users] filter to receive the list of users that are included in the LDAP group. One or more attributes will determine whether a user is a member of a group. For example, most directories use such attribute as “memberOf”. The (memberOf=[#LDAPGroupDN#]) filter contains a bpm’online macro and will filter out all objects (users) who are in the [#LDAPGroupDN#] group.
6. Web.config file setup
To enable user authentication through LDAP, modify the Web.config file in the application root folder.
Specify Ldap and SspLdapProvider in the list of available authentication providers.
<terrasoft>
<auth providerNames="InternalUserPassword,SSPUserPassword,Ldap,SSPLdapProvider" autoLoginProviderNames="" defLanguage="en-US" defWorkspaceName="Default" useIPRestriction="false" loginTimeout="30000">
<providers>
Attention
Upper/lowercase characters must be as in the example.
Specify server IP or URL as well as user domain parameters in the Ldap section:
<provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
<parameters>
...
<add name="ServerPath" value="192.168.5.25" />
...
<add name="DistinguishedName" value="dc=tscrm,dc=com" />
...
</parameters>
Specify server IP or URL as well as portal user domain parameters in the SspLdapProvider section:
<provider name="SSPLdapProvider" type="Terrasoft.WebApp.Loader.Authentication.SSPUserPassword.SSPLdapProvider, Terrasoft.WebApp.Loader">
<parameters>
...
<add name="ServerPath" value="bpmonlineapp.com" />
...
<add name="DistinguishedName" value="dc=tscrm,dc=com" />
...
</parameters>
Save the changes in the Web.config file.
See also