Integration setup is the process of setting up parameters for connecting LDAP directory elements to bpm’online users and roles. Basic knowledge about the structure of the needed LDAP directory is required to set up LDAP integration.
This article contains examples of LDAP setup for Active Directory and OpenLDAP.
Attention
Depending on the structure of each LDAP directory, LDAP element attributes in your directory may be different from the attributes specified as examples.
1. Running integration setup
To begin the setup, open the System Designer and click the [LDAP integration setup] link of the [Import and integration] block. The setup page will open. Make sure you populate the highlighted fields. Default values may be used for other fields.
Active Directory settings
OpenLDAP settings
The settings below are required for LDAP integration.
2. LDAP server connection setup
Specify general server connection settings for Active Directory (Fig. 3) or for OpenLDAP (Fig. 4).
- [Server name] - name or IP address of the LDAP server.
- [Authentication type] - select the protocol for connection to the LDAP server.
Note
The authentication type is determined by the LDAP server in use and by the authentication security requirements. For example, select the “Ntlm” type to use NT LAN Manager authentication, which is supported by Windows.
- [Administrator login], [Password] – administrator credentials.
- [Synchronization interval (hours)] - the interval for automatic user synchronization. Learn more in the “LDAP synchronization” article.
3. User synchronization setup
To set up the user synchronization, specify the attributes of LDAP directory elements that contain the user data to be imported (Fig. 5, Fig. 6).
Required attributes
- [Domain name] – the unique name of the LDAP organizational structure element that comprises the synchronized users. All users that are subordinate to the specified LDAP element, directly or through other elements, will be available for synchronization. For example, if you specify the root element of the LDAP directory, all users in the directory will be available for synchronization.
- [User name] – LDAP attribute that contains the full name of an LDAP user. The value of this attribute is used to populate the [Full name] field on the contact page when importing users. For example, the first and last name can be contained in such attributes as “name” or “cn” (Common name).
- [Username] – the attribute that contains the LDAP user name that is used to log in to the system. A user whose account was synchronized with LDAP will log in to the system using that name. For example, the “sAMAccountName” attribute can contain the user login.
- [User Id] – the attribute to use as a unique user Id. The value of this attribute must be unique for each user.
- [Modification date attribute] – the name of the attribute that stores the time and date of the last LDAP element modification, for example, “WhenChanged”.
Attention
If any of these attributes is missing, LDAP synchronization will result in an error.
Additional attributes
You can also specify additional attributes containing the information that can be used to fill out the user registration page automatically:
- [Company name] – the attribute that contains the name of the user’s employer. The value of the specified attribute will be used for populating the [Account] field on the contact page. If an account name matches the value of the specified attribute, the user’s contact will be linked to this account.
- [Job title] – the attribute that contains the user's job title. The value of the specified attribute will be used for populating the [Job title] field on the contact page. If an existing job title matches the value of the specified attribute, this job title will be selected for the user during synchronization.
Note
If the value of the corresponding attribute does not match any existing account or job title, bpm’online will not add new accounts or job titles during the synchronization and will leave the corresponding fields empty on the user’s contact page.
- [Phone number] – the attribute that contains the phone number of the user. The value of the specified attribute will be used to populate the [Business phone] field on the contact page.
- [Email] – the attribute that contains the email address of the user. The value of the specified attribute will be used to populate the [Email] field on the contact page.
Attention
If you leave any additional attribute fields empty, the corresponding fields on the contact page will not be populated automatically upon importing users from an LDAP directory.
4. Setting up the synchronization between the LDAP user groups and bpm’online roles
Group synchronization settings enable linking groups in the LDAP directory to elements of bpm’online organizational structure. To set up the user group synchronization, specify the attributes of LDAP directory elements that contain data about Active Directory (Fig. 7) or OpenLDAP (Fig. 8) groups to be imported.
- [LDAP group name] – the attribute that contains the name of the user group in LDAP. For example, you can specify the attribute “cn” (“common name”).
- [Group Id] – the attribute that must be used as a unique group Id. The value of this attribute must be unique for each group. The “objectSid” attribute is a good choice for a unique group Id.
- [Groups domain name] – the unique name of the LDAP element that contains all user groups that are synchronized. All user groups that are subordinate to the specified LDAP element, directly or through other elements, will be available for synchronization. For example, if you specify the root element of the LDAP directory, all user groups in the directory will be available for synchronization.
Note
Bpm’online verifies the users included in the synchronized groups during the synchronization process. If the date stored in the modification date attribute of an LDAP user is later than that of the last synchronization, the user entry in the bpm’online organizational structure will be updated.
Attention
If any of these attributes are missing, LDAP synchronization will result in an error.
5. Setting up filter conditions
Filter conditions determine which LDAP elements are included in the lists of groups and users to be synchronized. Specify the filter conditions for Active Directory (Fig. 9) or for OpenLDAP (Fig. 10).
- Use the [List of users] filter to select the LDAP elements from the general catalog that will be synchronized with the bpm’online users. The search filter must select active elements only.
- Use the [List of groups] filter to select the LDAP elements that will be synchronized with the bpm’online organizational roles (user groups). The search filter must select active elements only.
- Use the [List of group users] filter to receive the list of users that are included in an LDAP group. One or more attributes determine whether a user is a member of a group. For example, most directories use an attribute such as “memberOf”. The (memberOf=[#LDAPGroupDN#]) filter contains a bpm’online macro and returns all objects (users) that are members of the [#LDAPGroupDN#] group.
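The following is an added example, not code from the bpm’online documentation or product. It builds the three kinds of filters described above, expands the [#LDAPGroupDN#] macro with the group DN escaped according to RFC 4515 (so that a DN containing “(”, “)”, “*” or “\” cannot change the structure of the filter), and shows what the “active elements only” Active Directory condition actually tests. The filter strings and the macro name are taken from the article; the helper names (escape_filter_value, expand_group_filter, check_balanced, is_disabled) and the group filter are constructed for illustration.

```python
"""Constructed example: building and sanity-checking LDAP synchronization filters."""

# RFC 4515 escaping for values embedded in a search filter. Without it, a value
# containing one of these characters would be parsed as part of the filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Filters from the article (Active Directory). The matching rule
# 1.2.840.113556.1.4.803 is a bitwise AND, and bit 2 of userAccountControl
# is ACCOUNTDISABLE, so the "!" clause keeps active accounts only.
USER_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)
GROUP_FILTER = "(objectClass=group)"              # constructed [List of groups] filter
GROUP_USERS_FILTER = "(memberOf=[#LDAPGroupDN#])"  # [List of group users] filter with macro
MACRO = "[#LDAPGroupDN#]"

ACCOUNTDISABLE = 0x0002  # userAccountControl flag tested by USER_FILTER


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_group_filter(template: str, group_dn: str) -> str:
    """Replace the bpm'online macro with the (escaped) DN of the group being synchronized."""
    return template.replace(MACRO, escape_filter_value(group_dn))


def check_balanced(filter_str: str) -> bool:
    """Return True when every '(' in the filter has a matching ')'.

    A quick check for hand-edited filters such as the commented-out
    SearchPattern in the Web.config section of the article.
    """
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def is_disabled(user_account_control: int) -> bool:
    """Evaluate the ACCOUNTDISABLE test that USER_FILTER performs on the server side."""
    return bool(user_account_control & ACCOUNTDISABLE)


if __name__ == "__main__":
    # Constructed group DN with parentheses, to show the escaping at work.
    dn = "CN=Sales (EMEA),OU=groups,DC=example,DC=com"
    print(expand_group_filter(GROUP_USERS_FILTER, dn))
    for f in (USER_FILTER, GROUP_FILTER):
        print(f, "balanced" if check_balanced(f) else "UNBALANCED")
    print("uac 512 disabled:", is_disabled(512), "| uac 514 disabled:", is_disabled(514))
```

The escaping matters because the macro is substituted with directory data: a group whose common name contains parentheses is legal in LDAP, and an unescaped substitution would yield a filter that either fails to parse or matches something other than intended.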
6. Web.config file setup
To enable user authentication through LDAP, modify the Web.config file in the application root folder.
Active Directory and OpenLDAP settings are different.
1. Specify “Ldap” and “SSPLdapProvider” in the list of available authentication providers. This step is the same for Active Directory and OpenLDAP.
<terrasoft>
  <auth providerNames="InternalUserPassword,Ldap,SSPLdapProvider" autoLoginProviderNames="" defLanguage="en-US" defWorkspaceName="Default" useIPRestriction="false" loginTimeout="30000">
    <providers>
      ...
    </providers>
  </auth>
</terrasoft>
Attention
Upper/lowercase characters must be as in the example.
2. Specify the server IP address or URL, as well as the user domain parameters, in the “Ldap” section. Active Directory and OpenLDAP parameters are different.
Active Directory parameters
<provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
  <parameters>
    ...
    <add name="ServerPath" value="testactivedirectory.com" />
    <add name="AuthType" value="Ntlm" />
    <add name="DistinguishedName" value="dc=tscrm,dc=com" />
    <add name="UseLoginUserLDAPEntryDN" value="false" />
    <!-- Alternative pattern that additionally requires membership of a specific group.
         Note that "&" must be written as "&amp;" inside an XML attribute value.
    <add name="SearchPattern" value="(&amp;(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=SVNUsers,OU=groups,OU=Terrasoft,DC=tscrm,DC=com))" />
    -->
    <add name="SearchPattern" value="(&amp;(sAMAccountName={0})(objectClass=person))" />
    <add name="KeyDistributionCenter" value="" />
  </parameters>
</provider>
OpenLDAP parameters
<provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
  <parameters>
    ...
    <add name="ServerPath" value="testopenldap.com" />
    <add name="AuthType" value="Basic" />
    <add name="DistinguishedName" value="dc=example,dc=org" />
    <add name="UseLoginUserLDAPEntryDN" value="true" />
    <!-- "&" must be written as "&amp;" inside an XML attribute value -->
    <add name="SearchPattern" value="(&amp;(uid={0})(objectClass=inetOrgPerson))" />
    <add name="KeyDistributionCenter" value="" />
  </parameters>
</provider>
3. Specify the server IP address or URL, as well as the portal user domain parameters, in the “SSPLdapProvider” section. This step is the same for Active Directory and OpenLDAP.
<provider name="SSPLdapProvider" type="Terrasoft.WebApp.Loader.Authentication.SSPUserPassword.SSPLdapProvider, Terrasoft.WebApp.Loader">
  <parameters>
    ...
    <add name="ServerPath" value="bpmonlineapp.com" />
    ...
    <add name="DistinguishedName" value="dc=tscrm,dc=com" />
    ...
  </parameters>
</provider>
4. Save the changes in the Web.config file.
5. Additional step for OpenLDAP: before you synchronize with an OpenLDAP server, set the UseLoginUserLDAPEntryDN key to “true” in the Web.config file of Terrasoft.WebApp.
<appSettings>
  ...
  <add key="UseLoginUserLDAPEntryDN" value="true" />
</appSettings>
If you disregard this setting, the users will be synchronized with an empty LDAPEntryDN field in the SysAdminUnit table, which will cause authorization issues.
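The following is an added example and not part of the bpm’online documentation or product. It parses a Web.config fragment and checks the points this section asks for: that “Ldap” and “SSPLdapProvider” are listed in providerNames with matching case, that the “Ldap” provider carries a non-empty ServerPath, AuthType, DistinguishedName and a SearchPattern containing the {0} login placeholder, and, for OpenLDAP, that the UseLoginUserLDAPEntryDN application setting is “true”. The sample fragment is constructed from the article’s OpenLDAP values; the function name check_ldap_config is hypothetical. It also shows the most common way such a fragment breaks: a raw “&” in SearchPattern makes the whole Web.config unparseable.

```python
"""Constructed example: static checks on the LDAP-related parts of a Web.config."""
import xml.etree.ElementTree as ET

# Constructed Web.config fragment modelled on the article's OpenLDAP settings.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <terrasoft>
    <auth providerNames="InternalUserPassword,Ldap,SSPLdapProvider" autoLoginProviderNames="">
      <providers>
        <provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
          <parameters>
            <add name="ServerPath" value="testopenldap.com" />
            <add name="AuthType" value="Basic" />
            <add name="DistinguishedName" value="dc=example,dc=org" />
            <add name="UseLoginUserLDAPEntryDN" value="true" />
            <add name="SearchPattern" value="(&amp;(uid={0})(objectClass=inetOrgPerson))" />
          </parameters>
        </provider>
      </providers>
    </auth>
  </terrasoft>
  <appSettings>
    <add key="UseLoginUserLDAPEntryDN" value="true" />
  </appSettings>
</configuration>
"""

# Provider names are compared case-sensitively, as the article requires.
REQUIRED_PROVIDERS = ("Ldap", "SSPLdapProvider")
REQUIRED_LDAP_PARAMS = ("ServerPath", "AuthType", "DistinguishedName", "SearchPattern")


def check_ldap_config(xml_text: str, openldap: bool = False) -> list:
    """Return a list of problems found; an empty list means the fragment passes."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical cause: a raw '&' in SearchPattern instead of '&amp;'.
        return ["XML parse error: %s" % exc]

    auth = root.find("./terrasoft/auth")
    if auth is None:
        return ["no <terrasoft><auth> element found"]

    names = [n.strip() for n in auth.get("providerNames", "").split(",")]
    for required in REQUIRED_PROVIDERS:
        if required not in names:
            problems.append("providerNames is missing %r (case must match)" % required)

    ldap = auth.find("./providers/provider[@name='Ldap']")
    if ldap is None:
        problems.append("no provider named 'Ldap'")
    else:
        params = {a.get("name"): a.get("value", "") for a in ldap.findall("./parameters/add")}
        for key in REQUIRED_LDAP_PARAMS:
            if not params.get(key):
                problems.append("Ldap parameter %r is empty or missing" % key)
        if "{0}" not in params.get("SearchPattern", ""):
            problems.append("SearchPattern must contain the {0} login placeholder")

    if openldap:
        setting = root.find("./appSettings/add[@key='UseLoginUserLDAPEntryDN']")
        if setting is None or setting.get("value", "").lower() != "true":
            problems.append("OpenLDAP: appSettings UseLoginUserLDAPEntryDN must be 'true'")
    return problems


if __name__ == "__main__":
    print("valid fragment:", check_ldap_config(SAMPLE_WEB_CONFIG, openldap=True))
    print("raw '&':", check_ldap_config(SAMPLE_WEB_CONFIG.replace("&amp;", "&")))
    print("wrong case:", check_ldap_config(SAMPLE_WEB_CONFIG.replace("SSPLdapProvider", "SspLdapProvider")))
```

Run it against the real file with `check_ldap_config(open("Web.config").read(), openldap=True)`; the checks are deliberately limited to what the article specifies, so an empty result means the fragment matches the documented settings, not that the LDAP server itself is reachable.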