Creatio administration
This documentation is valid for Creatio version 7.13.0. We recommend using the newest version of Creatio documentation.

LDAP integration setup

Integration setup is the process of setting the parameters that map LDAP directory elements to bpm’online users and roles. Basic knowledge of the structure of the LDAP directory you are connecting to is required to set up LDAP integration.

This article contains examples of LDAP setup for Active Directory and OpenLDAP.

Attention

Attribute names depend on the structure of each LDAP directory; the attributes in your directory may differ from those used in the examples.

1. Running integration setup

To begin the setup, open the System Designer and click the [LDAP integration setup] link in the [Import and integration] block. The setup page will open. Populate the highlighted fields; the default values may be used for the other fields.

Active Directory settings

Fig. 1 LDAP integration setup page for Active Directory


OpenLDAP settings

Fig. 2 LDAP integration setup page for OpenLDAP


The settings below are required for LDAP integration.

2. LDAP server connection setup

Specify general server connection settings for Active Directory (Fig. 3) or for OpenLDAP (Fig. 4).

Fig. 3 Server connection settings for Active Directory


Fig. 4 Server connection settings for OpenLDAP


  • [Server name] – host name or IP address of the LDAP server.

  • [Authentication type] – the protocol used to authenticate to the LDAP server.

Note

The authentication type depends on the LDAP server you use and on your security requirements. For example, select “Ntlm” to authenticate with NTLM (NT LAN Manager), which Windows domain controllers support; OpenLDAP servers typically use “Basic” (a simple bind). A simple bind sends the bind password, and at login each user’s password, to the server in cleartext, so use it only over a connection that is itself encrypted.

  • [Administrator login], [Password] – credentials of the directory account that bpm’online binds with to read users and groups. Use a dedicated service account with read access to the synchronized users and groups rather than a privileged domain account.

  • [Synchronization interval (hours)] – the interval for automatic user synchronization. Learn more in the “LDAP synchronization” article.

3. User synchronization setup

To set up the user synchronization, specify the attributes of LDAP directory elements that contain the user data to be imported (Fig. 5, Fig. 6).

Fig. 5 User attribute settings for Active Directory


Fig. 6 User attribute settings for OpenLDAP


Required attributes

  • [Domain name] – the distinguished name (DN) of the LDAP element (for example, an organizational unit) that contains the users to be synchronized. All users subordinate to this element, directly or through nested elements, will be available for synchronization. For example, if you specify the root element of the LDAP directory, all users in the directory will be available for synchronization.

  • [User name] – the LDAP attribute that contains the full name of the user. Its value populates the [Full name] field of the contact page when users are imported. For example, the first and last name may be stored in “name” or “cn” (common name).

  • [Username] – the attribute that contains the login name of the user. A user whose account was synchronized with LDAP logs in to the system with this name. For example, “sAMAccountName” holds the login in Active Directory; in OpenLDAP it is typically “uid”.

  • [User Id] – the attribute used as the unique user Id. Its value must be unique for each user and should be stable, since it identifies the user across synchronizations.

  • [Modification date attribute] – the attribute that stores the date and time of the last modification of the LDAP entry, for example, “whenChanged” in Active Directory or “modifyTimestamp” in OpenLDAP.

Attention

If any of these attributes is missing, LDAP synchronization will result in an error.

Additional attributes

You can also specify additional attributes containing the information that can be used to fill out the user registration page automatically:

  • [Company name] – the attribute that contains the name of the user’s employer. Its value populates the [Account] field on the contact page: if an existing account name matches the attribute value, the user’s contact is linked to that account.

  • [Job title] – the attribute that contains the user’s job title. Its value populates the [Job title] field on the contact page: if an existing job title matches the attribute value, that job title is selected for the user during synchronization.

Note

If the value of the corresponding attribute does not match any existing account or job title, bpm’online does not create new accounts or job titles during synchronization and leaves the corresponding fields on the user’s contact page empty.

  • [Phone number] – the attribute that contains phone number of the user. The value of the specified attribute will be used to populate the [Business phone] field on the contact page.

  • [Email] – the attribute that contains the email address of the user. The value of the specified attribute will be used to populate the [Email] field on the contact page.

Attention

If you leave any additional attribute fields empty, the corresponding fields on the contact page will not be populated automatically upon importing users from an LDAP directory.

4. Setting up the synchronization between the LDAP user groups and bpm’online roles

Group synchronization settings link groups in the LDAP directory to elements of the bpm’online organizational structure. To set up user group synchronization, specify the attributes of the LDAP elements that describe the Active Directory (Fig. 7) or OpenLDAP (Fig. 8) groups to be imported.

Fig. 7 User group settings for Active Directory


Fig. 8 User group settings for OpenLDAP


  • [LDAP group name] – the attribute that contains the name of the user group in LDAP. For example, you can specify attribute “cn” (“common name”).

  • [Group Id] – the attribute that must be used as a unique group Id. The value of this attribute must be unique for each group. The “objectSid” attribute is a good choice for unique group Id.

  • [Groups domain name] – the distinguished name (DN) of the LDAP element that contains the user groups to be synchronized. All groups subordinate to this element, directly or through nested elements, will be available for synchronization. For example, if you specify the root element of the LDAP directory, all user groups in the directory will be available for synchronization.

Note

During synchronization, bpm’online checks the users included in the synchronized groups. If the value of the modification date attribute of an LDAP user is later than the time of the last synchronization, the user’s entry in the bpm’online organizational structure is updated.

Attention

If any of these attributes are missing, LDAP synchronization will result in an error.
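Before the first synchronization it is worth confirming that the entries under [Domain name] and [Groups domain name] actually carry the attributes mapped in steps 3 and 4, and that the Id attributes are unique, since a missing required attribute fails the whole synchronization. The script below is an added example, not Creatio code: it reads a small LDIF export (the LDIF here is constructed, with Active Directory attribute names assumed) and reports missing or duplicated values against the user and group mappings from Fig. 5 and Fig. 7.

```python
"""Check directory entries against the Creatio LDAP attribute mapping.

Added example, not Creatio code. The LDIF samples are constructed and use
Active Directory attribute names (cn, sAMAccountName, objectSid, whenChanged);
substitute your own mapping for OpenLDAP.
"""
import re
from collections import Counter

# Constructed sample: three user entries. The third one lacks whenChanged and
# reuses another user's login, which is exactly what this check should catch.
SAMPLE_USER_LDIF = """\
dn: CN=Alice Smith,OU=Users,DC=tscrm,DC=com
cn: Alice Smith
sAMAccountName: asmith
objectSid: S-1-5-21-1-2-3-1101
whenChanged: 20190301101500.0Z
mail: asmith@tscrm.com

dn: CN=Bob Jones,OU=Users,DC=tscrm,DC=com
cn: Bob Jones
sAMAccountName: bjones
objectSid: S-1-5-21-1-2-3-1102
whenChanged: 20190302120000.0Z

dn: CN=Svc Account,OU=Service,DC=tscrm,DC=com
cn: Svc Account
sAMAccountName: bjones
objectSid: S-1-5-21-1-2-3-1103
"""

# Constructed sample: two group entries, both complete.
SAMPLE_GROUP_LDIF = """\
dn: CN=SVNUsers,OU=groups,OU=Terrasoft,DC=tscrm,DC=com
cn: SVNUsers
objectSid: S-1-5-21-1-2-3-2001
member: CN=Alice Smith,OU=Users,DC=tscrm,DC=com

dn: CN=Sales,OU=groups,OU=Terrasoft,DC=tscrm,DC=com
cn: Sales
objectSid: S-1-5-21-1-2-3-2002
"""

# Required user attributes from step 3 (setup field -> LDAP attribute).
USER_MAPPING = {
    "User name": "cn",
    "Username": "sAMAccountName",
    "User Id": "objectSid",
    "Modification date attribute": "whenChanged",
}
# Required group attributes from step 4.
GROUP_MAPPING = {
    "LDAP group name": "cn",
    "Group Id": "objectSid",
}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one
    'attribute: value' per line. Multi-valued attributes keep the last value
    and base64 (::) values are not decoded, which is enough for this check."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip()] = value.strip()
        entries.append(entry)
    return entries


def check_entries(entries, mapping, unique_fields):
    """Return a list of problems: required attributes that are missing or
    empty, and values of the unique_fields attributes shared by several
    entries. An empty list means the entries are fit for synchronization."""
    problems = []
    for entry in entries:
        for field, attr in mapping.items():
            if not entry.get(attr):
                problems.append(f"{entry['dn']}: missing {attr} ([{field}])")
    for field in unique_fields:
        attr = mapping[field]
        counts = Counter(e[attr] for e in entries if e.get(attr))
        for value, n in counts.items():
            if n > 1:
                problems.append(f"[{field}] {attr}={value!r} is used by {n} entries")
    return problems


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_USER_LDIF)
    groups = parse_ldif(SAMPLE_GROUP_LDIF)
    for p in check_entries(users, USER_MAPPING, ("Username", "User Id")):
        print("user problem:", p)
    for p in check_entries(groups, GROUP_MAPPING, ("Group Id",)):
        print("group problem:", p)
```

Run it against an LDIF export of the subtree named in [Domain name] (and the one in [Groups domain name]); any line it prints is an entry that would either fail the synchronization or be mapped to the wrong bpm’online user.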

5. Setting up filter conditions

Filter conditions determine which LDAP elements are included in the lists of users and groups to be synchronized. Specify the filter conditions for Active Directory (Fig. 9) or for OpenLDAP (Fig. 10).

Fig. 9 Filter conditions for Active Directory


Fig. 10 Filter conditions for OpenLDAP


  • Use the [List of users] filter to select the LDAP elements in the directory that will be synchronized with bpm’online users. The filter must select active elements only, that is, it should exclude disabled accounts; in Active Directory this is done by excluding entries whose userAccountControl has the ACCOUNTDISABLE bit set, which is the “(!(userAccountControl:1.2.840.113556.1.4.803:=2))” clause shown in the Web.config example in step 6.

  • Use the [List of groups] filter to select the LDAP elements that will be synchronized with bpm’online organizational roles (user groups). The filter must select active elements only.

  • Use the [List of group users] filter to obtain the users that are members of an LDAP group. One or more attributes determine whether a user is a member of a group; most directories use “memberOf”. The filter (memberOf=[#LDAPGroupDN#]) contains the bpm’online macro [#LDAPGroupDN#], which is replaced with the distinguished name of the group being processed, so the filter returns the objects (users) that are members of that group.
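The filters above, and the SearchPattern values in step 6, are LDAP search filters with placeholders ({0} for the login, [#LDAPGroupDN#] for the group DN). Two things go wrong with them in practice: unbalanced parentheses (the filter is rejected by the server) and placeholder values that contain filter metacharacters such as “*”, “(” or “)”, which widen the search if substituted verbatim. The helpers below are an added example, not Creatio code, and the page does not say how Creatio itself performs these substitutions; they show what a safe substitution looks like (RFC 4515 escaping) and a balance check for the Active Directory filters used on this page.

```python
"""Build and check the LDAP filters used in steps 5 and 6.

Added example, not Creatio code. The filter strings are the Active Directory
ones from this page; how Creatio escapes its own placeholders is not
documented here, so escape_filter_value() is this example's assumption of a
safe substitution.
"""

# RFC 4515, section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# [List of users]: users that are not disabled. 1.2.840.113556.1.4.803 is the
# LDAP_MATCHING_RULE_BIT_AND rule; bit 2 of userAccountControl is ACCOUNTDISABLE.
# Inside Web.config the leading "&" must be written as "&amp;".
AD_ACTIVE_USERS = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)
# [List of group users]: members of the group whose DN replaces the macro.
AD_GROUP_MEMBERS = "(memberOf=[#LDAPGroupDN#])"
# Web.config SearchPattern: the entry for the login that replaces {0}.
AD_LOGIN_PATTERN = "(&(sAMAccountName={0})(objectClass=person))"


def escape_filter_value(value):
    """Escape a value that is placed inside an LDAP filter (RFC 4515).
    Commas and '=' in a DN need no escaping in a filter, only the five
    characters in _ESCAPES do."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def balanced(filter_text):
    """True if every '(' is closed and no ')' closes a group that was never
    opened. Escaped parentheses (\\28, \\29) are not counted."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def login_filter(pattern, login):
    """Fill the {0} placeholder of a SearchPattern with an escaped login, so a
    login such as '*)(objectClass=*' stays a literal and cannot widen the
    search to other entries."""
    return pattern.replace("{0}", escape_filter_value(login))


def group_members_filter(filter_with_macro, group_dn):
    """Fill the [#LDAPGroupDN#] macro of the [List of group users] filter."""
    return filter_with_macro.replace("[#LDAPGroupDN#]", escape_filter_value(group_dn))


if __name__ == "__main__":
    for f in (AD_ACTIVE_USERS, AD_GROUP_MEMBERS, AD_LOGIN_PATTERN):
        print("balanced" if balanced(f) else "UNBALANCED", f)
    print(login_filter(AD_LOGIN_PATTERN, "asmith"))
    print(login_filter(AD_LOGIN_PATTERN, "*)(objectClass=*"))
    print(group_members_filter(AD_GROUP_MEMBERS, "CN=SVNUsers,OU=groups,DC=tscrm,DC=com"))
```

Run balanced() over every filter you enter on the setup page and in Web.config before saving; a filter that fails it will be rejected by the directory at the first synchronization or login attempt, and the error message from the server rarely says where the parenthesis is missing.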

6. Web.config file setup

To enable user authentication through LDAP, modify the Web.config file in the application root folder.

Some Active Directory and OpenLDAP settings differ; the steps below say where.

1. Add “Ldap” and “SSPLdapProvider” to the list of authentication providers (the providerNames attribute of the auth element). This step is the same for Active Directory and OpenLDAP.

<terrasoft>
  <auth providerNames="InternalUserPassword,Ldap,SSPLdapProvider" autoLoginProviderNames="" defLanguage="en-US" defWorkspaceName="Default" useIPRestriction="false" loginTimeout="30000">
    <providers>
      ...
    </providers>
  </auth>
</terrasoft>

Attention

Provider names are case-sensitive: write them exactly as in the example (“SSPLdapProvider”, not “SspLdapProvider”).

2. Specify the server address (IP or host name) and the user domain parameters in the “Ldap” provider section. Active Directory and OpenLDAP parameters differ.

Active Directory parameters

<provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
  <parameters>
    ...
    <add name="ServerPath" value="testactivedirectory.com" />
    <add name="AuthType" value="Ntlm" />
    <add name="DistinguishedName" value="dc=tscrm,dc=com" />
    <add name="UseLoginUserLDAPEntryDN" value="false" />
    <!-- Alternative pattern: users that are not disabled and belong to one group.
    <add name="SearchPattern"
         value="(&amp;(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=SVNUsers,OU=groups,OU=Terrasoft,DC=tscrm,DC=com))" />
    -->
    <add name="SearchPattern" value="(&amp;(sAMAccountName={0})(objectClass=person))" />
    <add name="KeyDistributionCenter" value="" />
  </parameters>
</provider>

OpenLDAP parameters

<provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
  <parameters>
    ...
    <add name="ServerPath" value="testopenldap.com" />
    <add name="AuthType" value="Basic" />
    <add name="DistinguishedName" value="dc=example,dc=org" />
    <add name="UseLoginUserLDAPEntryDN" value="true" />
    <add name="SearchPattern" value="(&amp;(uid={0})(objectClass=inetOrgPerson))" />
    <add name="KeyDistributionCenter" value="" />
  </parameters>
</provider>

3. Specify the server address (IP or host name) and the portal user domain parameters in the “SSPLdapProvider” section. This step is the same for Active Directory and OpenLDAP.

<provider name="SSPLdapProvider" type="Terrasoft.WebApp.Loader.Authentication.SSPUserPassword.SSPLdapProvider, Terrasoft.WebApp.Loader">
  <parameters>
    ...
    <add name="ServerPath" value="bpmonlineapp.com" />
    ...
    <add name="DistinguishedName" value="dc=tscrm,dc=com" />
    ...
  </parameters>
</provider>

4. Save the changes in the Web.config file.

5. Additional step for OpenLDAP: before synchronizing with an OpenLDAP server, set UseLoginUserLDAPEntryDN to “true” in the appSettings section of the Web.config file in Terrasoft.WebApp.

<appSettings>
  ...
  <add key="UseLoginUserLDAPEntryDN" value="true" />
</appSettings>

If you skip this setting, users are synchronized with an empty LDAPEntryDN field in the SysAdminUnit table, which causes authorization errors when they log in.
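The mistakes this procedure warns about (a provider name in the wrong case, a missing “{0}” in SearchPattern, UseLoginUserLDAPEntryDN left at “false” for OpenLDAP) are silent until the first login fails. The script below is an added example, not Creatio tooling: it parses a Web.config and reports those problems. The Web.config text it contains is a constructed sample reduced to the elements the check reads, and it deliberately contains two of the mistakes.

```python
"""Verify the LDAP-related parts of a Creatio Web.config (step 6).

Added example, not Creatio tooling. SAMPLE_WEB_CONFIG is a constructed,
cut-down Web.config: it keeps only the elements this check reads and contains
a wrongly cased provider name and a UseLoginUserLDAPEntryDN="false".
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """\
<configuration>
  <appSettings>
    <add key="UseLoginUserLDAPEntryDN" value="true" />
  </appSettings>
  <terrasoft>
    <auth providerNames="InternalUserPassword,Ldap,SspLdapProvider" autoLoginProviderNames=""
          defLanguage="en-US" defWorkspaceName="Default" useIPRestriction="false" loginTimeout="30000">
      <providers>
        <provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
          <parameters>
            <add name="ServerPath" value="testopenldap.com" />
            <add name="AuthType" value="Basic" />
            <add name="DistinguishedName" value="dc=example,dc=org" />
            <add name="UseLoginUserLDAPEntryDN" value="false" />
            <add name="SearchPattern" value="(&amp;(uid={0})(objectClass=inetOrgPerson))" />
            <add name="KeyDistributionCenter" value="" />
          </parameters>
        </provider>
        <provider name="SSPLdapProvider" type="Terrasoft.WebApp.Loader.Authentication.SSPUserPassword.SSPLdapProvider, Terrasoft.WebApp.Loader">
          <parameters>
            <add name="ServerPath" value="testopenldap.com" />
            <add name="DistinguishedName" value="dc=example,dc=org" />
          </parameters>
        </provider>
      </providers>
    </auth>
  </terrasoft>
</configuration>
"""

# Provider names that must appear, with exactly this case, in providerNames.
REQUIRED_PROVIDERS = ("Ldap", "SSPLdapProvider")
# Ldap provider parameters that must be present and non-empty.
REQUIRED_LDAP_PARAMS = ("ServerPath", "AuthType", "DistinguishedName", "SearchPattern")


def provider_params(root, name):
    """Return the <parameters> of the named provider as a dict, or None if
    the provider element is absent."""
    node = root.find(f"./terrasoft/auth/providers/provider[@name='{name}']")
    if node is None:
        return None
    return {a.get("name"): a.get("value") for a in node.findall("./parameters/add")}


def check_web_config(xml_text, openldap):
    """Return a list of problems; an empty list means all checks passed.
    openldap=True adds the UseLoginUserLDAPEntryDN checks from step 5."""
    root = ET.fromstring(xml_text)
    problems = []

    auth = root.find("./terrasoft/auth")
    names = [] if auth is None else [n.strip() for n in auth.get("providerNames", "").split(",")]
    for req in REQUIRED_PROVIDERS:
        if req not in names:
            hint = ""
            if req.lower() in (n.lower() for n in names):
                hint = " (present with different case; names are case-sensitive)"
            problems.append(f"providerNames lacks {req}{hint}")

    ldap = provider_params(root, "Ldap")
    if ldap is None:
        problems.append('no <provider name="Ldap"> element')
    else:
        for key in REQUIRED_LDAP_PARAMS:
            if not ldap.get(key):
                problems.append(f"Ldap provider: {key} is empty")
        if "{0}" not in ldap.get("SearchPattern", ""):
            problems.append("Ldap provider: SearchPattern has no {0} login placeholder")
        if openldap and ldap.get("UseLoginUserLDAPEntryDN") != "true":
            problems.append("Ldap provider: UseLoginUserLDAPEntryDN must be true for OpenLDAP")

    if openldap:
        app = {a.get("key"): a.get("value") for a in root.findall("./appSettings/add")}
        if app.get("UseLoginUserLDAPEntryDN") != "true":
            problems.append("appSettings: UseLoginUserLDAPEntryDN must be true for OpenLDAP")
    return problems


if __name__ == "__main__":
    for p in check_web_config(SAMPLE_WEB_CONFIG, openldap=True):
        print("PROBLEM:", p)
```

To check a real installation, read the Web.config from the application root folder into xml_text and pass openldap=True or False depending on the directory; the two problems the sample reports are the case of “SspLdapProvider” in providerNames and the “false” UseLoginUserLDAPEntryDN in the Ldap provider parameters.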

See also

System settings description
