Creatio administration
This documentation is valid for Creatio version 7.16.0. We recommend using the newest version of Creatio documentation.

Set up user authentication through LDAP on Windows

To enable user authentication through LDAP, modify the Web.config file in the application root folder.

Please note that Active Directory and OpenLDAP settings are different.

1. Specify “Ldap” and “SSPLdapProvider” in the list of available authentication providers. This step is the same for Active Directory and OpenLDAP.

<terrasoft>
  <auth providerNames="InternalUserPassword,Ldap,SSPLdapProvider" autoLoginProviderNames="" defLanguage="en-US" defWorkspaceName="Default" useIPRestriction="false" loginTimeout="30000">
    <providers>
    ...
    </providers>
  </auth>
</terrasoft>

Attention

Upper- and lowercase characters must match the example exactly. Separate the provider names with commas and no blank spaces.

2. Specify the server IP address or URL and the user domain parameters in the “Ldap” section. Note that the Active Directory and OpenLDAP parameters differ.

Active Directory parameters

<provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
  <parameters>
  ...
    <add name="ServerPath" value="testactivedirectory.com" />
    <add name="AuthType" value="Ntlm" />
    <add name="DistinguishedName" value="dc=tscrm,dc=com" />
    <add name="UseLoginUserLDAPEntryDN" value="false" />
    <!-- Commented-out alternative: enabled user accounts that are members of the SVNUsers group.
         The bitwise rule 1.2.840.113556.1.4.803 on userAccountControl excludes disabled accounts (flag 2). -->
    <!--<add name="SearchPattern"
         value="(&amp;(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=SVNUsers,OU=groups,OU=Terrasoft,DC=tscrm,DC=com))" />-->
    <add name="SearchPattern"
         value="(&amp;(sAMAccountName={0})(objectClass=person))" />
    <add name="KeyDistributionCenter" value="" />
  </parameters>
</provider>

OpenLDAP parameters

<provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
  <parameters>
  ...
    <add name="ServerPath" value="testopenldap.com" />
    <add name="AuthType" value="Basic" />
    <add name="DistinguishedName" value="dc=example,dc=org" />
    <add name="UseLoginUserLDAPEntryDN" value="true" />
    <add name="SearchPattern"
         value="(&amp;(uid={0})(objectClass=inetOrgPerson))" />
    <add name="KeyDistributionCenter" value="" />
  </parameters>
</provider>

3. Specify the server IP address or URL and the portal user domain parameters in the “SSPLdapProvider” section. This step is the same for Active Directory and OpenLDAP.

<provider name="SSPLdapProvider" type="Terrasoft.WebApp.Loader.Authentication.SSPUserPassword.SSPLdapProvider, Terrasoft.WebApp.Loader">
  <parameters>
  ...
    <add name="ServerPath" value="ldapserver.domain.com" />
  ...
    <add name="DistinguishedName" value="dc=domain, dc=com" />
  ...
  </parameters>
</provider>

4. Save the changes to the Web.config file.

5. Additional step for OpenLDAP: before synchronizing with the OpenLDAP server, set UseLoginUserLDAPEntryDN to “true” in the Web.config file of Terrasoft.WebApp.

<appSettings>
...
  <add key="UseLoginUserLDAPEntryDN" value="true" />
...
</appSettings>

If you skip this setting, users are synchronized with an empty LDAPEntryDN field in the SysAdminUnit table, which results in authorization issues.
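As an added check (this is example code, not Creatio's), a small Python script that lints the Web.config settings from the steps above: provider casing and spacing from step 1, the SearchPattern placeholder and parenthesis balance from step 2, and the OpenLDAP UseLoginUserLDAPEntryDN pairing from step 5. The XML sample, the function names and the RFC 4515 escaping of the login are this example's own assumptions, not documented Creatio behaviour.

```python
import xml.etree.ElementTree as ET
# Constructed sample Web.config mirroring the OpenLDAP snippets on this page.
SAMPLE_WEB_CONFIG = """<configuration>
 <terrasoft><auth providerNames="InternalUserPassword,Ldap,SSPLdapProvider"><providers>
  <provider name="Ldap" type="Terrasoft.WebApp.Loader.Authentication.Ldap.LdapProvider, Terrasoft.WebApp.Loader">
   <parameters>
    <add name="AuthType" value="Basic" />
    <add name="UseLoginUserLDAPEntryDN" value="true" />
    <add name="SearchPattern" value="(&amp;(uid={0})(objectClass=inetOrgPerson))" />
   </parameters>
  </provider>
 </providers></auth></terrasoft>
 <appSettings><add key="UseLoginUserLDAPEntryDN" value="true" /></appSettings>
</configuration>"""
REQUIRED_PROVIDERS = {"Ldap", "SSPLdapProvider"}  # exact casing, as step 1 requires

def escape_filter_value(value):
    # RFC 4515 escaping (assumed here), so a login name cannot change the filter structure.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def filter_is_balanced(ldap_filter):
    depth = 0  # every '(' must be closed by a ')' and none may close too early
    for c in ldap_filter:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
    return depth == 0

def render_search_filter(pattern, login):
    # Fill the {0} placeholder of a SearchPattern with the escaped login.
    return pattern.replace("{0}", escape_filter_value(login))

def check_web_config(xml_text):
    # Returns a list of problems; an empty list means the LDAP settings are consistent.
    root, problems = ET.fromstring(xml_text), []
    names = root.find("./terrasoft/auth").get("providerNames", "")
    if " " in names:
        problems.append("providerNames must not contain blank spaces")
    missing = REQUIRED_PROVIDERS - set(names.split(","))
    if missing:
        problems.append("providerNames missing (check casing): %s" % sorted(missing))
    app = {a.get("key"): a.get("value") for a in root.iterfind("./appSettings/add")}
    for prov in root.iterfind(".//provider"):
        params = {a.get("name"): a.get("value") for a in prov.iter("add")}
        pattern = params.get("SearchPattern")
        if pattern is not None and ("{0}" not in pattern or not filter_is_balanced(pattern)):
            problems.append("%s: SearchPattern needs {0} and balanced parentheses" % prov.get("name"))
        entry_dn = (params.get("UseLoginUserLDAPEntryDN"), app.get("UseLoginUserLDAPEntryDN"))
        if params.get("AuthType") == "Basic" and entry_dn != ("true", "true"):  # OpenLDAP, step 5
            problems.append("OpenLDAP: UseLoginUserLDAPEntryDN must be true in the provider and appSettings")
    return problems
```

Run check_web_config over the text of the real Web.config; render_search_filter shows the filter a given SearchPattern produces for a login.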

See also

Setting up user authentication through LDAP on Linux
