LDAP integration setup

Integration setup is the process of specifying the parameters that connect LDAP directory elements to bpm’online users and roles. To set up LDAP integration successfully, you need a basic understanding of the structure of the LDAP directory you are connecting to.

Attention!

The attribute names in your LDAP directory may differ from those used in the examples below, depending on how your directory is structured.

1. Running integration setup

To start the setup, open the system designer and click the [LDAP integration setup] link in the [Import and integration] block.

2. LDAP server connection setup

Specify the following server connection parameters:

   [Server name] - the host name or IP address of the LDAP server.

   [Authentication type] - the authentication type used for the connection.

Note

The authentication type depends on the LDAP server being used and on your authentication security requirements. For example, select the “Ntlm” type to use “NT LanManager” authentication, which is supported by Windows.

   [Administrator login] and [Password] - the login and password of the administrator account used to connect to the LDAP server.

   [Synchronization interval (hours)] - the interval, in hours, between automatic user synchronizations with LDAP.

   [Modification date attribute] - the name of the attribute in which the date and time of the last modification of an LDAP element is stored automatically, for example, “WhenChanged”.

Note

During the next synchronization with LDAP, this date is used to determine which users are new, i.e. which users have appeared in the LDAP groups since the last synchronization session.

3. User synchronization setup

To set up user synchronization, specify the attributes of the LDAP directory elements that contain the user data to be imported.

   [Domain name] - the unique name of the LDAP organizational structure element comprising the users to be synchronized. All users subordinate to the specified LDAP element, directly or through other elements, will be available for synchronization. For example, if you specify the root element of the LDAP directory, all users in the directory will be available for synchronization.

   [User's full name] - the LDAP attribute that contains the full name of an LDAP user. The value of this attribute is used to fill in the [Contact name] field on the contact page automatically when importing users. For example, the first and last name can be contained in attributes such as “name” or “cn” (Common name).

   [Login] - the attribute that contains the LDAP user name used to log in to the system. A user whose account has been synchronized with LDAP logs in to the system with this name. For example, the login can be contained in the “sAMAccountName” attribute.

   [Unique identifier of user] - the attribute used as the unique user Id. The value of this attribute must be unique for each user.

You can also specify additional attributes containing information that is used to fill out the user registration page automatically:

   [Organization name] - the attribute that contains the name of the organization the user works for. The value of the specified attribute is used to fill in the [Account] field on the contact page. During synchronization, the account whose name exactly matches the value of the specified attribute is selected in this field.

   [Job title] - the attribute that contains the user's job title. The value of the specified attribute is used to fill in the [Job title] field on the contact page. During synchronization, the job title whose name exactly matches the value of the specified attribute is selected.

   [Phone] - the attribute that contains the user's business phone number. The value of the specified attribute is used to fill in the [Business phone] field on the contact page.

   [Email] - the attribute that contains the user's email address. The value of the specified attribute is used to fill in the [Email] field on the contact page.

Attention!

If you leave these fields empty, the corresponding fields on the contact page will not be filled in automatically when importing users from an LDAP directory.
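The following is an added example, not bpm’online code, showing how the attribute names chosen in the user synchronization fields above translate into contact field values: attribute names are matched case-insensitively as LDAP does, the [Account] and [Job title] lookups resolve only on a complete name match, a setup field left empty leaves the contact field unfilled, and unique identifiers are checked for duplicates. The mapping, the lookup lists and the directory entries are constructed sample data.

```python
"""Added example (not bpm'online code): builds contact field values from a synchronized
LDAP entry using the attribute names chosen in the user synchronization fields above.
The mapping, lookup lists and entries are constructed sample data."""

# Contact field -> LDAP attribute chosen in the setup form; None means the setup field
# was left empty, so that contact field is not filled in automatically.
MAPPING = {
    "Contact name": "cn",
    "Login": "sAMAccountName",
    "Unique identifier": "objectGUID",
    "Account": "company",
    "Job title": "title",
    "Business phone": "telephoneNumber",
    "Email": None,                                   # [Email] left empty in the setup form
}
ACCOUNTS = ["Example Corp", "Example Corp Ltd"]      # stands in for the [Accounts] lookup
JOB_TITLES = ["Sales Manager", "Engineer"]           # stands in for the [Job titles] lookup

def read_attr(entry, attr):
    """First value of an attribute, matched case-insensitively as LDAP does; None if absent."""
    if attr is None:
        return None
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values[0] if isinstance(values, list) and values else values or None
    return None

def exact_lookup(value, choices):
    """Pick the lookup record whose name matches the attribute value completely, else None."""
    return value if value in choices else None

def map_contact(entry, mapping=MAPPING):
    """Contact field values for one entry; lookup fields resolve only on an exact name match."""
    contact = {field: read_attr(entry, attr) for field, attr in mapping.items()}
    contact["Account"] = exact_lookup(contact["Account"], ACCOUNTS)
    contact["Job title"] = exact_lookup(contact["Job title"], JOB_TITLES)
    return contact

def duplicate_ids(entries, mapping=MAPPING):
    """Unique identifier values shared by more than one entry (they must be unique per user)."""
    seen, dupes = set(), []
    for entry in entries:
        uid = read_attr(entry, mapping["Unique identifier"])
        if uid in seen and uid not in dupes:
            dupes.append(uid)
        seen.add(uid)
    return dupes

ENTRIES = [  # constructed sample entries, not taken from a real directory
    {"cn": ["Alice Smith"], "sAMAccountName": ["asmith"], "objectGUID": ["guid-0001"],
     "company": ["Example Corp"], "title": ["Sales manager"],   # case differs: no exact match
     "telephoneNumber": ["+1 555 0100"], "mail": ["asmith@example.test"]},
    {"cn": ["Bob Jones"], "samaccountname": ["bjones"], "objectguid": ["guid-0001"],  # duplicate Id
     "company": ["Example Corp Ltd"], "title": ["Engineer"]},
]

if __name__ == "__main__":
    for entry in ENTRIES:
        print(map_contact(entry))
    print("duplicate identifiers:", duplicate_ids(ENTRIES))
```

Running the block shows that Alice's job title stays empty because “Sales manager” does not match the lookup value “Sales Manager” completely, that her email is not filled in because the [Email] setup field was left empty, and that the two entries share one unique identifier, which should be resolved before synchronization.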

4. Setting up the synchronization between the LDAP user groups and bpm’online roles

Group synchronization settings link groups in the LDAP directory to elements of the bpm’online organizational structure. To set up group synchronization, specify the attributes of the LDAP directory elements that contain the group data to be imported.

   [LDAP group name] - the attribute containing the name of the user group in LDAP. For example, you can specify the “cn” (“common name”) attribute.

   [Group Id] - the attribute used as the unique group Id. The value of this attribute must be unique for each group. For example, you can use the “objectSid” attribute as the unique group Id.

   [Groups domain name] - the unique name of the LDAP organizational structure element that contains all user groups to be synchronized. All user groups subordinate to the specified LDAP element, directly or through other elements, will be available for synchronization. For example, if you specify the root element of the LDAP directory, all user groups in the directory will be available for synchronization.

5. Setting up filter conditions

Filter conditions determine which LDAP elements are included in the lists of users and groups to be synchronized. Specify the following parameters to set up filter conditions:

   Use the [List of users] filter to select, from the whole directory, the LDAP elements that will be synchronized with bpm’online users. The search filter must select active elements only. For example, the following search filter can be used:

“(&(objectClass=user)(objectClass=person)(!objectClass=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))”.

   Use the [List of groups] filter to select the LDAP elements that will be synchronized with bpm’online organizational structure elements (user groups). The search filter must select active elements only. For example, the following search filter can be used:

“(&(objectClass=group)(!userAccountControl:1.2.840.113556.1.4.803:=2))”.

   Use the [List of group users] filter to retrieve the list of users that belong to an LDAP group. Group membership is determined by one or more attributes; for example, most directories use the “memberOf” attribute.

You can specify the conditions for building the list of group users as a search filter. Use the following variables as filter parameters:

a.   [#LDAPGroupDN#] – the unique name (Distinguished Name) of the group being searched;

b.   [#LDAPGroupName#] – the name of the group. This variable contains the value of the attribute specified in the [LDAP group name] field.

c.   [#LDAPGroupIdentity#] – the unique Id of the group being searched. This variable contains the value of the attribute specified in the [Group Id] field.

For example, the “memberOf” attribute determines whether a user is a member of a group, and its value is the unique group name (Distinguished Name). To set up synchronization with such a directory, specify the following filter in the [List of group users] field: “(memberOf=[#LDAPGroupDN#])”.
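The following is an added example, not bpm’online code, that makes the filters in this section concrete. It contains a minimal RFC 4515 search-filter evaluator supporting AND, OR, NOT, equality, presence, the >= comparison and the Active Directory bitwise-AND matching rule 1.2.840.113556.1.4.803 (bit 2 of userAccountControl marks a disabled account). It runs the page's [List of users] and [List of groups] filters over constructed directory entries, substitutes the [#LDAPGroupDN#] variable into the [List of group users] filter with RFC 4515 escaping so that a group name containing parentheses cannot change the filter's structure, and builds the "modified since the last synchronization" query on the [Modification date attribute] described in step 2. The filters are written in strict RFC 4515 form, where each “!” wraps a parenthesized filter; the entries, DNs, SID and synchronization time are constructed sample values.

```python
"""Added example (not bpm'online code): a minimal RFC 4515 search-filter evaluator used to
check this page's [List of users], [List of groups] and [List of group users] filters, the
[#LDAPGroup...#] substitution and the "changed since last sync" query, on sample entries."""
from datetime import datetime, timezone
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # Active Directory bitwise-AND matching rule

def escape_filter_value(value):
    """Escape a value for substitution into a filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_filter(text):
    """Parse an RFC 4515 filter string into a nested tuple tree."""
    def node(pos):
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos} in {text!r}")
        op = text[pos + 1:pos + 2]
        if op in ("&", "|", "!"):                    # AND / OR / NOT over parenthesized children
            children, pos = [], pos + 2
            while text[pos:pos + 1] == "(":
                child, pos = node(pos)
                children.append(child)
            tree = ("!", children[0]) if op == "!" else (op, children)
        else:                                        # attr=value, attr>=value or attr:rule:=value
            end = text.index(")", pos)
            item, pos = text[pos + 1:end], end
            if ":=" in item:
                attr, rule = item.split(":=", 1)[0].split(":", 1)
                tree = ("ext", attr, rule, item.split(":=", 1)[1])
            elif ">=" in item:
                tree = (">=",) + tuple(item.split(">=", 1))
            else:
                tree = ("=",) + tuple(item.split("=", 1))
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos} in {text!r}")
        return tree, pos + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; attribute names are case-insensitive."""
    op = tree[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    values = {k.lower(): v for k, v in entry.items()}.get(tree[1].lower(), [])
    values = [values] if isinstance(values, str) else values
    if op == "=":                                    # presence test or case-insensitive equality
        return bool(values) if tree[2] == "*" else any(
            escape_filter_value(v).lower() == tree[2].lower() for v in values)
    if op == ">=":                                   # GeneralizedTime strings compare lexically
        return any(v >= tree[2] for v in values)
    if tree[2] != BIT_AND_RULE:
        raise ValueError(f"unsupported matching rule {tree[2]}")
    mask = int(tree[3])                              # 2 = ACCOUNTDISABLE bit of userAccountControl
    return any(int(v) & mask == mask for v in values)

def search(filter_text, directory):
    """Return the DNs of entries matching filter_text, in directory order."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(tree, e)]

def group_members_filter(template, group):
    """Fill the [#LDAPGroupDN#], [#LDAPGroupName#] and [#LDAPGroupIdentity#] variables;
    escaping stops a group name containing '(' or '*' from altering the filter structure."""
    subs = {"[#LDAPGroupDN#]": group["dn"], "[#LDAPGroupName#]": group["cn"][0],
            "[#LDAPGroupIdentity#]": group["objectSid"][0]}
    for var, val in subs.items():
        template = template.replace(var, escape_filter_value(val))
    return template

def incremental_filter(base, last_sync, attr="whenChanged"):
    """AND the base filter with 'modified on or after last_sync' on the modification date attribute."""
    stamp = last_sync.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")
    return f"(&{base}({attr}>={stamp}))"

# The page's example filters in strict RFC 4515 form (each '!' wraps a parenthesized filter).
USER_FILTER = ("(&(objectClass=user)(objectClass=person)(!(objectClass=computer))"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
GROUP_FILTER = "(&(objectClass=group)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
GROUP_USERS_TEMPLATE = "(memberOf=[#LDAPGroupDN#])"
SALES_DN = "CN=Sales (EMEA),OU=Groups,DC=example,DC=test"   # constructed group DN

def _user(cn, uac, changed, *groups, extra_classes=()):
    """Constructed AD-style entry (sample data, not taken from a real directory)."""
    return {"dn": f"CN={cn},OU=Staff,DC=example,DC=test", "sAMAccountName": [cn.lower()],
            "objectClass": ["top", "person", "organizationalPerson", "user", *extra_classes],
            "userAccountControl": [str(uac)], "memberOf": list(groups), "whenChanged": [changed]}

DIRECTORY = [
    _user("Alice", 512, "20240301120000.0Z", SALES_DN),          # 512 = normal, enabled
    _user("Bob", 514, "20240301120000.0Z", SALES_DN),            # 514 = 512 + 2 = disabled
    _user("Carol", 512, "20240110090000.0Z"),
    _user("WS01", 4096, "20240301120000.0Z", extra_classes=("computer",)),  # workstation account
    {"dn": SALES_DN, "objectClass": ["top", "group"], "cn": ["Sales (EMEA)"],
     "objectSid": ["S-1-5-21-0-0-0-1105"]},                      # placeholder SID
]
SALES = DIRECTORY[-1]
LAST_SYNC = datetime(2024, 2, 1, tzinfo=timezone.utc)            # constructed previous sync time

def active_members(group, directory=DIRECTORY):
    """Members of a group that also pass the user filter (enabled, not computer accounts)."""
    return search(f"(&{USER_FILTER}{group_members_filter(GROUP_USERS_TEMPLATE, group)})", directory)
```

Running search(USER_FILTER, DIRECTORY) returns Alice and Carol only: Bob is excluded by the bitwise-AND test on the disabled bit and WS01 by the computer object class, even though AD computer objects also carry the “user” and “person” classes. The substituted group filter reads (memberOf=CN=Sales \28EMEA\29,OU=Groups,...), so the parentheses in the group name are data rather than filter syntax; without escaping, the same DN would produce a malformed filter. Combining the user filter with the incremental filter built from LAST_SYNC returns only Alice, the enabled user modified after the previous synchronization.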

See also

   System settings description