LDAP Synchronization

LDAP Sync allows organizations to leverage their LDAP repository to manage the list of active users as well as their group membership in SD Elements.

Supported LDAP Servers
  • OpenLDAP

  • Microsoft Active Directory

Prerequisites

Before configuring LDAP Sync, collect the following information:

  • Super user credentials for SD Elements, which are needed to configure the integration.

  • The hostname and port of the LDAP server.

  • Method to connect with the LDAP server, which is one of:

    • LDAP.

    • LDAP with StartTLS.

  • The DN and password of a user to bind to the LDAP server.

  • The base group DN. This DN will be used for querying LDAP groups.

  • A list of LDAP group names to map to existing SDE groups. These LDAP groups should be under the base group DN.

LDAP connection fields

An LDAP connection has the following properties:

  • Name: A unique name for this connection.

  • LDAP Server: The host and port of the LDAP server. No protocol is necessary because the application will always use LDAP.

    • Example: ldap.server.com:389

  • Bind DN: The DN of the user to bind to the LDAP server.

  • Bind Password: The password of the user to bind to the LDAP server.

  • Group Base DN: The base DN of the LDAP groups to be synchronized.

  • Group Mapping: The mapping between LDAP groups and SDE groups. Only these LDAP groups will be used in the sync.

  • Sync Frequency: The rate at which the sync should occur.

    • Manually, Hourly, Daily, Weekly, Monthly

  • Optional fields:

    • Base DN: The base DN used in constructing user queries. This will be automatically computed from the bind DN if left blank.

    • LDAP User Schema: LDAP schema attribute mappings used by SD Elements for computing a user’s name and email. Leave blank to use the default mappings.

    • LDAP Filter: A whitelist of LDAP groups and users to limit the sync to. Leave blank to sync all users and groups defined in the Group Mapping.

    • LDAP Query Page Size: The maximum number of LDAP results to retrieve at a time. Only available on LDAP servers that implement RFC 2696.

    • Group Member Query: LDAP query for retrieving the members of a group. ‘%s’ is replaced by the LDAP group name when the query is constructed.

    • Validate Cert: Toggle on to enable SSL certificate validation.

    • Use TLS/SSL: Toggle on to connect securely using the LDAP protocol with StartTLS enabled.

    • Deactivation: Toggle on for the desired deactivation behavior.

    • Inaccessible: Mark this connection as inaccessible. This should only be done if the LDAP server cannot be reached from SDE. As a result, syncing from the server will be disabled for this connection. Instead, use the Remote Integration Client to perform the integration.
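The following Python example is added here to show how the fields above fit together; it is not SD Elements code. It checks that LDAP Server is host:port with no scheme, derives a fallback Base DN from the Bind DN (the page only says this is computed automatically; dropping the leading RDN is an assumption), expands the ‘%s’ placeholder of the Group Member Query with RFC 4515 escaping so a group name cannot change the filter's structure, and checks a constructed rootDSE supportedControl list for the RFC 2696 paged results control.

```python
"""Validation helpers for LDAP Sync connection fields (added example, not product code)."""
import re

# OID of the Simple Paged Results control defined by RFC 2696.
RFC2696_PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"


def parse_ldap_server(value):
    """LDAP Server must be host:port; a scheme is rejected because LDAP is always used."""
    if "://" in value:
        raise ValueError("LDAP Server must not include a protocol scheme: %r" % value)
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("LDAP Server must be in host:port form: %r" % value)
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range: %r" % port)
    return host, int(port)


def default_base_dn(bind_dn):
    """Fallback Base DN: the Bind DN without its leading RDN (assumed behaviour)."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", bind_dn)]  # split on unescaped commas
    if len(rdns) < 2:
        raise ValueError("bind DN has no parent entry to use as base DN: %r" % bind_dn)
    return ",".join(rdns[1:])


def escape_filter_value(value):
    """Escape a value per RFC 4515 so it cannot inject extra filter terms."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_group_member_query(template, group_name):
    """Expand the single '%s' placeholder in Group Member Query with an escaped group name."""
    if template.count("%s") != 1:
        raise ValueError("Group Member Query must contain exactly one %s placeholder")
    return template.replace("%s", escape_filter_value(group_name))


def supports_paged_results(supported_controls):
    """True if the rootDSE supportedControl attribute lists the RFC 2696 control."""
    return RFC2696_PAGED_RESULTS_OID in supported_controls


if __name__ == "__main__":
    # Constructed sample values for a hypothetical connection.
    print(parse_ldap_server("ldap.server.com:389"))
    print(default_base_dn("cn=sde-sync,ou=service,dc=example,dc=com"))
    print(build_group_member_query("(&(objectClass=group)(cn=%s))", "developers"))
    print(supports_paged_results(["2.16.840.1.113730.3.4.2", RFC2696_PAGED_RESULTS_OID]))
```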

Add an LDAP connection

Follow the steps below to configure a new LDAP Sync connection.

Prerequisites:
  • The user has the system Super User permission.

Steps:
  1. Log in with a user that has the super user permission.

  2. Click the gear icon in the top right corner of the SD Elements interface, and select LDAP Integration.

  3. Click the plus button in the top right corner of the screen to create a new connection.

  4. Fill in the required fields described above.

  5. Click Save.

A new LDAP connection is added to the system. The first sync starts automatically at the next scheduled time unless Sync Frequency is set to Manually.

Initiate a manual sync

Start an ad hoc LDAP synchronization by following the steps below:

Prerequisites:
  • The user has the system Super User permission.

Steps:
  1. Log in with a user that has the super user permission.

  2. Click the gear icon in the top right corner of the SD Elements interface, and select LDAP Integration.

  3. Find the desired connection in the list and hover the mouse over the right-hand side of its row.

  4. Click the refresh icon.

A new synchronization job is initiated. The job may take a few minutes or more to complete based on the number of users and groups in scope.

FAQ

  • How does this relate to Single Sign-On (SSO)?

    • SSO handles user authentication; this feature provisions user accounts and manages their group membership.

    • Users provisioned by LDAP Sync on a server with SSO enabled will not be sent a password reset email.

  • Can I sync using multiple connections?

    • You can sync against multiple LDAP servers.

    • Since this is a user integration system, syncing multiple connections at the same time may cause unexpected results or problems.

Troubleshooting

  • Sync failures

    • Clicking on the red exclamation warning button will display the error of the last synchronization attempt. To view older failures, click on the connection name to be taken to the sync history page.

  • TLS/SSL issues

    • If you are connecting over TLS/SSL, ensure that the LDAP server certificate or the CA signing certificate is installed on the SD Elements instance.

    • Alternatively, disable the "Validate the SSL certificate of the LDAP server" option.

      • This option is not recommended for production contexts.

  • Timeout

    • The sync will error and stop if it does not complete within 2 hours. If you experience this issue, please reach out to support for advice on how to resolve it.
