LDAP Synchronization
LDAP Sync allows organizations to use their LDAP repository to manage the list of active users, as well as their group membership, in SD Elements. Supported LDAP servers:
- OpenLDAP
- Microsoft Active Directory
Prerequisites
Before configuring LDAP Sync, collect the following information:
- SD Elements super user credentials, needed for configuring SD Elements.
  - The default super user for OnSite Deployments is support@sdelements.com.
- The hostname and port of the LDAP server.
- The protocol to use when connecting to the LDAP server, which is one of:
  - LDAP
  - LDAP with StartTLS
  - LDAPS
- The DN and password of a user to bind to the LDAP server.
- The base group DN. This DN will be used for querying LDAP groups.
- A list of LDAP group names to map to existing SDE groups. These LDAP groups should be under the base group DN.
LDAP connection fields
An LDAP connection has the following properties:
- Name: A unique name for this connection.
- Protocol: LDAP method to use when connecting. The available options are LDAP, LDAPS, and LDAP with StartTLS. If unspecified, the protocol defaults to LDAP with StartTLS.
- LDAP Server: The host of the LDAP server, optionally followed by the port.
  - Example: ldap.server.com:389
- LDAP Validate Cert: Toggle on to enable SSL certificate validation.
- Bind DN: The DN of the user to bind to the LDAP server.
- Bind Password: The password of the user to bind to the LDAP server.
- Group Base DN: The base DN of the LDAP groups to be synchronized.
- Sync Frequency: The rate at which the sync should occur.
  - Manually, Hourly, Daily, Weekly, Monthly
Optional fields:
- Base DN: The base DN used in constructing user queries. This will be automatically computed from the bind DN if left blank.
- LDAP User Schema: LDAP schema attribute mappings used by SD Elements for computing a user's name and email. Leave blank to use the default mappings.
- LDAP Filter - Group: A whitelist of LDAP groups to limit the sync to. Leave blank to sync all groups defined in the Group Mapping.
- LDAP Filter - Email Filter: A whitelist of LDAP users to limit the sync to. Leave blank to sync all users defined in the Group Mapping.
- LDAP Query Page Size: The maximum number of LDAP results to retrieve at a time. Only available on LDAP servers that implement RFC 2696 (simple paged results).
- Group Member Query: LDAP query for retrieving the members of a group. '%s' will be replaced by the LDAP group name during query construction.
- Deactivation: Toggle on for the desired deactivation behavior.
- Inaccessible: Mark this connection as inaccessible. This should only be done if the LDAP server cannot be reached from SDE. As a result, syncing from the server will be disabled for this connection. Instead, use the Remote Integration Agent to perform the integration.
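The following added example (not SD Elements code) shows how the fields above fit together when a connection definition is checked before it is saved: splitting the LDAP Server value into host and port with the protocol's default port, substituting the group name into a Group Member Query template so that filter metacharacters in the name cannot widen the query, and flagging the settings that weaken transport security (plain LDAP, or TLS without certificate validation). The default ports and the escaping rules come from RFC 4516 and RFC 4515, not from the page; the template in DEFAULT_GROUP_MEMBER_QUERY and the sample connection are constructed placeholders, not the product's real defaults.

```python
# Added example (not SD Elements code): sanity-check an LDAP Sync connection
# definition before saving it. Field names follow the page; default ports
# (RFC 4516) and filter escaping (RFC 4515) come from the LDAP standards; the
# default query template and the sample connection below are constructed.
from __future__ import annotations

DEFAULT_PORTS = {"LDAP": 389, "LDAP with StartTLS": 389, "LDAPS": 636}
SYNC_FREQUENCIES = {"Manually", "Hourly", "Daily", "Weekly", "Monthly"}
# Hypothetical template in the page's '%s' convention (Active Directory style).
DEFAULT_GROUP_MEMBER_QUERY = "(&(objectClass=group)(cn=%s))"

# RFC 4515: characters that would otherwise change the structure of a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_ldap_server(server: str, protocol: str = "LDAP with StartTLS") -> tuple[str, int]:
    """Split the 'LDAP Server' field (host or host:port) into (host, port).

    With no explicit port the protocol decides: 389 for LDAP and StartTLS
    (StartTLS upgrades the plain connection in place), 636 for LDAPS.
    """
    if protocol not in DEFAULT_PORTS:
        raise ValueError(f"unknown protocol {protocol!r}")
    text = server.strip()
    host, sep, port = text.rpartition(":")
    if not sep:  # no ':' at all: the whole value is the host
        host, port = text, str(DEFAULT_PORTS[protocol])
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"invalid LDAP Server value {server!r}")
    return host, int(port)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_member_query(group_name: str, template: str = DEFAULT_GROUP_MEMBER_QUERY) -> str:
    """Substitute the group name for '%s', escaped so it cannot alter the filter."""
    if template.count("%s") != 1:
        raise ValueError("Group Member Query must contain exactly one '%s' placeholder")
    return template.replace("%s", escape_filter_value(group_name))


def review_connection(fields: dict) -> list[str]:
    """Return findings about the security-relevant settings of a connection."""
    findings = []
    protocol = fields.get("Protocol") or "LDAP with StartTLS"  # page default
    if protocol == "LDAP":
        findings.append("Protocol is plain LDAP: bind password and directory data are sent unencrypted")
    elif not fields.get("LDAP Validate Cert", False):
        findings.append("LDAP Validate Cert is off: any server certificate will be accepted")
    if not fields.get("Bind DN"):
        findings.append("Bind DN is empty")
    if fields.get("Sync Frequency") not in SYNC_FREQUENCIES:
        findings.append("Sync Frequency must be one of: " + ", ".join(sorted(SYNC_FREQUENCIES)))
    try:
        parse_ldap_server(fields.get("LDAP Server", ""), protocol)
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    # Constructed sample connection mirroring the fields on the page.
    sample = {
        "Name": "corp-ad",
        "Protocol": "LDAPS",
        "LDAP Server": "ldap.server.com",
        "LDAP Validate Cert": True,
        "Bind DN": "cn=sde-sync,ou=service,dc=example,dc=com",
        "Group Base DN": "ou=groups,dc=example,dc=com",
        "Sync Frequency": "Daily",
    }
    print(parse_ldap_server(sample["LDAP Server"], sample["Protocol"]))
    print(build_group_member_query("SDE Admins"))
    # A group name containing filter metacharacters is neutralised, not interpreted.
    print(build_group_member_query("sde-admins)(cn=*"))
    print(review_connection(sample) or "no findings")
```

The review deliberately treats plain LDAP and "validate cert off" as separate findings: StartTLS or LDAPS without certificate validation still encrypts the session but gives no assurance about which server received the bind password, which is why the Troubleshooting section calls disabling validation unsuitable for production.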
Add an LDAP connection
Follow the steps below to configure a new LDAP Sync connection.
Prerequisite: the user has the system Super User permission.
- Log in with a user having super user permission.
- Click the gear icon in the top right corner of the SD Elements interface, and select Authentication.
- Select the LDAP Synchronization tab.
- Click the plus button in the top right corner of the screen to create a new connection.
- Fill in the required fields described above.
- Click Save.
A new LDAP connection is added to the system. It will start automatically at the next timeslot unless Sync Frequency is set to Manually.
Initiate a manual sync
Start an ad hoc LDAP synchronization by following the steps below:
Prerequisite: the user has the system Super User permission.
- Log in with a user having super user permission.
- Click the gear icon in the top right corner of the SD Elements interface, and select LDAP Integration.
- Find the desired connection in the list and hover the mouse over the right-hand side of the row.
- Click the refresh icon.
A new synchronization job is initiated. The job may take a few minutes or more to complete, depending on the number of users and groups in scope.
FAQ
- How does this relate to Single Sign-On (SSO)?
  - SSO handles user authentication; this feature provisions user accounts and manages their group membership.
  - Users provisioned by LDAP Sync on a server with SSO enabled will not be sent a password reset email.
- Can I sync using multiple connections?
  - You can sync against multiple LDAP servers.
  - Note: Since this is a user integration system, syncing multiple connections at the same time may cause unexpected results or problems.
- How can I add group mappings between LDAP groups and SDE groups?
  - Add LDAP Group Mappings:
    - Select the gear icon menu.
    - Select Authentication.
    - Select the LDAP Synchronization tab.
    - From the Group Mappings column, click + Add Group Mappings.
    - Click the plus button on the right to add a new group mapping.
Troubleshooting
- Sync failures
  - Clicking the red exclamation (warning) button displays the error from the last synchronization attempt. To view older failures, click the connection name to open the sync history page.
- TLS/SSL issues
  - If you are connecting over TLS/SSL, ensure that the LDAP server certificate or the CA signing certificate is installed on the SD Elements instance.
  - As a workaround, disable the Validate the SSL certificate of the LDAP server option.
    - This option is not recommended for production contexts.
- Timeout
  - The sync will error and stop if it does not complete within 2 hours. If you experience this issue, please reach out to support for advice on how to resolve it.