LDAP directories

When starting the application, users are granted access, or not, depending on their identity. There are four types of authentications:

• Database authentication
• LDAP authentication (on-premise installations only)
• OAuth2 authentication
• SAML2 authentication (on-premise installations only)

This page describes the LDAP authentication settings.

Principles of LDAP Authentication

The user enters a login and password in the application login screen:

1. If the login does not correspond to a user entity, the user cannot log in.
2. If the login corresponds to a user entity, the system performs an LDAP search for the user's distinguished name (which identifies the user in the LDAP structure). If an authentication name is provided, it can be used for the search. Otherwise, the login name is used.
3. If the entry is found, an LDAP authentication is performed with the distinguished name and the password. If the authentication succeeds, the user can use the application.

Connection properties

This section provides relevant information about the connection to the LDAP authentication server.

Name

Name used to reference the LDAP setup.

Display name

User-friendly description.

Active

If the check box is cleared, the server is considered as inactive, and no login is possible using this setup.

URL

Defines the LDAP server name, port, and protocol (example: "ldap://vil-ldap:3268").

DN for searching

Distinguished name of an LDAP user who has the rights to search the LDAP tree. All other rights should be disabled for this user as it is more "public" than other users.

Note: Anonymous binding is not supported.

Password for DN search

Password for the search user defined in DN for searching.

Search base

Defines the root of the subtree within the LDAP structure in which the search will be performed.

Search filter

Defines the search filter.

CA certificates of LDAP server for TLS

CA certificates to set up if the LDAP server uses an SSL certificate of a well-known certificate authority (CA).

User mapping LDAP attributes

This section defines the mapping LDAP attributes if you want to import users from LDAP.

Mapping for authentication name

Contains the name of the LDAP attribute corresponding to the authentication name property (and in most cases, the login name) of the user entity. Set this field with an existing LDAP attribute. When you use Active Directory, the value is usually "sAMAccountName". You can select the value from a list of LDAP attributes which is obtained from LDAP during runtime. To do so, the fields of the LDAP server have to be already saved in the database. You can also directly enter another LDAP attribute, or even a name that is not on the list.

Mapping for first name

Contains the name of the LDAP attribute corresponding to the first name property of the user entity. You can select an attribute from the list for the authentication name mapping. The value is usually "firstName".

Mapping for last name

Contains the name of the LDAP attribute corresponding to the last name property of the user entity. You can select an attribute from the list for the authentication name mapping. The value is usually "sn".

Mapping for email

Contains the name of the LDAP attribute corresponding to the email property of the user entity. You can select an attribute from the list for the authentication name mapping. The value is usually "mail".

Mapping for photo

Contains the name of the LDAP attribute corresponding to the photo properties of the user entity. You can select an attribute from the list for the authentication name mapping. When you use Active Directory, the value is usually "thumbnailPhoto".

Mapping for group membership

Contains the name of the LDAP attribute corresponding to the group membership property of the user entity. The value is usually "memberOf". The link between X3 groups and LDAP groups is made in the group settings.

Users search filter for synchronization

This section allows you to define search criteria for LDAP users. LDAP has strong search capabilities built in to the server.
LDAP filters consist of one or more criteria. If at least two criteria exist in a filter definition, they can be concatenated by logical operators "AND" and "OR". These operators are always placed between two criteria.

Refer to this page for more information on filters.

User search filter

Defines a custom search filter for importing user data from the LDAP.

Users belonging to known groups

Adds a complementary filter in order to select only LDAP users belonging to LDAP groups linked to X3 groups. The link between X3 groups and LDAP groups is made in the group settings.

Global LDAP user search filter

Read-only field that displays the final query (in the LDAP filter syntax) that will be sent to the LDAP server in order to select the user entity.

Groups

This section defines the LDAP group settings.

Group search filter

LDAP filter that identifies the group's entities on the LDAP tree.
The group search filter is only used for helping to link X3 groups with LDAP groups (LDAP group name lookup). It is not related to the synchronization of users.

Example: "(objectClass=group)"

Mapping for group name

Contains the name of the LDAP attribute corresponding to the group identification property used to identify group memberships on the user entity. Refer to Mapping for group membership.

Synchronization settings

This section defines the LDAP syncronization settings.

User authentication

Defines the default user's authentication policy. Imported users inherit this setting.
If you chose "Standard" authentication, make sure you have a valid policy setting different than "Basic" in the global settings:

• LDAP (Lightweight Directory Access Protocol) means that the control is performed using an access to an LDAP directory.
• Standard corresponds to the default global policy setting. This default setting is managed in the Global settings function.

Connection test

This service tries to connect to the LDAP server using the entered authentication data and then disconnects from the LDAP server. Any errors during this process (e. g. wrong password) will be shown.

User import from LDAP

An LDAP server contains more information about users than necessary for authentication. User data can be imported from an LDAP server into a user entity.

Mapping user attributes to LDAP attributes

As attribute names in LDAP and in the user entity are different, you have to enter:

• The appropriate authentication name in the Mapping for authentication name field.
• The appropriate first name in the Mapping for first name field.
• The appropriate last name in the Mapping for last name field.
• The appropriate email in the Mapping for email field.
• The appropriate photo properties in the Mapping for photo field.

The import process

To run this function, the current LDAP entry must be active, and you must have write access to the user data. If this is the case, the program performs the following:

1. The LDAP server uses the pattern defined in the Sync search filter field to search within the subtree defined by the Search Base field, and retrieve a list of LDAP user data.
2. For each user, the program checks if any entry of the LDAP user data has the same value as the LDAP attribute in which the user account was mapped. The user account corresponds to the "Authentication name" if the user has LDAP authentication selected by default, and if the field is not empty. If not, it corresponds to the "login code".
3. If there is such an entry, all values of the user entity attributes are filled using the corresponding values of the LDAP user data attributes. The LDAP user data entry is also marked as used, and the user entity is marked as active.
   If not, it is marked as inactive and the user can no longer log in.
4. At the end of this process, the program runs a loop over all LDAP user data entries that have not been marked as used. These correspond to users that still have to be created. If there is already a user whose "login" is the same as the value of the "authenticationName", a login name is created as follows:
   • The program retrieves all instances of the user entity whose login name starts with the given value. The lowest available number is then appended to the login name. For example, if the name is "test" and users test, test0, test1, test3 and testa already exist, "2" is the lowest available number. In this case, test2 will be the new login name.
   • The "authenticationName" is not changed because it is used for LDAP authentication. For existing users, the mechanism described above guarantees that user data will be updated correctly when this function is called again. An error message is triggered if a new user is created by another connection while the searching user entity process is in progress. There is no loop that tests each possible combined user name, whether it has already been created or not, so that endless loops will not be possible under any circumstance.
5. For the other attributes (first name, last name, mail, photo), the value in the user instance is updated when a mapping is given, and when there is a value for the LDAP attribute. If the mapping is given but there is no value for the LDAP attribute, the value in the user instance is emptied. If no mapping is given, the value in the user instance does not change.
6. If the LDAP user contains group information and a group mapping exists, the user instance is included in this group. For all X3 endpoints of the group, an X3 user is created with a unique login composed of the original login and a hash code that is automatically generated. The profession code associated to the X3 user is determined using the "roles to profession codes mapping" grid defined in the corresponding endpoint.

Once all users have been managed, all error messages are displayed.

Scheduling user update

The Scheduler function (Administration > Usage > Automate > Scheduler) allows the selection of a scheduler to automate the process.