How do I configure LDAP integration?

LDAP configuration

You can configure VisionFlow to authenticate users against, or import users from, an LDAP directory server. This only works for the installed server version of VisionFlow.

How do I configure LDAP?

LDAP is configured in the VisionFlow.properties file; which settings you use depends on how you want it to behave (restart your server after each change).

What is the normal setup?

The common way to do LDAP/AD integration is to:

  • Import the users that you want to have access to VisionFlow (using the LDAPImportUtil)
  • Configure VisionFlow to authenticate user logins against the LDAP/AD server
  • Do not allow users to be imported during login

This means that you control which users can access the system, and you can also give them access to the right data (such as projects) manually.

 

This is done by enabling the following settings (in the VisionFlow.properties file):

ldap.auth.enabled=true
ldap.auth.required=false
ldap.import.enabled=false
ldap.import.sendNotification=false

 

More info on other config options below...

How do I import users from LDAP?

  • On your server, log in to your VisionFlow server as an administrator
  • Open http://localhost/LDAPImportUtil.jsp (use localhost or 127.0.0.1)
  • Configure the import util to find the users that you want to import
  • Import the users
  • Log in to VisionFlow and configure the access and projects for the imported users

Please note that to allow connections from another machine (such as http://YOUR_SYSTEM_URL/LDAPImportUtil.jsp), you need to add ldap.importutil.remoteenabled=true to your VisionFlow.properties file.

 

Debugging info and tools to help

It is recommended that you follow these tips: http://www.VisionFlow.se/ShowKnowledgeBaseEntry.do?id=3376

How does the LDAP authentication work?

LDAP authentication works in the following way in VisionFlow:

  • If LDAP is enabled, users will be authenticated using the LDAP server or using the local VisionFlow database (i.e. you can override the LDAP configuration in the VisionFlow database).
  • If LDAP is required, users will only be authenticated using the specified LDAP directory server and never using the local VisionFlow database.
  • Please note that users also need to exist in the VisionFlow database to be able to log in. This is achieved in either of two ways:
    • Either users are first imported into VisionFlow (in bulk) using the import tool.
    • Or users are automatically imported at login time, which is the most common scenario. For this to work, "ldap.import.enabled" needs to be active.

 

When users log in to VisionFlow for the first time and are authenticated in the LDAP directory, their user data is imported (if ldap.import.enabled=true) into the VisionFlow database. When user-related data (such as the password) is updated in the LDAP directory, it will be updated in VisionFlow at the next login, i.e. data always flows from the LDAP server --> VisionFlow and not the other way around!

 

Even though authenticated users will be able to log in to VisionFlow, they will not have access to any project in the system. It is therefore recommended that you first import all users from the LDAP directory using /LDAPImportUtil.jsp (can only be run locally on the server, and only after you've logged in once as an admin). This way you can pick and choose which users to import, assign them the correct user group and give them access to the right projects.

 

Please note that users can still be disabled in the local database, which overrides the LDAP server settings!

 

LDAP authentication can be configured in VisionFlow.properties using these main settings:

ldap.auth.enabled=false
ldap.auth.required=false
    Configure whether LDAP authentication is enabled or required.

ldap.auth.autoPassword
    If true, the password from LDAP is ignored entirely and a random password is generated and set in the system.

ldap.auth.method=bind
    Set either "bind" or "password-compare" as the LDAP authentication method (bind is preferred by most vendors, so that you don't have to worry about password encryption strategies).

ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
    This setting should not be changed.

ldap.base.provider.url=ldaps://localhost:10636
    Change this to match your LDAP server, such as ldap://domainserver.mycompany.com:389 or ldaps://localhost:10636.

ldap.base.dn=ou=system
    Base DN where users are found, i.e. the location in the LDAP (Active Directory) tree where the search for users starts, such as "ou=system" or "dc=example,dc=com".

ldap.security.principal=uid=admin,ou=system
    The user (bind DN) used to log in to the LDAP repository.

ldap.security.credentials=secret
    The password used to log in to the LDAP repository.

The following settings are used to map/find LDAP users to portal users.

ldap.users.dn=DC=MYCOMPANY,DC=LOCAL
    The DN is the starting point in the LDAP hierarchy where your user search begins and where login users are found.
    NOTE! THIS IS USED IN COMBINATION WITH THE ldap.auth.search.filter PROPERTY MENTIONED BELOW!

 

ldap.auth.search.filter=(&(uid=@user_id@)(objectClass=user)(memberOf=CN=VPUSER,CN=Users,DC=MYCOMPANY,DC=LOCAL))
    Set the search filter to match the users that log in and are imported into VisionFlow. The more specific the filter, the better, such as (mail=@email_address@), (&(uid=@user_id@)(objectClass=inetOrgPerson)) or (&(mail=@user_id@)(objectClass=inetOrgPerson)).
    The @user_id@ variable in the search filter is replaced with the username entered at login.
    See more about search filters below.
    For users to be verified and log in to VisionFlow, you need a search filter that works for all your users.
    NOTE! IT IS IMPORTANT THAT THIS FILTER MATCHES ONE UNIQUE USER, OTHERWISE THE ldap.users.dn MUST MATCH EXACTLY ONE USER (WHICH IT NORMALLY DOESN'T)!

 

ldap.user.mappings=userName=uid\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\nphoneNumber=mobile
    Mapping from LDAP attribute names to internal VisionFlow user attributes; in this example userName in VisionFlow is mapped to uid in LDAP.

 

These fields are the ones that will be synchronized between the LDAP directory and VisionFlow. Currently the only possible attributes to import are:

  • userName
  • password (if allowed/available)
  • emailAddress
  • firstName
  • lastName
  • phoneNumber
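As an added example (not VisionFlow's own code), the Python below parses a ldap.user.mappings value in the format shown above and applies it to a constructed directory entry, rejecting target fields outside the six listed and honouring ldap.auth.autoPassword; the entry contents and the function names are assumptions made here.

```python
import secrets

# The six VisionFlow fields the page lists as importable; any other target field is rejected.
ALLOWED_FIELDS = {"userName", "password", "emailAddress", "firstName", "lastName", "phoneNumber"}

def parse_user_mappings(value):
    """Parse ldap.user.mappings: VisionFlow field=LDAP attribute pairs separated by \\n.
    Accepts the literal backslash-n of the properties file as well as real newlines."""
    mappings = {}
    for pair in value.replace("\\n", "\n").splitlines():
        if not pair.strip():
            continue
        field, attr = (part.strip() for part in pair.split("=", 1))
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unsupported VisionFlow field in ldap.user.mappings: {field}")
        mappings[field] = attr
    return mappings

def import_user(entry, mappings, auto_password=False):
    """Build the VisionFlow user record from one LDAP entry; data flows LDAP -> VisionFlow only.
    With ldap.auth.autoPassword the directory password is ignored and a random one is generated."""
    user = {}
    for field, attr in mappings.items():
        if field == "password" and auto_password:
            user[field] = secrets.token_urlsafe(24)
            continue
        raw = entry.get(attr)
        if raw is None:
            continue  # attribute missing in the directory: leave the field unset rather than blank
        user[field] = raw[0] if isinstance(raw, list) else raw
    return user

# The mapping value exactly as on the page, and a constructed directory entry (not real data).
PAGE_MAPPINGS = ("userName=uid\\npassword=userPassword\\nemailAddress=mail\\n"
                 "firstName=givenName\\nlastName=sn\\nphoneNumber=mobile")
SAMPLE_ENTRY = {"uid": ["alice"], "userPassword": ["{SSHA}constructed-hash"], "mail": ["alice@example.com"],
                "givenName": ["Alice"], "sn": ["Andersson"]}  # no "mobile" attribute on purpose
```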


ldap.importutil.remoteenabled=true
    Allow the import util to be used from an external PC (not just localhost).

ldap.import.usergroup.defaultProjectAccess=
    A comma-separated list of projectIds (such as 1,2,3) for the projects/workspaces that imported users should get access to by default.
    A list of available projectIds can be found in the database in the table "project", or in the system under "General" --> "Settings" --> "Integrations" --> "CTI".

ldap.import.enabled=true
    Whether users should be created and their data imported automatically when they log in to the system.

ldap.import.sendNotification=false
    Set to false if you don't want users to be notified when they are imported into the system.

ldap.user.impl=se.visionera.VisionFlow.valueobject.SystemUserVO
    Do not change; this is the class to which the imported attributes are mapped.

ldap.auth.password.encryption.algorithm=
    The encryption algorithm used.

ldap.auth.password.encryption.algorithm.types=MD5,SHA
    Allowed algorithm types.

The following settings are not used at the moment:

ldap.import.on.startup
ldap.import.interval
ldap.import.search.filter
ldap.export.enabled
ldap.connect.pool.enabled
ldap.groups.dn
ldap.group.mappings
ldap.user.default.object.classes=top,person,inetOrgPerson,organizationalPerson

Search filters (ldap.auth.search.filter)

Please note that when accessing a user account for authentication or authorization, a special attribute is often checked first to determine the current status of the account: disabled or enabled. Such an attribute is either nsAccountLock (with a value of TRUE or FALSE) in the Netscape iPlanet world or UserAccountControl in the Microsoft Active Directory (AD) world.

Active Directory stores information about the user account as a series of bit fields or flags in the UserAccountControl attribute, among which the two most commonly used flags are ACCOUNTDISABLE (0x0002 or 2) and NORMAL_ACCOUNT (0x0200 or 512). For a disabled account, UserAccountControl normally has the value 514 or 0x0202 (0x0200 + 0x0002).

If you want to prevent disabled accounts from logging into the portal you need to use a search filter (ldap.auth.search.filter) similar to the following:

More information about this here :

http://support.microsoft.com/kb/305144/
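As an added illustration (not VisionFlow code), the following Python evaluates an ldap.auth.search.filter locally against a few constructed entries: it escapes the login name before substituting @user_id@, enforces the exactly-one-match rule stated above, and shows a filter that additionally rejects accounts with the ACCOUNTDISABLE bit set by using Active Directory's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803, which is not on this page). The memberOf clause of the page's filter is dropped for brevity, and the entries and function names are assumptions made here.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule, written as attr:OID:=value
ACCOUNTDISABLE = 0x0002              # userAccountControl flag named on the page
# Constructed sample entries standing in for search results under ldap.users.dn (not real data).
ENTRIES = [
    {"uid": "alice", "objectClass": ["top", "person", "user"], "userAccountControl": 512},
    {"uid": "bob", "objectClass": ["top", "person", "user"], "userAccountControl": 514},  # 512 + 2
    {"uid": "svc01", "objectClass": ["top", "computer"], "userAccountControl": 512},
]
# The page's filter without its memberOf clause, and the same filter with a clause rejecting disabled accounts.
PAGE_FILTER = "(&(uid=@user_id@)(objectClass=user))"
ACTIVE_ONLY = f"(&(uid=@user_id@)(objectClass=user)(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))"

def escape_filter_value(value):
    """RFC 4515 escaping: the login name is user input and must not change the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    """Tiny recursive-descent parser for (&...), (!...) and (attr=value) filters."""
    if f[i + 1] in "&!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(f":{BIT_AND}:"):  # bit test on an integer attribute such as userAccountControl
        return int(entry.get(attr[: -len(BIT_AND) - 2], 0)) & int(value) == int(value)
    actual = entry.get(attr)
    values = actual if isinstance(actual, list) else [actual]
    return any(str(v).lower() == unescape(value).lower() for v in values if v is not None)

def find_login_user(template, user_id, entries=ENTRIES):
    """Expand @user_id@, evaluate the filter and insist on exactly one hit (the page's rule)."""
    node, _ = parse(template.replace("@user_id@", escape_filter_value(user_id)))
    hits = [e for e in entries if matches(node, e)]
    return hits[0] if len(hits) == 1 else None
```

With PAGE_FILTER the disabled account "bob" still resolves; with ACTIVE_ONLY it does not, and a duplicated entry or an unescaped login name never yields a match.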
