You can configure VisionFlow to authenticate or import users in an LDAP directory server. This only works for the installed server version of VisionFlow.
How do I configure LDAP?
LDAP is configured in the VisionFlow.properties file depending on how you want it to behave (restart your server after each change).
What is the normal setup?
The common way to do LDAP/AD integration is to:
- Import the users that you want to have access to VisionFlow (using the LDAPImportUtil)
- Configure VisionFlow to authenticate user logins against the LDAP/AD server
- Do not allow users to be imported during login (ldap.import.enabled=false, see below)
This means that you control which users can access the system, and you can also give them access to the right data (such as projects) manually.
This is done by enabling the following settings (in VisionFlow.properties file):
More info on other config options below...
How do I import users from LDAP?
- On your server, log in to VisionFlow as an administrator
- Go to http://localhost/LDAPImportUtil.jsp (use localhost or 127.0.0.1)
- Configure the import util so that it finds the users you want to import
- Import the users
- Log in to VisionFlow and configure access and projects for the imported users
Please note that to allow connections from another machine (such as http://YOUR_SYSTEM_URL/LDAPImportUtil.jsp), you need to add ldap.importutil.remoteenabled=true to your VisionFlow.properties file. Because the import util can create accounts in VisionFlow, keep this setting off unless you need it, and remove it again (and restart the server) once the import is done.
Debugging info and tools to help
It is recommended that you follow these tips: http://www.VisionFlow.se/ShowKnowledgeBaseEntry.do?id=3376
How does the LDAP authentication work?
LDAP authentication works in the following way in VisionFlow:
- If LDAP is enabled, users are authenticated against the LDAP server or against the local VisionFlow database (i.e. a locally stored password can override the LDAP configuration). A local password is therefore an alternative credential; use the required mode if LDAP should be the only way in.
- If LDAP is required, users are only authenticated against the specified LDAP directory server, never against the local VisionFlow database.
- Please note that users also need to exist in the VisionFlow database to be able to log in. This is achieved in one of two ways:
- Either users are first imported into VisionFlow (in bulk) using the import tool,
- or users are automatically imported at login time, which requires "ldap.import.enabled" to be active. (This is common, but the recommended setup above imports users in bulk and leaves login-time import off.)
When users log in to VisionFlow for the first time and are authenticated by the LDAP directory, their user data is imported into the VisionFlow database (if ldap.import.enabled=true). When user-related data (such as the password) is updated in the LDAP directory, it is updated in VisionFlow at the next login, i.e. data always flows from the LDAP server --> VisionFlow and never the other way around!
Even though authenticated users will be able to log in to VisionFlow, they will not have access to any project in the system. It is therefore recommended that you first import all users from the LDAP directory using /LDAPImportUtil.jsp (which can only be run locally on the server, and only after you have logged in once as an admin). This way you can pick and choose which users to import, assign them the correct user group and give them access to the right projects.
Please note that users can still be disabled in the local database, which overrides the LDAP server settings! The "Search filters" section below shows how to also keep out accounts that are disabled in the directory itself.
LDAP authentication can be configured in the VisionFlow.properties using these main settings:
- Configure whether LDAP is enabled or required (see "How does the LDAP authentication work?" above).
- If true, the password stored in LDAP is ignored; a random password is generated and set for the user in VisionFlow instead.
- Set "bind" and/or "password-compare" as the LDAP authentication method. Bind is preferred by most vendors: the directory server verifies the password itself, so VisionFlow does not need to know how the directory hashes or encrypts stored passwords.
- This setting should not be changed.
- Change this to match your LDAP server, such as ldap://domainserver.mycompany.com:389 or ldaps://localhost:10636. Prefer ldaps:// so that user and service-account passwords are not sent in clear text over the network.
- Base DN where users are found, i.e. the place in the LDAP (Active Directory) tree where the user search starts, such as "ou=system" or "dc=example,dc=com".
- The user (DN) that VisionFlow logs in to the LDAP repository with. Use a dedicated service account with read-only rights.
- The password that VisionFlow logs in to the LDAP repository with. It is kept in VisionFlow.properties, so restrict read access to that file.
The following settings are used to map/find LDAP users to portal users.
The DN is the starting point in the LDAP hierarchy where the user search begins and where login users are found.
Note: this is used in combination with the ldap.auth.search.filter property described below.
ldap.auth.search.filter: set the search filter to match the users that log in and are imported into VisionFlow; the more specific the better, such as (mail=@email_address@), (&(uid=@user_id@)(objectClass=inetOrgPerson)) or (&(mail=@user_id@)(objectClass=inetOrgPerson)).
The @user_id@ variable in the search filter is replaced with the username used when logging in. Since that value comes straight from the login form, test the filter with usernames containing characters that are special in LDAP filters (such as *, (, ) and \) as well as with ordinary ones.
See more about search filters below...
For users to be verified and able to log in to VisionFlow you need a search filter that works for all your users.
Note: it is important that this filter matches exactly one user; otherwise the ldap.users.dn itself must identify exactly one user, which it normally does not.
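As an added illustration (written for this page, not VisionFlow's own code), the Python below models the @user_id@ substitution and the one-unique-user rule described above. The directory entries, the tiny filter evaluator and the escape_filter_value helper are constructed for this example; it does not describe how VisionFlow itself performs the substitution, which you should check in your own installation by logging in with a username such as *)(uid=*.

```python
import re

# Constructed sample directory for this example (not real data). Attribute names
# are matched case-sensitively here for brevity; a real server is case-insensitive.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice",
     "mail": "alice@example.com", "objectClass": "inetOrgPerson"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob",
     "mail": "bob@example.com", "objectClass": "inetOrgPerson"},
    {"dn": "cn=svc-visionflow,ou=services,dc=example,dc=com",
     "cn": "svc-visionflow", "objectClass": "applicationProcess"},
]

# Two of the filter templates mentioned on this page.
UID_TEMPLATE = "(&(uid=@user_id@)(objectClass=inetOrgPerson))"
MAIL_TEMPLATE = "(&(mail=@user_id@)(objectClass=inetOrgPerson))"

# RFC 4515: these characters must be escaped when a value is placed inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is matched literally, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, user_id: str, escape: bool = True) -> str:
    """Replace @user_id@ with the login name. escape=False shows the unsafe variant."""
    return template.replace("@user_id@", escape_filter_value(user_id) if escape else user_id)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_regex(value: str):
    # An unescaped '*' is a wildcard; everything else is literal once unescaped.
    parts = re.split(r"(?<!\\)\*", value)
    return re.compile("^" + ".*".join(re.escape(_unescape(p)) for p in parts) + "$")


def _parse(s: str, i: int):
    """Parse the filter component starting at s[i] == '('; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    op = s[i + 1]
    if op in "&|!":
        i += 2
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    end = s.index(")", i)            # a literal ')' inside a value is escaped as \29
    attr, _, value = s[i + 1:end].partition("=")
    return ("=", attr, value), end + 1


def _match(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(_match(c, entry) for c in node[1])
    if op == "|":
        return any(_match(c, entry) for c in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    _, attr, value = node
    return attr in entry and _value_regex(value).match(entry[attr]) is not None


def search(directory: list, filter_str: str) -> list:
    """Return the DNs matched by filter_str (a small subset of RFC 4515 syntax)."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["dn"] for e in directory if _match(node, e)]


def find_login_user(directory: list, template: str, user_id: str, escape: bool = True) -> str:
    """Resolve a login name to exactly one DN, enforcing the page's uniqueness rule."""
    hits = search(directory, render_filter(template, user_id, escape))
    if len(hits) != 1:
        raise LookupError(f"login filter matched {len(hits)} entries, expected exactly 1")
    return hits[0]


if __name__ == "__main__":
    print(find_login_user(DIRECTORY, UID_TEMPLATE, "alice"))
    print(find_login_user(DIRECTORY, MAIL_TEMPLATE, "bob@example.com"))
    # Unescaped: a crafted login name rewrites the filter and matches every person.
    print(search(DIRECTORY, render_filter(UID_TEMPLATE, "*)(uid=*", escape=False)))
    # Escaped: the same input is matched literally and finds nobody.
    print(search(DIRECTORY, render_filter(UID_TEMPLATE, "*)(uid=*")))
```

The unescaped run shows why "the more detailed the better" is not enough on its own: the objectClass clause still narrows the result, but the injected wildcard turns the uid test into a match-all, and the uniqueness check is the last line of defence. The escaped run and find_login_user together give the behaviour the page asks for: one login name, one directory entry.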
LDAP attribute-name mapping to internal VisionFlow user attributes; for instance, userName in VisionFlow would be mapped to uid in this case.
These fields are the ones synchronized from the LDAP directory to VisionFlow. Currently the only attributes that can be imported are:
- password (if allowed/available)
- ldap.importutil.remoteenabled: allow the import util to be used from another PC/computer (not just localhost). Leave it off unless you are running an import.
- A comma-separated list of projectIds (such as 1,2,3) for the projects/workspaces that imported users are given access to by default.
A list of available projectIds can be found in the database table "project", or in the system under "General" --> "Settings" --> "Integrations" --> "CTI".
- ldap.import.enabled: whether users should be created and their data imported automatically when they log in to the system.
- Set this attribute to false if you do not want users to be notified when they are imported into the system.
- Do not change; this is the class to which the imported attributes are mapped.
- The encryption algorithm used.
- Allowed algorithm types.
These last settings are not used at the moment.
Search filters (ldap.auth.search.filter)
Please note that when accessing a user account for authentication or authorization, a special attribute is often checked first to determine the current status of the account, disabled or enabled. This attribute is nsAccountLock (with the value TRUE or FALSE) in the Netscape iPlanet world, or userAccountControl in Microsoft Active Directory.
Active Directory stores information about the user account as a series of bit fields or flags in the userAccountControl attribute, among which the two most commonly used flags are ACCOUNTDISABLE (0x0002 or 2) and NORMAL_ACCOUNT (0x0200 or 512). For a disabled account, userAccountControl normally has the value 514 or 0x0202 (0x0200 + 0x0002). Other flags can be set at the same time, so a filter should test the ACCOUNTDISABLE bit rather than compare the attribute with exactly 514.
If you want to prevent disabled accounts from logging into the portal, you need to use a search filter (ldap.auth.search.filter) that excludes entries with this bit set, similar to the following:
More information about this here :
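As an added example (written for this page, not VisionFlow's own code or configuration), the Python below decodes userAccountControl values and builds the Active Directory exclusion clause with the LDAP_MATCHING_RULE_BIT_AND extensible-match rule (OID 1.2.840.113556.1.4.803), which is the standard way to test a single bit in an AD filter; it also shows why comparing against exactly 514 is not enough. The sample account values and the sAMAccountName login filter are assumptions made for the example.

```python
# Well-known userAccountControl flag bits (Active Directory).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule understood by AD.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample values for this example (not real accounts).
SAMPLE_ACCOUNTS = {
    "alice": 512,     # NORMAL_ACCOUNT
    "bob": 514,       # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "carol": 66050,   # NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD
}


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value (useful when debugging logins)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(value: int) -> bool:
    return bool(value & ACCOUNTDISABLE)


def allowed_by_equality(value: int) -> bool:
    """What a filter like (!(userAccountControl=514)) lets through: anything but exactly 514."""
    return value != 514


def allowed_by_bit_test(value: int) -> bool:
    """What the bitwise filter lets through: every account without the ACCOUNTDISABLE bit."""
    return not is_disabled(value)


def exclude_disabled(login_filter: str, directory: str = "ad") -> str:
    """Wrap an ldap.auth.search.filter so that disabled accounts never match."""
    if directory == "ad":
        clause = f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"
    elif directory == "iplanet":
        clause = "(!(nsAccountLock=TRUE))"
    else:
        raise ValueError(f"unknown directory type: {directory}")
    return f"(&{login_filter}{clause})"


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(name, uac, decode_uac(uac),
              "equality filter allows:", allowed_by_equality(uac),
              "bit filter allows:", allowed_by_bit_test(uac))
    print(exclude_disabled("(sAMAccountName=@user_id@)"))
    print(exclude_disabled("(uid=@user_id@)", "iplanet"))
```

Running it shows carol (disabled, but with DONT_EXPIRE_PASSWORD also set) slipping past the equality check while the bit test rejects her; that is the account type an equality filter lets into the portal. The wrapped filter keeps the @user_id@ placeholder, so it can be placed into ldap.auth.search.filter as-is.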