The LDAP configuration can be a bit tricky and may require some testing back and forth to get right.
Below you'll find a few tips on how to get this to work more easily.
Recommended steps to get LDAP to work properly
- Use the LDAPImportUtil to test your connection and searches
- Use JXplorer to test your configuration and access to your LDAP/AD server
- Debug the system and check files often during config/testing
- Make sure that only one user matches search criteria
- Restart VisionFlow after each change to the LDAP settings
For details about these steps, see below ...
1. Test your LDAP connection using the LDAPImportUtil
- On your server, log in to your VisionFlow server as an administrator
- Go to the https://localhost/LDAPImportUtil.jsp page (use localhost or 127.0.0.1)
- Use the LDAPImportUtil to test your different configurations to:
  - Make sure you can connect to your LDAP/AD server
  - Test and find the right users that you want to import or that you want to have access to VisionFlow (you can use the util as a search tool)
  - Test the final settings in the VisionFlow.properties file so that everything works as intended
2. Test config and searches in JXplorer
It is recommended that you test your settings and configurations using a separate tool. We recommend http://jxplorer.org/.
Using JXplorer you can test all your LDAP searches and filters before applying them to VisionFlow.
For Windows you can also use ADExplorer provided by Microsoft here ...
3. Use more debugging and check the log files
When configuring your VisionFlow server instance for LDAP authentication, raise the log level (increase logging to reveal more information). See here for more info on how to do this...
Then check the VisionFlow.log file regularly for useful information.
The log files are where any error messages and debug information are written when you test out VisionFlow. This is very helpful when figuring out what might be wrong. You can find info on the log files here...
4. If you have problems during authentication, make sure that only one user matches the search criteria
- It is important that both ldap.auth.search.filter and ldap.users.dn match
- It is also important that ldap.auth.search.filter returns only one unique user, so the sAMAccountName=@user_id@ clause (or similar) is important. The @user_id@ will be replaced with the username that is used when logging into VisionFlow.
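The single-match requirement above, as an added example that is not VisionFlow code: it resolves @user_id@ in a filter template and counts how many entries the result matches. The sample entries, the small evaluator (only `&` and equality), the RFC 4515 escaping step and the constructed "loose" filter are assumptions of this sketch; the group-restricted filter is the one this page gives under "Create a separate group for VisionFlow users".

```python
import re

GROUP = "CN=VPusers,CN=Users,DC=myCompany,DC=local"
# The page's group-restricted filter, and a constructed one lacking the @user_id@ clause.
GOOD_FILTER = "(&(sAMAccountName=@user_id@)(memberOf=" + GROUP + "))"
LOOSE_FILTER = "(memberOf=" + GROUP + ")"
# Constructed sample entries standing in for the directory (not real data).
DIRECTORY = [
    {"sAMAccountName": ["anna"], "memberOf": [GROUP]},
    {"sAMAccountName": ["bert"], "memberOf": [GROUP]},
    {"sAMAccountName": ["carl"], "memberOf": []},
]

def escape_value(value):
    """RFC 4515 escaping, so the login name is always treated as a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(template, user_id):
    """Replace @user_id@ with the (escaped) login name."""
    return template.replace("@user_id@", escape_value(user_id))

def parse(text, pos=0):
    """Parse '(&(..)(..))' or '(attr=value)'; returns (node, next_pos)."""
    if text[pos + 1] == "&":
        pos, children = pos + 2, []
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        return ("and", children), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos + 1:end].split("=", 1)
    return ("eq", attr, value), end + 1

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(node, entry):
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    wanted = unescape(node[2]).lower()  # compared case-insensitively in this sketch
    return wanted in (v.lower() for v in entry.get(node[1], []))

def search(template, user_id):
    # Logins of all sample entries matched by the resolved filter.
    tree, _ = parse(build_filter(template, user_id))
    return [e["sAMAccountName"][0] for e in DIRECTORY if matches(tree, e)]

if __name__ == "__main__":
    for name, tmpl in (("good", GOOD_FILTER), ("loose", LOOSE_FILTER)):
        print(name, build_filter(tmpl, "anna"), search(tmpl, "anna"))
```

A filter that returns more than one login for a given username, like the constructed loose one, is the case to look for when testing your own filter in LDAPImportUtil or JXplorer.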
5. Restart the system after each change
Please note that you must restart VisionFlow after each change that you make to the LDAP settings in the VisionFlow.properties file for them to take effect.
6. Create a separate group for VisionFlow users
It is recommended that you create a separate group for the users that you want to be able to import, and use this group in your searches/authentication.
For example, you can create a CN called VPusers and assign it to the users you want to have access to the system, then update the filter in VisionFlow, such as: ldap.auth.search.filter=(&(sAMAccountName=@user_id@)(memberOf=CN=VPusers,CN=Users,DC=myCompany,DC=local))
Please note that the @user_id@ will be replaced with the username that is used when logging into VisionFlow.
7. Keep track of your user licenses
If you have many employees in your organization, we recommend that you create a separate group for the employees that should have access to VisionFlow. See above. This way it is easy to make sure that you don't exceed the total number of user licenses that you have purchased.
We also recommend that you import users with the "Support user" group. You specify this in the ldap.import.usergroup.mapping setting in the VisionFlow.properties file.
This way you can be sure that the number of licenses isn't exceeded by default and the system isn't locked down.