The LDAP connector is used to provision and authenticate users against a directory service using LDAP. The connector supports either DNS lookup or manual configuration of SRV records. Several user attribute fields can be configured, but only the username and email address attributes are required.
Below are sample base organizational units for the different directory types:
- Active Directory:
'OU=Employees,DC=company,DC=com'
- Apache Directory Services:
'OU=Users,DC=example,DC=com'
- Lotus Domino:
'O=SCNotes'
- Novell eDirectory:
'O=Company Organization'
- DirX:
'ou=Users,o=Company'
And below are example search filter attribute names and values:
- 'department=EDI'
limits to entries that match the attribute name=value.
- 'department=EDI,group=administrators'
limits to entries that match both attributes.
- 'department=EDI,telephoneNumber=800*'
limits to entries whose attribute value starts with the given prefix.
- 'objectclass=person'
limits to just people; the directory can contain other entries (for example, computers).
- '!(userAccountControl:1.2.840.113556.1.4.803:=2)'
excludes disabled accounts.
In Active Directory, if an account is disabled, bit 0x02 in the userAccountControl attribute value is set. 1.2.840.113556.1.4.803 is the rule object ID (ruleOID) for the LDAP bitwise AND matching rule.
Finally, these are the typical username attributes for the different directory types:
- Active Directory:
'sAMAccountName'
- Apache Directory Services:
'uid'
- Lotus Domino and Novell eDirectory:
'CN'
- DirX:
'cn'
To then use an LDAP connector, go to a user's mailbox and select the Connector Host Authentication Type. Point to the LDAP connector by using a URI reference (for example, ldap:External, where External is the LDAP host connector alias).
Notes:
- Use the Test Authentication and List Users buttons to validate that authentication is working and that the expected list of users and attributes is returned.
- The configured Base DN and Search Filter property values can be overridden when using the connector for a specific user mailbox by adding URI request parameters (for example, ldap:External?SearchFilter=department=EDI). Furthermore, the configured Search Filter can be extended rather than overridden by adding '.extend' to the parameter name (for example, ldap:External?SearchFilter.extend=,department=EDI); note the leading comma, which joins the extension to the configured comma-separated list.
- Multiple LDAP connectors can be configured and then used across different user mailboxes. The LDAP server configured within system options can still be used as well, but is limited to a single directory service.
- You must provide values for the following properties:
  - Directory Type
  - Security Mode
  - SRV Records
  - Base DN
  - Username Attribute
  - Email Address Attribute
  - User UID Attribute
  - Sync Account User Name
  - Sync Account Password
LDAP Connector Properties
Each instance of the LDAP Connector can be configured using the following settings:
Property | Description | Required |
---|---|---|
Directory Type | The product used for the LDAP directory service. | Yes |
Security Mode | If the directory server requires using SSL, specify a security mode. Otherwise, select None. | Yes |
SRV Records | The LDAP SRV records. | Yes |
DNS Domain Name | The DNS domain name from which you want to look up SRV records. | |
Automatic DNS Lookup | Automatically look up SRV records at runtime using DNS. | |
Base DN | The base organizational unit where the users are defined. Contact your directory administrator for the correct Base DN value. | Yes |
Search Filter | Used to limit the amount of information returned from the LDAP server when many users are defined. A more restrictive filter can be specified as a comma-separated attribute name=value list. Characters that have special meaning (* ( ) \ ,) must be escaped with a \ if they are part of a search value. A two-character hex representation can also be used (for example, NUL is \00). If necessary, contact your directory administrator to determine the appropriate filter. | |
Username Attribute | The directory attribute that matches the username entered when a login is required. | Yes |
Email Address Attribute | The directory attribute that is the user's email address. | Yes |
Phone Attribute | The directory attribute that is the user's registered phone number. | |
First Name Attribute | The directory attribute that is the user's first name. | |
Last Name Attribute | The directory attribute that is the user's last name. | |
Full Name Attribute | The directory attribute that is the user's full name. | |
Home Directory Attribute | The directory attribute that is the user's home directory path. | |
User UID Attribute | Required field for user ID lookup if using SAML Single Sign On. This directory attribute must match the SAML assertion NameID value passed by the IdP in order for a user to successfully log in through SAML. | Yes |
Sync Account User Name | Username for extracting the users from the LDAP directory service. | Yes |
Sync Account User Password | Password value for the Sync Account User Name. | Yes |
Enable Debug | A switch that indicates whether to perform debug logging. | |
System Scheme Name | The URI scheme name used as a shortcut to this host. Valid pattern: [a-zA-Z]{1}[a-zA-Z0-9+\-\.]{1,23} | |
System Public | A switch that indicates whether the connector is public. | |
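As an added example (not the connector's own code, which the page does not show), the following Python models the documented search filter syntax from the examples above and the Search Filter property: it splits the comma-separated name=value list on unescaped commas, honours the backslash and \XX hex escapes, keeps an unescaped * as a wildcard, and hex-escapes any other ( ) \ or NUL in a value so that a value can never change the structure of the filter sent to the directory. It also checks the userAccountControl bit 0x02 that the disabled-account example tests. Assumptions not stated on the page: the terms are ANDed into a single (&...) filter, a term beginning with !( or ( is passed through as raw LDAP filter syntax, and all function names are mine.

```python
# Added example: a model of the connector's documented search-filter syntax,
# not the product's own code. Assumed (not stated on the page): terms are
# ANDed, and a term starting with '!(' or '(' is raw LDAP filter syntax.
import re
from typing import List

_HEX_ESCAPE = re.compile(r"\\[0-9a-fA-F]{2}")   # the documented \XX form
_CONNECTOR_SPECIALS = set("*()\\,")             # characters the page says need a \
ACCOUNTDISABLE = 0x02                           # userAccountControl bit for a disabled account


def split_terms(spec: str) -> List[str]:
    """Split the comma-separated name=value list on unescaped commas only."""
    terms, current, i = [], [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec):
            current.append(spec[i:i + 2])   # keep the escape pair for render_value
            i += 2
            continue
        if ch == ",":
            terms.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    terms.append("".join(current))
    return [t for t in terms if t]          # a leading ',' (the .extend form) yields an empty term


def render_value(value: str) -> str:
    """Render a search value as an RFC 4515 assertion value.

    An unescaped '*' stays a wildcard; a '\\' before one of * ( ) \\ ,
    makes that character literal (hex-escaped, or a plain ',' which LDAP
    does not treat specially); a '\\XX' hex escape is kept as-is; any other
    '(' ')' '\\' or NUL is hex-escaped so it cannot alter the filter.
    """
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if _HEX_ESCAPE.match(value, i):
                out.append(value[i:i + 3].lower())
                i += 3
                continue
            if i + 1 < len(value) and value[i + 1] in _CONNECTOR_SPECIALS:
                esc = value[i + 1]
                out.append("," if esc == "," else "\\%02x" % ord(esc))
                i += 2
                continue
            out.append("\\5c")                        # a lone backslash
        elif ch in "()\x00":
            out.append("\\%02x" % ord(ch))            # never a structural character
        else:
            out.append(ch)                            # includes an intended wildcard '*'
        i += 1
    return "".join(out)


def compile_filter(spec: str) -> str:
    """Turn the connector's comma-separated list into one LDAP filter string."""
    assertions = []
    for term in split_terms(spec):
        if term.startswith("!("):
            assertions.append("(" + term + ")")       # e.g. the bitwise AND rule example
            continue
        if term.startswith("("):
            assertions.append(term)
            continue
        name, sep, value = term.partition("=")
        if not sep or not name:
            raise ValueError("expected name=value, got %r" % term)
        assertions.append("(%s=%s)" % (name, render_value(value)))
    if not assertions:
        return "(objectClass=*)"                      # no restriction at all
    if len(assertions) == 1:
        return assertions[0]
    return "(&" + "".join(assertions) + ")"


def is_disabled(user_account_control: int) -> bool:
    """True when bit 0x02 (ACCOUNTDISABLE) is set in userAccountControl."""
    return bool(user_account_control & ACCOUNTDISABLE)


if __name__ == "__main__":
    configured = "objectclass=person,!(userAccountControl:1.2.840.113556.1.4.803:=2)"
    print(compile_filter(configured))
    # SearchFilter.extend=,department=EDI appends to the configured list
    print(compile_filter(configured + ",department=EDI"))
    # a value carrying filter syntax is neutralised, not interpreted
    print(compile_filter("department=EDI)(cn=*"))
    print(is_disabled(514), is_disabled(512))         # constructed sample values
```

The last call in the usage block is the check a defender cares about: a value that arrives through a URI request parameter and contains parentheses is hex-escaped, so it is matched literally rather than appended to the filter as extra assertions. A NUL-containing value shows up as \00, the form the Search Filter property documents.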