Difference between revisions of "Integration/LDAP"
Latest revision as of 12:06, 10 December 2021
Basic configuration is the name of the LDAP server and the domain that is bound to the application:
- ldapServer
- ldapDomainDefault
All configuration options are found in: Policy#Active_directory
Synchronization options
Different options for LDAP integration exist:
1. Validate credentials: Check username/password against LDAP
2. Maintain groups: Add missing groups as defined in the LDAP
3. Create missing users: Create users with correct LDAP credentials
Credential validation (1) is mandatory, while group synchronization (2) and automatic user creation (3) are optional. The corresponding policy keys are:
- ldapAuthentication
- ldapMaintainGroupsOnLogon
- ldapCreateUsers
Groups and users in Tempus Serva will be marked with the LDAP path of the object. This path is also editable, so that groups or users can be mapped to other names in Tempus Serva than in the LDAP.
Failover mechanism
In case the LDAP is not responding the server can be allowed to use local application credentials:
- ldapAuthenticationFallback
The server will first try to validate against the LDAP; only if the LDAP does not respond is the validation done against the local user table. To make this possible, an encrypted copy of the user password is stored on every successful LDAP authentication. Note that this behaviour is only active if the fallback authentication is enabled.
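The logon flow described under the synchronization options and the failover mechanism, as an added illustration rather than code from Tempus Serva: LDAP is consulted first, a missing user is created only when ldapCreateUsers is set, and the local copy is written and consulted only when ldapAuthenticationFallback is set. The directory stand-in and the sample accounts are constructed, and a salted PBKDF2 hash is used where the page says "encrypted copy" (the page does not specify the format).

```python
import hashlib, hmac, os
from dataclasses import dataclass

class LdapUnavailable(Exception):
    """The directory did not respond: the failover case on the page."""

@dataclass
class Policy:
    ldapCreateUsers: bool = False
    ldapAuthenticationFallback: bool = False

def make_directory(accounts):
    """Constructed stand-in for the LDAP server: returns (bind, state);
    set state["up"] = False to simulate a non-responding directory."""
    state = {"up": True}
    def bind(username, password):
        if not state["up"]:
            raise LdapUnavailable()
        return accounts.get(username) == password
    return bind, state

def hash_password(password, salt=None):
    # Salted PBKDF2 stands in for the page's "encrypted copy" (assumption).
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def authenticate(policy, bind, local_users, username, password):
    """Return (ok, source); local_users is {username: {"pw": (salt, hash)}}."""
    try:
        ok = bind(username, password)
    except LdapUnavailable:
        # Failover: use the local table only if the policy allows it and a
        # copy was stored on an earlier successful LDAP logon.
        if not policy.ldapAuthenticationFallback:
            return False, "ldap-unavailable"
        rec = local_users.get(username, {})
        if "pw" not in rec:
            return False, "no-local-copy"
        salt, stored = rec["pw"]
        return hmac.compare_digest(stored, hash_password(password, salt)[1]), "local"
    if not ok:
        return False, "ldap"
    if username not in local_users:
        if not policy.ldapCreateUsers:
            return False, "unknown-user"
        local_users[username] = {}  # ldapCreateUsers: create the missing user
    if policy.ldapAuthenticationFallback:
        local_users[username]["pw"] = hash_password(password)  # only when fallback is on
    return True, "ldap"
```

The source string returned with each result is what a defender would log: a burst of "local" logons is the visible sign that the directory was unreachable and the fallback path was in use.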
LDAP service account
In order to communicate with the LDAP server, the Tempus Serva application will need its own account to carry out many of the synchronization operations:
- ldapUsername
- ldapPassword
No permissions except lookup rights are required for this role.