The LDAP integration of Deepser is meant to automate the import and management of users and groups.
It can connect to an LDAP server, import all the data about users and groups, and place the users in the right groups.
We recommend configuring the objects of the LDAP server properly, so that they are easy to access for other software such as Deepser.
The LDAP integration can interface with every server supported by the Adldap2 library.
All the most important LDAP systems are supported by that library, for example Active Directory and OpenLDAP, the systems most used in business and educational organizations.
If a specific project needs a particular configuration, other LDAP systems can be integrated together with the Deepser development team.
Once users have been imported from LDAP, the Login screen of Deepser changes: a select-box for the LDAP Domain becomes visible. Every user imported from LDAP must select their LDAP Domain to access the system. The domain password is never read or stored in the Deepser database: Deepser calls the LDAP server and lets the user log in only if the LDAP server accepts the username and password.
Note: the LDAP integration in Deepser cannot change the LDAP data; it connects to the LDAP server in read-only mode.
Inside Deepser, imported data are modified only by the LDAP integration: every manual edit made in the Deepser form of an imported LDAP user is overwritten when the changed fields are re-imported via LDAP.
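The login flow described above, as an added illustration that is not Deepser's own code: Deepser uses the Adldap2 library, while this snippet uses PHP's ext/ldap directly so that each step is visible. The host, port, DN layout and password are constructed values, and the check refuses an empty password before binding, because a simple bind with an empty password is treated as an unauthenticated bind that many servers accept.

```php
<?php
// Added example (not Deepser's own code): check a username/password pair by
// binding to the LDAP server as that user, which is how the page describes the
// Deepser login working. Deepser itself uses the Adldap2 library; this snippet
// uses PHP's ext/ldap directly so the steps are visible. Host, port and DN below
// are constructed values.

/**
 * Returns true only if the directory accepts a simple bind with these credentials.
 * $bindDn is the user's full DN (OpenLDAP) or the DOMAIN\username string (Active Directory).
 * The password is used for the bind and then discarded; nothing is stored.
 */
function ldapCredentialsAreValid(string $host, int $port, string $bindDn, string $password, bool $startTls = true): bool
{
    // An empty password turns a simple bind into an unauthenticated bind, which
    // many servers accept (RFC 4513, section 5.1.2). Refuse it before touching the network.
    if ($bindDn === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect("ldap://{$host}:{$port}"); // use ldaps:// with port 636 for "Use SSL"
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // the "Follow Referrals" switch, here off
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);  // the "Timeout" field; this option takes seconds

    // The "Use TLS" switch: upgrade the plain connection before the password is sent.
    if ($startTls && !@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }

    $accepted = @ldap_bind($conn, $bindDn, $password);
    ldap_unbind($conn);
    return $accepted;
}

// The username typed on the Login screen is escaped before it becomes part of a DN.
$username = 'alice';
$bindDn   = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',dc=example,dc=com';
$loggedIn = ldapCredentialsAreValid('ldap.example.com', 389, $bindDn, 'correct horse battery staple');
echo $loggedIn ? "login accepted\n" : "login rejected\n";
```

Only the boolean outcome leaves the function, which matches the page's statement that the domain password is neither read nor stored by Deepser; the `ldap_escape` call keeps a username containing commas or equals signs from altering the DN that is bound.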
Insert a new LDAP integration
To configure a new LDAP integration, select the menu System > Permissions > LDAP Integration.
You can see the grid with all the LDAP integrations already configured. Click on Add Ldap in the upper right.
We can add the data for a new LDAP integration.
Fields are divided into 3 tabs: data to connect to the LDAP Server, settings to create users in Deepser and settings to create groups in Deepser.
The fields have the following meaning:
| Field | Description |
|---|---|
| Name | Descriptive name of the integration. |
| Domain Controller | The address of the LDAP Domain Controller, e.g. ldap.forumsys.com. (Tip: this Domain Controller is public and contains data to test the integration, also present in the Deepser demo. You can use ldap.forumsys.com for testing purposes.) |
| Cron Expression | The Cron expression that schedules the import job. You can schedule an import every minute (not suggested!), twice a day, once a week, etc. |
| Status | Tells whether the integration is active. If it is active but not scheduled with a Cron Expression, you can run it on demand with the “Run” button in the upper right. |
| Base DN | Base DN used to connect to the LDAP Server, usually the branch where the users to import are found. |
| Port | Port of the LDAP Server. The standard ports are 389 for LDAP and 636 for LDAPS. |
| Timeout | Timeout of the LDAP connection. Once it expires, the connection attempt returns an error. |
| Use SSL | Use the SSL protocol for a secure connection. |
| Use TLS | Use the TLS protocol for a secure connection. |
| Follow Referrals | When the LDAP infrastructure has several joined domains composing a forest, cross-domain lookups are resolved by following referrals, if your LDAP server supports them. |
| Admin Username | The username of an account that can read the LDAP directory. In Active Directory this is usually the DOMAIN\Username string; in OpenLDAP you should probably use the complete DN, e.g. cn=read-only-admin,dc=example,dc=com. We have chosen to let you insert the complete DN freely, to improve the compatibility of our integration with LDAP systems. |
| Admin Password | The password used to connect to LDAP. |
| User Name Attribute | The LDAP attribute that identifies the unique “Username” field stored in the Deepser DB. As described in the user guide, Deepser rewrites this field for LDAP users so that it is stored in the format `ID\username`, where ID is the numeric key of the LDAP integration in the Deepser database; this way you can always tell from which LDAP server a user was imported. Once users have been imported from LDAP, the Login screen of Deepser shows a select-box to choose the LDAP domain: every user imported from LDAP must select their Domain there and type their username in the User Name field without the `ID\` prefix. |
| User RDN Attribute | The unique field (e.g. distinguishedName) used to associate users to groups. |
| User Fields | Multiline field that decides which user fields to import from LDAP into the Deepser DB. See the screenshot for a clear example. |
| User Object Filter | LDAP filter to retrieve only a subset of LDAP objects. It is possible to set an LDAP query here. |
| Account Prefix | Prefix of the DN of the user. |
| Account Suffix | Suffix of the DN of the user. |
| Disable Users | When importing a user that is disabled in LDAP, you can disable it in Deepser as well. Disabled LDAP users carry different attributes depending on the LDAP implementation: in Active Directory and FreeIPA the attribute userAccountControl is checked, while in OpenLDAP pwdAccountLockedTime is checked. |
| Custom Code | PHP code invoked after a user import, which lets you customize the fields and the behaviour of the Deepser LDAP integration. The code exposes two fundamental objects: `$user` (a PHP array with the data of the user imported into Deepser) and `$ldapUser` (a PHP array with the data read from LDAP). To set, for example, the language of a user imported from LDAP, use this PHP code: `$user['locale'] = 'en_US';` |
| Group Enable | Whether the LDAP group integration is active. |
| Group Base DN | Base directory in which to find the LDAP groups. |
| Group Name Attribute | The unique LDAP attribute used as the name of the group in Deepser. |
| Group Members Attribute | LDAP attribute that identifies whether a user belongs to a group, for example uniqueMember. |
| Group Object Filter | LDAP query to filter the imported group objects. |
| Group Fields | This multiline field lets you define the fields of the groups you want to import from the LDAP server. See the User Fields field for an example. |
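A fuller example for the Custom Code field described in the table above, added here and not taken from Deepser: instead of hard-coding `$user['locale']`, it derives the locale from the LDAP attribute preferredLanguage (RFC 2798) and accepts only values on a whitelist, so that whatever is stored in the directory cannot push an arbitrary string into the Deepser database. The page does not document the exact shape of `$ldapUser`; the code assumes it maps lowercase attribute names to either a string or an array of strings (possibly with a `count` entry, as ext/ldap returns them), and the attribute name, the sample entry and the list of allowed locales are constructed.

```php
<?php
// Added example for the Deepser "Custom Code" field (this is not Deepser's own code).
// It fills $user['locale'] from the LDAP attribute preferredLanguage (RFC 2798) but
// accepts only locales on a whitelist, so directory data cannot push an arbitrary
// value into the Deepser database.
// Assumption (the page does not document it): $ldapUser maps lowercase attribute
// names to either a string or an array of strings, possibly with a 'count' entry
// as ext/ldap returns them. Closures are used instead of named functions so the
// snippet can run once per imported user without "cannot redeclare" errors.

// First value of an LDAP attribute from $ldapUser, or null when it is absent.
$ldapFirstValue = function (array $ldapUser, string $attribute): ?string {
    $key = strtolower($attribute);
    if (!array_key_exists($key, $ldapUser)) {
        return null;
    }
    $value = $ldapUser[$key];
    if (!is_array($value)) {
        return is_string($value) ? $value : null;
    }
    foreach ($value as $index => $item) {
        if ($index === 'count') {
            continue; // ext/ldap bookkeeping entry, not a directory value
        }
        return is_string($item) ? $item : null;
    }
    return null;
};

// Map a tag such as "it-IT", "it_it" or "it" onto one of the allowed Deepser locales.
$deepserLocaleFor = function (?string $languageTag, array $allowedLocales, string $default): string {
    if ($languageTag === null || trim($languageTag) === '') {
        return $default;
    }
    $wanted = strtolower(str_replace('-', '_', trim($languageTag)));
    foreach ($allowedLocales as $locale) {
        $candidate = strtolower($locale);
        // exact match ("it_it") or language-only match ("it")
        if ($wanted === $candidate || $wanted === substr($candidate, 0, 2)) {
            return $locale;
        }
    }
    return $default; // unknown or malformed tag: fall back rather than store it
};

// Outside Deepser the two objects do not exist: use constructed sample data
// so the script is self-contained. Inside the hook this block is skipped.
if (!isset($ldapUser)) {
    $ldapUser = [
        'uid'               => ['count' => 1, 0 => 'alice'],
        'preferredlanguage' => ['count' => 1, 0 => 'it-IT'],
    ];
    $user = ['username' => '1\\alice']; // the ID\username format described on the page
}

// Constructed whitelist: use the locales actually enabled in your Deepser instance.
$allowedLocales = ['en_US', 'it_IT', 'de_DE'];
$user['locale'] = $deepserLocaleFor($ldapFirstValue($ldapUser, 'preferredLanguage'), $allowedLocales, 'en_US');
```

When pasting this into the Custom Code field, drop the opening `<?php` tag and the sample-data block; run from the command line, the constructed entry ends with `$user['locale']` set to it_IT, and a user without the attribute, or with a tag outside the whitelist, gets the en_US default.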