LDAP Import and login configuration for enterprise version

LDAP configuration for the enterprise version

You can configure VisionFlow to authenticate or import users from an LDAP directory server. This only works for the enterprise server version of VisionFlow.

LDAP is configured in Settings --> Integrations --> LDAP.

 

We recommend that you use one configuration for authentication and a separate configuration for user import. You can add many import configurations for different groups of users, but make sure that the same user is not included in more than one import.

 

How do I configure LDAP?

 

Go to Settings --> Integrations --> LDAP.

 

Create a new configuration

 

Name: "Name of configuration"

 

Description: "Description" 

 

Type: Choose if this configuration is for login or import.

 

Security principal: uid=admin,ou=system (LDAP user account that is used by VisionFlow)

 

 

Authentication method: Choose authentication method

 

Time limit: Time limit for the LDAP query in ms.

 

LDAP search page limit: Page limit for LDAP query, recommended setting: 100

 

Limit test import users: 50 (Limits the number of users for the import test button)

 

Import: Enable if you want to automatically import/update users when they authenticate.

 

URL: ldap://domainserver.mycompany.com:389 (URL for the LDAP server connection)

 

Base DN: dc=example,dc=com (Where to start searching for users in the LDAP tree)

 

User DN: The DN is the starting point in the LDAP hierarchy where your user search will begin and where login users are found.

 

Mappings: VisionFlow user attributes to map to LDAP user attributes.

Example for Active Directory attributes: 

userName=sAMAccountName

password=userPassword

 

Search filter: Set the search filter to match the users that log in. The search for authentication must match only one unique user. Example: ldap.auth.search.filter=(&(uid=@user_id@)(objectClass=user)(memberOf=CN=VPUSER,CN=Users,DC=MYCOMPANY,DC=LOCAL))

 

 

For imports you can choose some of these settings to be applied to the imported users: project, user group, company, locale, date format, time format, and whether an email should be sent to the new user.

We recommend that you configure this carefully in your test environment. Either set up one specific import for each user group, or configure user groups manually after the users have been imported.

 

 

About Search filters 

Please note that when accessing a user account for authentication or authorization, a special attribute is often checked first to determine the current status of the account: disabled or enabled. Such an attribute is either nsAccountLock (bears value of TRUE or FALSE) used in the Netscape iPlanet world or UserAccountControl used in the Microsoft Active Directory (AD) world.

 

Active Directory stores information about the user account as a series of bit fields or flags in the UserAccountControl attribute, among which the two most commonly used flags are ACCOUNTDISABLE (0x0002 or 2) and NORMAL_ACCOUNT (0x0200 or 512). For a disabled account, the UserAccountControl normally bears the value of 514 or 0x0202 (0x0200 + 0x0002).

If you want to prevent disabled accounts from logging into the portal you need to use a search filter (ldap.auth.search.filter) similar to the following:
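
An added example (not VisionFlow's code or configuration) of how such a filter can be built for Active Directory: it appends a bitwise-AND match on ACCOUNTDISABLE to the example authentication filter from the Search filter setting above, and escapes the login name per RFC 4515 before it replaces @user_id@. The function names, the sample login names and the value 66050 are constructed for illustration; the matching-rule OID is Active Directory's LDAP_MATCHING_RULE_BIT_AND.

```python
# Added illustration, not VisionFlow code. Function names are hypothetical.
ACCOUNTDISABLE = 0x0002   # flag values as given in the article
NORMAL_ACCOUNT = 0x0200
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD LDAP_MATCHING_RULE_BIT_AND

# Example authentication filter from the article's "Search filter" setting.
PAGE_FILTER = ("(&(uid=@user_id@)(objectClass=user)"
               "(memberOf=CN=VPUSER,CN=Users,DC=MYCOMPANY,DC=LOCAL))")


def is_disabled(uac: int) -> bool:
    """Test the ACCOUNTDISABLE bit instead of comparing against 514."""
    return bool(uac & ACCOUNTDISABLE)


def enabled_only(template: str) -> str:
    """AND the template with a clause that rejects disabled accounts."""
    return "(&%s(!(userAccountControl:%s:=%d)))" % (
        template, BIT_AND_RULE, ACCOUNTDISABLE)


def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so input stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c
                   for c in value)


def render(template: str, user_id: str) -> str:
    """Model the @user_id@ substitution (an assumption), with escaping."""
    return template.replace("@user_id@", escape_filter_value(user_id))


if __name__ == "__main__":
    # Constructed values: 66050 = 514 + 0x10000 (DONT_EXPIRE_PASSWORD).
    for uac in (512, 514, 66050):
        print(uac, "disabled" if is_disabled(uac) else "enabled")
    auth_filter = enabled_only(PAGE_FILTER)
    print(render(auth_filter, "jdoe"))
    print(render(auth_filter, "j*doe"))  # constructed login name
```

A disabled account with additional flags set (66050 here) is still excluded by the bit match, where an equality test against 514 would not match it.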

More information about this is available here:

http://support.microsoft.com/kb/305144/
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication