You can configure VisionFlow to authenticate or importusers from an LDAP directory server. This only works for the enterprise server version of VisionFlow.
LDAP is configured in Settings --> Integrations --> LDAP.
We recommend that you use one configuration for authentication and a separate configuration for user import. You can add many import configurations for different groups of users but make sure that the same user is not included in many imports.
How do I configure LDAP
Go to Settings --> Integrations --> LDAP.
Create a new configuration
Name: "Name of configuration"
Type: Choose if this configuration is for login or import.
Security principal: uid=admin,ou=system (LDAP user account that is used by Visionflow)
Limit test import users: 50 (Limit amount of users for the import test button)
Import: Enable if you want to automatically import/update users when they authenticate.
URL: ldap://domainserver.mycompany.com:389 (Url for ldap server connection)
Base DN - dc=example,dc=com (Where to start searching for users in the LDAP tree)
User DN- The DN is the starting point in the LDAP hierarchy where your user search will begin and where login users are found.
Mappings: VisionFlow user attributes to map to ldap user attributes.
Example for Active Directory attributes:
Search filter: Set the search filter to match the users that login. The search for authentication must match only one unique user. Example: ldap.auth.search.filter=(&(uid=@user_id@)(objectClass=user)(memberOf=CN=VPUSER,CN=Users,DC=MYCOMPANY,DC=LOCAL))
For imports you can choose some of these settings to be applied for the imported users: Project, user group, company, Locale, date format, time format, and if an email should be sent to the new user.
We recommend that you configure this carefully in your test environment. Either set up one import specific for each user group, or configure users groups manually after the user(s) has been imported.
About Search filters
Please note that when accessing a user account for authentication or authorization, a special attribute is often checked
first to determine the current status of the account: disabled or enabled. Such an attribute is either sAccountLock (bears value of TRUE or FALSE) used in Netscape iPlanet world or UserAccountControl used in Microsoft Active Directory (AD) world.
Active Directory stores information about the user account as a series of bit fields or flags in the UserAccountControl attribute, among which the two most commonly used flags are ACCOUNTDISABLE (0x0002 or 2) and NORMAL_ACCOUNT (0x0200 or 512). For a disabled account, the UserAccountControl normally bears the value of 514 or 0x0202 (0x0200 + 0x0002)
If you want to prevent disabled accounts from logging into the portal you need to use a search filter (ldap.auth.search.filter) similar to the Following: