LDAP User Sync Configuration

From idenprotect Knowledge Base

If you have not made any configuration changes yet, please see How to make configuration changes


idenprotect Core Platform can be used with or without LDAP integration. After the initial installation, LDAP integration is disabled. If LDAP is enabled, idenprotect Core Platform connects idenprotect users' identities to an LDAP directory, such as Microsoft Active Directory.

This article will help you configure the end-users being synchronized to the idenprotect Core Platform. If you are looking to configure the administrative users being synchronized, please see LDAP Admin Sync Configuration

If you do not yet have your connection to LDAP Configured, see LDAP Connection Configuration

If you would like to configure the LDAP synchronization job to store additional details about a user, see LDAP Extra Parameters or LDAP Group Definitions

Account Username

Each User account registered during synchronization needs to have at least one unique attribute. In releases up to version 3.12.0, this was the User's email address. In order to account for configurations where an individual may have multiple Active Directory accounts for different purposes but each one has the same email attribute, we have introduced an Account Username Field. If you are upgrading your installation from a release which is version 3.12.0 or lower, User accounts will automatically transition and the initial Account Username will be set as the LDAP Attribute "mail".

By default, the Account Username Field is set to "mail" but can be amended to fit any unique attribute such as the User's Common Name (cn). This Account Username will then be used when registering a User's mobile device and for any communication between applications in relation to that User.

NOTE: If you are using BlackBerry with your idenprotect solution, currently the Account Username MUST be set to mail (or another attribute which provides an email address which will match the email attached to the User's BlackBerry account)
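Before switching the Account Username Field away from "mail", it is worth confirming that the attribute you intend to use is present on every account and is never shared between two accounts. The following added example (not idenprotect code) performs that check on a constructed set of directory entries; the entries, and the use of sAMAccountName as an illustrative alternative attribute, are assumptions for the example only.

```python
from collections import defaultdict

# Constructed sample of LDAP search results (attribute name -> value). It
# reproduces the situation the page describes: one person holding several AD
# accounts that all carry the same "mail" value, plus a service account
# with no mail attribute at all.
SAMPLE_ENTRIES = [
    {"cn": "jdoe",       "mail": "jane.doe@example.com", "sAMAccountName": "jdoe"},
    {"cn": "jdoe-admin", "mail": "jane.doe@example.com", "sAMAccountName": "jdoe-admin"},
    {"cn": "bsmith",     "mail": "bob.smith@example.com", "sAMAccountName": "bsmith"},
    {"cn": "svc-backup", "sAMAccountName": "svc-backup"},
]

def account_username_problems(entries, attribute):
    """Return (missing, duplicates) for a candidate account-username attribute.

    missing    - cn values of entries that lack the attribute or have it empty
    duplicates - {value: [cn, ...]} for values shared by more than one entry
    """
    seen = defaultdict(list)
    missing = []
    for entry in entries:
        value = entry.get(attribute)
        if not value:
            missing.append(entry["cn"])
            continue
        # mail and cn use case-insensitive matching in AD, so normalise first
        seen[value.lower()].append(entry["cn"])
    duplicates = {v: cns for v, cns in seen.items() if len(cns) > 1}
    return missing, duplicates

def is_safe_account_username(entries, attribute):
    """True only when every entry carries the attribute and no value repeats."""
    missing, duplicates = account_username_problems(entries, attribute)
    return not missing and not duplicates

if __name__ == "__main__":
    for attr in ("mail", "cn", "sAMAccountName"):
        missing, dups = account_username_problems(SAMPLE_ENTRIES, attr)
        verdict = "OK" if not missing and not dups else "NOT unique"
        print(f"{attr:15s} {verdict}  missing={missing} duplicates={dups}")
```

Run against a real directory, the entries would come from the same search base and object class the sync job uses, so that the check covers exactly the accounts that will be registered.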

Configuring the User Synchronization job

When User Sync is enabled, user accounts are created and deleted based on group membership.

It should be noted that idenprotect Core Platform verifies that all connecting idenprotect users can be found in the LDAP directory. However, during enrollment, an idenprotect administrator has to manually verify all newly registered users. This part of enrollment can be further streamlined by enabling LDAP auto-enrollment. When auto-enrollment is enabled, idenprotect Core Platform automatically enrolls all new idenprotect users who have been assigned to a defined auto-enrollment group in the LDAP directory.

This configuration can be found in:

  • LDAP User Sync Configuration under the LDAP section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/ldap.properties
Parameters for LDAP
| Parameter in Config Tab | Parameter in Properties File | Description |
|---|---|---|
| Enforce Sync? | ldap.user.enforce | Delete any user account that no longer has the required AD group membership. If this is not set, the account is soft-deleted instead: it is disabled and the user cannot authenticate. If the account is later found to have the required group membership again, it is re-enabled. |
| Auto Enroll Enabled? | ldap.autoenroll.enabled | Set to true to enable LDAP auto-enrollment. |
| Auto Enroll Group | ldap.autoenroll.group | Name of the auto-enrollment group in the LDAP directory. All members of this group are automatically enrolled when they register a new device. The group syntax is CN=<GroupName>,OU=<GroupFolder>,DC=<LDAPDirectoryName> |
| Auto Enroll Limit | ldap.autoenroll.limit.policy | Maximum number of accounts that can be created in any one sync job. |
| Search Base | ldap.search.base | The DN (Distinguished Name) of the search base object where the LDAP directory lookup begins. |
| Search Object Class | ldap.search.objectclass | The objectclass of the search base target. If unsure of the right option, set to person. |
| Force Create User if not Found? | ldap.autoenroll.userNotFound.forceCreate | If true, the user is created during enrollment when no account exists yet, provided server-side enrollment is not set to true. |
| Is Domain Dependant? | policy.ldap.domain.dependant | If true, WebSocket servers are made independent per domain. |
| Attribute Name | ldap.user.attributename | Additional LDAP attribute used for the subject in CSRs. |
| First Name Field | ldap.field.first.name | LDAP attribute used as the user's first name. |
| Last Name Field | ldap.field.last.name | LDAP attribute used as the user's last name. |
| Full Name Field | ldap.field.last.name | LDAP attribute used as the user's full name. |
| Username Field | ldap.field.user.name | LDAP attribute used as the user name. |
| Email Field | ldap.field.email | LDAP attribute used as the user's email address. |
| Account Username Field | ldap.field.account.username | LDAP attribute used as the user's account username when authenticating with AD (must be a unique attribute). |
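As an added example (not part of the idenprotect product or its installer), the script below parses a constructed ldap.properties excerpt and checks the keys documented above: boolean flags hold true/false, ldap.autoenroll.group follows the CN=...,OU=...,DC=... form, the auto-enroll limit is a positive integer, and an Account Username Field is set. The file content, group name and domain components are made up for the example.

```python
import re

# Constructed /etc/idenprotect/ldap.properties excerpt with two deliberate
# mistakes: "OU" without "=" in the group DN and a non-numeric limit.
SAMPLE_PROPERTIES = """
# user sync
ldap.user.enforce=false
ldap.autoenroll.enabled=true
ldap.autoenroll.group=CN=idp-autoenroll,OUGroups,DC=example,DC=com
ldap.autoenroll.limit.policy=fifty
ldap.search.base=DC=example,DC=com
ldap.search.objectclass=person
ldap.field.account.username=cn
"""

BOOLEAN_KEYS = ("ldap.user.enforce", "ldap.autoenroll.enabled",
                "ldap.autoenroll.userNotFound.forceCreate")
# Documented syntax: CN=<GroupName>,OU=<GroupFolder>,DC=<LDAPDirectoryName>;
# real directories often nest several OU= and DC= components, so repeats are allowed.
GROUP_DN_RE = re.compile(r"^CN=[^,]+(,OU=[^,]+)+(,DC=[^,]+)+$", re.IGNORECASE)

def parse_properties(text):
    """Minimal key=value parser for the subset of Java .properties used here."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")   # first '=' separates key from value
        props[key.strip()] = value.strip()
    return props

def check_ldap_properties(props):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    problems = []
    for key in BOOLEAN_KEYS:
        if key in props and props[key].lower() not in ("true", "false"):
            problems.append(f"{key}: expected true/false, got {props[key]!r}")
    if props.get("ldap.autoenroll.enabled", "").lower() == "true":
        group = props.get("ldap.autoenroll.group", "")
        if not GROUP_DN_RE.match(group):
            problems.append(f"ldap.autoenroll.group: not of the form CN=...,OU=...,DC=...: {group!r}")
        limit = props.get("ldap.autoenroll.limit.policy", "")
        if not (limit.isdigit() and int(limit) > 0):
            problems.append(f"ldap.autoenroll.limit.policy: expected a positive integer, got {limit!r}")
    if not props.get("ldap.field.account.username"):
        problems.append("ldap.field.account.username: must name a unique attribute (default is mail)")
    return problems
```

Calling check_ldap_properties(parse_properties(open("/etc/idenprotect/ldap.properties").read())) before restarting the service reports the two mistakes in the sample and nothing once they are corrected.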