By configuring the LDAP Configuration element, you specify how WebOffice 10.9 R4 connects to the LDAP system using the LDAP v3 protocol.

You can also specify an LDAPS server connection secured via SSL/TLS in this configuration.

Note: When using an LDAPS server, the corresponding SSL/TLS certificate for the WebOffice application must be imported.

The LDAP system connection is read-only: WebOffice 10.9 R4 only needs to search for the login user and bind as that user.

See chapter Import SSL Certificates in SynAdmin for more information.

 

LDAP / LDAPS configuration

 

Property

Description

LDAP Server URL

The LDAP(S) Server URL to be provided depends on the LDAP(S) system provider.

It is an LDAP(S) URL that specifies the domain name of the directory server to connect to and the TCP/IP port number to be used.

CAUTION! When using LDAPS, the Fully-Qualified Domain Name (FQDN) of the LDAPS server must be specified, not only the domain name, so that it matches the server certificate imported into the Java or WebOffice certificate store. See chapter Import SSL Certificates in SynAdmin for more information.
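As an added illustration (not part of the WebOffice documentation or product), the following Python check parses an LDAP Server URL the way an administrator might validate it before saving the configuration: it derives the effective port from the scheme and flags an LDAPS URL whose host is an IP address or an unqualified short name, the case the caution above warns about. The function name and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

# Default TCP ports of LDAP v3: plain LDAP and LDAP over SSL/TLS (LDAPS).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def check_ldap_url(url):
    """Parse an LDAP Server URL as it would be entered in the LDAP
    Configuration element. Returns the scheme, host, effective port, whether
    the connection is secured (LDAPS) and a list of problems to fix first."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    result = {"scheme": scheme, "host": parts.hostname, "port": None,
              "secure": scheme == "ldaps", "problems": []}
    if scheme not in DEFAULT_PORTS:
        result["problems"].append("scheme must be ldap:// or ldaps://")
        return result
    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        result["problems"].append("port is not a valid TCP port number")
        return result
    # No explicit port: the client uses the protocol default.
    result["port"] = port if port is not None else DEFAULT_PORTS[scheme]
    host = parts.hostname
    if not host:
        result["problems"].append("host name is missing")
        return result
    if result["secure"]:
        # LDAPS: the client verifies the server certificate against the name
        # in the URL, so the URL must carry the FQDN the certificate names.
        try:
            ipaddress.ip_address(host)
            result["problems"].append(
                "LDAPS host is an IP address; use the FQDN from the server certificate")
        except ValueError:
            if "." not in host:
                result["problems"].append(
                    "LDAPS host is not fully qualified; use the FQDN from the server certificate")
    return result


if __name__ == "__main__":
    # Constructed sample URLs; the host names are placeholders.
    for sample in ("ldaps://dc01.example.org:636", "ldaps://dc01", "ldap://ldap.example.org"):
        print(sample, "->", check_ldap_url(sample))
```

The check deliberately stops at the first structural problem (bad scheme, bad port, missing host) because later checks would only produce follow-on noise; an administrator fixes that one item and runs the check again.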

Secure connection?

Enables LDAPS, i.e. LDAP traffic secured via SSL/TLS certificates.

Base DN

The LDAP entry that is the root base (Base DN or Base Distinguished Name) of the LDAP sub tree containing user objects.

Note: The configured Base DN must contain the user objects themselves, not only references to them.

This LDAP entry is used to start the search for a user that needs to be authenticated by the LDAP system.

For a standard OpenLDAP system, for example, the value would be dc=guessant,dc=org.

User ID field

The name of the LDAP attribute that stores the UNIQUE login name of the user.

This login name in the LDAP must be the same as the one entered by the user in the login dialog, e.g. sAMAccountName for MS Active Directory Server. Values such as sn or mail are possible as well.

Display Name field

The name of the attribute that stores the full verbose name of the user, e.g. displayName.

User: Ignore referrals?

Ignore referrals (true) to speed up the LDAP search. Search results might then be incomplete.

Role Base DN

The LDAP entry that is the root base (Base DN or Base Distinguished Name) of the subtree containing groups.

This LDAP entry is used to start the search for all roles of the user to be authenticated.

For a standard OpenLDAP system, for example, the value would be ou=roles,dc=org.

Role members field

The name of the attribute that stores the identifiers (DNs) of the users that are members of a role.

Role field

The name of the attribute that stores the name of the role.

Roles: Ignore referrals?

Ignore referrals (true) to speed up the LDAP search. Search results might then be incomplete.

Roles: Searching for all ancestors?

Searches recursively for all ancestor entries (true). For example, when group A is a member of group B, group B is also returned.

Note: This function allows nested AD groups.

User name of service user

User name of service user (the service user is the LDAP user which is granted access to connect to the LDAP system, search for user objects and read the necessary attributes).

Note: If not specified, the connection is anonymous. This works for some LDAP systems, e.g. OpenLDAP, but not for others, e.g. MS Active Directory Server.

Note that you (or the LDAP system administrator) need to verify that the user configured here has the necessary set of rights in the LDAP system (i.e. connect and bind rights).

Password of service user

Password of service user.

LDAP configuration

 

Note: To solve problems with LDAP authentication, the tool JXplorer is very helpful. You can find it in WebOffice10.9R4-DVD\Software\Util\JXplorer\jxplorer-3.3.1.2-windows-installer.exe. Please use this tool before contacting the WebOffice Support Team. Instead of JXplorer you can also use ApacheDirectoryStudio.

See also how to read out attributes from MS AD.

The Microsoft AD group Domain Users contains by default every user account created in the domain. By configuring Domain Users in your WebOffice user management groups, it is possible to set restrictions/rights for all of your Microsoft AD members at once.

 

To use the Active Directory groups in WebOffice 10.9 R4, the groups in the user management database have to be named identically (case sensitive). No user has to be a member of the group. All user groups of the Active Directory can be used, even the Domain Users group.

 

Steps to read out the group names using e.g. JXplorer:

1. Search for the user with <User ID field> in path <Role Base DN>

2. Read out the DN distinguishedName

3. Search for the DN in path <Role Base DN> in field <Role members field>

4. Read out the role <Role field>

5. Use these roles as the UM group names
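The lookup described by the steps above, together with the recursive ancestor search of the Roles: Searching for all ancestors? property, as an added Python example that is not part of the WebOffice documentation or product. The in-memory directory, the configuration dictionary, the attribute names and all DNs are constructed for the example; the search function is a minimal stand-in for an LDAP subtree search with an equality filter. The example also shows the RFC 4515 escaping a client should apply to the login name before placing it in the search filter, so that a login such as a)(cn=* cannot change the filter (LDAP injection), and it stops the ancestor walk when group memberships form a cycle.

```python
# Constructed in-memory directory: (dn, attributes) entries standing in for
# what JXplorer would show below Base DN (users) and Role Base DN (groups).
PEOPLE = "ou=people,dc=guessant,dc=org"
ROLES = "ou=roles,dc=guessant,dc=org"
ALICE, BOB = f"cn=Alice Adams,{PEOPLE}", f"cn=Bob Brown,{PEOPLE}"
EDITORS, USERS, DOMAIN = f"cn=GIS Editors,{ROLES}", f"cn=GIS Users,{ROLES}", f"cn=Domain Users,{ROLES}"
PROJ_X, PROJ_Y = f"cn=Project X,{ROLES}", f"cn=Project Y,{ROLES}"
DIRECTORY = [
    (ALICE, {"sAMAccountName": ["aadams"], "displayName": ["Alice Adams"]}),
    (BOB, {"sAMAccountName": ["bbrown"], "displayName": ["Bob Brown"]}),
    (EDITORS, {"cn": ["GIS Editors"], "member": [ALICE]}),
    (USERS, {"cn": ["GIS Users"], "member": [EDITORS, BOB]}),     # nested: Editors in Users
    (DOMAIN, {"cn": ["Domain Users"], "member": [USERS]}),        # nested: Users in Domain Users
    (PROJ_X, {"cn": ["Project X"], "member": [BOB, PROJ_Y]}),     # X and Y form a cycle
    (PROJ_Y, {"cn": ["Project Y"], "member": [PROJ_X]}),
]

# Constructed values for the properties of the LDAP Configuration element.
CONFIG = {
    "base_dn": PEOPLE, "user_id_field": "sAMAccountName",
    "role_base_dn": ROLES, "role_members_field": "member", "role_field": "cn",
    "roles_all_ancestors": True,
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value inside an LDAP search filter, so user input
    such as 'a)(cn=*' cannot alter the filter structure (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(config, login):
    """The equality filter a real client would send in step 1."""
    return "(%s=%s)" % (config["user_id_field"], escape_filter_value(login))


def in_subtree(dn, base_dn):
    """True if dn lies at or below base_dn (subtree scope), compared case-insensitively."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search(directory, base_dn, attr, value):
    """Stand-in for a subtree search with filter (attr=value): exact,
    case-insensitive matching, as LDAP servers do for caseIgnore attributes."""
    return [(dn, attrs) for dn, attrs in directory
            if in_subtree(dn, base_dn)
            and value.lower() in [v.lower() for v in attrs.get(attr, [])]]


def find_user(directory, config, login):
    """Steps 1 and 2: search the user below Base DN by the User ID field and
    return the distinguishedName; None if not found or not unique."""
    hits = search(directory, config["base_dn"], config["user_id_field"], login)
    return hits[0][0] if len(hits) == 1 else None


def resolve_roles(directory, config, user_dn):
    """Steps 3 and 4: collect the Role field of every group below Role Base DN
    whose Role members field contains the DN. With roles_all_ancestors the
    groups containing those groups are added recursively (nested AD groups);
    'seen' stops the walk when memberships form a cycle."""
    roles, seen, todo = set(), set(), [user_dn]
    while todo:
        member_dn = todo.pop()
        if member_dn.lower() in seen:
            continue
        seen.add(member_dn.lower())
        for group_dn, attrs in search(directory, config["role_base_dn"],
                                      config["role_members_field"], member_dn):
            roles.update(attrs.get(config["role_field"], []))
            if config["roles_all_ancestors"]:
                todo.append(group_dn)
    return sorted(roles)


def roles_for_login(directory, config, login):
    """Step 5: the role names to use as the WebOffice user management group names."""
    user_dn = find_user(directory, config, login)
    return [] if user_dn is None else resolve_roles(directory, config, user_dn)


if __name__ == "__main__":
    for login in ("aadams", "bbrown", "nobody"):
        print(build_user_filter(CONFIG, login), "->", roles_for_login(DIRECTORY, CONFIG, login))
```

Running it shows that aadams receives GIS Editors plus the two groups above it, while bbrown receives Project X and Project Y once each despite the cycle between them; switching roles_all_ancestors to false reduces aadams to the single group that lists the user DN directly, which is the incomplete result the property exists to avoid for nested AD groups.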