
LDAP Configuration


The LDAP Configuration element specifies how WebOffice 10.8 SP2 connects to the LDAP system using the LDAP v3 protocol.

An LDAPS server connection secured via SSL/TLS can also be configured here.

 

Note: 

When using an LDAPS server, the corresponding SSL/TLS certificate for the WebOffice application must be imported. See chapter Import SSL Certificates in SynAdmin for more information.

The LDAP connection is read-only: WebOffice 10.8 SP2 only needs to search for the login user and bind to it.

 

LDAP / LDAPS configuration


 

Property

Description

LDAP Server URL

LDAP(S) Server URL to be provided depends on the LDAP(S) system provider.

It is an LDAP(S) URL that specifies

the domain name of the directory server to connect to

the TCP/IP port number to be used.

 

Examples:

ldap://ds.example.com:389

ldaps://ds.example.com:636

 

Caution: 

Please note that when using LDAPS, the Fully-Qualified Domain Name (FQDN) of the LDAPS server must be specified, not only the domain, because the certificate in the Java or WebOffice certificate store is matched against this host name. See chapter Import SSL Certificates in SynAdmin for more information.
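The following added example (not part of the WebOffice documentation) checks an LDAP(S) Server URL the way the caution above requires: only the ldap and ldaps schemes are accepted, the default ports 389 and 636 are filled in when the URL omits one, and an ldaps URL whose host is not a fully qualified name is rejected, since certificate host name matching would fail against a short name. The function name check_ldap_url is an assumption of this example, not a WebOffice API.

```python
from urllib.parse import urlsplit

# Default ports for the two schemes (the page's examples use 389 and 636).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def check_ldap_url(url: str) -> dict:
    """Validate an LDAP(S) Server URL and return its normalised parts.

    Raises ValueError for anything that would not work in the configuration:
    an unknown scheme, a missing host, or (for ldaps) a host that is not a
    fully qualified domain name, because the certificate in the trust store
    is matched against the host name given here.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use ldap:// or ldaps://")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host name")
    # .port raises ValueError itself when the port is not a valid number.
    port = parts.port or DEFAULT_PORTS[scheme]
    if scheme == "ldaps" and "." not in host:
        # Short name only: certificate host name matching will fail.
        raise ValueError(f"ldaps requires the FQDN of the server, got {host!r}")
    return {"scheme": scheme, "host": host, "port": port, "secure": scheme == "ldaps"}


if __name__ == "__main__":
    for candidate in ("ldap://ds.example.com:389", "ldaps://ds.example.com", "ldaps://ds:636"):
        try:
            print(candidate, "->", check_ldap_url(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

Run against the two example URLs from the table the function returns port 389 and 636 respectively; a URL such as ldaps://ds:636 is rejected with the FQDN message.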

Secure connection?

Enables secured LDAPS traffic via SSL certificates.

Base DN

The LDAP entry that is the root base (Base DN or Base Distinguished Name) of the LDAP subtree containing the user objects.

Note: The configured Base DN must contain the user objects themselves, not only references to them.

This LDAP entry is used to start the search for a user that needs to be authenticated by the LDAP system.

If e.g. using a standard OpenLDAP system the value would be dc=guessant,dc=org.

User ID field

The name of the LDAP attribute that stores the UNIQUE login name of the user.

This login name in the LDAP must be the same as the one entered by the user in the login dialog, e.g. sAMAccountName for MS Active Directory Server. Values such as sn or mail are possible as well.

Display Name field

The name of the attribute that stores the full verbose name of the user, e.g. displayName.

User: Ignore referrals?

Set to true to ignore LDAP referrals, which speeds up the LDAP search. Search results might then be incomplete.

Role Base DN

The LDAP entry that is the root base (Base DN or Base Distinguished Name) of the subtree containing groups.

This LDAP entry is used to start the search for all roles of a user to be authenticated.

If e.g. using a standard OpenLDAP system the value would be ou=roles,dc=org.

Role members field

The name of the attribute that stores the ids of the users having a role.

Role field

The name of the attribute that stores the name of the role.

Roles: Ignore referrals?

Set to true to ignore LDAP referrals, which speeds up the LDAP search. Search results might then be incomplete.

Roles: Searching for all ancestors?

Set to true to search recursively for all ancestor entries. For example, when group A is a member of group B, then group B is returned as well.

Note: This function allows nested AD groups.

User name of service user

User name of service user (the service user is the LDAP user which is granted access to connect to the LDAP system, search for user objects and read the necessary attributes).

Note: If not specified, the connection is anonymous. This works for some LDAP systems such as OpenLDAP, but not for e.g. MS Active Directory Server.

Verify with the LDAP system administrator that the user configured here has the necessary set of rights in the LDAP system (i.e. "connect" and "bind" rights).

Password of service user

Password of service user.

LDAP configuration

 

Note: To solve problems with LDAP authentication the tool JXplorer is very helpful. You can find it in WebOffice10.8-DVD\Software\Util\JXplorer\jxplorer-3.3.1.2-windows-installer.exe. Please use this tool before contacting WebOffice Support Team. Instead of JXplorer you can also use ApacheDirectoryStudio.

Note: See also how to read out attributes from MS AD.

Note: The Microsoft AD group 'Domain Users' contains by default every user account created in the domain. By configuring 'Domain Users' in your WebOffice user management groups, restrictions/rights can be set for all of your Microsoft AD members at once.

 

To use the Active Directory groups in WebOffice 10.8 SP2, the groups in the UserManagement Database have to be named identically (case sensitive). No user needs to be a member of the group. All user groups of the Active Directory can be used, even the Domain Users group. Nested groups are not supported.

 

Steps to determine the group names using e.g. JXplorer:

1. Search for the user with <User ID field> in path <Role Base DN>

2. Read out the DN (distinguishedName)

3. Search for the DN in path <Role Base DN> in field <Role members field>

4. Read out the role <Role field>

5. Use these roles for the UM group names
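The added example below (written for this page; not WebOffice code) walks through the steps above against a small constructed in-memory directory, using the property names of the LDAP Configuration element: the user is looked up below the Base DN by the User ID field, its DN is then searched for in the Role members field below the Role Base DN, and the Role field of every matching group is read. The all_ancestors switch repeats the group search for each group found, which is what "Roles: Searching for all ancestors?" describes. It also shows the RFC 4515 escaping a client must apply to the login name before placing it in a search filter, since an unescaped name would alter the filter the server evaluates. The DNs, attribute values and CONFIG entries are assumed sample data; the function names are this example's own.

```python
import re

# Constructed sample directory (not real data). Each DN maps to its attributes,
# the way JXplorer would display an AD-like tree: user objects under the Base
# DN, group objects under the Role Base DN, membership stored as member DNs.
DIRECTORY = {
    "CN=Alice Example,OU=Users,DC=example,DC=org": {
        "sAMAccountName": ["alice"], "displayName": ["Alice Example"]},
    "CN=Bob Example,OU=Users,DC=example,DC=org": {
        "sAMAccountName": ["bob"], "displayName": ["Bob Example"]},
    "CN=GIS Editors,OU=Groups,DC=example,DC=org": {
        "cn": ["GIS Editors"],
        "member": ["CN=Alice Example,OU=Users,DC=example,DC=org"]},
    "CN=GIS Users,OU=Groups,DC=example,DC=org": {
        "cn": ["GIS Users"],
        # Nested group: GIS Editors is itself a member of GIS Users.
        "member": ["CN=GIS Editors,OU=Groups,DC=example,DC=org",
                   "CN=Bob Example,OU=Users,DC=example,DC=org"]},
}

# Property values as they would be entered in the LDAP Configuration element
# (assumed values chosen to match the sample tree above).
CONFIG = {
    "base_dn": "OU=Users,DC=example,DC=org",
    "user_id_field": "sAMAccountName",
    "role_base_dn": "OU=Groups,DC=example,DC=org",
    "role_members_field": "member",
    "role_field": "cn",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A login name taken from the login dialog must never be pasted into a
    filter unescaped: the characters ( ) * \\ and NUL would otherwise change
    the structure of the filter the server evaluates.
    """
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def equality_filter(attr: str, value: str) -> str:
    """Build the (attr=value) filter string a real client would send."""
    return f"({attr}={escape_filter_value(value)})"


def search(directory: dict, base_dn: str, attr: str, value: str) -> list:
    """Mock subtree search with an equality filter: returns matching DNs.

    Values are compared as literal strings (case-insensitively, as directory
    servers do for DN and name attributes), which is exactly the effect that
    escaping the filter value has on a real server.
    """
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base_dn.lower())
            and any(v.lower() == value.lower() for v in attrs.get(attr, []))]


def roles_for_user(login: str, cfg: dict = CONFIG, directory: dict = DIRECTORY,
                   all_ancestors: bool = False):
    """Resolve the role names of a login following the steps on the page.

    1-2: find the user entry below Base DN by User ID field and take its DN.
    3-4: find groups below Role Base DN whose Role members field holds that DN
         and read their Role field.
    With all_ancestors=True every group found is searched for in turn, which
    is what 'Roles: Searching for all ancestors?' describes for nested groups.
    Returns None when the login is unknown or not unique, else sorted names.
    """
    hits = search(directory, cfg["base_dn"], cfg["user_id_field"], login)
    if len(hits) != 1:                 # unknown login or non-unique User ID field
        return None
    roles, queue, seen = [], [hits[0]], set()
    while queue:
        member_dn = queue.pop(0)
        for group_dn in search(directory, cfg["role_base_dn"],
                               cfg["role_members_field"], member_dn):
            if group_dn in seen:       # guards against membership cycles
                continue
            seen.add(group_dn)
            roles.extend(directory[group_dn].get(cfg["role_field"], []))
            if all_ancestors:
                queue.append(group_dn)
    return sorted(roles)


if __name__ == "__main__":
    print(equality_filter(CONFIG["user_id_field"], "alice"))
    print(roles_for_user("alice"))                      # direct groups only
    print(roles_for_user("alice", all_ancestors=True))  # plus nested parents
```

The names returned by roles_for_user are the ones that would have to appear, spelled identically, as group names in the UserManagement Database. The seen set matters in practice: group memberships in a directory can form cycles, and a recursive ancestor search without it would never terminate.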