4.0 LDAP Servers and Synchronization

LDAP Configuration Dialog

Path: Port 8443 TeamWorks Admin Console > System > LDAP

Best Practice: Plan your LDAP Servers and use the following worksheets when working in this dialog:

  • Worksheet 5 - LDAP Synchronization

Table 4-1 Using the LDAP Configuration dialog

Field, Option, or Button

Information and/or Action

LDAP Configuration dialog

LDAP Servers tab

  • Add button

  • Click this to open the LDAP Server Configuration dialog and add a new LDAP server to the list.

  • Delete button

  • Click this to remove the selected LDAP server from the list.

    IMPORTANT: Before you remove an LDAP server, make sure you consider the account options (Disable or Delete) that you have set for users and groups that are no longer in LDAP in the User Settings tab and the Group Settings tab.

  • Sync All button

HINT: If you have just added or modified the LDAP Servers configuration, you must save it by clicking OK before running an LDAP synchronization.

  • After your users and groups are synchronized, you can click this to refresh the LDAP information in TeamWorks.

  • To synchronize only certain users or groups, filter the list by entering a string in the Filter List.

    Or

  • Click the drop-down arrow next to the Filter List and select the type of users or groups to synchronize.

    For example, Added users, Modified users, Modified groups, and so forth.

  • Users and groups that have been modified by running the LDAP sync are reported, along with information about how they have been modified.

  • Preview Sync button

HINT: If you have just added or modified the LDAP Servers configuration, you must save it by clicking OK before previewing an LDAP synchronization.

  • Use this to preview the synchronization results—users and groups that will be added or deleted, users that will be disabled, and so on—before you run the actual synchronization.

    • To preview only certain users or groups, filter the list by entering a string in the Filter List.

      Or

    • Click the drop-down arrow next to the Filter List and select the type of users or groups to preview.

      For example, Added users, Modified users, Modified groups, and so forth.

  • After you are satisfied with the results, use the Sync All option with the same filters to perform the actual synchronization.

  • Show Sync Results button

  • Use this to display the most recent synchronization results for the current browser session.

NOTE: If you run a synchronization, log out of TeamWorks, and then log in again, no previous synchronization results are available to view.

LDAP servers list

  • Server URL

  • The URL of the LDAP server, as entered in the LDAP Server Configuration dialog.

  • User DN

  • The LDAP proxy user that TeamWorks binds as when it reads users and groups from this server.

User Settings tab

  • Register User Profiles Automatically

  • Select this option to automatically add LDAP users to the TeamWorks site.

  • Synchronize User Profiles

  • Select this option to automatically update TeamWorks with user information changes following the initial LDAP synchronization.

  • The attributes that are synchronized are the attributes listed in the mappings box in the Server Information tab.

For user accounts provisioned from LDAP that are no longer in LDAP sub-section

  • Disable Account

  • Select this if you want the LDAP synchronization process to disable, rather than delete, TeamWorks accounts whose users have been removed from the LDAP directory. Because Delete Account is not reversible, this is the safer choice unless you are certain the users will not return.

  • Delete Account

IMPORTANT: A deleted user cannot be undeleted; this action is not reversible.

  • Select this only if you have deleted users from your LDAP directory and you want the LDAP synchronization process to also remove them from TeamWorks.

Use the following when creating new users sub-section

  • Time zone:

  • Use this drop-down list to set the time zone for user accounts that are synchronized from the LDAP directory into your TeamWorks site.

  • The time zone list is grouped first by continent or region, optionally by country or state, and lastly by city.

  • Locale:

  • Use this drop-down list to set the locale for user accounts that are synchronized from the LDAP directory into your TeamWorks site.

  • The locale list is sorted alphabetically by language.

Group Settings tab

  • Register LDAP group profiles automatically

  • Select this to automatically add new LDAP groups to the TeamWorks site.

    NOTE: LDAP groups are not included or supported in the TeamWorks apps for the initial release, but are currently planned to be supported in the future.

    We recommend that you synchronize groups despite the initial limitation.

  • Synchronize group profiles

  • Select this to synchronize group information, such as the group description, to the TeamWorks site whenever this information changes in LDAP.

  • Synchronize group membership

  • This option ensures that the TeamWorks group includes the same users (and possibly groups) as the corresponding LDAP group.

    If this is not selected, then LDAP group changes are not reflected in TeamWorks.

  • Delete groups that were provisioned from LDAP but are no longer in LDAP

IMPORTANT: A deleted group cannot be undeleted; this action is not reversible.

  • Select this only if you have deleted groups from your LDAP directory and you want the LDAP synchronization process to also remove the groups from TeamWorks.

Synchronization Schedule tab

  • Enable schedule

  • This is selected by default so that LDAP synchronizations occur at regular intervals.

  • You should not normally de-select this unless you are troubleshooting a problem or working with Micro Focus support to resolve a service request.

  • Every day

  • Select this to run an LDAP synchronization every day at the time or interval specified below.

  • On selected days

  • Select this if you want the LDAP synchronization to run only on specific days.

  • At HH:MM

  • Using the drop-down lists, you can specify synchronizations to occur at a specific time.

  • Hours start at midnight (0) and continue through 11 p.m. (23).

  • Minutes can be specified using 5-minute increments.

  • Repeat every X hours

  • As an alternative to synchronizing at a specific time, you can set a time interval and synchronize multiple times each day (for example, every four hours).

  • The smallest time interval you can set is 0.25 hours (every 15 minutes).

Local User Accounts tab

  • Allow log in for local user accounts (that is, user accounts that are not in LDAP)

  • Use this to enable or disable logging in by locally created and self-provisioned user accounts.

LDAP Server Configuration Dialog

Path: Port 8443 TeamWorks Admin Console > System > LDAP > Add button

Best Practice: Plan your LDAP Servers and use the following worksheets when working in this dialog:

  • Worksheet 4 - Users and Groups

Table 4-2 Using the LDAP Server Configuration dialog

Field, Option, or Button

Information and/or Action

LDAP Server Configuration dialog

Server Information tab

  • LDAP Server URL

WARNING: If you modify an existing LDAP connection, do not modify this LDAP server URL field. Users that were synchronized from the old URL can then appear to be no longer in LDAP and be disabled or deleted according to the options set in the User Settings tab.

  • This is the URL of the LDAP server where your directory service is running.

    Specify a URL with the format your server requires, as follows:

    • ldap://hostname (uses port 389, the LDAP default)

    • ldaps://hostname (uses port 636, the LDAP-over-TLS default)

  • If the LDAP server uses a different port number from those above, you must include the port in the URL as follows:

    • ldap://hostname:port_number

    • ldaps://hostname:port_number

  • Use ldaps:// whenever the server supports it. With ldap://, the proxy user's password is sent to the server in cleartext each time TeamWorks binds to synchronize.

  • User DN:

    (LDAP proxy user)

IMPORTANT: If you are using GroupWise 18 as an LDAP directory source, make sure you have followed the instructions in Configuring GroupWise LDAP Provisioning in the GroupWise Mobility Service 18 Administration Guide.

Specifically, you must create an Admin App in GroupWise to act as the LDAP proxy user for importing and synchronizing users and groups, and you must know the GroupWise system name to use it as the organization name when specifying the proxy user name.

  • This is the LDAP proxy user and it must have sufficient rights to access the user information stored there.

  • You must specify a fully qualified, comma-delimited user name, along with its context in your LDAP directory tree, in the format expected by your directory service.

    • GroupWise: cn=gw-admin-app-name,o=gw-system-name

    • eDirectory: cn=username,ou=organizational_unit,o=organization

    • Active Directory: cn=username,ou=organizational_unit,dc=domain_component
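
The following Python script is an added example written for this page; it is not part of TeamWorks or this guide. It applies the URL and User DN rules above to values you intend to type into the dialog: it resolves the port (389 for ldap://, 636 for ldaps://, unless one is given), warns when ldap:// would send the proxy password in cleartext, checks the DN against the documented form for the selected directory type, and flags container names longer than the 128-character limit stated for the Base DN fields later in this section. The sample URL and DN values are constructed, `lint_server_info` and `split_dn` are names chosen here, and treating each container RDN value as a "container name" for the 128-character check is an assumption about how that limit is applied.

```python
"""Lint for the LDAP Server URL and proxy User DN fields (added example, not TeamWorks code)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}      # IANA defaults for LDAP and LDAP over TLS

# RDN type sequence of the documented User DN formats. Repeated consecutive types
# (ou=a,ou=b or dc=x,dc=y) are collapsed before comparing, so deeper trees still match.
DOCUMENTED_SHAPES = {
    "GroupWise": ["cn", "o"],
    "eDirectory": ["cn", "ou", "o"],
    "Active Directory": ["cn", "ou", "dc"],
}
MAX_CONTAINER_LEN = 128   # limit the LDAP Search dialog states for container names (assumed per RDN)


def split_dn(dn):
    """Split a DN into lower-cased (type, value) pairs, honouring backslash-escaped commas."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape and escaped char together
            current += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(current)
            current = ""
        else:
            current += dn[i]
        i += 1
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def lint_server_info(url, user_dn, directory_type):
    """Return the parsed connection details plus the warnings a reviewer would raise."""
    if directory_type not in DOCUMENTED_SHAPES:
        raise ValueError(f"unknown directory type {directory_type!r}")
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"LDAP Server URL must start with ldap:// or ldaps://, got {url!r}")
    if not parts.hostname:
        raise ValueError("LDAP Server URL has no host name")
    warnings = []
    if parts.scheme == "ldap":
        warnings.append("ldap:// sends the proxy user's simple-bind password in cleartext; prefer ldaps://")
    if parts.path or parts.query:
        warnings.append("URL should contain only scheme, host and optional port")

    pairs = split_dn(user_dn)
    collapsed = []
    for attr_type, _ in pairs:
        if not collapsed or collapsed[-1] != attr_type:
            collapsed.append(attr_type)
    if collapsed != DOCUMENTED_SHAPES[directory_type]:
        wanted = ",".join(f"{t}=..." for t in DOCUMENTED_SHAPES[directory_type])
        warnings.append(f"User DN does not match the documented {directory_type} form {wanted}")
    for attr_type, value in pairs[1:]:            # everything after the leaf RDN is a container
        if len(value) > MAX_CONTAINER_LEN:
            warnings.append(f"container {attr_type}={value[:20]}... exceeds {MAX_CONTAINER_LEN} characters")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "user_dn": pairs,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample values, not a real site.
    result = lint_server_info("ldap://ldap.example.com",
                              "cn=tw-proxy,ou=svc,dc=example,dc=com", "Active Directory")
    print(result["port"], *result["warnings"], sep="\n")
```

The DN-shape check is only a warning because a valid proxy DN may sit in a container the documented pattern does not show (for example the default Users container in Active Directory); the cleartext warning is the one to treat as a blocker.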

  • Password:

    (LDAP proxy user password)

  • You must type the password for the User DN.

  • Directory Type:

  • Select the directory type for the LDAP server that you are configuring (GroupWise, eDirectory, or Active Directory).

  • Guid attribute:

  • Based on the directory type you have selected, TeamWorks selects the standard LDAP attribute used to identify a user.

  • entryUUID, GUID, and objectGUID: These are the default, binary attributes for GroupWise, eDirectory, and Active Directory, respectively.

    They have unique values that do not change if you rename or move a user in the LDAP directory, thus ensuring that TeamWorks modifies the existing user rather than creating a new one.

  • Other: Selecting this option in the Guid attribute drop-down prompts you to map users to a different LDAP attribute by specifying the attribute name and then clicking OK.

    • You must ensure that the attribute you specify is a binary attribute.

      For example, the cn attribute cannot be used because it is not a binary attribute.

    • If you cancel the prompt to specify an attribute or specify an attribute that is not binary, TeamWorks creates new TeamWorks users when users are renamed or moved instead of updating the existing ones.

      For example, if you have a TeamWorks user who is also an LDAP user named William Jones, and if William requests that you change his name to Bill in the LDAP directory, then the next time an LDAP synchronization occurs, TeamWorks creates a new user named Bill Jones, and the existing William Jones account appears to TeamWorks as a user who is no longer in LDAP.
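
As an added illustration of the William Jones case (example code written for this page, not TeamWorks code), the script below simulates a Preview Sync over two constructed snapshots of an Active Directory container: one before and one after William is renamed to Bill and another user is deleted from the directory. `preview_sync` keys the already-provisioned accounts on the chosen Guid attribute and reports what a sync would add, modify, disable or delete; running it keyed on objectGUID and then on cn shows why the binary, unchanging attribute matters, and what happens when that mistake is combined with Delete Account. The entries, the synchronized attribute list and the function names are constructed for the example; in TeamWorks the synchronized attributes come from the LDAP Attribute Mappings box.

```python
"""Preview of an LDAP sync keyed on the Guid attribute (added example, not TeamWorks code)."""

# Constructed LDAP entries, as they might look before and after an administrator renames
# William Jones to Bill Jones. objectGUID values are bytes, as Active Directory returns them.
LDAP_BEFORE = [
    {"objectGUID": b"\x01" * 16, "sAMAccountName": "wjones", "cn": "William Jones", "mail": "wjones@example.com"},
    {"objectGUID": b"\x02" * 16, "sAMAccountName": "asmith", "cn": "Alice Smith", "mail": "asmith@example.com"},
]
LDAP_AFTER = [
    {"objectGUID": b"\x01" * 16, "sAMAccountName": "bjones", "cn": "Bill Jones", "mail": "bjones@example.com"},
    # asmith was deleted from the directory; cdoe is new
    {"objectGUID": b"\x03" * 16, "sAMAccountName": "cdoe", "cn": "Carol Doe", "mail": "cdoe@example.com"},
]

SYNCED_ATTRS = ("cn", "mail")   # stands in for the LDAP Attribute Mappings box


def provision(ldap_entries, guid_attr, name_attr):
    """Initial registration: build the site's user table keyed on guid_attr."""
    return {entry[guid_attr]: dict(entry) for entry in ldap_entries}


def preview_sync(site_users, ldap_entries, guid_attr, name_attr, missing_policy="disable"):
    """Compute what a sync would do without applying it.

    site_users: accounts already provisioned from LDAP, keyed on the guid_attr value.
    missing_policy: "disable" or "delete", mirroring the User Settings tab options for
    accounts that are no longer in LDAP.
    Returns lists of account names under added / modified / disabled / deleted.
    """
    if missing_policy not in ("disable", "delete"):
        raise ValueError("missing_policy must be 'disable' or 'delete'")
    result = {"added": [], "modified": [], "disabled": [], "deleted": []}
    seen = set()
    for entry in ldap_entries:
        key = entry[guid_attr]
        seen.add(key)
        name = entry[name_attr]
        if key not in site_users:
            result["added"].append(name)
            continue
        current = site_users[key]
        # Only the mapped attributes (plus the account name itself) are compared.
        changed = [a for a in SYNCED_ATTRS + (name_attr,) if current.get(a) != entry[a]]
        if changed:
            result["modified"].append(name)
    for key, profile in site_users.items():
        if key not in seen:
            bucket = "disabled" if missing_policy == "disable" else "deleted"
            result[bucket].append(profile[name_attr])
    return result


if __name__ == "__main__":
    users = provision(LDAP_BEFORE, "objectGUID", "sAMAccountName")
    print("keyed on objectGUID:", preview_sync(users, LDAP_AFTER, "objectGUID", "sAMAccountName"))
    users = provision(LDAP_BEFORE, "cn", "sAMAccountName")
    print("keyed on cn + delete:", preview_sync(users, LDAP_AFTER, "cn", "sAMAccountName", "delete"))
```

Keyed on objectGUID the rename is reported as one modified user; keyed on cn the same change shows up as a new user plus a missing one, and with Delete Account selected the missing William Jones account would be removed irreversibly.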

  • TeamWorks account name attribute:

  • TeamWorks uses this attribute

    • To create TeamWorks account names

    • To locate users in the LDAP directory.

    • As the User ID for authentication purposes.

  • The value of this attribute must be unique in LDAP.

  • Attribute options depend on the directory type selected in the Directory type drop-down list.

    Consult with your directory administrator to determine which attribute or attributes are used in your directory service.

    • For GroupWise and eDirectory, the default available options are cn and Other.

    • For Active Directory, the default available options are sAMAccountName, cn, and Other.

    • If you select Other as the value for this attribute, you are prompted to enter the name of an LDAP attribute to use instead of the default choices.

  • Based on your findings, you might need to set up two or more LDAP sources that point to the same LDAP server but use different values for the TeamWorks account name attribute.

    For example, if you use Active Directory, you might need to set up one LDAP source that uses cn and another that uses sAMAccountName as the TeamWorks account name attribute.

  • In addition to the attributes already mentioned in this section, other LDAP attributes can be used for the TeamWorks account name attribute, as long as the attribute is unique for each User object.

    For example, the mail LDAP attribute could be used so that TeamWorks users can log in by using their email addresses.

  • LDAP Attribute Mappings box

  • This lists the mappings between TeamWorks user information and the LDAP attributes that correspond to them.

    It is populated automatically.

  • If Synchronize User Profiles is enabled in the User Settings tab, the information associated with the mappings configured here is updated each time the user account is synchronized.

OK button

  • If you are modifying previously configured LDAP server information, you can click OK. Otherwise, you must click the Users tab and add at least one LDAP search context before saving.

Cancel button

  • Click this to discard any LDAP server configuration changes that you have made and exit the tab.

Users tab

  • Add button

  • Click this to open the LDAP Search dialog (User Version) and add a Base DN under which TeamWorks searches for User objects.

  • Delete button

  • Click this to remove one or more selected user Base DN entries, for example, when the context no longer exists or when it is already covered by another entry.

OK button

  • If you are modifying previously configured User information, you can click OK.

  • If this is a new configuration, you should click the Groups tab and add an LDAP search context. Otherwise, expected groupings of users will not be available in TeamWorks.

Cancel button

  • Click this to discard your changes and exit.

Groups tab

  • Add button

  • Click this to open the LDAP Search dialog (Group Version) and add a Base DN under which TeamWorks searches for Group objects.

  • Delete button

  • Click this to remove one or more selected group Base DN entries, for example, when the context no longer exists or when it is already covered by another entry.

OK button

  • Click OK to save the LDAP server configuration.

Cancel button

  • Click this to discard your changes and exit.

LDAP Search Dialog (User Version)

Path: Port 8443 TeamWorks Admin Console > System > LDAP > Add button > Users tab > Add button

Table 4-3 Using the LDAP Search dialog (User Version)

Field, Option, or Button

Information and/or Action

LDAP Search dialog (User Version)

  • Base DN:

Best Practice: Use the Browse icon next to the Base DN field to browse the LDAP directory for the base DN that you want to use. This eliminates the risk of typing the context incorrectly. Also, if browsing fails, that means the LDAP server configuration is not correct and must be changed.

  • This is the directory context or container under which LDAP User objects are located.

  • When specifying this you must use the syntax required by your directory service type.

    • GroupWise: ou=gw-domain-name,o=gw-system-name

    • eDirectory: ou=organizational_unit,o=organization

    • Active Directory: ou=organizational_unit,dc=domain_component

IMPORTANT: Container names cannot exceed 128 characters. If they do, users are not provisioned.

  • Filter:

  • IMPORTANT: TeamWorks sets up a standard user filter for the LDAP server type.

    In almost all cases, this doesn’t require modification.

  • About User Filters:

    • By default, TeamWorks identifies potential users by filtering on the following LDAP object classes (objectClass values):

      • Person

      • orgPerson

      • inetOrgPerson

      If needed, you can modify the filter by combining clauses with the following operators. Each operator is written as a prefix inside its own parentheses, for example (&(objectClass=inetOrgPerson)(mail=*)):

      • | OR (the default)

      • & AND

      • ! NOT

  • A Group for TeamWorks Users:

    • You might want to create a group for only TeamWorks users, regardless of where they are located in your LDAP directory.

    • After creating the group, use the following filters to search for User objects that have the group membership attribute shown below.

      Make sure you include the parentheses in your filter.

      • GroupWise: (groupMembership=cn=group_name,ou=gw-domain-name,o=gw-system-name)

      • eDirectory: (groupMembership=cn=group_name,ou=organizational_unit,o=organization)

      • Active Directory: (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)

    IMPORTANT: Users in eDirectory sub-groups are not synchronized.

    However, for Active Directory you can create a filter that synchronizes users in sub-groups by using the LDAP_MATCHING_RULE_IN_CHAIN rule object identifier (OID), 1.2.840.113556.1.4.1941, in the following form:

    <attribute name>:<matching rule OID>:=<value>

    For example: (memberOf:1.2.840.113556.1.4.1941:=cn=group_name,ou=organizational_unit,dc=domain_component)
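
The following Python helpers are an added example written for this page, not TeamWorks code, for composing the filters described above: the default objectClass filter, the per-directory group-membership filter, the Active Directory nested-group variant using the LDAP_MATCHING_RULE_IN_CHAIN OID 1.2.840.113556.1.4.1941, and the &, | and ! operators. Every value placed in a filter is escaped as RFC 4515 requires, so a group name or DN that contains `*`, `(` or `)` cannot add clauses to the filter (LDAP filter injection), and `well_formed` checks that the result is a single balanced filter before you paste it into the Filter field. The group DN is constructed, and the function names are choices made here.

```python
"""Build and check LDAP user filters for the Filter field (added example, not TeamWorks code)."""

# Matching-rule OID for LDAP_MATCHING_RULE_IN_CHAIN, which makes Active Directory
# evaluate nested group membership. It is an AD extension; eDirectory does not support it.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Default object classes TeamWorks filters on, as listed above.
DEFAULT_CLASSES = ("Person", "orgPerson", "inetOrgPerson")

MEMBERSHIP_ATTR = {
    "GroupWise": "groupMembership",
    "eDirectory": "groupMembership",
    "Active Directory": "memberOf",
}


def escape_value(value):
    """RFC 4515 escaping of a filter assertion value: * ( ) \\ and NUL become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def object_class_filter(classes=DEFAULT_CLASSES, op="|"):
    """(|(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson)) by default."""
    if op not in ("|", "&"):
        raise ValueError("op must be | or &")
    return "(" + op + "".join(f"(objectClass={escape_value(c)})" for c in classes) + ")"


def group_member_filter(directory_type, group_dn, nested=False):
    """Restrict to members of one group. nested=True adds the in-chain rule (Active Directory only)."""
    attr = MEMBERSHIP_ATTR[directory_type]
    if nested:
        if directory_type != "Active Directory":
            raise ValueError("nested (sub-group) membership is only supported for Active Directory")
        attr = f"{attr}:{AD_IN_CHAIN}:"
    return f"({attr}={escape_value(group_dn)})"


def combine(op, *filters):
    """AND (&) or OR (|) several filters; NOT (!) takes exactly one."""
    if op not in ("&", "|", "!"):
        raise ValueError("op must be &, | or !")
    if op == "!" and len(filters) != 1:
        raise ValueError("! takes exactly one filter")
    return "(" + op + "".join(filters) + ")"


def well_formed(filter_text):
    """True if the text is one balanced, parenthesized filter (the dialog takes exactly one)."""
    depth = 0
    for i, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(filter_text) - 1:
                return False   # a second top-level filter follows the first
    return depth == 0 and filter_text.startswith("(")


if __name__ == "__main__":
    # Constructed group DN, not a real directory.
    group = "cn=TeamWorks Users,ou=Groups,dc=example,dc=com"
    f = combine("&", object_class_filter(), group_member_filter("Active Directory", group, nested=True))
    print(f, well_formed(f))
```

The escaping matters most for the group_name portion of the membership filters: a name such as `Sales*` typed without escaping would match every group whose name begins with Sales, and a stray `)` would break or widen the filter, whereas the escaped form matches only the intended DN.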

  • Search subtree

  • Select this if you want TeamWorks to search for users in containers underneath the base DN (that is, in subtrees).

LDAP Search Dialog (Group Version)

Path: Port 8443 TeamWorks Admin Console > System > LDAP > Add button > Groups > Add button

Table 4-4 Using the LDAP Search dialog (Group Version)

Field, Option, or Button

Information and/or Action

LDAP Search dialog (Group Version)

  • Base DN:

Best Practice: Use the Browse icon next to the Base DN field to browse the LDAP directory for the base DN that you want to use. This eliminates the risk of typing the context incorrectly. Also, if browsing fails, that means the LDAP server configuration is not correct and must be changed.

  • This is the directory context or container under which LDAP Group objects are located.

  • When specifying this you must use the syntax required by your directory service type.

    • GroupWise: ou=gw-domain-name,o=gw-system-name

    • eDirectory: ou=organizational_unit,o=organization

    • Active Directory: ou=organizational_unit,dc=domain_component

IMPORTANT: Container names cannot exceed 128 characters. If they do, groups are not provisioned.

  • Filter:

  • IMPORTANT: TeamWorks sets up a standard group filter for the LDAP server type.

    In almost all cases, this doesn’t require modification.

  • Search subtree

  • Select this if you want TeamWorks to search for groups in containers underneath the base DN (that is, in subtrees).