Setup

LDAP Sync is a feature added to SD Elements in Release 4.5. It allows an organization to leverage their LDAP repository to manage the list of active users as well as their group membership in SD Elements.

LDAP Sync is currently in beta: it has been tested against Active Directory and OpenLDAP. There are performance improvements being rolled into release 4.6. The feature will come out of beta after further testing with additional LDAP server types and schemas.

Prerequisites

Gather the following prior to the setup.

  • SD Elements super user credentials (e.g. support@sdelements.com), which are needed for configuring SD Elements
  • The hostname and port of the LDAP server
  • Method to connect with the LDAP server, i.e. one of:
    • LDAP
    • LDAP with StartTLS
  • The DN and password of a user to bind to the LDAP server.
  • The base group DN. This DN will be used for querying LDAP groups.
  • A list of LDAP group names to map to existing SDE groups. These LDAP groups should be under the base group DN.

Instructions

1. Login to SD Elements with super user credentials. The user support@sdelements.com is one such user.

2. Click on the gear icon in the top right corner of the SD Elements interface, and select LDAP Integration.

3. On the LDAP Integration page, click the ‘+’ button on the top right corner of the screen to create a new connection.

4. Fill out the form then click Save. Fields are described below.

  • Name: A unique name for this connection
  • LDAP Server: The host and port of the LDAP server. No protocol prefix is necessary; the application always uses ldap. Unlike SSO, LDAPS is not supported here; to secure the connection, select the "Use TLS/SSL" option (StartTLS).
  • Bind DN: The DN of the user to bind to the LDAP server
  • Bind Password: The password of the user to bind to the LDAP server
  • Group Base DN: The base DN of the LDAP groups to be synchronized.
  • Group Mapping: The mapping between LDAP groups and SDE groups. Only these LDAP groups will be used in the sync.
  • Sync Frequency: The rate at which the sync should occur.
  • (Optional) Base DN: The base DN used in constructing user queries. This will be automatically computed from the bind DN if left blank.
  • (Optional) LDAP User Schema: LDAP schema attribute mappings used by SD Elements for computing a user’s name and email. Leave blank to use the default mappings.
  • (Optional) LDAP Filter: A whitelist of LDAP groups and users to limit the sync to. Leave blank to sync all users and groups defined in the Group Mapping.
  • (Optional) LDAP Query Page Size: The maximum number of LDAP results to retrieve at a time. Only available on LDAP servers that implement RFC 2696.
  • (Optional) Group Member Query: LDAP query for retrieving the members of a group. ‘%s’ will be replaced by the LDAP group name during query construction.
  • (Optional) LDAP Validate Cert: Toggle on to enable SSL certificate validation.
  • (Optional) Use TLS/SSL: Toggle on to connect securely using the LDAP protocol with StartTLS enabled.
  • (Optional) Deactivation: Toggle on for the desired deactivation behaviour.
  • (Optional) Inaccessible: Mark this connection as inaccessible. This should only be done if the LDAP server cannot be reached from SDE. As a result, syncing from the server will be disabled for this connection. Instead, use the Remote Integration Client to perform the integration.
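The following is an added example, not SD Elements code: a small offline pre-flight script that takes the same values the form asks for (Bind DN, Group Base DN, the LDAP group names in the Group Mapping with their directory DNs, and the Group Member Query template) and checks them before they are saved. DN parsing is simplified (no escaped commas inside values), and the rule in derive_base_dn is an illustrative assumption, not how SD Elements computes a blank Base DN.

```python
"""Pre-flight checks for an SD Elements LDAP Sync connection (added example).

Not SD Elements code. DN handling is simplified (no escaped commas inside
values); derive_base_dn is an illustrative assumption, not product behaviour.
"""
from typing import Dict, List


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs with lower-cased attribute types and trimmed spaces."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return rdns


def is_under_base(group_dn: str, base_dn: str) -> bool:
    """True if group_dn is at or below base_dn (case-insensitive comparison)."""
    g = [r.lower() for r in normalize_dn(group_dn)]
    b = [r.lower() for r in normalize_dn(base_dn)]
    return len(g) >= len(b) and g[-len(b):] == b


def derive_base_dn(bind_dn: str) -> str:
    """Assumed rule for a blank Base DN: keep only the dc= components of the Bind DN."""
    return ",".join(r for r in normalize_dn(bind_dn) if r.startswith("dc="))


# RFC 4515 escapes: a group name dropped into a filter must not alter its syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_member_query(template: str, group_name: str) -> str:
    """Substitute the escaped LDAP group name for the single '%s' in the template."""
    if template.count("%s") != 1:
        raise ValueError("Group Member Query must contain exactly one %s")
    return template.replace("%s", escape_filter_value(group_name))


def groups_outside_base(group_dns: Dict[str, str], group_base_dn: str) -> List[str]:
    """Mapped LDAP group names (keys) whose directory DN (values) lies outside the Group Base DN."""
    return [name for name, dn in group_dns.items() if not is_under_base(dn, group_base_dn)]
```

Any name returned by groups_outside_base will be skipped by the sync, since only groups under the Group Base DN are queried.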

FAQ

  • How does this relate to Single Sign On?
    • SSO handles user authentication - this feature can provision user accounts and manage their group membership.
    • Users provisioned via LDAP Sync on a server with SSO enabled will not be sent a password reset email.
  • Can I sync using multiple connections?
    • You can sync against multiple connections. But because this is a user integration system, syncing multiple connections at the same time may cause unexpected results or problems.

Troubleshooting

  • Sync Failures
    • Clicking on the red exclamation button will display the error of the last synchronization attempt. To view older failures, click on the connection name to be taken to the sync history page.
  • SSL Issues
    • If you are connecting over TLS/SSL, you will need to ensure that the SD Elements server has a copy of the LDAP server certificate or the CA signing certificate.
  • Timeout Issues
    • If the sync is failing due to a SoftTimeLimitExceeded error, you will need to increase the default timeout. To do so you will need to edit the local_settings.py file on your SD Elements instance and add or modify the timeout values:

      Version 4.6+
      # 120 minutes
      LDAP_SYNC_TIME_LIMIT = 7200
      # 118 minutes
      LDAP_SYNC_SOFT_TIME_LIMIT = 7080

      Version 4.5
      # 240 minutes
      CELERY_JOB_TASK_SOFT_TIME_LIMIT = 14400