
Active Directory/LDAP

Active Directory/LDAP standard module allows you to import users from another corporate system to ELMA365 while retaining their login information. Imported and manually registered users can work in ELMA365 system simultaneously.

Note: The AD/LDAP module is available for ELMA365 On-Premises only.

How it works

The system administrator connects an AD/LDAP server to ELMA365 using the server address, a login and a password. He or she then maps ELMA365 user fields to AD/LDAP attributes and sets the synchronization interval. The AD/LDAP server is added to the Integration list.


Users can then be imported directly into ELMA365. Imported employees log in with the username and password of the directory they were imported from; ELMA365 sends their credentials to that directory for authentication.

Several such integrations, each pointing at a different directory, can be configured side by side.

Configuration

To configure the AD/LDAP integration, go to Administration > Modules.

Select Active Directory or LDAP and check the Enable Module box. To add a new server, click Add item.

The properties window opens. It is divided into five sections: Connect to the server, User connection and import, Group import, Import external users and Automation settings.

Let's take a look at each section in detail.

Connect to the server

First, set up the connection between ELMA365 and the AD/LDAP server.


  • No. Indicate the sequence number of the integration.
  • Name*. Enter the name of the integration. It will be displayed in the integration list.
  • Server address*. Specify the IP address or host name by which the server is accessed and, if needed, the port.

The default LDAP port is 389. If the server listens on another port, append it to the address after a colon. For example, in 192.168.1.1:42, 42 is the port used with the 192.168.1.1 IP address.

  • Use TLS. Select Yes to use a secure connection to the server. Without TLS the bind credentials entered below, and the passwords of every user who signs in through this integration, cross the network in cleartext, so leave this enabled wherever the server supports it.
  • User*. Enter the user name for LDAP server authentication. A dedicated service account with read-only access to the directory is sufficient for import; do not use a privileged administrative account here.
  • Password*. Enter the password of that user.

User connection and import

In the AD module, the fields for connecting and importing users are pre-filled automatically, but for the LDAP integration, you have to fill in the fields manually.


  1. Domain. If you specify a domain, users will have to enter their login together with the domain when signing in.
  2. Login Name Format*. The template used to build the name that is sent to the server for authentication. The {$login} placeholder is replaced with the login extracted from what the user typed, for example domain\{$login}.

When using the sAMAccountName field as the source of the Login field, the following authentication options are available:

  Option               1                 2                   3                 4
  Login entered        login             login@domain.com    domain\login      domain.com\login
  Domain field         (empty)           domain.com          domain            domain.com
  Login Name Format    domain\{$login}   domain\{$login}     domain\{$login}   domain\{$login}

For example, if the Login Name Format field is set to "elma\{$login}" and the Domain field to "elma.com", the user enters a login on the sign-in page in the form "johnson@elma.com". The login "johnson" is extracted from this string and substituted into the template, so the request sent to the authentication server carries the name elma\johnson.

You can also use the userPrincipalName field as the source of the "login" field (the format for storing the login is username@domain.com, the length of the string is not limited). In this case, the integration settings are set as follows:

  • domain: domain.com;
  • login name format: {$login};
  • user: login@domain.com;
  • login string during authorization: login@domain.com.
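The following added example (not ELMA365's own code) models the two login schemes described above: the four sAMAccountName options from the table, and the userPrincipalName scheme. It strips the configured Domain from what the user typed, substitutes the result into the Login Name Format template, and also shows how the extracted login has to be escaped (RFC 4515) before it is placed into an LDAP search filter such as the one a product would use to look the user up. The function names, the rule that a bare login is rejected when a Domain is configured, and the assumption that the whole typed string is the login in the userPrincipalName case are this example's own.

```python
LOGIN_PLACEHOLDER = "{$login}"


def extract_login(entered: str, domain: str, login_attribute: str = "sAMAccountName") -> str:
    """Return the bare login from the string typed on the sign-in page.

    sAMAccountName: the configured Domain is stripped whether it was typed
    as 'login@domain' or 'domain\\login' (Options 2-4); with no Domain the
    bare login is used as-is (Option 1).
    userPrincipalName: the whole string is the login (assumption based on
    the settings listed for that scheme: Login Name Format {$login}).
    """
    entered = entered.strip()
    if login_attribute == "userPrincipalName":
        login = entered
    elif not domain:
        login = entered                                   # Option 1
    else:
        d, low = domain.lower(), entered.lower()
        if low.endswith("@" + d):
            login = entered[: -(len(d) + 1)]              # Option 2
        elif low.startswith(d + "\\"):
            login = entered[len(d) + 1:]                  # Options 3 and 4
        else:
            # Assumption: a Domain is configured, so a login without it is rejected.
            raise ValueError(f"login must include the domain {domain!r}")
    if not login:
        raise ValueError("empty login")
    return login


def build_bind_name(template: str, login: str) -> str:
    """Fill the Login Name Format template, e.g. 'elma\\{$login}' -> 'elma\\johnson'."""
    if LOGIN_PLACEHOLDER not in template:
        raise ValueError("Login Name Format must contain {$login}")
    return template.replace(LOGIN_PLACEHOLDER, login)


def bind_name(entered: str, domain: str, template: str,
              login_attribute: str = "sAMAccountName") -> str:
    """Name sent to the authentication server for what the user typed."""
    return build_bind_name(template, extract_login(entered, domain, login_attribute))


# RFC 4515 escapes for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login_attribute: str, login: str) -> str:
    """Filter that finds the directory entry for a login, with the value escaped
    so a login such as 'john*)(|(cn=*' cannot rewrite the filter."""
    return f"({login_attribute}={escape_filter_value(login)})"


if __name__ == "__main__":
    print(bind_name("johnson@elma.com", "elma.com", "elma\\{$login}"))            # elma\johnson
    print(bind_name("johnson@elma.com", "elma.com", "{$login}", "userPrincipalName"))
    print(user_search_filter("sAMAccountName", "john*)(|(cn=*"))
```

The filter escaping is the part worth carrying into any custom integration: the bind name goes to the server as an opaque string, but a login that is later interpolated into a search filter is attacker-controlled input and must be escaped, or a crafted login can widen the lookup to other accounts.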

Note: An imported user does not need any additional access rights; he or she only has to be a domain user.

  3. Path to users*. Specify the path to the users container using the ADSI connection string (distinguished name) syntax:
    • OU stands for Organizational Unit, a container for objects such as users, contacts and groups.
    • CN stands for Common Name, the name of a user, contact, group or other object that usually has no child objects.
    • DC stands for Domain Component, one label of the domain's DNS name.

For example, to import the users from the Users root container of the company.local domain, use the following path: "cn=Users,dc=company,dc=local".

Note: Leading or trailing spaces and the special characters \ , # + < > ; " = inside a path value must be escaped with a backslash (\).

User path example:

  Correct:    OU=ouTest \+,OU=your\#Company,DC=testsmir,DC=local
  Incorrect:  OU=ouTest +,OU=yourCompany,DC=testsmir,DC=local
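As an added example (not part of the original page or of ELMA365), the helper below builds a path from plain attribute/value pairs, escaping exactly the characters the note above lists, and parses an escaped path back so the result can be checked before it is pasted into the Path to users field. The function names are this example's own; hex-pair escapes such as \2C are not handled.

```python
# Characters from the note that must be preceded by a backslash inside a value.
SPECIAL = set('\\,#+<>;"=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value: every special character, plus a space at
    the very start or end of the value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_path(*rdns: tuple[str, str]) -> str:
    """Join (attribute, value) pairs into a path, e.g. (('OU', 'ouTest +'), ...)."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in rdns)


def parse_path(path: str) -> list[tuple[str, str]]:
    """Split an escaped path back into (attribute, value) pairs, honouring
    backslash escapes so an escaped comma or '=' stays inside its value."""
    rdns, attr, buf, in_value, i = [], "", [], False, 0
    while i < len(path):
        ch = path[i]
        if ch == "\\" and i + 1 < len(path):      # escaped char: take it literally
            buf.append(path[i + 1])
            i += 2
            continue
        if ch == "=" and not in_value:            # end of attribute name
            attr, buf, in_value = "".join(buf), [], True
        elif ch == "," and in_value:              # end of this RDN
            rdns.append((attr, "".join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if in_value:
        rdns.append((attr, "".join(buf)))
    return rdns


def path_is_escaped(path: str, expected: list[tuple[str, str]]) -> bool:
    """Check that a path you are about to enter parses back to the values you meant."""
    return parse_path(path) == expected


if __name__ == "__main__":
    rdns = [("OU", "ouTest +"), ("OU", "your#Company"), ("DC", "testsmir"), ("DC", "local")]
    print(build_path(*rdns))   # OU=ouTest \+,OU=your\#Company,DC=testsmir,DC=local
```

The unescaped variant from the table above, OU=ouTest +, parses as an ordinary value in this simplified parser, but a real LDAP server treats the bare + as a multi-valued RDN separator, which is why the import fails; escaping the value before it reaches the server is the fix.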

  4. User Import filter*. The LDAP filter applied to queries sent to the server when importing users, for example (&(objectClass=user)(objectCategory=person)) to return only user objects.

Next, map the ELMA and LDAP fields:

  5. Login parameter*. Specify the attribute that stores the user's login on the LDAP server, for example "sAMAccountName". After import, the user signs in to ELMA365 with that value.
  6. First Name parameter. Specify the attribute that stores the user's first name on the LDAP server, for example "name" (in Active Directory the first name is stored in givenName, while name holds the object's common name).

Configure the Last Name parameter, Patronymic, Phone number parameter, Mobile number parameter, E-mail parameter and “Lock Status” parameter fields in the same way.

To learn more about importing internal users into ELMA365, see Import internal users from AD/LDAP.

Group import

As with user import, fill in the path to groups and the import filter. In the Group name, Group description and Group members parameters specify the attributes that store the corresponding values on your AD/LDAP server.


To learn more about importing groups to ELMA365 and distributing users, see Import groups from AD/LDAP.

Import external users

If you want the users to be able to interact with the external portal only, enable the Import external users option.

As with user import, fill in the Path to external users and External users filter fields. If you import internal and external users at the same time, these filters must not be identical, since an entry must not be imported as both an internal and an external user.

To learn more about importing users to the ELMA365 portal, see Import external users from AD/LDAP.

Automation settings


  • Turn on or off the automatic group and user synchronization and import. If automatic import is enabled, new AD/LDAP users are immediately added to ELMA365.

Each directory object has a unique identifier: objectGUID in AD and entryID in LDAP. The identifier, not the login, is what ties a directory entry to its ELMA365 account, so changes made to user accounts and groups, such as locking a user or editing personal data, are carried over to ELMA365 on synchronization even if the login itself changes.

  • "DN" parameter*. Enter the name of the attribute that stores the user's distinguished name on your AD/LDAP server (distinguishedName in AD).
  • "Created on" parameter. If automatic import is enabled, you can filter imported objects by creation date: entries created before the specified date will not be imported into ELMA365 (in AD the creation time is stored in whenCreated).
  • "Updated on" parameter. If automatic synchronization is enabled, you can filter updated objects: entries updated before the specified date will not be updated in ELMA365 (in AD the last modification time is stored in whenChanged).
  • Synchronization interval in minutes. Set the interval according to your company's policy; it bounds how long a user locked in the directory can still sign in to ELMA365.
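The added example below (this is illustrative code, not ELMA365's implementation) runs one synchronization pass over constructed directory entries with the rules just described: entries are matched to local accounts by objectGUID rather than by login, new entries created before the "Created on" date are not imported, existing entries changed before the "Updated on" date are not updated, and a user disabled in the directory is locked locally. It also shows the server-side form of the same cutoff as an LDAP filter on whenChanged. The attribute names are Active Directory's; the function and field names, the sample entries and the cutoff dates are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Attribute mapping as it would be entered in the module settings (AD names).
CFG = {
    "id_attr": "objectGUID", "dn_attr": "distinguishedName",
    "login_attr": "sAMAccountName", "first_name_attr": "givenName",
    "lock_attr": "userAccountControl",
    "created_attr": "whenCreated", "updated_attr": "whenChanged",
}
CREATED_SINCE = datetime(2024, 1, 1, tzinfo=timezone.utc)   # "Created on" cutoff
UPDATED_SINCE = datetime(2024, 6, 1, tzinfo=timezone.utc)   # "Updated on" cutoff
GT_FORMAT = "%Y%m%d%H%M%S.0Z"                               # AD generalized time


def generalized_time(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def parse_generalized_time(s: str) -> datetime:
    return datetime.strptime(s, GT_FORMAT).replace(tzinfo=timezone.utc)


def cutoff_filter(base_filter: str, attr: str, since: datetime) -> str:
    """Server-side cutoff: ask only for entries whose timestamp is at/after `since`."""
    return f"(&{base_filter}({attr}>={generalized_time(since)}))"


@dataclass
class User:
    guid: str
    dn: str
    login: str
    first_name: str
    locked: bool


def from_entry(e: dict) -> User:
    # userAccountControl bit 0x2 is ACCOUNTDISABLE in Active Directory.
    return User(e[CFG["id_attr"]], e[CFG["dn_attr"]], e[CFG["login_attr"]],
                e[CFG["first_name_attr"]], bool(int(e[CFG["lock_attr"]]) & 0x2))


def sync(users: dict, entries: list, created_since=CREATED_SINCE,
         updated_since=UPDATED_SINCE) -> dict:
    """One pass: match by GUID, apply the two date cutoffs, return counters."""
    stats = {"added": 0, "updated": 0, "skipped_old": 0, "unchanged": 0}
    for e in entries:
        incoming = from_entry(e)
        if incoming.guid not in users:                       # new in the directory
            if parse_generalized_time(e[CFG["created_attr"]]) < created_since:
                stats["skipped_old"] += 1
            else:
                users[incoming.guid] = incoming
                stats["added"] += 1
        elif parse_generalized_time(e[CFG["updated_attr"]]) < updated_since:
            stats["skipped_old"] += 1                        # changed before cutoff
        elif incoming != users[incoming.guid]:
            users[incoming.guid] = incoming                  # data or lock status changed
            stats["updated"] += 1
        else:
            stats["unchanged"] += 1
    return stats


def entry(guid, cn, login, first, uac, created, changed, base="OU=Staff,DC=company,DC=local"):
    """Build one constructed directory entry keyed by the CFG attribute names."""
    return {CFG["id_attr"]: guid, CFG["dn_attr"]: f"CN={cn},{base}",
            CFG["login_attr"]: login, CFG["first_name_attr"]: first,
            CFG["lock_attr"]: uac, CFG["created_attr"]: created, CFG["updated_attr"]: changed}


def example_run():
    base = "OU=Staff,DC=company,DC=local"
    users = {                                                # accounts already in ELMA365
        "g1": User("g1", f"CN=John Doe,{base}", "jdoe", "John", False),
        "g2": User("g2", f"CN=Ann Smith,{base}", "asmith", "Ann", False),
        "g5": User("g5", f"CN=Bo Li,{base}", "bli", "Bo", False),
    }
    entries = [                                              # constructed directory state
        entry("g1", "John Doe", "jdoe", "John", 514, "20230101000000.0Z", "20240701000000.0Z"),   # disabled
        entry("g2", "Ann Smith", "asmith2", "Ann", 512, "20230101000000.0Z", "20240301000000.0Z"),  # old change
        entry("g3", "Old Guy", "oguy", "Old", 512, "20230501000000.0Z", "20230501000000.0Z"),      # created early
        entry("g4", "New Hire", "nhire", "New", 512, "20240315000000.0Z", "20240315000000.0Z"),
        entry("g5", "Bo Li", "bli", "Bo", 512, "20230101000000.0Z", "20240801000000.0Z"),          # identical
    ]
    return sync(users, entries), users


if __name__ == "__main__":
    stats, users = example_run()
    print(stats)                                             # added 1, updated 1, skipped_old 2, unchanged 1
    print(cutoff_filter("(objectClass=user)", "whenChanged", UPDATED_SINCE))
```

Note how g1 is locked locally because the directory now reports it disabled, while g2's renamed login is deliberately ignored because the change predates the "Updated on" cutoff: a cutoff set too late silently leaves stale accounts behind, so in practice "Updated on" should be no later than the previous successful synchronization.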

To finish, click Save. ELMA365 then tests the connection to the AD/LDAP server. If the connection cannot be established, a message naming the invalid parameter is shown at the top of the page.

Delete server

To delete a server, go to the settings of the AD/LDAP module and click on the recycle bin icon to the right of the server address.

Note that when you delete a server, the system checks for imported users. If there are users imported from this server, you will not be able to delete it.
