Set Up Periodic Synchronization of Users with LDAP
ADOIT allows you to automate the synchronization of users with an LDAP-compliant directory service.
Depending on the configuration, users are assigned to preconfigured system roles/user groups. Optionally, specific repositories are assigned to them as their working place, and the users are shared with these repositories so that they are available as objects in modelling.
The steps described in the following sections have to be taken to enable synchronization.
If you set up the authentication mechanism Web Client Login with LDAP Coupling before enabling periodic synchronization of users with LDAP, important parts of that configuration can be reused.
To enable synchronization, you need experience with JSON. If you need help, contact your ADOIT consultant.
Adapt Domain-Specific LDAP Parameters
Domain-specific parameters need to be set.
Open the Admin Page. On the toolbar at the top of the screen, click More, point to Authentication, and then click LDAP.
Click the edit button next to your domain.
Adapt the following parameters:
sync_base_dn [optional]
A domain-specific parameter. Define the node in the directory service tree structure that should be used as the starting point for user searches.
Note: The sync_base_dn parameter is used as a fallback when the startNode attribute is not defined for the synchronization job. If neither sync_base_dn nor startNode is defined, the login_base_dn parameter is used as a fallback.
sync_filter [optional]
A domain-specific parameter. A filter to narrow down what should be queried from the directory service. For example, set the value of this attribute to "(objectClass=user)" to fetch only users.
Note: The sync_filter parameter is used as a fallback when the filter attribute is not defined for the synchronization job. If neither sync_filter nor filter is defined, the value "(objectClass=user)" is used as a fallback.
Adapt Global LDAP Settings
Adapting the global LDAP settings to enable synchronization requires the same steps as it does when setting up the authentication mechanism Web Client Login with LDAP Coupling. Therefore, please refer to the corresponding description Adapt Global LDAP Settings.
User Mapping
If LDAP coupling is configured for the Standard connector and a user mapping is specified for it, you can reuse that user mapping for the assignment of system roles, user groups, repositories and user attributes:
- The value of the property defaultConnector must be the ID of the Standard connector (by default "Standard Login").
If you have not enabled LDAP coupling, you may have to configure a global user mapping inside the general LDAP settings. For details on how to configure a user mapping, please refer to the section User Mapping.
Adapt Synchronization Settings
In order to adapt the synchronization settings:
- Under Authentication > LDAP, edit the LDAP Settings.
The following parameters allow you to control how the synchronization works. Examples are included in the Help file which you can download from the Admin Page.
These parameters can be configured:
- within the general LDAP Settings, to adapt the synchronization for all configured domains (= globally) at the same time, or
- for a specific domain, to adapt the synchronization for that domain only.
The configuration works in the same way in both cases:
synchronization (property: schedules)
schedules is an array of scheduling objects.
schedule [{properties: name, filter [optional], startNode [optional], scheduleType, scheduleInterval, scheduleCronData}]
The configuration of a synchronization job consists of the following properties:
name: A name to use for this job (just for traceability in the log files).
filter: A filter to narrow down what should be queried from the directory service. For example, set the value of this attribute to "(objectClass=user)" to fetch only users.
Note: If filter is not defined for the synchronization job, the domain-specific sync_filter parameter is used. If neither is defined, the value "(objectClass=user)" is used as a fallback.
startNode: Define the node in the directory service tree structure that should be used as the starting point for user searches.
Note: The sync_base_dn parameter is used as a fallback when the startNode attribute is not defined for the synchronization job. If neither sync_base_dn nor startNode is defined, the login_base_dn parameter is used as a fallback.
scheduleType: Specify the time unit to be used (1: seconds | 2: minutes | 3: hours | 4: days | 5: weeks | 6: months | 7: years).
scheduleInterval: This setting allows you to set a synchronization interval. Specify after how many time units ADOIT repeats the job. This setting is compatible with scheduleType 1, 2, 3 and 7 only.
scheduleCronData (properties: D, w, h, m): This parameter allows you to schedule the synchronization job to run periodically at fixed times or dates. It is compatible with scheduleType 4, 5 and 6 only. It consists of the following properties:
D: Day of month, allowed values: 1-31.
w: Day of week, allowed values: 1-7 (Sunday - Saturday). Specify multiple values as a comma-separated list (in the JSON configuration, an array as shown in the second example below).
h: The hour at which to run the job.
m: The minute at which to run the job.
A schedule based on days (scheduleType 4) executes daily, but can be limited to certain days only by declaring the day or days of the week (w).
A schedule based on weeks (scheduleType 5) executes once per week. It requires the day of week (w).
A schedule based on months (scheduleType 6) executes once per month. It requires the day of month (D).
Example
"synchronization": {
  "schedules": [
    {
      "filter": "(objectClass=user)",
      "name": "my5minSync",
      "scheduleInterval": "5",
      "scheduleType": 2,
      "startNode": "dc=boc,dc=eu"
    }
  ]
}
Objects are imported from the directory service:
- every 5 minutes [scheduleType = 2 (minutes), scheduleInterval = execute every 5 units (= minutes)],
- if they are user objects [filter = "(objectClass=user)"] and
- if they belong to the node "dc=boc,dc=eu" or one of its children [startNode].
Example
"synchronization": {
  "schedules": [
    {
      "filter": "(objectClass=user)",
      "name": "myWorkDaySync",
      "scheduleCronData": {
        "h": 1,
        "m": 0,
        "w": [2, 3, 4, 5, 6]
      },
      "scheduleType": 4,
      "startNode": "dc=boc,dc=eu"
    }
  ]
}
Objects are imported from the directory service:
- daily from Monday to Friday [scheduleType = 4 (days), scheduleCronData = execute on weekdays 2 to 6 (Monday to Friday) at 1:00 AM local time],
- if they are user objects [filter = "(objectClass=user)"] and
- if they belong to the node "dc=boc,dc=eu" or one of its children [startNode].
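The following Python script is an added example (not ADOIT's or BOC's code) that applies the rules of this section to a "synchronization" fragment before it is saved on the Admin Page. It resolves the effective search base and filter of a job through the documented fallback chain (startNode, then sync_base_dn, then login_base_dn; filter, then sync_filter, then "(objectClass=user)"), and it checks that scheduleInterval is only combined with scheduleType 1, 2, 3 or 7, that scheduleCronData is only combined with scheduleType 4, 5 or 6, that a weekly job declares w and a monthly job declares D, and that D, w, h and m are within their allowed ranges. The property names are the ones documented above. The MIN_SECONDS threshold for the warning on very frequent seconds-based jobs is the script's own assumption, not an ADOIT limit, and the sample jobs (the two from the examples above plus a deliberately broken monthly one) and the domain settings are constructed here.

```python
"""Offline checker for an ADOIT LDAP "synchronization" JSON fragment.
Added example, not ADOIT/BOC code: it applies the rules stated in this section
before a schedule is saved. MIN_SECONDS is this script's own assumption."""
import json

UNITS = {1: "seconds", 2: "minutes", 3: "hours", 4: "days",
         5: "weeks", 6: "months", 7: "years"}
INTERVAL_TYPES = {1, 2, 3, 7}   # jobs driven by scheduleInterval
CRON_TYPES = {4, 5, 6}          # jobs driven by scheduleCronData
DEFAULT_FILTER = "(objectClass=user)"
MIN_SECONDS = 60                # assumption: warn on tighter polling than this


def effective_search(job, domain):
    """Resolve (base DN, filter) a job will actually use:
    startNode -> sync_base_dn -> login_base_dn; filter -> sync_filter -> default."""
    base = (job.get("startNode") or domain.get("sync_base_dn")
            or domain.get("login_base_dn"))
    flt = job.get("filter") or domain.get("sync_filter") or DEFAULT_FILTER
    return base, flt


def day_list(value):
    """Accept 2, [2, 3] or "2,3" (the doc allows comma-separated values)."""
    if isinstance(value, list):
        return [int(v) for v in value]
    if isinstance(value, str):
        return [int(v) for v in value.split(",") if v.strip()]
    return [int(value)]


def validate_job(job):
    """Return the problems found in one schedule object; [] means consistent."""
    problems, name, stype = [], job.get("name", "<unnamed>"), job.get("scheduleType")
    if stype not in UNITS:
        return [f"error: {name}: scheduleType must be 1-7, got {stype!r}"]
    if stype in INTERVAL_TYPES:                     # 1, 2, 3, 7
        if "scheduleCronData" in job:
            problems.append(f"error: {name}: scheduleCronData needs scheduleType 4, 5 or 6")
        try:
            interval = int(job["scheduleInterval"])  # the doc's example uses the string "5"
            if interval < 1:
                problems.append(f"error: {name}: scheduleInterval must be >= 1")
            elif stype == 1 and interval < MIN_SECONDS:
                problems.append(f"warning: {name}: polls every {interval} s; check directory load")
        except (KeyError, TypeError, ValueError):
            problems.append(f"error: {name}: {UNITS[stype]} job needs an integer scheduleInterval")
        return problems
    # scheduleType 4, 5, 6: fixed-time schedule driven by scheduleCronData
    if "scheduleInterval" in job:
        problems.append(f"error: {name}: scheduleInterval is not used with scheduleType {stype}")
    cron = job.get("scheduleCronData")
    if not isinstance(cron, dict):
        return problems + [f"error: {name}: {UNITS[stype]} job needs scheduleCronData"]
    try:
        h, m = int(cron.get("h", -1)), int(cron.get("m", -1))
        if not (0 <= h <= 23 and 0 <= m <= 59):
            problems.append(f"error: {name}: needs h (0-23) and m (0-59)")
        if "w" in cron and not all(1 <= d <= 7 for d in day_list(cron["w"])):
            problems.append(f"error: {name}: w values must be 1-7 (Sunday-Saturday)")
        if "D" in cron and not 1 <= int(cron["D"]) <= 31:
            problems.append(f"error: {name}: D must be 1-31")
    except (TypeError, ValueError):
        problems.append(f"error: {name}: scheduleCronData values must be integers")
    if stype == 5 and "w" not in cron:
        problems.append(f"error: {name}: a weekly schedule needs the day of week (w)")
    if stype == 6 and "D" not in cron:
        problems.append(f"error: {name}: a monthly schedule needs the day of month (D)")
    return problems


def check_config(sync_json, domain):
    """Per job name: ((effective base, effective filter), list of problems)."""
    schedules = json.loads(sync_json)["synchronization"]["schedules"]
    return {job.get("name") or f"job{i}":
            (effective_search(job, domain), validate_job(job))
            for i, job in enumerate(schedules)}


# Constructed sample: the two jobs from this section plus a deliberately broken one.
SAMPLE = json.dumps({"synchronization": {"schedules": [
    {"filter": "(objectClass=user)", "name": "my5minSync",
     "scheduleInterval": "5", "scheduleType": 2, "startNode": "dc=boc,dc=eu"},
    {"filter": "(objectClass=user)", "name": "myWorkDaySync",
     "scheduleCronData": {"h": 1, "m": 0, "w": [2, 3, 4, 5, 6]},
     "scheduleType": 4, "startNode": "dc=boc,dc=eu"},
    {"name": "brokenMonthly", "scheduleType": 6,
     "scheduleCronData": {"h": 3, "m": 30}}]}})       # D is missing
DOMAIN = {"login_base_dn": "dc=boc,dc=eu"}            # constructed domain settings

if __name__ == "__main__":
    for name, (search, problems) in check_config(SAMPLE, DOMAIN).items():
        print(name, search, "OK" if not problems else problems)
```

Run the script directly for a per-job verdict, or import check_config and pass it the fragment you are about to paste into the LDAP Settings together with the domain parameters. The third sample job shows the fallback chain at work: with neither startNode nor filter set, it searches from login_base_dn with "(objectClass=user)", and the missing D is reported locally rather than being discovered in the LDAP log after the schedule has been saved.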
Start Synchronizing Users
Save your changes on the Admin Page. Once the changes are saved, they take effect immediately. A restart is not required.
The synchronization of users will start. Jobs that run at fixed time intervals will be executed immediately and then repeated each time the time interval has passed. Schedules based on days, weeks or months will execute at the specified time.
Run the Synchronization on Demand
The Admin Page of the web client allows you to run the synchronization on demand. The synchronization is triggered according to the configuration specified on the Admin Page for all configured domains.
For questions about the necessary steps, please refer to the Administration Manual, chapter "Admin Page", section "Server".
(Optional) Tracking Errors
General logging output and errors are written to the files "<Tomcat installation>/logs/ADOIT15_0.log" and "<ADOIT installation>/*_aworker.log". Detailed logging output can be found in the file "<Tomcat installation>/logs/ADOIT15_0_LDAP.log".