Version: 17.1

Set Up Periodic Synchronisation of Users with LDAP

ADOIT enables the synchronisation of users with an LDAP-compliant directory service via a scheduled task. Supported authentication mechanisms include LDAP, IDM, SAML, and OIDC. To use this feature, the chosen authentication mechanism (= connector) must be configured to use LDAP coupling.

Users will be created in ADOIT before logging in for the first time. Depending on the configuration, users will be assigned to preconfigured user groups and system roles. Optionally, specific repositories will be assigned to them as their working place and they will be shared with these repositories to make them available as objects in modelling.

The following steps have to be taken to enable synchronisation:

  1. Prerequisites

  2. Set up Synchronisation Schedule

  3. Start Synchronising Users

note

If you set up the authentication mechanism LDAP Authentication before you enable periodic synchronisation of users with LDAP, important parts of the configuration can be reused.

Prerequisites

Before setting up a synchronisation schedule, make sure the following steps are completed:

  • Configure the general LDAP settings and define domain-specific LDAP parameters.

  • Adapt the connector-specific LDAP settings by enabling LDAP coupling and adding a user mapping for your chosen connector.

The procedure is the same as for setting up LDAP authentication - detailed instructions can be found in the LDAP Authentication section.

Set up Synchronisation Schedule

Once all requirements are met, you can set up a synchronisation schedule:

You have two options now:

  • You can configure synchronisation for all domains simultaneously in the right pane, under LDAP Settings, in the Schedule section.

  • Or you can configure synchronisation for a specific domain. Find the domain you want to adjust in the left pane, under LDAP Domains. Hover over the domain, click More, and then select Edit. The settings you want are on the third page, Schedule.

The configuration works in the same way in both cases. Adapt the following parameters:

  • Name

    Choose a name for this job (for traceability in the log files).

  • Filter

    A filter to narrow down what should be queried from the directory service. For example, set the value to (objectClass=user) to fetch only users.

  • Start node

    Define the node in the directory service tree structure that should be used as the starting point for user searches.

    note

    The Sync base DN parameter is used as a fallback when no Start node is defined for the synchronisation job. If neither Sync base DN nor Start node are defined, the Login base DN parameter is used as a fallback.

  • Start at

    Optional start date indicating when the schedule should become active. By default, the schedule is active immediately.

  • End at

    Optional end date specifying when the schedule should become inactive. After this date, the schedule will no longer be active.

  • Type

    Choose the time unit for the synchronisation schedule. Available options include secondly, minutely, hourly, daily, weekly, monthly, or yearly.

  • Interval

    Define the frequency of the synchronisation job for schedules based on seconds, minutes, hours or years: the number of time units that should elapse between two runs of the job.

  • Day of month

    Specify the day of the month when the job should run for monthly schedules.

  • Weekdays

    Select the days on which the job should run for daily and weekly schedules as follows:

      • Days: The job runs every day by default, but you can optionally restrict it to specific days of the week.

      • Weeks: The job runs once per week on the selected day.

  • Execution time

    Specify the exact hour and minute at which the job should start for daily, weekly and monthly schedules.

Example

Name: my5minSync | Filter: (objectClass=user) | Start node: dc=company,dc=eu | Type: minutely | Interval: 5

Objects are imported from the directory service:

  • every 5 minutes [Type = minutely, Interval = execute every 5 units (= minutes)],
  • if they are user objects [Filter = (objectClass=user)] and
  • if they belong to the node "dc=company,dc=eu" or its children [Start node].

Start Synchronising Users

Save your changes in the ADOIT Administration. Once the changes are saved, they take effect immediately. A restart is not required.

The synchronisation of users will start. Jobs that run at fixed time intervals will be executed immediately and then repeated each time the time interval has passed. Schedules based on days, weeks or months will execute at the specified time.

Run the Synchronisation on Demand

The ADOIT Administration allows you to run the synchronisation on demand. The synchronisation is triggered according to the configuration specified for all configured domains.

  • In the ADOIT Administration, go to Home > More options, and then click Server.

  • Click Start LDAP synchronisation.

(Optional) Tracking Errors

General logging output and errors are written to the files "<Tomcat installation>/logs/ADOIT17_1.log" and "<ADOIT installation>/*_aworker.log". Detailed logging output can be found in the file "<Tomcat installation>/logs/ADOIT17_1_LDAP.log".