Set Up Periodic Synchronisation of Users with LDAP
ADOIT enables the synchronisation of users with an LDAP-compliant directory service via a scheduled task. Supported authentication mechanisms include LDAP, IDM, SAML, and OIDC. To use this feature, the chosen authentication mechanism (= connector) must be configured to use LDAP coupling.
Users are created in ADOIT before they log in for the first time. Depending on the configuration, they are assigned to preconfigured user groups and system roles. Optionally, specific repositories are assigned to them as their working place, and the users are shared with these repositories so that they are available as objects in modelling.
The following steps have to be taken to enable synchronisation.
If you have already set up the authentication mechanism LDAP Authentication before enabling periodic synchronisation of users with LDAP, important parts of that configuration can be reused.
Prerequisites
Before setting up a synchronisation schedule, make sure the following steps are completed:
Configure the general LDAP settings and define domain-specific LDAP parameters.
Adapt the connector-specific LDAP settings by enabling LDAP coupling and adding a user mapping for your chosen connector.
The procedure is the same as for setting up LDAP authentication - detailed instructions can be found in the LDAP Authentication section.
Set up Synchronisation Schedule
Once all requirements are met, you can set up a synchronisation schedule:
- Open the ADOIT Administration and go to Authentication > LDAP.
You have two options now:
You can configure synchronisation for all domains simultaneously in the right pane, under LDAP Settings, in the Schedule section.
Or you can configure synchronisation for a specific domain. Find the domain you want to adjust in the left pane, under LDAP Domains. Hover over the domain, click More, and then select Edit. The settings you want are on the third page, Schedule.
The configuration works in the same way in both cases. Adapt the following parameters:
Name
Choose a name for this job (for traceability in the log files).
Filter
A filter to narrow down what should be queried from the directory service. For example, set the value to
(objectClass=user)
to fetch only users. Keep the filter as narrow as possible: every matching entry becomes an ADOIT user with the configured groups, roles and repositories, so a filter that also matches disabled accounts, service accounts or (in Active Directory, where computer objects also carry objectClass=user) computer accounts provisions ADOIT users and role assignments for principals that should not have them.
Start node
Define the node in the directory service tree structure that should be used as the starting point for user searches.
Note: The Sync base DN parameter is used as a fallback when no Start node is defined for the synchronisation job. If neither Sync base DN nor Start node is defined, the Login base DN parameter is used as a fallback.
Start at
Optional start date indicating when the schedule should become active. By default, the schedule is active immediately.
End at
Optional end date specifying when the schedule should become inactive. After this date, the schedule will no longer be active.
Type
Choose the time unit for the synchronisation schedule. Available options include secondly, minutely, hourly, daily, weekly, monthly, or yearly.
Interval
Define the frequency of the synchronisation job for schedules based on seconds, minutes, hours or years: the job runs every n time units, where n is the interval you enter.
Day of month
Specify the day of the month when the job should run for monthly schedules.
Weekdays
Select the days on which the job should run for daily and weekly schedules:
Daily: The job runs every day by default, but you can optionally restrict it to specific days of the week.
Weekly: The job runs once per week on the selected day.
Execution time
Specify the exact hour and minute at which the job should start for daily, weekly and monthly schedules.
Example
Name: my5minSync | Filter: (objectClass=user) | Start node: dc=company,dc=eu | Type: minutely | Interval: 5
Objects are imported from the directory service:
- every 5 minutes (Type = minutely, Interval = 5, i.e. execute every 5 units),
- only if they are user objects (Filter = (objectClass=user)), and
- only if they belong to the node "dc=company,dc=eu" or its children (Start node).
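To see how Filter and Start node together decide which directory entries a synchronisation job imports, the following added example (not ADOIT code, and not a real LDAP client) evaluates RFC 4515 filters against a small constructed in-memory directory. The entries, DNs and attribute values are made up for illustration; the entry attributes are modelled in Active Directory terms (objectCategory, userAccountControl, the bit-AND matching rule 1.2.840.113556.1.4.803), and objectCategory is simplified to its short name. It contrasts the page's `(objectClass=user)` filter with a tighter filter that excludes computer objects and disabled accounts, which is the assumption a practitioner would want to verify against their own directory before saving the job.

```python
# Added example: minimal evaluator for the Filter and Start node settings of an
# LDAP synchronisation job. Not ADOIT code; directory contents are constructed.

# Constructed sample directory (attribute names lowercase, values as lists).
# In Active Directory the computer class derives from user, so a computer object
# also carries objectClass=user; ws01 is included to show that over-match.
# userAccountControl 512 = normal account, 514 = normal account + ACCOUNTDISABLE.
DIRECTORY = [
    {"dn": "cn=alice,ou=staff,dc=company,dc=eu",
     "objectclass": ["top", "person", "organizationalperson", "user"],
     "objectcategory": ["person"], "useraccountcontrol": ["512"]},
    {"dn": "cn=bob,ou=staff,dc=company,dc=eu",
     "objectclass": ["top", "person", "organizationalperson", "user"],
     "objectcategory": ["person"], "useraccountcontrol": ["514"]},
    {"dn": "cn=ws01,ou=machines,dc=company,dc=eu",
     "objectclass": ["top", "person", "organizationalperson", "user", "computer"],
     "objectcategory": ["computer"], "useraccountcontrol": ["4096"]},
    {"dn": "cn=carol,ou=staff,dc=partner,dc=eu",      # outside dc=company,dc=eu
     "objectclass": ["top", "person", "organizationalperson", "user"],
     "objectcategory": ["person"], "useraccountcontrol": ["512"]},
]

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # AD bitwise-AND rule

def parse_filter(s, pos=0):
    """Parse an RFC 4515 filter into nested tuples. Supports &, |, !, simple
    equality and the attr:rule:=value extensible form; values may not contain ')'."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if s[pos] in "&|!":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            children.append(node)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    if ":" in attr:                                  # extensible match
        attr, rule, _ = attr.split(":")
        return ("ext", attr.lower(), rule, value), end + 1
    return ("eq", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":
        return node[2] in entry.get(node[1], [])
    _, attr, rule, value = node
    if rule != LDAP_MATCHING_RULE_BIT_AND:
        raise ValueError(f"matching rule {rule} not modelled")
    mask = int(value)
    return any(int(v) & mask == mask for v in entry.get(attr, []))

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, start_node):
    """Subtree scope: the entry is the start node itself or lies below it."""
    dn, base = norm_dn(dn), norm_dn(start_node)
    return dn == base or dn.endswith("," + base)

def select(filter_str, start_node, directory=DIRECTORY):
    """Return the DNs a sync job with this Filter and Start node would import."""
    tree, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e["dn"] for e in directory
            if in_subtree(e["dn"], start_node) and matches(tree, e)]

# The page's example filter versus a tighter AD-specific one (assumption: the
# directory is Active Directory): person objects whose ACCOUNTDISABLE bit is clear.
BROAD = "(objectClass=user)"
STRICT = ("(&(objectClass=user)(objectCategory=person)"
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

if __name__ == "__main__":
    for label, f in (("broad", BROAD), ("strict", STRICT)):
        print(label, select(f, "dc=company,dc=eu"))
```

With the constructed directory, the broad filter under `dc=company,dc=eu` imports alice, the disabled bob and the workstation ws01; the strict filter imports only alice, and carol is never imported because her entry lies outside the start node. Before saving a job, run the intended filter and start node against the real directory (for example with an LDAP search tool) and compare the result set with the list of people who should actually receive ADOIT accounts.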
Start Synchronising Users
Save your changes in the ADOIT Administration. Once the changes are saved, they take effect immediately. A restart is not required.
The synchronisation of users will start. Jobs that run at fixed time intervals will be executed immediately and then repeated each time the time interval has passed. Schedules based on days, weeks or months will execute at the specified time.
Run the Synchronisation on Demand
The ADOIT Administration allows you to run the synchronisation on demand. The synchronisation is triggered according to the configuration specified for all configured domains.
In the ADOIT Administration, go to Home > More options, and then click Server.
Click Start LDAP synchronisation.
(Optional) Tracking Errors
General logging output and errors are written to the files "<Tomcat installation>/logs/ADOIT17_1.log" and "<ADOIT installation>/*_aworker.log". Detailed logging output can be found in the file "<Tomcat installation>/logs/ADOIT17_1_LDAP.log".