Version: 16.0

Set Up Periodic Synchronisation of Users with LDAP

ADONIS allows you to automate the synchronisation of users with an LDAP-compliant directory service.

Depending on the configuration, synchronised users are assigned to preconfigured user groups and system roles. Optionally, specific repositories are assigned to them as their working place, and the users are shared with these repositories so that they are available as objects in modelling.

The following steps have to be taken to enable synchronisation:

  1. Adapt Domain-Specific LDAP Parameters

  2. Adapt Global LDAP Settings

  3. Adapt Synchronisation Settings

  4. Start Synchronising Users

Note

If you set up the authentication mechanism Login with LDAP Coupling before you enable periodic synchronisation of users with LDAP, important parts of the configuration can be reused.

Attention

To enable synchronisation, you need experience with JSON. If you need help, contact your ADONIS consultant.

Adapt Domain-Specific LDAP Parameters

Domain-specific parameters need to be set.

  1. Open the ADONIS Administration.

  2. Go to Home > More options, and then click LDAP.

  3. Click the Edit connector button to edit your domain.

Adapt the following parameters:

  • sync_base_dn [optional]

    A domain-specific parameter. Define the node in the directory service tree structure that should be used as the starting point for user searches.

    Note

    The sync_base_dn parameter is used as a fallback when the startNode attribute is not defined for the synchronisation job. If neither sync_base_dn nor startNode is defined, the login_base_dn parameter is used as a fallback.

  • sync_filter [optional]

    A domain-specific parameter. A filter to narrow down what should be queried from the directory service. For example, set the value of this attribute to "(objectClass=user)" to fetch only users.

    Note

    The sync_filter parameter is used as a fallback when the filter attribute is not defined for the synchronisation job. If neither sync_filter nor filter is defined, the value "(objectClass=user)" is used as a fallback.

Adapt Global LDAP Settings

Adapting the global LDAP settings to enable synchronisation requires the same steps as setting up the authentication mechanism Login with LDAP Coupling. Therefore, refer to the corresponding description, Adapt Global LDAP Settings.

User Mapping

If LDAP coupling is configured for the Standard connector and a user mapping is specified for it, you can reuse that user mapping (the assignment of system roles, user groups, repositories and user attributes) for synchronisation:

  • The value of the property defaultConnector must be the ID of the Standard connector (by default "Standard Login").

If you have not enabled LDAP coupling, you may have to configure a global user mapping inside the general LDAP settings. For details on how to configure a user mapping, please refer to the section User Mapping.

Adapt Synchronisation Settings

The following parameters control how the synchronisation works.

Note

Examples are included in the template with all authentication parameters explained. You can download this template from the LDAP page by clicking Download Template.

These parameters can be configured:

  • Within the general LDAP Settings, to adapt the synchronisation for all configured domains (= globally) at the same time.

  • For a specific domain, to adapt the synchronisation for a specific domain.

The configuration works in the same way in both cases:

  • synchronization (property: schedules)

    schedules is an array of scheduling objects.

  • schedule [{properties: name, filter [optional], startNode [optional], scheduleType, scheduleInterval, scheduleCronData}]

    The configuration of a synchronisation job consists of the following properties:

      • name: A name for this job (used only for traceability in the log files).

      • filter: A filter to narrow down what should be queried from the directory service. For example, set the value of this attribute to "(objectClass=user)" to fetch only users.

      • startNode: The node in the directory service tree structure that should be used as the starting point for user searches.

        Note

        The sync_base_dn parameter is used as a fallback when the startNode attribute is not defined for the synchronisation job. If neither sync_base_dn nor startNode is defined, the login_base_dn parameter is used as a fallback.

      • scheduleType: The time unit to be used (1:seconds | 2:minutes | 3:hours | 4:days | 5:weeks | 6:months | 7:years).

      • scheduleInterval: The synchronisation interval, i.e. every how many time units ADONIS performs the job. This setting is compatible with scheduleType 1, 2, 3 and 7.

      • scheduleCronData (properties: D, w, h, m)

        This parameter schedules the synchronisation job to run periodically at fixed times or dates. It is compatible with scheduleType 4, 5 and 6 only. It consists of the following properties:

          • D: Day of month, allowed values: 1-31.

          • w: Day of week, allowed values: 1-7 (Sunday - Saturday). Separate multiple values with a comma.

          • h: The hour at which to run the job.

          • m: The minute at which to run the job.

Note

A schedule based on days will execute daily but can use a declaration of the day/days of the week to limit it to certain days only.

A schedule based on weeks will execute once per week. It needs the declaration of the day of week.

A schedule based on months will execute once per month. It needs the declaration of the day of month.

Example

"synchronization": {
  "schedules": [
    {
      "filter": "(objectClass=user)",
      "name": "my5minSync",
      "scheduleInterval": "5",
      "scheduleType": 2,
      "startNode": "dc=boc,dc=eu"
    }
  ]
}

Objects are imported from the directory service:

  • every 5 minutes [scheduleType = minutes, scheduleInterval = execute every 5 units (= minutes)],
  • if they are user objects [filter = "(objectClass=user)"] and
  • if they belong to the node "dc=boc,dc=eu" or its children [startNode].

Example

"synchronization": {
  "schedules": [
    {
      "filter": "(objectClass=user)",
      "name": "myWorkDaySync",
      "scheduleCronData": {
        "h": 1,
        "m": 0,
        "w": [ 2, 3, 4, 5, 6 ]
      },
      "scheduleType": 4,
      "startNode": "dc=boc,dc=eu"
    }
  ]
}

Objects are imported from the directory service:

  • daily from Monday to Friday [scheduleType = days, scheduleCronData = execute on the 1st, 2nd, 3rd, 4th and 5th weekday at 1:00 AM local time],
  • if they are user objects [filter = "(objectClass=user)"] and
  • if they belong to the node "dc=boc,dc=eu" or its children [startNode].
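The following script is an added example, not ADONIS code or part of the template: it applies the rules documented above (the filter and startNode fallback chains, which properties each scheduleType requires, the 1-7 Sunday-Saturday day-of-week numbering, and the "run immediately, then every interval" behaviour of interval jobs) to a job definition and computes the job's next execution time. The two schedules from the examples above are embedded as constructed sample input, together with a made-up domain block. Two behaviours are assumptions, since the page does not state them: w is accepted both as the JSON array used in the example and as a comma-separated string, and a monthly job whose day D does not exist in a month skips that month.

```python
"""Added example (not ADONIS code): check a synchronisation job against the rules
documented above and compute its next run. scheduleType codes as on the page:
1=seconds 2=minutes 3=hours 4=days 5=weeks 6=months 7=years."""
from calendar import monthrange
from datetime import datetime, timedelta

DEFAULT_FILTER = "(objectClass=user)"
INTERVAL_TYPES = {1: "seconds", 2: "minutes", 3: "hours", 7: "years"}
CRON_TYPES = {4: "days", 5: "weeks", 6: "months"}


def effective_scope(job, domain):
    """Documented fallbacks: filter->sync_filter->default, startNode->sync_base_dn->login_base_dn."""
    search_filter = job.get("filter") or domain.get("sync_filter") or DEFAULT_FILTER
    base_dn = (job.get("startNode") or domain.get("sync_base_dn")
               or domain.get("login_base_dn"))
    if not base_dn:
        raise ValueError("no startNode, sync_base_dn or login_base_dn configured")
    return search_filter, base_dn


def _weekdays(cron):
    """Assumption: accept the JSON-array form from the example or the "2,3,4" string form."""
    w = cron.get("w")
    if w is None:
        return None
    return {int(x) for x in (w if isinstance(w, (list, tuple)) else str(w).split(","))}


def validate_schedule(job):
    """Return a list of problems (empty list = valid) per the documented rules."""
    errors = []
    st = job.get("scheduleType")
    if st in INTERVAL_TYPES:
        if int(job.get("scheduleInterval", 0)) < 1:
            errors.append("scheduleInterval must be >= 1 for scheduleType 1, 2, 3 or 7")
    elif st in CRON_TYPES:
        cron = job.get("scheduleCronData") or {}
        if "h" not in cron or "m" not in cron:
            errors.append("scheduleCronData needs h and m")
        if st == 5 and "w" not in cron:
            errors.append("a weekly schedule needs the day of week (w)")
        if st == 6 and "D" not in cron:
            errors.append("a monthly schedule needs the day of month (D)")
        weekdays = _weekdays(cron)
        if weekdays and not weekdays <= set(range(1, 8)):
            errors.append("w values must be 1-7 (Sunday-Saturday)")
    else:
        errors.append(f"unknown scheduleType {st!r}")
    return errors


def _dt(value):
    """Accept a datetime or an ISO 8601 string."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def next_run(job, now, last_run=None):
    """Next run strictly after `now`; interval jobs run at once on save (last_run None)."""
    now, last_run, st = _dt(now), _dt(last_run), job["scheduleType"]
    if st in INTERVAL_TYPES:
        if last_run is None:
            return now
        interval = int(job["scheduleInterval"])
        if st == 7:  # timedelta has no "years"; step the calendar year instead
            return last_run.replace(year=last_run.year + interval)
        return last_run + timedelta(**{INTERVAL_TYPES[st]: interval})
    cron = job["scheduleCronData"]
    hour, minute = int(cron["h"]), int(cron["m"])
    if st == 6:  # monthly: day D at h:m
        day = int(cron["D"])
        first = now.replace(day=1, hour=hour, minute=minute, second=0, microsecond=0)
        for _ in range(24):
            # assumption (not stated on the page): months without day D are skipped
            if day <= monthrange(first.year, first.month)[1]:
                candidate = first.replace(day=day)
                if candidate > now:
                    return candidate
            first = (first.replace(day=28) + timedelta(days=4)).replace(day=1)
        raise ValueError(f"no month with day {day} in the next two years")
    # daily (optionally limited by w) or weekly (w required): next allowed day at h:m
    allowed = _weekdays(cron)
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    for _ in range(8):
        doc_weekday = (candidate.weekday() + 1) % 7 + 1  # Monday=0 -> 1=Sunday..7=Saturday
        if candidate > now and (allowed is None or doc_weekday in allowed):
            return candidate
        candidate += timedelta(days=1)
    raise ValueError("no allowed weekday within a week")


DOMAIN = {"login_base_dn": "dc=boc,dc=eu"}  # constructed domain block, not from the page
JOBS = [  # the two schedules shown in the examples above
    {"filter": "(objectClass=user)", "name": "my5minSync",
     "scheduleInterval": "5", "scheduleType": 2, "startNode": "dc=boc,dc=eu"},
    {"filter": "(objectClass=user)", "name": "myWorkDaySync",
     "scheduleCronData": {"h": 1, "m": 0, "w": [2, 3, 4, 5, 6]},
     "scheduleType": 4, "startNode": "dc=boc,dc=eu"},
]

if __name__ == "__main__":
    for job in JOBS:  # reference time is a constructed Friday
        print(job["name"], effective_scope(job, DOMAIN), validate_schedule(job) or "ok",
              next_run(job, "2024-01-05T12:00:00"))
```

Run with a reference time of Friday 2024-01-05 12:00, my5minSync is due immediately (and five minutes after each run thereafter), while myWorkDaySync skips Saturday (w=7) and Sunday (w=1) and is next due on Monday 2024-01-08 at 01:00. Running validate_schedule over a configuration before saving it catches the combinations the page rules out, such as a weekly job without w or a monthly job without D.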

Start Synchronising Users

Save your changes in the ADONIS Administration. Once the changes are saved, they take effect immediately. A restart is not required.

The synchronisation of users will start. Jobs that run at fixed time intervals will be executed immediately and then repeated each time the time interval has passed. Schedules based on days, weeks or months will execute at the specified time.

Run the Synchronisation on Demand

The ADONIS Administration allows you to run the synchronisation on demand. The synchronisation is triggered according to the configuration specified for all configured domains.

  • In the ADONIS Administration, go to Home > More options, and then click Server.

  • Click Start LDAP synchronisation.

(Optional) Tracking Errors

General logging output and errors are written to the files "<Tomcat installation>/logs/ADONIS16_0.log" and "<ADONIS installation>/*_aworker.log". Detailed logging output can be found in the file "<Tomcat installation>/logs/ADONIS16_0_LDAP.log".