Directory Services: LDAP Sync


iSheriff Cloud Console can connect to an LDAP server to import users from the Directory Service. The LDAP server details must be set up on the console before the connection will succeed.


To do so, log in to the iSheriff Cloud Console and go to Filter Management > User Management > Directory Services > Directory Host > New Host.



Clicking New Host opens the Server tab, shown below:



On the Server tab, fill in the following:

- Server Type: select from the drop-down menu, for example Active Directory or OpenLDAP.

- Host Description: a descriptive name for the host.

- Protocol Version: select v2 or v3 according to what the server supports.

- Hostname: the name or IP address of the host.

- Port: the default port is 389. If a different port is used, specify it here.

- Login Name: the credentials for the login; the CN (Common Name) or DN (Distinguished Name) of the account used to make the connection.

- Login Password: the password for that login.

- Use SSL (Secure Socket Layer): check this option if the connection to the host is encrypted with SSL.

- Anonymous Login: check this option if an anonymous connection is used.


The next tab is Connections and Filters:

- Base DN: most directory servers require a base search DN, which is used when connecting to the directory database.

- Query: can be left blank; usually not needed.

- User Search Filter: the filter used to identify an object as a user account.

- Group Search Filter: depending on the Group Type selected, specify the attributes that identify an object as a group; this filter is used when retrieving the group list.

- Email Alias Search Filter: used to search for attributes that hold email addresses.


The next tab is Attributes:

- Login Attribute: the user login attribute as defined on the host. The default is cn.

- First Name Attribute: as defined on the host. The default is givenname.

- Last Name Attribute: as defined on the host. The default is sn.

- Password Attribute: as defined on the host.

- Primary Email Address Attribute: the email attribute, and the key for retrieving email aliases for users. See also Email Alias Attribute and Email Alias Search Filter.

- Email Alias Attribute: specifies an email search attribute plus any additional attributes that might hold a user's other email addresses. The Primary Email Address Attribute field should contain only one attribute, whereas this field accepts a comma-separated list of attributes that store the user's other email addresses. Example: Primary Email Address Attribute = mail, Email Alias Search Filter = (objectclass=email), Email Alias Attributes = aliasemail,cn

- Group Type: one of two types:

  a) User Field: the group value name is stored on each user entry and is retrieved in the same query as the user list.

  b) Group Subset: a separate query that matches all the attributes for the users in the LDAP database. It also takes the group attribute from the value declared in Group Attribute.

- Group Attribute: the group attribute in the user database. The default is gidnumber.

- Member of Attribute: if the group comes from a separate query, this is the attribute that holds the group value. The default is cn.

At the bottom of the page there are two options, Test Users and Test Email Aliases. Use them to check that the information entered is correct.
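As an added example (not iSheriff's code), the following Python applies settings like those on the Connections and Filters and Attributes tabs to a small constructed directory snapshot, showing how the User Search Filter, the comma-separated Email Alias Attributes and both Group Types shape the imported user list. Filter matching is simplified to a single equality assertion, and the Group Subset join rule is an assumption.

```python
# Added example, not iSheriff code: apply console-style settings to a constructed directory
# snapshot. Filters are limited to one (attr=value) assertion; the Group Subset join rule
# (user Group Attribute -> group Member of Attribute) is my reading of the page, not confirmed.

# Constructed entries shaped like LDAP search results (attribute -> list of values).
DIRECTORY = [
    {"objectclass": ["person", "email"], "cn": ["alice"], "givenname": ["Alice"], "sn": ["Adams"],
     "mail": ["alice@example.com"], "aliasemail": ["a.adams@example.com"], "gidnumber": ["100"]},
    {"objectclass": ["person"], "cn": ["bob"], "sn": ["Brown"], "mail": ["bob@example.com"], "gidnumber": ["200"]},
    {"objectclass": ["posixgroup"], "cn": ["staff"], "gidnumber": ["100"]},
    {"objectclass": ["posixgroup"], "cn": ["contractors"], "gidnumber": ["200"]},
]

# Keys mirror the Connections and Filters / Attributes tabs; attribute names are the page's defaults.
CONFIG = {
    "user_search_filter": "(objectclass=person)", "group_search_filter": "(objectclass=posixgroup)",
    "email_alias_search_filter": "(objectclass=email)",
    "login_attribute": "cn", "first_name_attribute": "givenname", "last_name_attribute": "sn",
    "primary_email_attribute": "mail", "email_alias_attributes": "aliasemail,cn",  # comma-separated
    "group_type": "Group Subset",  # or "User Field": group value read straight from the user entry
    "group_attribute": "gidnumber", "member_of_attribute": "cn",
}

def matches(entry, ldap_filter):
    """Case-insensitive match of a single (attr=value) assertion against one entry."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def first(entry, attr):
    return entry.get(attr, [None])[0]

def sync_users(entries, cfg):
    names = {}  # Group Subset only: Group Attribute value -> name taken from the group query
    if cfg["group_type"] == "Group Subset":
        for g in (e for e in entries if matches(e, cfg["group_search_filter"])):
            names[first(g, cfg["group_attribute"])] = first(g, cfg["member_of_attribute"])
    users = []
    for e in entries:
        login = first(e, cfg["login_attribute"])
        if not matches(e, cfg["user_search_filter"]) or login is None:
            continue  # not a user account, or no login value (what "Test Users" would flag)
        email = first(e, cfg["primary_email_attribute"])
        aliases = []
        if matches(e, cfg["email_alias_search_filter"]):  # alias attributes read only on a match
            for attr in (a.strip() for a in cfg["email_alias_attributes"].split(",")):
                aliases += [v for v in e.get(attr, []) if v != email]
        users.append({"login": login, "first": first(e, cfg["first_name_attribute"]),
                      "last": first(e, cfg["last_name_attribute"]), "email": email, "aliases": aliases,
                      "groups": [names.get(g, g) for g in e.get(cfg["group_attribute"], [])]})
    return users
```

Switching `group_type` to "User Field" keeps the raw gidnumber values as the group names, which is why the two modes produce different group lists for the same users.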


The next tab is Groups:

- Click Update Groups to populate the group list, then select the groups you want to synchronize and move them to the right-hand box.


The next tab is Host Synchronization:

This tab lets you schedule the day and hour of the automatic synchronization process.


Important: before scheduling synchronization, test the process with the "Test synchronization" button and verify the resulting list. The synchronization process may report warnings or errors.


- Synchronize this host: enable or disable automatic synchronization.

- Schedule synchronization: enable this to schedule the synchronization.

- Connection Retry Times: the number of times the synchronization is retried if it fails.


NOTE: The LDAP port must be open on the company firewall for a successful connection.