Configuring the LDAP settings and server

The LDAP settings on the Control Panel include whether LDAP is enabled and required for authentication, the connection to the LDAP server, and whether to support batch import or export to or from the LDAP directory. The method for processing batch imports is set in portal-ext.properties.

In portal-ext.properties, the setting ldap.import.method determines how to perform batch imports from LDAP. This setting is only applied if batch import is enabled. The available values for ldap.import.method are:

user
  Use user-based import. This is the default value.

  User-based batch import uses the import search filter configured in the Users section of the LDAP tab.

  For user-based import, Studio:
    1. Uses the user import search filter to run an LDAP search query.
    2. Imports the resulting list of users, including all of the LDAP groups each user belongs to.

  The group import search filter is ignored.

group
  Use group-based import.

  Group-based batch import uses the import search filter configured in the Groups section of the LDAP tab.

  For group-based import, Studio:
    1. Uses the group import search filter to run an LDAP search query.
    2. Imports the resulting list of groups, including all of the users in those groups.

  The user import search filter is ignored.

The value you should use depends partly on how your LDAP system works. If your LDAP directory only provides user information, without any groups, then you have to use user-based import. If your LDAP directory only provides group information, then you have to use group-based import.
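To make the difference between the two modes concrete, here is an added Python example (not Studio's own code) that runs both import methods over a small constructed directory using a minimal filter matcher; the entry layout (uid, groupOfNames, member) is an assumption made for the sample, not something the page specifies. It also shows the limitation described under Import/Export: in user mode the group filter is ignored, and in group mode every member of a matched group is imported, even one the user filter would have excluded.

```python
"""Simulate the two ldap.import.method modes over a constructed directory.
Added example, not Studio's own code: the entries and the minimal filter
matcher are built here so it runs offline; a real import sends the
filters to the LDAP server as search requests."""
PEOPLE = "ou=people,dc=companynamehere,dc=com"
GROUPS = "ou=groups,dc=companynamehere,dc=com"
ALICE, BOB, SVC = f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}", f"uid=svc-backup,{PEOPLE}"
ENG, EVERYONE = f"cn=engineering,{GROUPS}", f"cn=everyone,{GROUPS}"

# Constructed sample directory: DN -> attributes (every attribute is a list).
DIRECTORY = {
    ALICE: {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    BOB: {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    SVC: {"objectClass": ["account"], "uid": ["svc-backup"]},  # not a person
    ENG: {"objectClass": ["groupOfNames"], "cn": ["engineering"], "member": [ALICE]},
    EVERYONE: {"objectClass": ["groupOfNames"], "cn": ["everyone"],
               "member": [ALICE, BOB, SVC]},
}


def matches(entry, flt):
    """Minimal RFC 4515 matcher: (attr=value), (attr=*), (&..), (|..), (!..)."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":  # split the operands, then combine the sub-results
        parts, depth, start = [], 0, 1
        for i in range(1, len(body)):
            depth += (body[i] == "(") - (body[i] == ")")
            if depth == 0 and body[i] == ")":
                parts.append(body[start:i + 1])
                start = i + 1
        hits = [matches(entry, p) for p in parts]
        return not hits[0] if body[0] == "!" else {"&": all, "|": any}[body[0]](hits)
    attr, _, value = body.partition("=")
    return bool(entry.get(attr)) if value == "*" else value in entry.get(attr, [])


def batch_import(method, user_filter, group_filter):
    """Return (user DNs, group DNs) a batch import pulls in for the given method."""
    if method == "user":      # user filter drives the search; group filter ignored
        users = {dn for dn, e in DIRECTORY.items() if matches(e, user_filter)}
        groups = {dn for dn, e in DIRECTORY.items() if set(e.get("member", [])) & users}
    elif method == "group":   # group filter drives the search; user filter ignored
        groups = {dn for dn, e in DIRECTORY.items() if matches(e, group_filter)}
        users = {m for dn in groups for m in DIRECTORY[dn]["member"]}
    else:
        raise ValueError("ldap.import.method must be 'user' or 'group'")
    return users, groups
```

Run both modes with the page's default user filter (objectClass=inetOrgPerson) and a group filter (cn=engineering): user mode returns both people but also the "everyone" group, while group mode with (cn=everyone) drags in the service account that the user filter never matched.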

To configure the LDAP server and settings:

  1. On the Control Panel menu, click Settings.
  2. In the Settings page menu to the right, click Authentication.
  3. Click the LDAP tab.
    [Figure: LDAP tab on the Settings page]
  4. On the LDAP tab:
    1. To enable LDAP authentication, check the Enabled checkbox.
    2. To only allow users to log in using an LDAP account, check the Required checkbox.

      If this box is checked, then any users that you create manually in Studio cannot log in.

      To make sure that users you create manually can log in, make sure that this box is not checked.

  5. To populate the LDAP server configuration fields with default values based on a specific type of server:
    1. Under Default Values, click the radio button for the type of server you are using.
    2. Click Reset Values.
  6. The Connection settings cover the basic connection to LDAP:

    [Figure: Connection settings for the LDAP server]

    Base Provider URL
      The location of your LDAP server.

      Make sure that the machine on which Studio is installed can communicate with the LDAP server. If there is a firewall between the two systems, make sure that the appropriate ports are opened.

    Base DN
      The Base Distinguished Name for your LDAP directory. For a commercial organization, it may look something like:
      dc=companynamehere,dc=com

    Principal
      The user name of the administrator account for your LDAP system. This ID is used to synchronize user accounts to and from LDAP.

    Credentials
      The password for the administrative user.

    After providing the connection information, to test the connection to the LDAP server, click the Test LDAP Connection button.

  7. The Users section contains settings for finding users in your LDAP directory. The first two settings are filters for finding and identifying users.

    [Figure: Users section of the LDAP configuration settings]

    Authentication Search Filter
      The search criteria for user logins.

      If you do not enable batch import of LDAP users, then the first time a user tries to log in, Studio uses this authentication search filter to search for the user in the LDAP directory.

      By default, users log in using their email address. If you have changed this setting, you must modify the search filter here.

      For example, if you changed the authentication method to use the screen name, you would modify the search filter so that it matches the entered login name:
      (cn=@screen_name@)

    Import Search Filter
      The search filter to use for batch import of users. This filter is used if:
      • You enable batch import of LDAP users
      • In portal-ext.properties, ldap.import.method is set to user

      Depending on the LDAP server, there are different ways to identify the user.

      The default setting (objectClass=inetOrgPerson) is usually fine, but you can change it to search for only a subset of users or for users that have different object classes.

  8. Under User Mapping, map your LDAP attributes to the Studio user fields:

    [Figure: User Mapping fields for the LDAP connection]

    After setting up the attribute mappings, to test the mappings, click Test LDAP Users.

  9. Under Groups, map your LDAP groups.

    [Figure: Groups section in the LDAP configuration]
    1. In the Import Search Filter field, type the filter for finding LDAP groups.
      This filter is used if:
      • You enable batch import of LDAP users
      • In portal-ext.properties, ldap.import.method is set to group
    2. Map the following group fields:
      • Group Name
      • Description
      • User
    3. To test the group mappings, click Test LDAP Groups.

      The system displays a list of the groups returned by your search filter.

  10. The Import/Export section is used to configure batch import and export of LDAP user data:
    [Figure: Import/Export settings for the LDAP connection]
    1. If the Import Enabled checkbox is checked, then batch import of LDAP users is enabled.

      If the box is not checked, then Studio synchronizes each user as they log in.

      It is recommended that you leave this box unchecked.

      If you do enable batch import, then the import process is based on the value of ldap.import.method.

      Note also that when using batch import, you cannot filter both the imported users and imported groups at the same time. For user-based batch import mode, you cannot filter the LDAP groups to import. For group-based batch import mode, you cannot filter the LDAP users to import.

    2. If the Export Enabled checkbox is checked, then any changes to the user in Studio are exported to the LDAP system.

      It is recommended that you leave this box unchecked.

  11. To use the password policy from your LDAP system, instead of the Studio password policy, check the Use LDAP Password Policy checkbox.
    [Figure: Password Policy section of LDAP configuration]
  12. To save the LDAP configuration, click Save.
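The Authentication Search Filter in step 7 is a template: at login, the entered login name takes the place of the @screen_name@ placeholder. The added Python example below (not Studio's own code; the @name@ placeholder handling is an assumption about how the substitution works) shows what a safe substitution looks like: the value is escaped per RFC 4515 so it can only match as a literal, and the rendered filter is checked to be a single balanced expression before it is sent to the directory.

```python
"""Render an LDAP authentication search filter template, such as the
page's (cn=@screen_name@), for one login attempt.  Added example, not
Studio's own code: the @name@ placeholder syntax is taken from the page,
the escaping follows RFC 4515 section 3."""
import re

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it matches literally and cannot alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def balanced(flt):
    """True when flt is exactly one parenthesised expression with matching parens."""
    depth = 0
    for i, ch in enumerate(flt):
        depth += (ch == "(") - (ch == ")")
        if depth < 0 or (depth == 0 and i != len(flt) - 1):
            return False
    return depth == 0 and flt.startswith("(")


def render_filter(template, **values):
    """Substitute every @name@ placeholder in template with its escaped value."""
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder @{name}@")
        return escape_filter_value(values[name])   # escaped, never raw
    rendered = re.sub(r"@([A-Za-z_]+)@", repl, template)
    if not balanced(rendered):
        raise ValueError(f"filter is not a single balanced expression: {rendered}")
    return rendered
```

A plain login name renders unchanged, while a name containing parentheses or asterisks is escaped to hex form (for example "Smith (Contractor)" becomes `Smith \28Contractor\29`), so the filter still asks the directory for exactly that cn value.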