- 27 Sep 2021
LDAP Configurations
- Updated on 27 Sep 2021
Purpose
This article reviews the User Administration tool, specifically for LDAP configuration.
The User Administration tool is found in the Control Panel under Administration Tools - Users. This screen is utilized to create users, modify users, enable/disable users and delete users.
Administrators may also modify the following properties of a user account:
- Change user passwords
- Administer user groups
- Manage supervisor assignment
- Update user preferences
- Set user and password expiration
- View user history
- View user task list
Only enabled users are counted for licensing or billing purposes.
LDAP Capabilities
As users are administered within VisualVault, there is the ability to integrate VisualVault with LDAP authentication servers using LDAP Profiles.
- After a profile has been set up, administrators can import users into VisualVault.
- Passwords for imported users are maintained by the LDAP source.
- When integrating with LDAP authentication servers, the user accounts may not be easy to use in the VisualVault interface.
- Administrators can change the format used to display user names in the interface.
Views and Licensing
User licenses in VisualVault are based on the number of enabled User IDs.
- Each enabled User ID in the system must have a User License.
- Users that are disabled are not counted against the license.
- The "Public" user does not count as one of the user licenses.
- For ease of security administration, it is recommended that users are assigned to groups, then groups are used to assign user roles and permissions.
Creating an LDAP Profile
As users are administered within VisualVault, there is the ability to integrate VisualVault with LDAP authentication servers using LDAP Profiles.
- After a profile has been set up, administrators can import users into VisualVault.
- Passwords for imported users are maintained by the LDAP source.
- When integrating with LDAP authentication servers, the user accounts may not be easy to use in the VisualVault interface.
- Administrators can change the format used to display user names in the interface.
LDAP Profile ID Card - Server Details Tab
The following is a list of fields on the LDAP ID Card:
LDAP Server Details
Server Type
Configures the profile with various predetermined profile configurations. Options include:
- Active Directory
- ADAM (Active Directory Application Mode)
- AD LDS (Active Directory Lightweight Directory Services)
- Novell eDirectory
- Other (used for generic LDAP integration)
LDAP Profile Name
Name of LDAP Profile.
Description
Description of LDAP Profile.
Active Directory Domain
Can use a FQDN, domain name or IP Address.
Domain Naming Context
Full LDAP path (e.g. dc=acme,dc=com).
Use SSL
Configures the LDAP profile to connect to LDAP using SSL.
- Required for AD-LDS & ADAM.
Server Credentials
User Principal Name or Domain/User ID
The user ID is used to interface with LDAP.
- Under most circumstances, an account that can read LDAP and facilitate authentication is required.
Password
Password for the user account used to connect to the LDAP server.
Search Options
LDAP Search Filter
LDAP search filter to limit the kinds of records that will be available for import.
Search Results Page Size
Configure the number of results that can be returned from the LDAP server.
Attribute Mapping
LDAP Attribute Names
Configures which LDAP attributes are mapped to the user attributes in VisualVault.
Security Options
Import User's Groups
Configure the profile to import the groups from LDAP.
Create Groups Only in User's Default Database
If the user is in multiple VisualVault databases, the groups are only created in the default VisualVault database.
Allow Users to Change Password
Allows a user to change their LDAP password.
Allow Users to Reset Password
Allow the user to reset their password through the forgotten password process.
Scheduled Synchronization
Enable Scheduled Synchronization
Enable synchronization to occur on a scheduled basis.
Import New Users
Configure the LDAP import to automatically import new users.
Occurs Every
Configure how often the scheduled synchronization occurs.
Start Date
Configure the start date for when the imports begin to occur.
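The LDAP Search Filter decides which directory records are offered for import and, with Import New Users enabled, which accounts each scheduled synchronization brings in automatically. The sketch below is an added example, not VisualVault code: it assumes an Active Directory server type and that the field accepts standard RFC 4515 filter syntax, and the group name and directory entries are constructed. It builds a filter scoped to enabled person accounts in one group and checks locally which sample entries it would select.

```python
# Added example, not VisualVault code. Entries and the group DN are constructed.
ACCOUNTDISABLE = 0x2                # Active Directory userAccountControl flag
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule OID

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_import_filter(group_dn):
    """Filter for enabled person accounts that are direct members of group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:%s:=%d))(memberOf=%s))"
            % (BIT_AND, ACCOUNTDISABLE, escape_filter_value(group_dn)))

def matches(entry, group_dn):
    """Local equivalent of the filter, to check expectations before importing."""
    groups = [g.lower() for g in entry.get("memberOf", [])]
    return (entry.get("objectCategory") == "person"
            and "user" in entry.get("objectClass", [])
            and not int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE
            and group_dn.lower() in groups)

def would_import(entries, group_dn):
    """Account names the filter would make available for import."""
    return [e["sAMAccountName"] for e in entries if matches(e, group_dn)]

GROUP = "CN=VisualVault Users (Prod),OU=Groups,DC=acme,DC=com"  # hypothetical
OTHER = "CN=Finance,OU=Groups,DC=acme,DC=com"                   # hypothetical
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

ENTRIES = [  # constructed sample directory entries
    {"sAMAccountName": "alice", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512, "memberOf": [GROUP]},
    {"sAMAccountName": "bob", "objectCategory": "person",      # disabled (514)
     "objectClass": USER_CLASSES, "userAccountControl": 514, "memberOf": [GROUP]},
    {"sAMAccountName": "WS01$", "objectCategory": "computer",  # machine account
     "objectClass": USER_CLASSES + ["computer"], "userAccountControl": 4096,
     "memberOf": [GROUP]},
    {"sAMAccountName": "carol", "objectCategory": "person",    # other group
     "objectClass": USER_CLASSES, "userAccountControl": 512, "memberOf": [OTHER]},
]

if __name__ == "__main__":
    print(build_import_filter(GROUP))
    print(would_import(ENTRIES, GROUP))
```

Without `objectCategory=person` the machine account would match, because computer objects in Active Directory also carry the `user` object class; the escaped parentheses keep the group name from terminating the filter early.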
LDAP Profile ID Card - Import Users Tab
This tab shows the list of users from the LDAP source that can be imported.
- Select the Get LDAP Users button to get the list of users from LDAP.
- Once you have a list of users, check the check box to the left of the user accounts you want to import.
- Select Import Selected to import any user that has been checked.
LDAP Profile ID Card - Import Log Tab
The Import Log shows status information and logs as items are synchronized with VisualVault.
LDAP Profile Setup
To create a new LDAP Profile:
- Hover over the user information in the upper right-hand corner of the window and select Control Panel.
- Select the Enterprise Tools tab.
- Select LDAP Import.
- Use the New LDAP Profile button.
- In the window that appears (for an image, see LDAP Profile ID Card sections above):
  - Select the Server Type.
  - Key in the LDAP Profile Name.
  - Key in the LDAP or Active Directory Domain.
  - Key in the Domain Naming Context (e.g. dc=acme,dc=com).
  - Key in the User Principal Name or Domain/User ID.
  - Key in the Password of the user.
  - Key in or configure other sections:
    - Search Options
    - Attribute Mapping
    - Security Options
    - Scheduled Synchronization
- When finished, use the Save button.
- Select Test Import at the top to ensure that the profile connects to LDAP.