UPSSO ADMINISTRATION – LDAP INTEGRATION AND CONFIGURATION
This document explains how to integrate and configure LDAP servers, such as Active Directory and OpenLDAP, with UPSSO. The integration allows LDAP users to sign in to the UPSSO application. LDAP security groups can also be configured to control which of those users are allowed access.
CONFIGURE LDAP DETAILS
1. Login into the UPSSO portal as an administrator user.
2. Click on “LDAP Integration” => “LDAP Integration” from the left side navigation menu.
3. Enter the LDAP details as described below:
LDAP Host: Hostname or IP address of the LDAP server
LDAP Port: Port number of the LDAP server (Example: 389 or 636)
LDAP Username: Username to access LDAP server
LDAP DN: The Distinguished Name of the root node under which all the LDAP users and groups exist. (Example: DC=democompany,DC=com)
LDAP Password: Password to access LDAP server
Confirm LDAP Password: Repeat the LDAP password
LDAP Type: Select the LDAP product type. UPSSO supports Active Directory and OpenLDAP
Use SSL/TLS: Select this checkbox if the LDAP server accepts connections on a secure port such as 636. Please note, if this option is selected then a secure port number must be specified in “LDAP Port”.
LDAP Account Prefix: This string is prefixed to every username when authenticating against the LDAP server. (For example, if the prefix is “democompany\” then the username sent to the LDAP server will be “democompany\demouser”.) Some LDAP implementations do not need this prefix; leave it blank in that case.
LDAP Account Suffix: This string is suffixed to every username when authenticating against the LDAP server. (For example, if the suffix is “@democompany” then the username sent to the LDAP server will be “demouser@democompany”.) Some LDAP implementations do not need this suffix; leave it blank in that case.
4. Click on the “SAVE” button.
5. Click on the “TEST LDAP” button to test the connection. If the connection is successful, the system displays the number of users found.
6. Please refer to the following screenshot for reference.
Note: If LDAP server integration is not required, LDAP connectivity can be disabled using the on/off button highlighted below. When the LDAP connection is off, UPSSO does not attempt to validate users against LDAP; it validates them only against the UPSSO directory users (database users).
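The fields above carry two consistency rules that are easy to get wrong: the SSL/TLS checkbox and the port must agree, and the prefix and suffix are simply wrapped around the username before it is sent to the server. As an added example, not UPSSO's own code and not a description of how UPSSO validates its form, the following Python checks a settings record for those problems and composes the bind identity. The `LdapSettings` class, its field names and the assumption that the connector sends prefix + username + suffix are mine.

```python
"""Constructed example: check UPSSO-style LDAP settings for consistency and
compose the identity sent to the LDAP server.

Assumption (not stated by the UPSSO guide): the bind name is built as
prefix + username + suffix, exactly as the two examples in the guide show.
"""
from dataclasses import dataclass

# LDAPS on 636 and Active Directory global-catalog LDAPS on 3269
SECURE_PORTS = {636, 3269}


@dataclass
class LdapSettings:
    host: str
    port: int
    username: str
    base_dn: str
    ldap_type: str          # "ActiveDirectory" or "OpenLDAP" (assumed labels)
    use_ssl: bool = False
    account_prefix: str = ""
    account_suffix: str = ""


def compose_bind_identity(username: str, prefix: str = "", suffix: str = "") -> str:
    """Return the name sent to the LDAP server, e.g. 'democompany\\demouser'
    for a prefix of 'democompany\\' or 'demouser@democompany' for a suffix."""
    return f"{prefix}{username}{suffix}"


def validate_settings(s: LdapSettings) -> list[str]:
    """Return the configuration problems found; an empty list means the
    settings are mutually consistent (it does not prove the server is reachable)."""
    problems = []
    if not s.host.strip():
        problems.append("LDAP Host is empty")
    if not 1 <= s.port <= 65535:
        problems.append(f"LDAP Port {s.port} is out of range")
    # The guide's own caveat: SSL/TLS selected requires a secure port such as 636
    if s.use_ssl and s.port not in SECURE_PORTS:
        problems.append(f"Use SSL/TLS is selected but port {s.port} is not a secure port (e.g. 636)")
    if not s.use_ssl and s.port in SECURE_PORTS:
        problems.append(f"port {s.port} is an LDAPS port but Use SSL/TLS is not selected")
    if not s.use_ssl:
        # The service account credentials and every user's password would cross the network in clear
        problems.append("connection is plaintext: the LDAP Username and Password travel unencrypted")
    if s.ldap_type not in ("ActiveDirectory", "OpenLDAP"):
        problems.append(f"unsupported LDAP Type {s.ldap_type!r}")
    # Minimal DN shape check: every comma-separated component must be type=value
    if not all("=" in part for part in s.base_dn.split(",")):
        problems.append(f"LDAP DN {s.base_dn!r} is not a distinguished name (expected e.g. DC=democompany,DC=com)")
    if s.account_prefix and s.account_suffix:
        problems.append("both a prefix and a suffix are set; usually only one form (DOMAIN\\user or user@domain) is needed")
    return problems


if __name__ == "__main__":
    settings = LdapSettings("ldap.democompany.com", 636, "svc-upsso",
                            "DC=democompany,DC=com", "ActiveDirectory",
                            use_ssl=True, account_prefix="democompany\\")
    print(compose_bind_identity("demouser", settings.account_prefix, settings.account_suffix))
    print(validate_settings(settings) or "settings look consistent")
```

The plaintext warning is deliberate: with “Use SSL/TLS” unchecked, the LDAP service account password entered on this form and every user password checked at login are sent to the directory unencrypted, so the checkbox is worth treating as a requirement rather than an option wherever the server offers port 636.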
CONFIGURING LDAP SECURITY GROUPS
UPSSO provides the option to configure one or more security groups to limit access to specific groups of users. Only users who belong to these groups are allowed to access UPSSO. Here are the steps to add a security group:
1. Login into UPSSO as an administrator user.
2. Click on “LDAP Integration” => “LDAP Security Groups” from the left side navigation menu.
3. Enter the Distinguished Name of the security group in the “LDAP Security Group” field (for example, CN=IT-Users-Group,OU=IT Department,DC=democompany,DC=com).
4. Select Status as Active.
5. Click on the “SAVE” button.
TIP: We can use the AdExplorer tool (https://download.sysinternals.com/files/AdExplorer.zip) to copy the Distinguished Name of the Security Group. Connect to the LDAP server using AdExplorer and navigate to the Security Group to copy the Distinguished Name.
MAPPING LDAP USER ATTRIBUTES TO UPSSO
By default, UPSSO user attributes are mapped to the standard LDAP attributes. UPSSO administrators have the option to map a UPSSO user attribute to some other LDAP attribute instead of the default one.
For example, by default UPSSO reads the Email ID from the LDAP attribute “mail”, as highlighted below.
An administrator may decide to use the “description” LDAP attribute to store the Email ID instead of the default “mail” attribute, as shown below. Please note, in the Active Directory screenshot below, the Email ID is stored in Description rather than in Email.
Here are the steps to map the Email to the “description” LDAP attribute:
1. Login into UPSSO as an administrator.
2. Click on “LDAP Integration” => “LDAP Attribute Mapping” from the left side navigation menu.
3. Click on the Action button for Email, as highlighted below.
4. Enter “description” in the “LDAP Attribute” field, as shown below.
5. Click on the “SAVE” button.
Note: The button “RESET DEFAULT” can be used to revert the “LDAP Attribute” value to the default one.
TIP: All the Active Directory user attributes are available here (https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all). Visit this webpage and click on an attribute of your choice. Copy the “Ldap-Display-Name” value.
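The two preceding sections both operate on attributes of the LDAP user entry: the security-group check looks at the group DNs the user is a member of, and attribute mapping decides which LDAP attribute feeds each UPSSO field. The following Python is an added example, not UPSSO code, that applies both rules to a constructed Active Directory entry; the entry, the `memberOf`-based membership rule, the treatment of an empty group list as "no restriction", and the default mapping for fields other than Email (the guide only states that Email defaults to “mail”) are my assumptions.

```python
"""Constructed example: evaluate security-group membership and attribute mapping
for an LDAP user entry, the way a UPSSO administrator would expect them to behave.

Everything here is illustrative: the sample entry is hand-written, and the
rule that a user must be in at least one configured group is an assumption
about how the "LDAP Security Groups" list is applied.
"""
import re
from typing import Optional

# Default UPSSO field -> LDAP attribute mapping. Only "mail" for Email comes
# from the guide; the other two defaults are assumed for the example.
DEFAULT_MAPPING = {"email": "mail", "mobile": "mobile", "display_name": "displayName"}

# Constructed Active Directory entry, shaped like the attributes AD returns for a user
SAMPLE_ENTRY = {
    "sAMAccountName": ["demouser"],
    "mail": [],                                    # Email field left empty in this directory
    "description": ["demouser@democompany.com"],   # Email ID kept in Description instead
    "mobile": ["+1 555 0100"],
    "displayName": ["Demo User"],
    "memberOf": [
        "CN=IT-Users-Group,OU=IT Department,DC=democompany,DC=com",
        "CN=All Staff,OU=Groups,DC=democompany,DC=com",
    ],
}


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lower-case attribute types and values and
    drop whitespace around the separating commas. DNs are matched case-insensitively
    by Active Directory, so a DN typed by hand must still match the value copied from
    AdExplorer. Escaped commas (\\,) inside a value are left alone."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def is_member_of_allowed_group(entry: dict, allowed_group_dns: list[str]) -> bool:
    """True when the entry's memberOf contains any configured (Active) security group DN.
    An empty configured list is treated as 'no group restriction' (assumption)."""
    if not allowed_group_dns:
        return True
    member_of = {normalize_dn(g) for g in entry.get("memberOf", [])}
    return any(normalize_dn(g) in member_of for g in allowed_group_dns)


def map_user_attributes(entry: dict, overrides: Optional[dict] = None) -> dict:
    """Build the UPSSO user record from the LDAP entry, honouring per-field overrides
    such as {"email": "description"}. A missing or empty LDAP attribute yields None so
    the caller can flag the mismatch instead of silently storing an empty string."""
    mapping = {**DEFAULT_MAPPING, **(overrides or {})}
    record = {}
    for upsso_field, ldap_attr in mapping.items():
        values = entry.get(ldap_attr)
        # LDAP attributes are multi-valued; UPSSO shows a single value per field
        if isinstance(values, list):
            values = values[0] if values else None
        record[upsso_field] = values
    return record


if __name__ == "__main__":
    allowed = ["cn=it-users-group, ou=IT Department, dc=democompany, dc=com"]
    print("allowed:", is_member_of_allowed_group(SAMPLE_ENTRY, allowed))
    print("default mapping:", map_user_attributes(SAMPLE_ENTRY))
    print("email from description:", map_user_attributes(SAMPLE_ENTRY, {"email": "description"}))
```

With the default mapping the sample user's email comes back as None, which is exactly the symptom an administrator would see when the directory keeps the address in Description; switching the Email mapping to “description” resolves it. The DN normalisation matters for the security group check because a group DN typed with different capitalisation or extra spaces after the commas still names the same group.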
TESTING THE LDAP INTEGRATION
Here are the steps to test the LDAP integration:
1. Login into the UPSSO portal with an LDAP username and password.
2. After the successful login, logout.
3. Login into the UPSSO portal as an administrator.
4. Click on “Users” from the left side navigation menu.
5. Search for the LDAP username used in step 1.
6. Make sure the Source is “LDAP”. (Note: All users created from LDAP have the Source set to LDAP. Their passwords are not stored in UPSSO; these users are always authenticated against the LDAP server.)
7. Make sure data such as email and mobile match the LDAP data.