Configuring LDAP for Managing User Accounts and Groups
Before you update your user accounts and groups through an LDAP server, you must do the following:
- Configure your LDAP server.
- Map attributes from your LDAP directory to your user accounts in Archer.
- Set the rules for creating, updating, activating, and reactivating the user accounts and groups.
Important: LDAP synchronization is not available for Archer SaaS.
Recommended configurations
You can also set a schedule to automate the synchronization process between your LDAP server and the Archer database. It is recommended that you select LDAP servers that accept connections over TLS (LDAPS, typically TCP port 636), and that you set the LDAP Connection attribute to secure, so that the bind credentials and directory data are never sent in clear text.
Note: It is recommended that you require a domain for LDAP synchronizations and SSO. If domains are not used, disable the display of the Domain field in the Archer Control Panel.
Task 1: Set up your LDAP server
- From the menu, go to Access Control > LDAP Configurations.
- Add a new LDAP configuration.
- In the General Information section, enter the name and description.
- Click the Configuration tab, and do the following:
In the LDAP / Active Directory Server section, enter the LDAP / Active Directory Server Domain, Name / IP Address, and connection or binding preferences.
The following table describes each field.
User's Domain
The domain to which user accounts from this LDAP server belong. The name must be unique for all LDAP configurations.
If you are using Windows Authentication, ensure that the User's Domain value matches the Windows domain name. If these values do not match, single sign-on (SSO) fails. Domain names are not case sensitive.
Name/IP Address
The fully qualified domain name or IP address of your LDAP or Active Directory server. Leave this field empty if you select Use Serverless Binding.
Use Serverless Binding
Selecting this option binds the LDAP connection to a default domain controller without naming a server: the domain itself takes responsibility for directing Archer to an appropriate domain controller. If the previously contacted domain controller is unavailable, another domain controller is located and used instead. For example, if your primary domain controller is down for maintenance, Archer is directed to a secondary one and LDAP synchronization still runs. Microsoft recommends serverless binding for fault tolerance.
Note: Serverless binding is an Active Directory feature and relies on the Archer server being able to locate domain controllers for the domain, which in practice means the server is joined to that domain or trusts it.
In the LDAP/Active Directory Server Configuration section, enter the configuration options for your LDAP server.
The following table describes each field.
User Name
The user name of the account Archer binds with when the LDAP or Active Directory server requires authentication. Use a dedicated service account with read-only access to the user and group containers; it needs no write permissions and should not be a domain administrator.
Password
The password of that bind account.
Active Directory Domain
The domain of the Active Directory when additional authentication is required.
User Identifier
Identifies the object as a user object.
- For new LDAP configurations, the default value is user.
- For Active Directory servers, the default value is user.
- For other LDAP servers, the default value is inetOrgPerson.
To obtain the actual default values for your organization, contact your LDAP Administrator.
Group Identifier
Identifies the object as a group object.
- For new LDAP configurations, the default value is group.
- For Active Directory servers, the default value is group.
- For other LDAP servers, the default value is groupOfUniqueNames.
To obtain the actual default values for your organization, contact your LDAP Administrator.
Additional Attributes
Additional attributes that must be retrieved from the LDAP source during the search, for example attributes that your filters or Data Sync criteria refer to but that are not otherwise mapped.
User's Group Identifier
Identifies the groups to which the user belongs.
- For new LDAP configurations, the default value is memberOf.
- For Active Directory servers, the default value is memberOf.
- For other LDAP servers, the default value is uniqueMember.
To obtain the actual default values for your organization, see your LDAP Administrator.
Users and Groups
Sets the user/group association.
- Users contain groups. Specifies that the user-group association is defined in the user object (for example, memberOf on an Active Directory user).
- Groups contain users. Specifies that the user-group association is defined in the group object (for example, uniqueMember on an LDAP group).
Connection Timeout
The timeout, in seconds, for the LDAP query.
Important: This value must be a whole number greater than 0.
For new LDAP configurations, the default value is 60.
- Click Save or Save and Close.
- To apply the changes and continue working, click Save.
- To save and exit, click Save and Close.
Task 2: Map LDAP attributes to your user profiles
Fields modified during mapping
Mapping affects user profile fields as follows:
- A user profile field that is mapped to an LDAP attribute is populated for new accounts. The value is retained for existing accounts.
- A user profile field that is mapped to an LDAP attribute that does not have a value is not populated for new accounts. The value is retained for accounts that were previously created.
- When the Email Address or Phone field in the user profile is mapped to an LDAP value, the LDAP value is inserted in the first email or phone number field in the user profile for new user accounts. For existing accounts, the LDAP value replaces the value in the first email or phone number field in the user profile. If a user has modified the email address or phone number through the Platform, the modification is overwritten by LDAP synchronization unless the LDAP value is null.
- The Time Zone field in the user profile cannot be mapped to an LDAP attribute.
Tasks
- From the menu, go to Access Control > LDAP Configurations.
- Open the configuration, and click the Configuration tab.
- Go to the User Field Mapping section.
- In the Base DN field, enter the distinguished name of the container that holds the user accounts, for example OU=Users,DC=example,DC=com (a DN, not a DNS domain name such as example.com).
- (Optional) In the Filter field, enter the criteria for filtering the LDAP directory.
- Click Get Attributes to populate the field mapping.
- In the User Field Mapping section, select the attribute for each field in the user profile that you are synchronizing with the LDAP directory.
The following table describes each field.
Base DN
Specifies the Base Distinguished Name (DN) for the location of user account information in your LDAP directory.
Filter
Filters the LDAP information available for mapping to user profile fields. Filters are entered using the following format: objectClass=class name.
Example:
You want to map only LDAP values associated with the User class. Enter objectClass=user as the filter. This entry makes the values associated with this class available for mapping.
Get Attributes
Populates the Attribute lists in the Field Mapping section.
Note: Archer supports custom user attributes defined in your LDAP server. Only custom attributes whose syntax is human-readable, with object identifiers (OIDs) as defined in RFC 2252 (since superseded by RFC 4517), are available for mapping in the User Field Mapping section.
Field Mapping
Maps the attributes from the LDAP directory to the fields in the user profile. You must map all required fields in the user profile to an attribute.
Test Connection
Tests the connection defined in the LDAP configuration between the Archer database and the LDAP or Active Directory server.
If an error is displayed because the number of records returned exceeds the server's configured size limit (for Active Directory, the MaxPageSize LDAP policy, 1000 by default), contact your LDAP administrator to request a configuration change, or narrow the Base DN and Filter so that fewer entries are returned.
- Click Save or Save and Close.
- To apply the changes and continue working, click Save.
- To save and exit, click Save and Close.
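The Base DN and Filter values above are typed by hand, and a Filter value that embeds a human-supplied string (an office name, say) is a classic LDAP-injection point. As an added example, not Archer's code and not part of the original page, the Python helper below composes a Filter value from criteria, escapes values per RFC 4515 so that a string such as New York)(cn=* cannot change the filter's structure, adds the standard Active Directory clause that excludes disabled accounts, and checks that a Base DN is a DN rather than a DNS domain name. The attribute physicalDeliveryOfficeName and the matching-rule OID are standard Active Directory; the function names are assumptions of this example. The page shows the bare form objectClass=user for the Filter field, so confirm on a test configuration whether your Archer instance also accepts the fully parenthesised form produced here.

```python
"""Helpers for composing the Filter and Base DN values (added example, not Archer code)."""
import re
from typing import List, Optional, Tuple

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Active Directory: LDAP_MATCHING_RULE_BIT_AND and the ACCOUNTDISABLE bit of userAccountControl.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ADS_UF_ACCOUNTDISABLE = 0x2


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot inject filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equals(attribute: str, value: str) -> str:
    """(attribute=value) with the value escaped."""
    return f"({attribute}={escape_filter_value(value)})"


def all_of(*terms: str) -> str:
    """Logical AND of filter terms; a single term is returned unwrapped."""
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"


def none_of(term: str) -> str:
    return f"(!{term})"


def not_disabled_in_ad() -> str:
    """Excludes AD accounts whose ACCOUNTDISABLE bit is set in userAccountControl."""
    return none_of(f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ADS_UF_ACCOUNTDISABLE})")


def user_filter(object_class: str = "user", office: Optional[str] = None,
                exclude_disabled: bool = True) -> str:
    """Build a Filter value for the User Field Mapping section.

    object_class: the User Identifier (user for AD, inetOrgPerson elsewhere).
    office: optional office name, matched against physicalDeliveryOfficeName
            (assumed to be the AD attribute behind the documentation's 'Office').
    """
    terms = [equals("objectClass", object_class)]
    if office:
        terms.append(equals("physicalDeliveryOfficeName", office))
    if exclude_disabled:
        terms.append(not_disabled_in_ad())
    return all_of(*terms)


# RFC 4514: an RDN is attributeType=value; the type is a descriptor or a dotted OID.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)\s*=(.*\S)\s*$")


def parse_base_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a Base DN into (type, value) pairs, rejecting non-DN input such as a
    bare DNS domain ('example.com'). Multi-valued RDNs (a+b) are not handled."""
    parsed = []
    for rdn in re.split(r"(?<!\\),", dn):
        m = _RDN.match(rdn)
        if not m:
            raise ValueError(f"not a valid RDN in Base DN: {rdn!r}")
        parsed.append((m.group(1), m.group(2)))
    return parsed


def is_base_dn(dn: str) -> bool:
    try:
        parse_base_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(user_filter())
    print(user_filter(office="New York)(cn=*"))   # injection attempt is neutralised
    print(parse_base_dn("OU=Users,DC=example,DC=com"))
```

Run it as a script to see the composed filter and the parsed DN; paste the filter into a test configuration and use Test Connection before touching production. The userAccountControl clause matters for the Deactivation rules in Task 3: without it, accounts that are disabled in Active Directory still match the search and are never deactivated by the "no matching LDAP user" rule.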
Task 3: Set rules for managing user accounts and groups
- From the menu, go to Access Control > LDAP Configurations.
- Open the configuration, and click the Data Sync tab.
- In the User Account Management section, define the rules for updating, creating, deactivating, and reactivating accounts.
The following table describes each section.
Updating
Specifies the rules for updating the user profile.
- Update all user accounts on each sync: Updates all user accounts based on the information contained in your LDAP server.
- Update only user accounts where the LDAP attribute meets the following criteria: Updates only the user accounts whose matching LDAP entry satisfies the specified attribute criteria.
Example:
You want to update only user accounts from your New York office. Select Office from the Attribute list, select Equals from the Operator list, and enter New York in the Value field.
Creating
Creates a user account when no account with a matching login exists in Archer. The new user account's name is the value of the LDAP attribute mapped to the User Name (Login) field.
Clear User DNs
Clears the stored distinguished names of all users just before the LDAP synchronization starts; the synchronization then repopulates them with the current distinguished names from the directory. Stored distinguished names become stale when, for example, users change their login names or are moved to a different organizational unit or part of the company, and a user with a stale distinguished name cannot log into Archer.
Note: It is strongly recommended that you enable this option.
Deactivation
Deactivates user accounts.
- Deactivate all user accounts that do not have a matching LDAP user: Deactivates user accounts for which no matching LDAP account is found during data synchronization.
- Deactivate those user accounts where the LDAP attribute meets the following criteria: Deactivates user accounts whose matching LDAP entry satisfies the criteria you enter.
Example:
You want to deactivate user accounts where the employment status of the matching LDAP user account is set to inactive. Select Employment Status from the Attribute list, select Equals from the Operator list, and enter Inactive in the Value field.
Reactivation
Reactivates inactive user accounts whose matching LDAP entry satisfies the specified attribute criteria.
Example:
You want to reactivate inactive user accounts where the employment status of the matching LDAP user account is set to active. Select Employment Status from the Attribute list, select Equals from the Operator list, and enter Active in the Value field.
Send Notification
Sends a notification to each newly created user to alert the user of a new password. The Default Email Address in the user account must be present for the notification to be sent. When you select this option, a notification message is sent to every user that is created.
Disable this option when synchronizing a large number of records: creating many users at once can cause the email server to exceed its capacity for sending email messages.
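The Updating, Creating, Clear User DNs, Deactivation and Reactivation rules interact, and the safest way to understand a rule set is to run it over a handful of known records before pointing it at the production directory. The Python model below is an added example, not Archer's synchronization engine and not part of the original page; it reproduces only the behaviour the documentation states (null LDAP values never overwrite a profile value, accounts are matched on the login mapping, unmatched accounts are deactivated, criteria are attribute/Equals/value). The directory entries and accounts are constructed, the attribute names employeeType and physicalDeliveryOfficeName are assumed stand-ins for the page's "Employment Status" and "Office", and case-insensitive matching is an assumption rather than documented behaviour.

```python
"""Offline model of the Data Sync rules (added example, not Archer code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    """Minimal stand-in for an Archer user account."""
    login: str
    active: bool = True
    dn: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Criteria:
    """An 'Attribute / Equals / Value' rule from the Data Sync tab. Only Equals is
    modelled; case-insensitive comparison is an assumption, not documented behaviour."""
    attribute: str
    value: str

    def matches(self, entry: dict) -> bool:
        actual = entry.get(self.attribute)
        return actual is not None and actual.casefold() == self.value.casefold()


def apply_mapping(acct: Account, entry: dict, mapping: Dict[str, str]) -> None:
    """Copy mapped attributes into the profile. A missing or null LDAP value never
    clears what the profile already holds (the documented null behaviour)."""
    for profile_field, ldap_attr in mapping.items():
        value = entry.get(ldap_attr)
        if value is not None:
            acct.fields[profile_field] = value


def sync(accounts: List[Account], entries: List[dict], mapping: Dict[str, str], *,
         update: Optional[Criteria] = None, create: bool = True,
         clear_user_dns: bool = True, deactivate_unmatched: bool = True,
         deactivate: Optional[Criteria] = None,
         reactivate: Optional[Criteria] = None) -> List[Account]:
    """One synchronization pass. update=None means 'Update all user accounts on each sync'."""
    by_login = {a.login: a for a in accounts}
    if clear_user_dns:                       # Clear User DNs: drop stale DNs first
        for a in accounts:
            a.dn = None
    matched = set()
    for entry in entries:
        login = entry[mapping["User Name"]]  # the User Name (Login) mapping names the account
        acct = by_login.get(login)
        if acct is None:
            if not create:
                continue
            acct = Account(login)
            accounts.append(acct)
            by_login[login] = acct
            apply_mapping(acct, entry, mapping)
        elif update is None or update.matches(entry):
            apply_mapping(acct, entry, mapping)
        acct.dn = entry["dn"]                # DN repopulated from the current directory
        matched.add(login)
        if deactivate is not None and deactivate.matches(entry):
            acct.active = False
        elif reactivate is not None and not acct.active and reactivate.matches(entry):
            acct.active = True
    if deactivate_unmatched:                 # 'Deactivate all user accounts that do not have a matching LDAP user'
        for a in accounts:
            if a.login not in matched:
                a.active = False
    return accounts


MAPPING = {"User Name": "sAMAccountName", "Email": "mail", "Phone": "telephoneNumber"}

# Constructed directory entries; no telephoneNumber for Alice on purpose.
LDAP_ENTRIES = [
    {"dn": "CN=Alice,OU=NY,DC=example,DC=com", "sAMAccountName": "alice",
     "mail": "alice@example.com", "physicalDeliveryOfficeName": "New York", "employeeType": "Active"},
    {"dn": "CN=Bob,OU=LDN,DC=example,DC=com", "sAMAccountName": "bob",
     "mail": "bob.new@example.com", "physicalDeliveryOfficeName": "London", "employeeType": "Inactive"},
    {"dn": "CN=Carol,OU=NY,DC=example,DC=com", "sAMAccountName": "carol",
     "mail": "carol@example.com", "physicalDeliveryOfficeName": "New York", "employeeType": "Active"},
    {"dn": "CN=Frank,OU=NY,DC=example,DC=com", "sAMAccountName": "frank",
     "mail": "frank@example.com", "physicalDeliveryOfficeName": "New York", "employeeType": "Active"},
]


def run_demo() -> Dict[str, Account]:
    """Constructed Archer accounts: alice has a stale DN, dave has no LDAP match, frank is inactive."""
    accounts = [
        Account("alice", dn="CN=Alice,OU=Old,DC=example,DC=com",
                fields={"Email": "old@example.com", "Phone": "555-0100"}),
        Account("bob", fields={"Email": "bob@example.com"}),
        Account("dave", fields={"Email": "dave@example.com"}),
        Account("frank", active=False),
    ]
    sync(accounts, LDAP_ENTRIES, MAPPING,
         update=Criteria("physicalDeliveryOfficeName", "New York"),
         deactivate=Criteria("employeeType", "Inactive"),
         reactivate=Criteria("employeeType", "Active"))
    return {a.login: a for a in accounts}


if __name__ == "__main__":
    for login, acct in run_demo().items():
        print(login, "active" if acct.active else "inactive", acct.dn, acct.fields)
```

Running it shows the outcomes a sync with these rules produces: alice's email is replaced by the directory value while her phone number survives because the directory has none, bob keeps his old email because the New York update rule does not match him and is deactivated because his status is Inactive, carol is created, dave is deactivated for having no matching directory entry, and frank is reactivated. The last two are the ones to watch: a wrong Base DN or an over-tight Filter makes every account look unmatched and deactivates them all, so test the rule set against a copy first.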
- (Optional) In the Group Management section, select whether to enable Group Sync as part of the sync process.
The following table describes each field.
Group Sync
Replicates your LDAP group structure in Archer when synchronized.
The common name (CN) of the group on your LDAP server is used as the group name in Archer. If a group in Archer is created before synchronizing with your LDAP server, and there is a group with a matching name in your LDAP directory, the group in Archer is not synchronized with the LDAP group. Instead, a new group with the same name is created and is flagged with the Synchronization icon.
Selecting the Group Sync option makes your LDAP server the authoritative system for Archer group management:
- Any groups that you delete from your LDAP server are also deleted from Archer.
- Any changes made to your groups in the LDAP directory are reflected in Archer.
You cannot edit or delete groups in Archer that were created through LDAP synchronization. You can create additional groups in Archer that are not included in your LDAP group structure, and can fully manage these groups in Archer.
Group Base DN
Specifies the Base Distinguished Name (DN) for your LDAP group structure.
If you selected Group Sync and you do not specify a DN for your group structure, the group sync query defaults to the Base DN specified in the LDAP configuration.
- Click Save or Save and Close.
- To apply the changes and continue working, click Save.
- To save and exit, click Save and Close.