QPR Knowledge Base 2017.1

LDAP Settings


LDAP (Lightweight Directory Access Protocol) can be used to import users into the QPR Foundation Server (User Management System). The LDAP Settings page requires specific information about your LDAP server and its configuration. If you do not know the required information, contact your LDAP administrator.

LDAP Settings

Enter the address of the LDAP server in the Server address field.

 

In the Search base field, enter the value that corresponds to that which is set in your LDAP server.

In the Naming convention drop-down list, you can select from two options: "Standard" and "Active Directory". The selected Naming Convention defines which naming conventions are used for the LDAP connection parameters. The "Standard" setup is used to communicate with, for example, Lotus Notes, whereas the "Active Directory" setup is used to communicate with Windows Active Directory LDAP.

In Secure connection, select the "Always use secure connection" option to ensure that only secure connections are used. If you want only the authentication to go over a secure connection, select the "Authenticate via secure connection" option. If you do not want secure connections to be used at all, select the "Never use secure connection" option.

Secure connections with LDAP mean that the connection is made via Secure Sockets Layer (SSL). In order for SSL connections to work correctly, the following 3 preconditions must be met:

1. The LDAP server must support and accept connections via SSL.
2. The SSL certificate of the LDAP server must be signed by a certificate authority which is trusted by the computer on which the QPR Foundation Server runs.
3. The hostname in the LDAP server's certificate must match the name used to connect to the server (i.e. it must be the same as the contents of the "Server address" field on the current page, "LDAP Settings", of this configuration utility).

Enabling trust for a certificate authority (i.e. fulfilling precondition 2) is done in Windows by adding the certificate authority's certificate to the list of "Trusted Root Certification Authorities". For further information about enabling trust for certificate authorities, consult your Windows support documentation.

 

Note that currently a secure LDAP authentication requiring a client certificate is not supported.

 

 

LDAP Setting Group

The Standard/Active Directory setup information can be modified in this section. The settings are:

Distinguished name attribute: Attribute name of an LDAP directory entry which identifies the DN of the entry.

Common name attribute: Attribute name of an LDAP directory entry which identifies the full user name of the entry. When importing users, this is mapped as the user name of the user.

Person full name attribute: Attribute name of an LDAP directory entry which identifies the full name of the user. If the value is not defined explicitly, the default value is used, i.e. the value set for Common name attribute. If the value is defined, it overrides the default value.

Email attribute: Attribute name of an LDAP directory entry which identifies the email address of the entry. When importing users, this is mapped as the email address of the user.

Member attribute: Attribute name of an LDAP directory entry that identifies one group member. An entry having this attribute represents some kind of group. The entry has one (Member attribute, DN of the member) pair for each of its members.

Description attribute: Attribute name of an LDAP directory entry which identifies the description of the entry. When importing users, this is mapped as the description of the user.

Filter for searching groups: Groups are retrieved from the LDAP directory using this search filter.

Filter for searching persons: Users are retrieved from the LDAP directory using this search filter.

User id attribute name: Attribute name of an LDAP directory entry which identifies the user id (login name) of the entry. It is mapped as the user id when importing users.

Group search base: The distinguished name of the entry under which the search is performed. Used when searching for groups in LDAP. If set to <Default>, the value of SearchBase in QPR_Servers.ini is used (see Appendix A in the QPR Administrator's Guide for a description of the SearchBase key).

Use Global Catalog searching for AD: Defines whether Global Catalog searching for Active Directory objects in any domain in the forest is enabled.
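As an added illustration (not QPR's own code), the following Python simulates the user import that the setting group above drives, over a small constructed directory. The attribute names chosen for the two naming conventions, the sample entries and the mapping functions are assumptions, not values taken from this page.

```python
# Added example, not QPR code: simulate the LDAP user import configured by
# the "LDAP Setting Group". Entries are plain dicts of attribute -> value.

# Assumed attribute names for the two naming conventions. An empty
# "full_name" means "not defined explicitly", so the cn attribute is used.
SETTING_GROUPS = {
    "Standard": {
        "dn": "dn", "cn": "cn", "full_name": "", "email": "mail",
        "member": "uniqueMember", "description": "description", "user_id": "uid",
    },
    "Active Directory": {
        "dn": "distinguishedName", "cn": "cn", "full_name": "displayName",
        "email": "mail", "member": "member", "description": "description",
        "user_id": "sAMAccountName",
    },
}

def import_users(entries, settings):
    """Map directory entries to QPR user records plus group membership by DN."""
    full_name_attr = settings["full_name"] or settings["cn"]  # default rule
    users, groups = {}, {}
    for e in entries:
        dn = e[settings["dn"]]
        if settings["member"] in e:      # an entry with a member attribute is a group
            groups[dn] = list(e[settings["member"]])
            continue
        users[dn] = {
            "login": e[settings["user_id"]],          # User id attribute
            "user_name": e[settings["cn"]],           # Common name attribute
            # Assumption: an entry missing the full-name attribute falls back to cn.
            "full_name": e.get(full_name_attr, e[settings["cn"]]),
            "email": e.get(settings["email"], ""),
            "description": e.get(settings["description"], ""),
        }
    membership = {dn: [g for g, members in groups.items() if dn in members]
                  for dn in users}
    return users, membership

# Constructed sample directory using the Active Directory convention.
SAMPLE_AD_ENTRIES = [
    {"distinguishedName": "CN=Alice,OU=Users,DC=example,DC=com", "cn": "Alice",
     "displayName": "Alice Example", "mail": "alice@example.com",
     "sAMAccountName": "alice", "description": "Analyst"},
    {"distinguishedName": "CN=Bob,OU=Users,DC=example,DC=com", "cn": "Bob",
     "mail": "bob@example.com", "sAMAccountName": "bob"},   # no displayName
    {"distinguishedName": "CN=Modelers,OU=Groups,DC=example,DC=com", "cn": "Modelers",
     "member": ["CN=Alice,OU=Users,DC=example,DC=com"]},
]
```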

 

LDAP Directory Login

As the authentication method, you can select either anonymous authentication or login with user name and password. If you select the Login with user name and password checkbox, enter the User name and Password for the LDAP directory login in the corresponding fields.

LDAP Scheduled Synchronization Settings

This section is used to define the LDAP scheduled synchronization settings.

 

Synchronization method: Defines how QPR Foundation Server synchronizes users and groups with LDAP. The options are:

1. No synchronization (default).
2. Synchronization enabled: users in groups found in both LDAP and QPR Foundation Server are synchronized.
3. Synchronization enabled, delete obsolete users: users in groups found in both LDAP and QPR Foundation Server are synchronized, but obsolete users, i.e. users no longer found in LDAP, are moved to the group defined by the Group for deleted users setting; if that group is not defined, those users are deleted.
4. Synchronization enabled, deleted users synchronized: users in groups found in both LDAP and QPR Foundation Server are synchronized, and users in the deleted users group are moved back to normal groups if they are re-added in LDAP.

WARNING: If synchronization is used, changing groups in LDAP may result in users and related data (actions, element owners) being removed from QPR Foundation Server.

Start date and time: Defines the initial start time of group synchronization. The format is datetime (yyyy-MM-dd hh:mm).

Synchronization interval (dd:hh:mm): Defines the interval between group synchronization operations, counted from the time defined in Start date and time. The correct format for this setting is a colon-separated list of days, hours and minutes. For example, if Start date and time=2008-15-01 01:15 and Synchronization interval=01:00:00, the first synchronization takes place on 2008-15-01 01:15 and subsequent synchronizations are done every day at 01:15.

Excluded groups (comma-separated list): A comma-separated list of groups which are excluded from synchronization. If a user belongs to any of the groups listed in this setting, the synchronization does not affect that user. Note that the group name must be enclosed in double quotes if the name contains spaces.

Group for deleted users: Name of the group where users not found in LDAP are moved during synchronization if obsolete users are set to be deleted. If this is empty, the affected users are deleted from QPR Foundation Server. By default this is "#Deleted users#".
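The following Python, added here and not part of the QPR product, works through the schedule arithmetic and the obsolete-user rules of the "delete obsolete users" method on constructed data: the dates, logins, group names and function names are assumptions.

```python
# Added example, not QPR code: synchronization schedule and obsolete-user
# handling as described by the scheduled synchronization settings.
import csv
from datetime import datetime, timedelta

def parse_interval(text):
    """Parse a 'dd:hh:mm' interval; reject malformed hour/minute fields."""
    days, hours, minutes = (int(p) for p in text.split(":"))
    if days < 0 or not (0 <= hours < 24) or not (0 <= minutes < 60):
        raise ValueError(f"bad interval: {text}")
    return timedelta(days=days, hours=hours, minutes=minutes)

def sync_times(start, interval, count):
    """First `count` run times: start (yyyy-MM-dd hh:mm) plus k * interval."""
    start_dt = datetime.strptime(start, "%Y-%m-%d %H:%M")
    delta = parse_interval(interval)
    return [start_dt + k * delta for k in range(count)]

def parse_excluded(text):
    """Comma-separated group list; names containing spaces are double-quoted."""
    row = next(csv.reader([text], skipinitialspace=True), [])
    return [g.strip() for g in row if g.strip()]

def reconcile(qpr_users, ldap_logins, excluded, deleted_group):
    """'Synchronization enabled, delete obsolete users' over a constructed
    qpr_users map {login: [group, ...]}. Users absent from ldap_logins are
    moved to deleted_group, or deleted when that group is empty; users in an
    excluded group are left untouched. Returns (moved, deleted) logins."""
    excluded = set(excluded)
    moved, deleted = [], []
    for login, groups in list(qpr_users.items()):
        if login in ldap_logins or excluded.intersection(groups):
            continue                       # still in LDAP, or protected
        if deleted_group:
            qpr_users[login] = [deleted_group]
            moved.append(login)
        else:
            del qpr_users[login]
            deleted.append(login)
    return moved, deleted
```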