ldap_integration
Differences
ldap_integration [2019/04/17 17:05] – lucy | ldap_integration [2021/11/04 18:57] (current) – lucysecurity | ||
---|---|---|---|
Line 1: | Line 1: | ||
===== LDAP Integration ===== | ===== LDAP Integration ===== | ||
- | LUCY > 3.2 has an LDAP API, which allows the administrator to: | + | LUCY has an LDAP API, which allows the administrator to: |
- | * import recipients | + | * import recipients |
- | * import | + | * authorize |
- | directly from your directory service. | + | ==== Sync tool for Windows ==== |
+ | |||
+ | Besides LDAP API, there is a tool that can be run on Windows machines to sync your Active Directory groups with Lucy, see more [[ldap_synchronization_tool|here]]. | ||
===== Setup ===== | ===== Setup ===== | ||
- | To configure the LDAP connection please go in LDAP settings (Settings -> LDAP Settings) and save your server and authentication details. Within the field " | + | To configure the LDAP connection please go in LDAP settings (Settings -> LDAP Settings) and save your server and authentication details. Within the field " |
+ | |||
+ | :!: LUCY summarizes the values for " | ||
+ | So if the LDAP login is " | ||
Fields "Group Object" | Fields "Group Object" | ||
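Review bot: the second bullet of the rewritten intro list (`* import recipients` / `* authorize`) has no object, so it is unclear what is being authorized; make it explicit, e.g. `* authorize users (login with their directory account)`, which is what the later "Login Lucy through Active Directory (LDAP)" section describes. The removed line "directly from your directory service" also carried the point that both actions read from the directory; consider keeping it after the list. Minor: "please go in LDAP settings" should be "please go to the LDAP settings".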
Line 17: | Line 22: | ||
(|(objectClass=inetOrgPerson)(objectClass=user)) | (|(objectClass=inetOrgPerson)(objectClass=user)) | ||
+ | {{: | ||
+ | Also in the "LDAP settings" | ||
- | {{ ldap2.png?600 }} | + | {{: |
+ | //Note:// The Global Catalogue allows the connection only via two special ports: 3268 or 3269. To use this functionality, | ||
+ | |||
+ | The global catalog (GC) allows users and applications to find objects in an Active Directory domain tree, given one or more attributes of the target object. The global catalog contains a partial replica of every naming context in the directory. It contains the schema and configuration naming contexts as well. This means the GC holds a replica of every object in the directory but with only a small number of their attributes. The attributes in the GC are those most frequently used in search operations (such as a user's first and last names or login names) and those required to locate a full replica of the object. | ||
+ | |||
+ | ===== LDAP Update Preferences ===== | ||
+ | |||
+ | This menu allows configuring automatic synchronization of LDAP recipients and users that were imported into LUCY. Automatic synchronization happens every 10 minutes. | ||
+ | |||
+ | Note, these settings are global and all of the Autoupdate LDAP preferences per a group of recipients will be ignored with the settings enabled (see [[ldap_integration# | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | LDAP update preferences contain 2 options for automatic action. | ||
+ | It is possible to configure LUCY to add users and recipients automatically or to wait for the Administrator' | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | In case if you select " | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | It is also possible to customize the pattern of automatic import of users from an Organization Unit. | ||
+ | Lucy will scan a Distinguished Name (RDN) of the OrganizationUnit (eg. OU=Admins, DC=domain, DC=tld) and automatically bind a role to an imported user according to the settings that can be seen on the screenshot below. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | The user default role defines a role that will be assigned to users with manual import users from LDAP. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ===== Multiple LDAP integrations ===== | ||
+ | |||
+ | LUCY allows to configure and use multiple LDAP servers.\\ | ||
+ | The dedicated section in the LUCY web interface can be found in the Settings: | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Pressing "Add Server" | ||
+ | Configure the additional LDAP Server and press Save. It will appear in the list of available LDAP Servers ready for sync and import.\\ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After setting-up multiple LDAP Servers, there would be a dropdown menu in the import settings of the recipient group to chose the specific server for the import. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | The same choice is available for the Autoupdate feature. | ||
+ | |||
+ | {{ : | ||
===== Importing recipients in a group for a campaign ===== | ===== Importing recipients in a group for a campaign ===== | ||
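Review bot: the sentence "Lucy will scan a Distinguished Name (RDN) of the OrganizationUnit (eg. OU=Admins, DC=domain, DC=tld)" mixes two terms: `OU=Admins,DC=domain,DC=tld` is a full Distinguished Name (DN), whereas RDN means Relative Distinguished Name, i.e. the single `OU=Admins` component. State which of the two the role-binding pattern is matched against, and spell it "Organizational Unit". In the Global Catalogue note it would help to add that 3268 is the plain-LDAP GC port and 3269 the TLS (LDAPS) GC port, so an administrator knows which one gives an encrypted bind. Style: "LUCY allows to configure" should be "LUCY allows you to configure", and "to chose the specific server" should be "to choose".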
Line 26: | Line 82: | ||
When you create a new recipient group you will be able to use the previously configured LDAP connection to query and import all the users/ | When you create a new recipient group you will be able to use the previously configured LDAP connection to query and import all the users/ | ||
- | {{ ldap1.png?600 }} | + | {{: |
- | {{ ldap3.png?600 }} | + | {{: |
LUCY will automatically match the user's attributes in the LDAP directory with the available recipient attributes in LUCY. | LUCY will automatically match the user's attributes in the LDAP directory with the available recipient attributes in LUCY. | ||
Line 34: | Line 90: | ||
If " | If " | ||
+ | ===== Autoupdate LDAP Recipients ===== | ||
+ | |||
+ | It is possible to configure LUCY autoupdate recipient list of from an LDAP Server. | ||
+ | |||
+ | :!: Note, this configuration will not be active if there are global settings for recipients import disabled. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | You may use regular Active Directory search filters, for example: | ||
+ | < | ||
+ | (|(objectClass=inetOrgPerson)(objectClass=user)). | ||
+ | </ | ||
+ | |||
+ | See [[https:// | ||
+ | |||
+ | The Base DN of the query must be specified in the following format: | ||
+ | < | ||
+ | dc=MyDomain, | ||
+ | </ | ||
===== Importing users via LDAP ===== | ===== Importing users via LDAP ===== | ||
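Review bot: the filter example inside the `<code>` block, `(|(objectClass=inetOrgPerson)(objectClass=user)).`, has the sentence's full stop inside the block, so anyone copying it gets an invalid LDAP filter; move the period outside the block (the same filter earlier on the page, `(|(objectClass=inetOrgPerson)(objectClass=user))`, has no trailing dot). Also "configure LUCY autoupdate recipient list of from an LDAP Server" should read "configure LUCY to auto-update a recipient list from an LDAP Server", and the :!: note reads more clearly as "this configuration is inactive while the global import settings for recipients are disabled".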
Line 39: | Line 114: | ||
If you want to import users who can access LUCY using their AD account, you can go into the user settings menu (Settings > Users) and click the according button: | If you want to import users who can access LUCY using their AD account, you can go into the user settings menu (Settings > Users) and click the according button: | ||
- | {{ ldap5.png?600 }} | + | {{: |
By default, the User role will be assigned for all imported users. | By default, the User role will be assigned for all imported users. | ||
+ | |||
===== Which LDAP fields can be used? ===== | ===== Which LDAP fields can be used? ===== | ||
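Review bot: "click the according button" should be "click the corresponding button", and "the User role will be assigned for all imported users" should be "assigned to all imported users". Since the LDAP Update Preferences section says the default role for manually imported LDAP users is configurable there, link to that setting here instead of presenting "User" as a fixed default.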
Line 51: | Line 127: | ||
* 4.Phone - recipient phone number | * 4.Phone - recipient phone number | ||
+ | To configure other recipient fields to match Active Directory attributes go to the LDAP Fields Associations page (Settings > LDAP Settings > LDAP Fields Associations): | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | :!: Recipient' | ||
+ | |||
+ | |||
+ | ===== Login Lucy through Active Directory (LDAP) ===== | ||
+ | |||
+ | Lucy allows users to login with their Active Directory account. | ||
+ | |||
+ | === Admin console & Enduser portal === | ||
+ | |||
+ | In order users to login Admin console or Enduser portal you should first import accounts to Lucy from your Active Directory. See [[ldap_integration# | ||
+ | |||
+ | :?: Please note that to login Lucy you should use an appropriate user role that can be configured within the LDAP Update Preferences page (Settings > LDAP Settings > LDAP Update Preferences). \\ | ||
+ | |||
+ | User roles used to access Admin console: **Administrator, | ||
+ | User role used to access Enduser portal: **Enduser**. \\ | ||
+ | |||
+ | === Awareness website === | ||
+ | |||
+ | Lucy has an option to send a non-unique link for awareness website, but it requires users to login with their AD account to access the website. It also requires endusers to be imported into Lucy (see previous section). | ||
+ | |||
+ | To enable LDAP login for Awareness website, tick the option " | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | and the option "**Do not send emails**" | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | This enables the Global Link that can be used to access Awareness website after successful login via LDAP: | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | The option "Do not send emails" | ||
+ | |||
+ | ===== Troubleshoot problems ===== | ||
+ | |||
+ | * An error occurs during the connection to Azure AD LDAPS: \\ \\ < | ||
+ | * An error occurs when logging in at /admin or /user using Azure AD account: **Invalid LDAP user login or password.** \\ \\ **Solution: |
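Review bot: "In order users to login Admin console or Enduser portal you should first import accounts" should read "For users to log in to the Admin console or End-user portal, you must first import their accounts", and "a non-unique link for awareness website, but it requires users to login with their AD account" should read "a non-unique link for the awareness website, which requires users to log in with their AD account". Because the Global Link is shared rather than per-recipient, it is worth stating in this section that access to the awareness website then rests entirely on the LDAP login, so the directory's password and account policies are what protect it.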
ldap_integration.1555513507.txt.gz · Last modified: 2019/07/25 12:51 (external edit)