ldap_integration

Differences

ldap_integration [2019/06/04 11:06] lucy
ldap_integration [2021/11/04 18:57] (current) lucysecurity
Line 3: Line 3:
 LUCY has an LDAP API, which allows the administrator to: LUCY has an LDAP API, which allows the administrator to:
  
-  * import recipients  +  * import recipients and users directly from your directory service 
-  * import users (LUCY administrators)+  * authorize users in the Admin console, Enduser portal and Awareness website
  
-directly from your directory service.+==== Sync tool for Windows ==== 
 + 
 +Besides LDAP API, there is a tool that can be run on Windows machines to sync your Active Directory groups with Lucy, see more [[ldap_synchronization_tool|here]].
  
  
 ===== Setup ===== ===== Setup =====
-To configure the LDAP connection please go in LDAP settings (Settings -> LDAP Settings) and save your server and authentication details. Within the field "Server Address" you need to enter your LDAP server IP address, within the field "Server Port" you should enter TCP/UDP port for LDAP (default port 389 or port 636 for LDAPS) and if "Use Global Catalog" and "LDAP over SSL" are enabled you should use the ports 3268 and 3269. Within the field "Domain Controller" you need to enter your LDAP Server Root RDN (example: "dc=domain,dc=com") and within the field "Login" you need to enter user RDN (example: "cn=Administrator,cn=Users").+To configure the LDAP connection please go in LDAP settings (Settings -> LDAP Settings) and save your server and authentication details. Within the field "Server Address" you need to enter your LDAP server IP address, within the field "Server Port" you should enter TCP/UDP port for LDAP (default port 389 or port 636 for LDAPS) and if "Use Global Catalog" and "LDAP over SSL" are enabled you should use the ports 3268 and 3269. Within the field "Domain Controller" you need to enter your LDAP Server Root RDN (example: "dc=domain,dc=com") and within the field "Login" you need to enter user RDN (example: "cn=Administrator,cn=Users"). \\ 
 + 
 +:!: LUCY summarizes the values for "Domain Controller" and "Login" on the backend. 
 +So if the LDAP login is "cn=ldap,cn=user,dc=domain,dc=com", put "dc=domain,dc=com" to the "Domain Controller" and "cn=ldap,cn=user" to "Login".
  
 Fields "Group Object" and "User Object" are used to filter search from the LDAP objects. Objects within "Group Object" and "User Object" fields need to be separated with a comma and one space.  Fields "Group Object" and "User Object" are used to filter search from the LDAP objects. Objects within "Group Object" and "User Object" fields need to be separated with a comma and one space. 
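Review bot: the port guidance in the Setup paragraph is ambiguous about which port belongs to which option: 3268 is the Global Catalog port for plain LDAP and 3269 is the Global Catalog port over SSL, so the sentence should map each port to its setting ("Use Global Catalog" alone: 3268; "Use Global Catalog" with "LDAP over SSL": 3269) instead of listing "3268 and 3269" as a pair. LDAP binds run over TCP, so "TCP/UDP port" should read "TCP port". Because a simple bind sends the bind password in clear text unless "LDAP over SSL" is on, it is worth stating that 636 or 3269 is the recommended choice, and the "Login" example "cn=Administrator,cn=Users" would be better replaced by a dedicated read-only bind account, since this credential is stored on the LUCY server. The added note that LUCY concatenates "Login" and "Domain Controller" on the backend is a useful clarification and resolves a common misconfiguration.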
Line 53: Line 58:
 {{ :default_role.png?400 |}} {{ :default_role.png?400 |}}
  
 +===== Multiple LDAP integrations =====
  
 +LUCY allows to configure and use multiple LDAP servers.\\
 +The dedicated section in the LUCY web interface can be found in the Settings:
 +
 +{{ :ldap_multi_1.png?600 |}}
 +
 +Pressing "Add Server" would result the usual LDAP server configuration page to appear.\\
 +Configure the additional LDAP Server and press Save. It will appear in the list of available LDAP Servers ready for sync and import.\\
 +
 +{{ :ldap_multi_2.png?600 |}}
 +
 +After setting-up multiple LDAP Servers, there would be a dropdown menu in the import settings of the recipient group to chose the specific server for the import.
 +
 +{{ :ldap_multi_3.png?600 |}}
 +
 +The same choice is available for the Autoupdate feature.
 +
 +{{ :ldap_multi_4.png?600 |}}
  
 ===== Importing recipients in a group for a campaign ===== ===== Importing recipients in a group for a campaign =====
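Review bot: grammar in the new "Multiple LDAP integrations" section: "LUCY allows to configure and use" should be "LUCY allows you to configure and use", "Pressing "Add Server" would result the usual LDAP server configuration page to appear" should be "Pressing "Add Server" opens the usual LDAP server configuration page", "setting-up" should be "setting up", and "chose" should be "choose". The section states that the Autoupdate feature gets the same per-server dropdown; the Autoupdate paragraph later on the page does not mention this, so a cross-reference there would tell readers with several servers which one a scheduled update uses.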
Line 70: Line 93:
  
 It is possible to configure LUCY autoupdate recipient list of from an LDAP Server. It is possible to configure LUCY autoupdate recipient list of from an LDAP Server.
-Note, this configuration will not be active if there are global settings for recipients import enabled.+ 
 +:!: Note, this configuration will not be active if there are global settings for recipients import disabled.
  
 {{ :autoupdate_recepients.png?600 |}} {{ :autoupdate_recepients.png?600 |}}
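Review bot: this edit flips the condition from "enabled" to "disabled" ("will not be active if there are global settings for recipients import disabled"), which inverts the meaning of the note rather than clarifying it; confirm which reading is correct and state it unambiguously, for example "This per-group autoupdate is ignored while the global recipient import is enabled" if the original was right. The preceding sentence also has a stray "of": "autoupdate recipient list of from an LDAP Server" should read "autoupdate a recipient list from an LDAP Server".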
Line 103: Line 127:
   * 4.Phone - recipient phone number   * 4.Phone - recipient phone number
  
 +To configure other recipient fields to match Active Directory attributes go to the LDAP Fields Associations page (Settings > LDAP Settings > LDAP Fields Associations):
 +
 +{{ ::ldap_fields_associations.png?500 |}}
 +
 +:!: Recipient's custom fields are also supported.
 +
 +
 +===== Login Lucy through Active Directory (LDAP) =====
 +
 +Lucy allows users to login with their Active Directory account.
 +
 +=== Admin console & Enduser portal ===
 +
 +In order users to login Admin console or Enduser portal you should first import accounts to Lucy from your Active Directory. See [[ldap_integration#importing_users_via_ldap|this]] section for more details. \\
 +
 +:?: Please note that to login Lucy you should use an appropriate user role that can be configured within the LDAP Update Preferences page (Settings > LDAP Settings > LDAP Update Preferences). \\
 +
 +User roles used to access Admin console: **Administrator, View, User, Supervisor**. \\
 +User role used to access Enduser portal: **Enduser**. \\
 +
 +=== Awareness website ===
 +
 +Lucy has an option to send a non-unique link for awareness website, but it requires users to login with their AD account to access the website. It also requires endusers to be imported into Lucy (see previous section).
 +
 +To enable LDAP login for Awareness website, tick the option "**Enduser Direct login**" within the Base Settings in your campaign:
 +
 +{{ ::enduser_direct_login.png?400 |}}
 +
 +and the option "**Do not send emails**" within the Website section of the Awareness settings:
 +
 +{{ ::do_not_send_emails.png?500 |}}
 +
 +This enables the Global Link that can be used to access Awareness website after successful login via LDAP:
 +
 +{{ ::global_link.png?600 |}}
 +
 +The option "Do not send emails" disables sending awareness emails from campaign, that allows to share the Global Link through your own channel.
 +
 +===== Troubleshoot problems =====
  
 +  * An error occurs during the connection to Azure AD LDAPS: \\ \\ <code>Error connecting to LDAP Server: 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580</code> **Solution:** Invalid Login or Password. \\ Login must be in the format CN=<username>OU=<ou>, for example: CN=UserTest,OU=AADDC Users
 +  * An error occurs when logging in at /admin or /user using Azure AD account: **Invalid LDAP user login or password.** \\ \\ **Solution:** Please make sure you have enabled your NTLM password hash synchronization. Users cannot bind using secure LDAP or sign in to the managed domain, until you enable password hash synchronization to Azure AD Domain Services. Follow the instructions below, depending on the type of users in your Azure AD directory. Complete both sets of instructions if you have a mix of cloud-only and synced user accounts in your Azure AD directory. \\ \\ [[https://aka.ms/aadds-pwsynccloud|Instructions for cloud-only user accounts]] \\ [[https://aka.ms/aadds-pwsync|Instructions for synced user accounts]]
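Review bot: in the login section, "In order users to login Admin console or Enduser portal" should read "In order for users to log in to the Admin console or Enduser portal", and "to login Lucy" should be "to log in to Lucy". In the troubleshooting list, the Azure AD login format "CN=<username>OU=<ou>" is missing the comma that separates the RDNs and that the example itself uses ("CN=UserTest,OU=AADDC Users"); write it as "CN=<username>,OU=<ou>". The "data 52e" value in the quoted bind error is the Active Directory code for invalid credentials, so the stated solution matches the message. For the Awareness website, it is worth spelling out that with "Do not send emails" the Global Link is non-unique, so access control rests entirely on the LDAP login: any imported enduser with the link can open the site, and the link should be distributed only through a channel limited to the intended audience.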
ldap_integration.1559639186.txt.gz · Last modified: 2019/07/25 12:50 (external edit)