
Add an LDAP server

You can use LDAP servers for authentication and to retrieve user data.

  1. Click [System] - [Connectivity] - [LDAP server] - [LDAP servers].

  2. Click [Add] or click on the bar of the LDAP server that you want to configure. The bar expands and you can fill in the required settings.

    Table 1.

    Setting

    Description

    [Domain name for LDAP server:]

    You can define a custom name for the LDAP server. The custom name must be unique.

    NOTE

    An LDAP server can be used for Windows authentication of users.

    [Credentials policy: ]

    The credentials policy defines which credentials are used by the JDF Framework service to connect to the LDAP server.

    You can select one of the following credential policies:

    • [Use the credentials of the currently logged on user]

      These are the credentials that are stored in the global settings of the LDAP server. These credentials are used for each connected LDAP server. These credentials are not defined in the application by the user.

      [Use the credentials of the currently logged on user] is the default value for the drop-down list. This value can always be used for each LDAP server.

    • [Use the credentials which are stored on the LDAP server]

      These are the credentials that you define in [LDAP server user name:] and [LDAP user password:].

    • [Use the credentials of the Windows user who runs the JDF Framework service]

      You can select this credential policy only for Secure-based authentication types. This credential policy supports Integrated Windows Authentication (IWA) only.

      These credentials are defined by the user during the installation of the application. The Windows user can be DocWorker, a local user, or a selected domain user.

      You can identify the Windows user who runs the JDF Framework in the Services dialogue of Microsoft Windows:

      .\JdfFramework: local user

      .\DocWorker: DocWorker

      Secure authentication type

    [LDAP server user name:]

    You must supply a user name and password to retrieve information from the LDAP server.

    This option becomes available when you select value [Use the credentials which are stored on the LDAP server] in option [Credentials policy: ].

    [LDAP user password:]

    You must supply a user name and password to retrieve information from the LDAP server.

    This option becomes available when you select value [Use the credentials which are stored on the LDAP server] in option [Credentials policy: ].

    [Server address:]

    You must define the address of the LDAP server. If you define only the address of the LDAP server, the users are searched through the entire LDAP server. You can also define the server address and the search root. When you define the server address and the search root, the search for users starts at the defined root on the server.

    For example: LDAP://sro.company.net:389/DC=sro,DC=company,DC=net, where:

    • sro.company.net

      The address of the domain controller.

    • 389

      The port which is used to connect to the LDAP server.

      The default port number for a non-secure connection is 389. The default port number for a secure connection is 636.

    • DC=sro,DC=company,DC=net

      The path in the Active Directory tree on the LDAP server at which the search for users starts.

    [Server type:]

    Select a server type. The server types which start with “Native…” are preferred.

    The other server types are available for backwards compatibility.

    [Use secure connection (SSL)]

    Select this option if you want to create a secure connection to the LDAP server.

    You must update the port number in option [Server address:] when you want to use a secure connection. The default port number for a non-secure connection is 389. The default port number for a secure connection is 636.

    This option can only be selected when the LDAP server supports secure (SSL) connections.

    [User filter:]

    A default user filter is created automatically when the LDAP server is used for authentication or to retrieve user data. Only users that pass the filter can be imported from the LDAP server.

    You can edit the filter. The minimum filter is the LDAP attribute for user name, for example: (sAMAccountName=%u). The user filter must contain "%u" as placeholder for the user name. The minimum filter will always work, but it is not time efficient.

    The filter must be updated when the [LDAP attribute for user name:] is changed.

    [LDAP attribute for user name:]

    You can define the LDAP attribute that contains the user name.

    The default LDAP attribute is used for the user name if this field is left empty. The default LDAP attribute depends on the server type.

    [User group filter:]

    A default user group filter is created automatically when the LDAP server is used for authentication or to retrieve user data. Only user groups that pass the filter can be imported from the LDAP server.

    You can edit the filter. The minimum filter is the LDAP attribute for group name, for example: (cn=%g). The user group filter must contain "%g" as placeholder for the user group name. The minimum filter will always work, but it is not time efficient.

    The filter must be updated when the [LDAP attribute for group name:] is changed.

    [LDAP attribute for group name:]

    You can define the LDAP attribute that contains the group name.

    The default LDAP attribute is used for the group name if this field is left empty. The default LDAP attribute depends on the server type.

    [Authentication used to connect to LDAP server:]

    You can define the type of authentication which the application uses to connect to the LDAP server. See Authentication types.

    [Authentication used to connect user to the LDAP server:]

    You can define the type of authentication which the application uses to authenticate a user on the LDAP server. See Authentication types.

    [Allow automatic creation of users:]

    Every user who logs on to the application with an [LDAP server user name:] and an [LDAP user password:] is created automatically.

    The [User type] of an automatically created user becomes:

    • [Windows user] if the user is authenticated via Windows authentication.

    • [LDAP user] if the user is authenticated via custom authentication.

    An automatically created user belongs to the group of [Customers].

    The users in the [Customers] group can access the [Web Submission].

    [Separator for multi-valued attributes:]

    The LDAP attributes can contain multiple values. Therefore, you have to define a separator to read each separate value correctly.

    In the [Product and order editor] workspace, you can create lookup items to read information from an LDAP server. Both the lookup item and the LDAP server must use the same separator. Otherwise, the lookup item cannot return the multiple values of an LDAP attribute correctly.

  3. Click [Save].
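The following added example (not code from the application or its vendor) checks the settings described in Table 1 before they are saved: it parses a [Server address:] of the form LDAP://host:port/search root, verifies that the port matches the [Use secure connection (SSL)] choice (389 non-secure, 636 secure), substitutes the "%u" / "%g" placeholders in the user and group filters with RFC 4515 escaping so that a name containing "(", ")", "*" or "\" cannot change the filter structure, and splits a multi-valued attribute with the configured separator. The host, filters and attribute values are constructed sample data; nothing is sent to a server.

```python
import re

# Assumption: the address is written as LDAP://host[:port][/search root],
# as in the page's example LDAP://sro.company.net:389/DC=sro,DC=company,DC=net
LDAP_URL_RE = re.compile(
    r"^ldaps?://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/(?P<root>.*))?$", re.I)

def parse_server_address(address):
    """Split the [Server address:] value into host, port and search root."""
    m = LDAP_URL_RE.match(address.strip())
    if not m:
        raise ValueError("expected LDAP://host[:port][/search root]")
    port = int(m.group("port")) if m.group("port") else None
    return {"host": m.group("host"), "port": port,
            "search_root": m.group("root") or ""}

def port_matches_ssl(address, use_ssl):
    """389 is the default non-secure port and 636 the secure one; flag the
    common mistake of enabling SSL without updating the port in the address."""
    port = parse_server_address(address)["port"] or (636 if use_ssl else 389)
    return port == (636 if use_ssl else 389)

# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a user- or group-name value before placing it in a filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)

def render_filter(template, placeholder, value):
    """Replace %u (user filter) or %g (group filter) with the escaped value.
    A template without the placeholder is rejected, as the page requires it."""
    if placeholder not in template:
        raise ValueError(f"filter must contain {placeholder}")
    return template.replace(placeholder, escape_filter_value(value))

def split_multi_valued(raw, separator):
    """Split a multi-valued LDAP attribute using the configured separator."""
    return [v.strip() for v in raw.split(separator) if v.strip()]

if __name__ == "__main__":
    addr = "LDAP://sro.company.net:389/DC=sro,DC=company,DC=net"  # constructed
    print(parse_server_address(addr))
    print("port ok for SSL:", port_matches_ssl(addr, use_ssl=True))
    print(render_filter("(sAMAccountName=%u)", "%u", "Smith (Sales)"))
    print(render_filter("(&(objectClass=group)(cn=%g))", "%g", "Customers"))
    print(split_multi_valued("Sales;Marketing;;Support", ";"))
```

Run the module directly to print the parsed address, the SSL/port check result, the rendered filters and the split attribute values.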

Edit profile mappings

You can map information that is available within the LDAP server to the [Profile settings] of the customers. When the LDAP server is used to retrieve user data, the profile attributes receive the value of the mapped LDAP attribute. The [Profile settings] of the customers then automatically receive the data from the LDAP server.

  • If the LDAP attribute contains a value, the associated profile attribute is filled in. The customer cannot change the profile attribute.

  • If the LDAP attribute does not contain a value, the associated profile attribute is left empty. The customer must define the value of the profile attribute.

  • If you deselect a profile attribute, the user can change the value of the profile attribute.

  1. Type an LDAP attribute for each enabled profile attribute.

    The LDAP attributes may not be present in all the LDAP servers or might not contain relevant information.

  2. Click [Save].

Map LDAP attributes to order items

You can map LDAP attributes to order items. When the LDAP server is used to retrieve user data, the order items receive the value of the mapped LDAP attribute.

  1. Click [Add].

  2. Select an order item from the drop-down list.

  3. Type the LDAP attribute that contains the information that you want to use for the order item.

  4. Do this for all order items that you want to map to LDAP attributes.

  5. Click [Save].