
Manage the LDAP servers

The connection status of each LDAP server is displayed in column [Status].

  • Green dot:

    The connection to the LDAP server is established.

  • Orange dot:

    The connection to the LDAP server has not been checked yet, or the check is in progress.

    After a reboot of the system, the dots are orange. Click [Test connection] to update the state of each LDAP server.

  • Red dot:

    The connection to the LDAP server cannot be established. Check the settings of the LDAP server.

Additional actions

Description

Test the connection

Click [Test connection] to test the connection to the selected LDAP server. The connection status of each LDAP server is displayed in column [Status]. The following checks are done:

  • Connect and bind to the LDAP server;

  • Read the RootDSE;

  • Probe for a user entry to enumerate the user attributes;

  • Probe for a group entry to enumerate the group attributes.

Refresh the LDAP information

Click [Refresh] to refresh the generic information about the LDAP server and about the users and groups that belong to it.

PRISMAdirect stores some information about each LDAP server locally: generic information about the LDAP server and about the users and groups that belong to it. To keep this local copy in sync with the LDAP server, a service synchronizes the information automatically once a day, at midnight. To synchronize the information manually, use [Refresh], which starts an update of the stored information for all LDAP servers.

Add an LDAP server

You can use LDAP servers for authentication and to retrieve user data. An LDAP server can be used for Windows authentication of users.

  1. Click [System] - [Connectivity] - [LDAP server] - [LDAP servers].

  2. Click [Add] or click on the bar of the LDAP server that you want to configure. The bar expands and you can fill in the required settings.

    Table 1.

    Setting

    Description

    [Domain name for LDAP server:]

    You can define a custom name for the LDAP server. The custom name must be unique.

    [Credentials policy:]

    The JDF Framework service uses these credentials to connect to the LDAP server.

    • [Use the credentials of the currently logged on user]

      These credentials are stored in the global settings of the LDAP server and are used for each connected LDAP server. The user does not define these credentials in the application. This policy can always be used for each LDAP server.

    • [Use the credentials which are stored on the LDAP server]

      You must supply a user name and password to retrieve information from the LDAP server. Define the [LDAP server user name:] and [LDAP user password:].

    • [Use the credentials of the Windows user who runs the JDF Framework service]

      You can select this credential policy only for Secure-based authentication types. This credential policy supports Integrated Windows Authentication (IWA) only.

      These credentials are defined by the user during the installation of the application. The Windows user can be DocWorker, a local user, or a selected domain user. You can identify the Windows user who runs the JDF Framework in the Services dialogue of Microsoft Windows:

      • .\JdfFramework: local user

      • .\DocWorker: DocWorker

    [Server address:]

    Type the address of the LDAP server. If you define only the address of the LDAP server, the users are searched through the entire LDAP server. You can also define the server address and the search root. When you define the server address and the search root, the search for users starts at the defined root on the server. For example:

    LDAP://sro.company.net:389/DC=sro,DC=company,DC=net, where:

    • sro.company.net

      The address of the domain controller.

    • 389

      The port which is used to connect to the LDAP server.

      The default port number for a non-secure connection is 389. The default port number for a secure connection is 636.

    • DC=sro,DC=company,DC=net

      The search root: the path in the Active Directory tree on the LDAP server at which the search for users starts.

    [Server type:]

    Select a server type. The server types which start with “Native…” are preferred.

    The other server types are available for backwards compatibility.

    [Use secure connection (SSL)]

    Select this option if you want to create a secure connection to the LDAP server.

    You must update the port number in option [Server address:] when you want to use a secure connection. The default port number for a non-secure connection is 389. The default port number for a secure connection is 636.

    You can select this option only when the LDAP server supports a secure connection.

    [User filter:]

    A default user filter is created automatically when the LDAP server is used for authentication or to retrieve user data. Only users that pass the filter can be imported from the LDAP server.

    You can edit the filter. The minimum filter is the LDAP attribute for the user name, for example: (sAMAccountName=%u). The user filter must contain "%u" as the placeholder for the user name. The minimum filter will always work, but it is not time efficient.

    The filter must be updated when the [LDAP attribute for user name:] is changed.

    [LDAP attribute for user name:]

    You can define the LDAP attribute that contains the user name.

    The default LDAP attribute is used for the user name if this field is left empty. The default LDAP attribute depends on the server type.

    [User group filter:]

    A default user group filter is created automatically when the LDAP server is used for authentication or to retrieve user data. Only user groups that pass the filter can be imported from the LDAP server.

    You can edit the filter. The minimum filter is the LDAP attribute for the group name, for example: (cn=%g). The user group filter must contain "%g" as the placeholder for the user group name. The minimum filter will always work, but it is not time efficient.

    The filter must be updated when the [LDAP attribute for group name:] is changed.

    [LDAP attribute for group name:]

    You can define the LDAP attribute that contains the group name.

    The default LDAP attribute is used for the group name if this field is left empty. The default LDAP attribute depends on the server type.

    [Authentication used to connect to LDAP server:]

    You can define the type of authentication which the application uses to connect to the LDAP server. See Authentication types.

    [Authentication used to connect user to the LDAP server:]

    You can define the type of authentication which the application uses to authenticate a user on the LDAP server. See Authentication types.

    [Allow automatic creation of users:]

    Every user who logs on to the application with a user name and password known by the LDAP server is created automatically. The [User type] of an automatically created user becomes:

    • [Windows user] if the user is authenticated via Windows authentication.

    • [LDAP user] if the user is authenticated via custom authentication.

    An automatically created user belongs to the group of [Customers]. The users in the [Customers] group can access the web shops.

    [Separator for multi-valued attributes:]

    The LDAP attributes can contain multiple values. Therefore, you have to define a separator to read each separate value correctly.

    In the [Product and order editor] workspace, you can create lookup items to read information from an LDAP server. Both the lookup item and the LDAP server must use the same separator. Otherwise, the lookup item cannot return the multiple values of an LDAP attribute correctly.

  3. Click [Save].
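The settings above can be checked before saving: the added Python example below (not PRISMAdirect code) parses a server address in the documented form, substitutes the user name into the [User filter:] with RFC 4515 escaping so that a crafted user name cannot widen the query beyond the intended entry, and reports the port/SSL mismatch and missing %u/%g placeholders that [Test connection] would otherwise surface later. The function names and the sample values are assumptions made for this example.

```python
import re

# RFC 4515 escaping for a value substituted into a search filter, so that a
# user name such as "*)(objectClass=*" is matched literally, not as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def parse_server_address(address: str) -> dict:
    """Split 'LDAP://host[:port][/search-root]' into its parts.
    The port defaults to 389 (636 for an LDAPS:// scheme); the search root is optional."""
    m = re.fullmatch(r"(?i)(ldaps?)://([^/:\s]+)(?::(\d+))?(?:/(.*))?", address.strip())
    if not m:
        raise ValueError(f"not an LDAP server address: {address!r}")
    scheme, host, port, root = m.groups()
    secure_scheme = scheme.lower() == "ldaps"
    return {
        "host": host,
        "port": int(port) if port else (636 if secure_scheme else 389),
        "search_root": root or "",   # empty: the entire LDAP server is searched
    }

def build_filter(template: str, placeholder: str, value: str) -> str:
    """Fill the %u / %g placeholder with the escaped value; reject a template without it."""
    if placeholder not in template:
        raise ValueError(f"filter {template!r} lacks the required placeholder {placeholder}")
    return template.replace(placeholder, escape_filter_value(value))

def check_server_settings(address: str, use_ssl: bool,
                          user_filter: str, group_filter: str) -> list:
    """Return the configuration problems found in the [Server address:], SSL and filter settings."""
    problems = []
    port = parse_server_address(address)["port"]
    if use_ssl and port == 389:
        problems.append("[Use secure connection (SSL)] is selected but the port is 389; "
                        "the default secure port is 636")
    if not use_ssl and port == 636:
        problems.append("port 636 is the default secure port but "
                        "[Use secure connection (SSL)] is not selected")
    if "%u" not in user_filter:
        problems.append('[User filter:] must contain "%u"')
    if "%g" not in group_filter:
        problems.append('[User group filter:] must contain "%g"')
    return problems
```

Run check_server_settings on the address and filters you intend to save; an empty list means the address parses and the port, SSL option and placeholders are consistent.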

Edit profile mappings

For each LDAP server, you can map information available in the LDAP server to the [Profile settings] of the customers. The precondition is that the LDAP server is used to retrieve user data. The [Profile settings] of the customers then automatically receive the data from the LDAP server.

  • If the LDAP attribute contains a value, the associated profile attribute is filled in. The customer cannot change the profile attribute.

  • If the LDAP attribute does not contain a value, the associated profile attribute is left empty. The customer must define the value of the profile attribute.

  • If you deselect a profile attribute, the user can change the value of the profile attribute.

  1. Click [System] - [Connectivity] - [LDAP server] - [LDAP servers].

  2. Select an LDAP server and scroll to section [Edit profile mappings].

  3. Type an LDAP attribute for each enabled profile attribute.

    Not every LDAP server contains all of these LDAP attributes, and an attribute might not contain relevant information.

  4. Click [Save].

  5. Check that the LDAP server is used to retrieve user data.

    When the LDAP server is used to retrieve user data, the profile attributes receive the value of the mapped LDAP attribute.

    1. Click [System] - [Connectivity] - [LDAP server] - [Authentication & user data].

    2. If required, drag and drop the LDAP server into field [Servers used to retrieve user data:].

  6. Click [Save].

Map LDAP attributes to order items

You can map LDAP attributes to order items. When the LDAP server is used to retrieve user data, the order items receive the value of the mapped LDAP attribute.

  1. Click [Add].

  2. Select an order item from the drop-down list.

  3. Type the LDAP attribute that contains the information that you want to use for the order item.

  4. Do this for all order items that you want to map to LDAP attributes.

  5. Click [Save].