Configure LDAP Settings

Configure general information about an LDAP Setting.

Package and Permission Required

The Auth package must be installed.

Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit LDAP settings unless your user account has the Make this user a Super Admin setting selected.

See the Settings permissions or ask your Administrator for assistance.

Configure LDAP Settings

Configure the following LDAP settings as necessary:

Enable Directory Synchronization via LDAP

Enable directory synchronization between ProcessMaker and your LDAP server. If not enabled, ProcessMaker Platform does not synchronize with your LDAP server.

A package and permission is required to do this.

Follow these steps to enable directory synchronization via LDAP:

View your LDAP Settings. The LDAP tab displays.
Enable the Enabled toggle key. This is a required setting to use LDAP with ProcessMaker Platform. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Set the LDAP Synchronization Schedule

Set at which interval to synchronize with your LDAP server. Consider that when setting this interval, the more users, groups, and/or departments your LDAP server contains, the more time ProcessMaker Platform requires to synchronize your LDAP server.

A package and permission is required to do this.

Follow these steps to set how often to synchronize between your LDAP server and ProcessMaker Platform:

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the Synchronization Schedule setting. The Synchronization Schedule screen displays.
In the Quantity setting, enter how many times to synchronize for each configured frequency. 1 is the default setting.
In the Frequency setting, select the frequency in which to synchronize from the following options:
- Minutes (default setting)
- Hours
- Days
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Set to Which LDAP Server Type to Connect

A package and permission is required to do this.

Follow these steps to select to which LDAP server type ProcessMaker Platform connects to synchronize:

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the Type setting. The Type screen displays.
Select to which LDAP server type ProcessMaker Platform connects to synchronize:
- Active Directory (default setting)
- 389 Directory Server
- OpenLDAP
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Enter the LDAP Server Address and Port Number

A package and permission is required to do this.

Follow these steps to enter the LDAP server address and port to which ProcessMaker Platform synchronizes:

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the Server Address setting. The Server Address screen displays.
Enter the IP address or host name for the LDAP server to which ProcessMaker Platform synchronizes.
Click Save. The following message displays: The setting was updated.
Click the Edit iconfor the Server Port setting. The Server Port screen displays.
Enter the port number the LDAP server uses. By default, LDAP uses port 389. If unsure, use one of the following commands depending on your LDAP server's operating system:
- Linux/UNIX: netstat -l and netstat -lnp
- Windows: netstat -a and netstat -ab commands
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Enable TLS to Connect to LDAP

If your LDAP server uses a Transport Security Layer (TLS) certificate, enable TLS to connect to the LDAP authentication source.

A package and permission is required to do this.

Follow these steps to enable TLS to connect to your LDAP authentication source:

View your LDAP Settings. The LDAP tab displays.
Enable the TLS toggle key. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Enter the Domain Components for the Base DN

Enter the Distinguished Name (DN) from the Base object to connect the LDAP server. In most cases, the DN are the domain components (DC) of the DN. For example, the Base DN for processmaker.com is dc=processmaker,dc=com. For more information how to construct DNs, see this LDAP guide.

A package and permission is required to do this.

Follow these steps to enter the domain components (DC) for the base Distinguished Name (DN):

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the Base DN setting. The Base DN screen displays.
Enter each DC of the Base DN following the guidelines above.
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Enter the Credentials to Connect to LDAP

A package and permission is required to do this.

Follow these steps to enter the credentials to connect to the LDAP server:

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the Username setting. The Username screen displays.
Enter the username to log on to the LDAP server.
Click Save. The following message displays: The setting was updated.
Click the Edit iconfor the Password setting. The Password screen displays.
Enter the password to log on to the LDAP server.
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Select from Which LDAP Groups to Synchronize

Select to which LDAP groups on your LDAP server to synchronize as ProcessMaker Platform groups. During synchronization the following occurs:

ProcessMaker Platform groups that do not exist are created.
If a selected LDAP group contains no LDAP users, then a corresponding ProcessMaker Platform group is not created if it does not already exist.
ProcessMaker Platform users that exist synchronize from your LDAP server and are placed into the groups corresponding with your selected LDAP server department(s).
ProcessMaker Platform users that do not already exist but exist in your selected LDAP group(s) are created.

Ensure that you have configured at least the following LDAP settings to connect with your LDAP server prior to selecting which LDAP groups to synchronize. Otherwise, no LDAP groups are available to synchronize when editing this setting.

A package and permission is required to do this.

Follow these steps select which LDAP groups to synchronize as ProcessMaker Platform groups:

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the Groups to Import setting. The Groups To Import screen displays the LDAP groups on your LDAP server. If your LDAP server contains no LDAP groups, this screen displays no groups with which to synchronize.
Enable the toggle key for each LDAP group to synchronize as ProcessMaker Platform groups.
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Select from Which LDAP Departments to Synchronize

Select from which LDAP departments on your LDAP server to synchronize as ProcessMaker Platform groups. During synchronization the following occurs:

ProcessMaker Platform groups that do not exist are created.
If a selected LDAP department contains no LDAP users, then a corresponding ProcessMaker Platform group is not created if it does not already exist.
ProcessMaker Platform users that exist synchronize from your LDAP server and are placed into the groups corresponding with your selected LDAP server department(s).
ProcessMaker Platform users that do not already exist but exist in your selected LDAP department(s) are created.

Ensure that you have configured at least the following LDAP settings to connect with your LDAP server prior to selecting which LDAP departments to synchronize. Otherwise, no LDAP departments are available to synchronize when editing this setting.

A package and permission is required to do this.

Follow these steps select which LDAP departments to synchronize as ProcessMaker Platform groups:

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the Groups to Import setting. The Groups To Import screen displays the LDAP departments on your LDAP server. If your LDAP server contains no LDAP departments, this screen displays no departments with which to synchronize.
Enable the toggle key for each LDAP department to synchronize as ProcessMaker Platform groups.
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Enter the LDAP Object Class That Identifies Users

Enter the LDAP object class that identifies users. Objects that match the object class synchronize with users that exist in your ProcessMaker Platform instance. During synchronization the following occurs:

LDAP groups that contain LDAP users and match the entered LDAP object class synchronize.
LDAP groups that do not contain LDAP users do not synchronize, regardless if they match the entered LDAP object class.

A package and permission is required to do this.

Follow these steps to enter the LDAP object class that identifies users:

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the User Class Identifier setting. The User Class Identifier screen displays.
Enter the LDAP object class that identifies users. Follow these guidelines depending on which LDAP server type your LDAP server uses:
- Active Directory: Enter samaccountname.
- Open LDAP: Enter uid.
- If unsure which object class to use: Enter *. Synchronization is slower because all object classes are evaluated.
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Enter the LDAP Object Class That Identifies Groups

Enter the LDAP object class that identifies groups. Objects that match the object class synchronize with groups that exist in your ProcessMaker Platform instance. ProcessMaker Platform groups that do not already exist are created from your LDAP server.

A package and permission is required to do this.

Follow these steps to enter the LDAP object class that identifies groups:

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the Group Class Identifier setting. The Group Class Identifier screen displays.
Enter the LDAP object class that identifies groups.
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.

Map User Properties to LDAP Attributes

Map how ProcessMaker Platform user properties correspond with synchronized LDAP attributes. See _user Magic Variable for ProcessMaker Platform user properties.

Consider the following examples.

ProcessMaker User Property

User Property Function

Mapped LDAP Attribute

FirstName

User's first name

Name

UserName

User's user name

SameAccountName

A package and permission is required to do this.

Follow these steps to map how ProcessMaker Platform user properties correspond with LDAP attributes:

View your LDAP Settings. The LDAP tab displays.
Click the Edit iconfor the Variable Map setting. The Variable Map screen displays.
Follow these guidelines to map a ProcessMaker Platform user properties to an LDAP attribute:
1. Click the +Add button. A new row displays the existing mapped user properties.
2. In the ProcessMaker Property setting, enter the ProcessMaker Platform user property to which to map the LDAP attribute.
3. In the LDAP Attribute setting, enter the LDAP attribute from which to map to the ProcessMaker Platform user property.
4. Optionally, click the Delete iconto delete a mapped ProcessMaker Platform user property.
Click Save. The following message displays: The setting was updated.
Review, and then configure other LDAP settings as necessary.