Configure Lightweight Directory Access Protocol (LDAP) settings.
Manage your LDAP settings.
Understand what LDAP is and how its settings work in your server environment.
Lightweight Directory Access Protocol (LDAP) is a platform protocol used for directory services authentication.
LDAP provides the communication language that your server uses to communicate with other directory services servers. Directory services store users, passwords, and computer accounts, and share that information with your company's entities on the network.
The LDAP settings ensure that your company users log on by authenticating directly against an LDAP server, and then enable synchronization with LDAP to update user information. Configure LDAP settings for the following purposes:
Synchronize users in your organization as ProcessMaker users.
Authenticate the server source.
Configure how users and groups synchronize.
Log on to ProcessMaker Platform using your LDAP credentials to have a unified login.
Keep using your LDAP credentials after synchronization even if you change a user password in LDAP.
LDAP uses Distinguished Names (DN) to identify users, groups, and other types of entities. The DN describes entities starting from the specific and moving to the general in the hierarchy of entities. In LDAP and Active Directory, which is Microsoft's extension of LDAP, Distinguished Names are constructed hierarchically using the following components.
Other naming attributes described in RFC 2253, such as o= for organization name and c= for country/region name, are not used in Active Directory, although they are recognized by LDAP.
For more information on how to construct DNs, see this LDAP guide.
| Component and Abbreviation | Usage | Example |
| --- | --- | --- |
| domain components (DC) | Enter each DC as read left to right, separated by commas with no spaces between them. | dc=acme,dc=com |
| organizational units (OU) | Enter each OU, separated by commas with no spaces between them. | ou=managers,ou=regionalbranch |
| common names (CN) | Enter each CN, separated by commas with no spaces between them. | cn=Louis Canera,cn=John Doe |
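
An added example, not taken from the ProcessMaker documentation or code: Python that builds a Base DN from a domain, splits a DN into its components, and checks component by component that an entry lies under the Base DN, so that an escaped comma inside a value cannot pass a plain suffix comparison. The function names are hypothetical, and comparing values case-insensitively is an assumption.

```python
import re

def base_dn_from_domain(domain: str) -> str:
    """Build a Base DN from a DNS domain: one dc= per label, commas, no spaces."""
    labels = domain.strip(".").split(".")
    for label in labels:
        if not re.fullmatch(r"[A-Za-z0-9-]+", label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return ",".join(f"dc={label.lower()}" for label in labels)

def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific first.
    A backslash escapes the next character, so an escaped comma stays in the value."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]          # keep the escape and the escaped character
            i += 2
            continue
        if dn[i] == ",":                # unescaped comma ends one component
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((attr.strip().lower(), value))
    return rdns

def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn sits at or below base_dn (assumption: case-insensitive values)."""
    entry = [(a, v.lower()) for a, v in split_dn(dn)]
    base = [(a, v.lower()) for a, v in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base

if __name__ == "__main__":
    base = base_dn_from_domain("acme.com")      # dc=acme,dc=com, as in the table
    # Constructed sample entries built from the table's example components.
    for dn in ("cn=Louis Canera,ou=managers,ou=regionalbranch,dc=acme,dc=com",
               r"cn=a\,dc=acme,dc=com"):        # the comma belongs to the cn value
        print(dn, "->", is_under_base(dn, base), "| suffix test:",
              dn.endswith("," + base))
```
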
View all settings for the user synchronization with an LDAP server. View LDAP settings like when users synchronize, server authentication source, and how users and groups synchronize.
Display all LDAP settings in one location. This makes it easy to manage these settings.
The Auth package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to view LDAP settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to view all LDAP settings to synchronize users in your organization:
Ensure that you are logged on to ProcessMaker Platform.
Click the Admin option from the top menu. The Users page displays.
Click the LDAP tab. The LDAP tab displays all LDAP settings.
The LDAP tab displays the following information in tabular format about LDAP settings:
Setting: The Setting column displays the LDAP Setting name.
Configuration: The Configuration column displays the setting value and how it is configured.
Use the Search setting to filter LDAP Settings that display.
Click the Logs button. See View LDAP Logs.
Filter all LDAP Settings in your server to find the one you need.
Use the Search function to filter all LDAP Settings from the LDAP page based on your entered text.
The Auth package must be installed.
Your user account or group membership must have the "Settings: View Settings" permission to search LDAP settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Follow these steps to search for an LDAP Setting:
View your LDAP Settings. The LDAP tab displays.
In the Search setting, enter the Setting name to filter by LDAP Setting name.
Configure general information about an LDAP Setting.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit LDAP settings unless your user account has the Make this user a Super Admin setting selected.
Enable directory synchronization between ProcessMaker and your LDAP server. If not enabled, ProcessMaker Platform does not synchronize with your LDAP server.
Follow these steps to enable directory synchronization via LDAP:
Enable the Enabled toggle key. This is a required setting to use LDAP with ProcessMaker Platform. The following message displays: The setting was updated.
Set at which interval to synchronize with your LDAP server. Consider that when setting this interval, the more users, groups, and/or departments your LDAP server contains, the more time ProcessMaker Platform requires to synchronize your LDAP server.
Follow these steps to set how often to synchronize between your LDAP server and ProcessMaker Platform:
In the Quantity setting, enter how many times to synchronize for each configured frequency. 1 is the default setting.
In the Frequency setting, select the frequency in which to synchronize from the following options:
Minutes (default setting)
Hours
Days
Click Save. The following message displays: The setting was updated.
Follow these steps to select to which LDAP server type ProcessMaker Platform connects to synchronize:
Select to which LDAP server type ProcessMaker Platform connects to synchronize:
Click Save. The following message displays: The setting was updated.
Follow these steps to enter the LDAP server address and port to which ProcessMaker Platform synchronizes:
Enter the IP address or host name for the LDAP server to which ProcessMaker Platform synchronizes.
Click Save. The following message displays: The setting was updated.
Enter the port number the LDAP server uses. By default, LDAP uses port 389. If unsure, use one of the following commands depending on your LDAP server's operating system:
Linux/UNIX: netstat -l and netstat -lnp
Windows: netstat -a and netstat -ab
Click Save. The following message displays: The setting was updated.
If your LDAP server uses a Transport Layer Security (TLS) certificate, enable TLS to connect to the LDAP authentication source.
Follow these steps to enable TLS to connect to your LDAP authentication source:
Enable the TLS toggle key. The following message displays: The setting was updated.
Follow these steps to enter the domain components (DC) for the base Distinguished Name (DN):
Enter each DC of the Base DN following the guidelines above.
Click Save. The following message displays: The setting was updated.
Follow these steps to enter the credentials to connect to the LDAP server:
Enter the username to log on to the LDAP server.
Click Save. The following message displays: The setting was updated.
Enter the password to log on to the LDAP server.
Click Save. The following message displays: The setting was updated.
ProcessMaker Platform groups that do not exist are created.
If a selected LDAP group contains no LDAP users, then a corresponding ProcessMaker Platform group is not created if it does not already exist.
ProcessMaker Platform users that exist synchronize from your LDAP server and are placed into the groups corresponding with your selected LDAP server department(s).
ProcessMaker Platform users that do not already exist but exist in your selected LDAP group(s) are created.
Ensure that you have configured at least the following LDAP settings to connect with your LDAP server prior to selecting which LDAP groups to synchronize. Otherwise, no LDAP groups are available to synchronize when editing this setting.
Follow these steps to select which LDAP groups to synchronize as ProcessMaker Platform groups:
Enable the toggle key for each LDAP group to synchronize as ProcessMaker Platform groups.
Click Save. The following message displays: The setting was updated.
ProcessMaker Platform groups that do not exist are created.
If a selected LDAP department contains no LDAP users, then a corresponding ProcessMaker Platform group is not created if it does not already exist.
ProcessMaker Platform users that exist synchronize from your LDAP server and are placed into the groups corresponding with your selected LDAP server department(s).
ProcessMaker Platform users that do not already exist but exist in your selected LDAP department(s) are created.
Ensure that you have configured at least the following LDAP settings to connect with your LDAP server prior to selecting which LDAP departments to synchronize. Otherwise, no LDAP departments are available to synchronize when editing this setting.
Follow these steps to select which LDAP departments to synchronize as ProcessMaker Platform groups:
Enable the toggle key for each LDAP department to synchronize as ProcessMaker Platform groups.
Click Save. The following message displays: The setting was updated.
Enter the LDAP object class that identifies users. Objects that match the object class synchronize with users that exist in your ProcessMaker Platform instance. During synchronization the following occurs:
LDAP groups that contain LDAP users and match the entered LDAP object class synchronize.
LDAP groups that do not contain LDAP users do not synchronize, regardless of whether they match the entered LDAP object class.
Follow these steps to enter the LDAP object class that identifies users:
Active Directory: Enter samaccountname.
Open LDAP: Enter uid.
If unsure which object class to use: Enter *. Synchronization is slower because all object classes are evaluated.
Click Save. The following message displays: The setting was updated.
Enter the LDAP object class that identifies groups. Objects that match the object class synchronize with groups that exist in your ProcessMaker Platform instance. ProcessMaker Platform groups that do not already exist are created from your LDAP server.
Follow these steps to enter the LDAP object class that identifies groups:
Enter the LDAP object class that identifies groups.
Click Save. The following message displays: The setting was updated.
Consider the following examples.
Follow these steps to map how ProcessMaker Platform user properties correspond with LDAP attributes:
Follow these guidelines to map a ProcessMaker Platform user property to an LDAP attribute:
Click the +Add button. A new row displays the existing mapped user properties.
In the ProcessMaker Property setting, enter the ProcessMaker Platform user property to which to map the LDAP attribute.
In the LDAP Attribute setting, enter the LDAP attribute from which to map to the ProcessMaker Platform user property.
Click Save. The following message displays: The setting was updated.
Click the Settings icon from the left sidebar. The Settings page displays a tab for each setting.
Click the Edit icon. See Configure an LDAP Setting.
Click the Copy to Clipboard icon. See Copy an LDAP Setting.
Click the Clear icon. See Clear an LDAP Setting.
Click the Search icon or press Enter. The LDAP settings display that match your entered text.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
Configure the following settings as necessary:
View your LDAP Settings. The LDAP tab displays.
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the Synchronization Schedule setting. The Synchronization Schedule screen displays.
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the Type setting. The Type screen displays.
(default setting)
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the Server Address setting. The Server Address screen displays.
Click the Edit icon for the Server Port setting. The Server Port screen displays.
View your LDAP Settings. The LDAP tab displays.
Enter the Distinguished Name (DN) from the Base object to connect to the LDAP server. In most cases, the Base DN consists of the domain components (DC) of the DN. For example, the Base DN for processmaker.com is dc=processmaker,dc=com. For more information on how to construct DNs, see this LDAP guide.
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the Base DN setting. The Base DN screen displays.
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the Username setting. The Username screen displays.
Click the Edit icon for the Password setting. The Password screen displays.
Select which LDAP groups on your LDAP server to synchronize as ProcessMaker Platform groups. During synchronization the following occurs:
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the Groups to Import setting. The Groups To Import screen displays the LDAP groups on your LDAP server. If your LDAP server contains no LDAP groups, this screen displays no groups with which to synchronize.
Select from which LDAP departments on your LDAP server to synchronize as ProcessMaker Platform groups. During synchronization the following occurs:
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the Groups to Import setting. The Groups To Import screen displays the LDAP departments on your LDAP server. If your LDAP server contains no LDAP departments, this screen displays no departments with which to synchronize.
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the User Class Identifier setting. The User Class Identifier screen displays.
Enter the LDAP object class that identifies users. Follow these guidelines depending on which LDAP server type you use:
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the Group Class Identifier setting. The Group Class Identifier screen displays.
Map how ProcessMaker Platform user properties correspond with synchronized LDAP attributes. See for ProcessMaker Platform user properties.
View your LDAP Settings. The LDAP tab displays.
Click the Edit icon for the Variable Map setting. The Variable Map screen displays.
Optionally, click the Delete icon to delete a mapped ProcessMaker Platform user property.
| ProcessMaker User Property | User Property Function | Mapped LDAP Attribute |
| --- | --- | --- |
|  | User's first name |  |
|  | User's user name |  |
Clear an LDAP configuration.
Clearing an LDAP configuration setting cannot be undone.
Follow these steps to clear the value of an LDAP configuration setting:
View records of scheduled LDAP synchronizations in your server.
Display LDAP logs of the LDAP users, groups, and/or departments that have currently synchronized.
Follow these steps to view LDAP logs:
Click the Logs button. The Logs page displays all the LDAP synchronization logs.
The Logs page displays the following information in tabular format about LDAP logs:
ID: The ID column displays the log ID used to identify this synchronization log.
Tag: The Tag column displays the synchronization type among LDAP Users, Groups, or Departments.
Service: The Service column displays LDAP as the service type to which the log applies.
Message: The Message column displays the synchronization status, the number of updated records, and the number of new registers after synchronization occurs.
Created: The Created column displays the date and time when synchronization occurred.
Copy to clipboard an LDAP configuration.
Copy to clipboard an LDAP configuration to have this information in another environment or for testing purposes.
Follow these steps to copy an LDAP configuration setting:
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
View your LDAP Settings. The LDAP tab displays.
Click the Clear icon for your LDAP configuration setting. The following message displays: The setting was updated.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
View your LDAP Settings. The LDAP tab displays.
The Auth package must be installed.
See the Settings permissions or ask your Administrator for assistance.
View your LDAP Settings. The LDAP tab displays.
Click the Copy to Clipboard icon for your LDAP configuration setting to copy. The following message displays: The setting was copied to your clipboard.