LDAP Integration - Advanced and Expert settings
Advanced mode
Replicator tab
LDAP service port - The port on which the LDAP server listens for connections from YSoft SafeQ.
Number of objects in search request - Maximum number of objects returned in one response page during a search. Set to -1 for an unlimited response.
List of binary attributes - List of attributes that contain binary (non-string) values. Separate attributes with commas; no spaces are allowed.
Maximum number of reconnection attempts - Maximum number of reconnection attempts when the connection to LDAP fails during critical operations.
Delete imported objects in case of an error - This parameter affects only Full replication (not Differential replication). At the end of every full LDAP replication, YSoft SafeQ runs a procedure that deletes outdated objects. For example, when a user is deleted on the Active Directory side, that user is deleted on the YSoft SafeQ side at the end of the LDAP replication by this procedure.
If this parameter is set to "disable" and any error occurs during the replication (connection error, unexpected values, ...), the procedure for deletion of outdated objects is not launched; this prevents valid objects from being deleted because of an incomplete replication. It is strongly recommended to leave the default value "disable".
If this parameter is set to "enable" and any error occurs during the replication, the procedure for deletion of outdated objects is launched anyway; even valid objects may then be deleted during the replication and users will be unable to authenticate. "Enable" should be selected only when requested by Y Soft Corporation (for example as a temporary workaround for issues where LDAP contains incorrect values).
Terminate replication if an error occurs - Enable this option to terminate the replication if any error occurs while synchronizing user roles or cost centers (these objects are synchronized before any user account).
Schema tab
The Schema tab enables you to specify your own attributes that contain important user data, such as the attributes containing aliases, login, card numbers and other data.
Import users - If disabled, only cost centers and groups are imported – not users.
Attribute containing username - Do not include domain in username - Determines how the domain part is separated from the login:
Option none - the domain is not separated from the login and the string is used as it is
Option at sign or backslash (@, \) - the domain is separated at the @ or \ character
Option dot (.) - the domain is separated at the . character
Login | Alias with option none | Alias with option at sign or backslash (@, \) | Alias with option dot (.)
john.doe@ysoft.com | --- | john.doe | john
martin@ysoft | --- | martin | ---
ysoft.cz\bailey | --- | bailey | ysoft
jfreeman.ysoft | --- | --- | jfreeman
john.doe.ysoft.com | --- | --- | john
Check username uniqueness - If this option is disabled, duplicate users can be created. If both this option and the option Overwrite user if already exists in database (Filters tab, Expert mode) are enabled, duplicates are excluded: the original user created in the SafeQ web interface is deleted and the user from Active Directory is created.
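The following is an added example, not YSoft SafeQ code: it reproduces the domain-separation behaviour from the table above and shows the collision that "Check username uniqueness" guards against. The exact split rules are an assumption inferred from the table (the at-sign/backslash option keeps the part before "@" or after "\", the dot option keeps the part before the first ".", and "none" produces no alias).

```python
from typing import Dict, List, Optional

# Added example (not YSoft SafeQ code). Split rules are assumptions inferred
# from the documentation table; "none" yields no alias at all.

def strip_domain(login: str, option: str) -> Optional[str]:
    """Return the alias derived from login, or None when no alias is produced."""
    if option == "none":
        return None                          # login is used as it is
    if option == "at":                       # option "at sign or backslash (@, \)"
        if "@" in login:
            return login.split("@", 1)[0]    # user@domain -> user
        if "\\" in login:
            return login.rsplit("\\", 1)[1]  # DOMAIN\user -> user
        return None
    if option == "dot":                      # option "dot (.)"
        if "." in login:
            return login.split(".", 1)[0]    # user.domain -> user
        return None
    raise ValueError(f"unknown option: {option}")

def find_collisions(logins: List[str], option: str) -> Dict[str, List[str]]:
    """Map each alias produced by more than one login to those logins.

    Stripping the domain can make two distinct directory accounts collapse
    into one YSoft SafeQ user; this is what username uniqueness checking
    is meant to catch.
    """
    by_alias: Dict[str, List[str]] = {}
    for login in logins:
        alias = strip_domain(login, option)
        if alias is not None:
            by_alias.setdefault(alias, []).append(login)
    return {alias: srcs for alias, srcs in by_alias.items() if len(srcs) > 1}

if __name__ == "__main__":
    # constructed logins: the table rows plus the same user in a second domain
    for login in ["john.doe@ysoft.com", "martin@ysoft", "ysoft.cz\\bailey",
                  "jfreeman.ysoft", "john.doe.ysoft.com", "john.doe@contoso.com"]:
        print(login, [strip_domain(login, o) for o in ("none", "at", "dot")])
    print(find_collisions(["john.doe@ysoft.com", "john.doe@contoso.com"], "at"))
```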
Attributes containing aliases - Attributes containing user aliases. Use commas to separate multiple attributes.
Attribute containing user first name
Attribute containing user surname
Attribute containing user email
Attribute containing user role (membership) - Attribute containing user role (membership). This multi-valued attribute is a collection of the Distinguished Names of all groups the user is a direct member of.
Attributes containing cards/PINs - Attributes containing cards and PINs. Use commas to separate multiple attributes. Multiple values can be replicated from this attribute.
Card number conversions - Function for conversion of card numbers stored in LDAP to values stored in database. For more info about syntax and function examples see Use Card Number Conversion.
Card separator - If multiple card numbers are stored in a single-value attribute in LDAP, the card numbers are separated by the defined separator.
Note: The separator must not contain apostrophe character (ASCII code 039).
Note: If LDAP replicator is used in On-demand (semi-online) mode, this feature is not supported – only one card number may be stored in each single-value attribute.
Delete all the user's cards when a user's account is deactivated - When a user's account is deactivated in LDAP, all of the user's cards are deleted from the database.
Note: If this option is enabled, the user’s cards that were added via the YSoft SafeQ web interface or card self-assignment will also be deleted from the database. Because this operation cannot be undone, the recommended value is disabled.
Note: Do not enable this option if multiple LDAP accounts are merged into one YSoft SafeQ user account (that is, if multiple LDAP accounts have the same employeeID attribute). Deleting or disabling one of the accounts on the LDAP server causes all cards from the merged user account to be deleted from the YSoft SafeQ database.
Attribute containing PIN code - Attribute containing the PIN, which can be converted if a PIN code conversion value is defined. Only a single value is replicated from this attribute.
PIN code conversion - Function for conversion of the PIN code stored in the LDAP attribute defined in Attribute containing PIN code to the value stored in the database. Configure the "conversionPin" option accordingly to support proper operation. For more info about syntax and function examples see Use Card Number Conversion.
Create money account when creating user account
If this option is enabled, SafeQ automatically creates a YSoft Payment System account for new users.
If a user's account is deactivated in LDAP, the YSoft Payment System account of that user is disabled.
If a user's account is moved to an LDAP source where this option is disabled, the YSoft Payment System account of that user is disabled.
If a user's account is moved to an LDAP source where this option is enabled, a YSoft Payment System account is created or enabled for that user.
Note: If YSoft Payment System is unavailable, the money account will not be created.
Note: There is no way to import initial account balance from LDAP.
Expert mode
The Expert mode unlocks the following tabs and features.
Connection tab
The Connection tab has a new option called Mode of LDAP server certificate check, which defines how the LDAP server certificate is validated (applies to the LDAPS protocol only).
Possible values are:
hash - The hash of the certificate is stored in conf\ldap-keystore during the first connection. If the certificate of the LDAP server changes, the connection is refused. Delete the conf\ldap-keystore file if you changed the certificate. This is the default behavior, but we recommend switching to the secure mode for better security.
secure - The certificate of the LDAP server is verified against the Certificate Authority's public key. To use this feature you have to import your CA's public key into the YSoft SafeQ truststore.
Here is an example of how to import a CA certificate into YSoft SafeQ (the password for the file can be found in <SafeQ>\binldapreplicator\wrapper.conf in the ssl.keyStorePassword setting):
java\bin\keytool.exe -import -alias YourCompanyCA -file YourCertificate.cer -keystore conf\ssl-truststore
Note that hostname verification is also switched off by default, which can have security consequences; see the section related to SSL/TLS in LDAP Integration Security for more details.
Timeout - Number of milliseconds after which the connection to the LDAP server times out if there was no response. If several reconnection attempts are configured in the Replicator tab, LDAP replication retries the connection after the delay specified by the ldapReconnectionDelay property in System settings.
The On demand mode has two expert options:
Number of threads - Number of concurrently running threads. The number of threads should not exceed the number of LDAP connections, and the database must allow a sufficient number of open connections.
Maximum response time - Maximum response time in seconds. Requests that take longer than given time are prematurely canceled.
Mapping tab
The Mapping tab allows you to configure options and conversion for user unique mapping, an option for extracting the external ID, and several options for mapping the user's organizational unit.
Options for unique mapping of users - Options for user unique mapping:
ID-GUID - for mapping user to GUID
ID-[attribute-name] - for mapping user to attribute
[name-of-numeric-attribute] - for ID equivalency mapping
Conversion for unique mapping of users - Turns on conversion of the value in Options for unique mapping of users, e.g. "GUID" (value "ID-GUID") is converted to "objectGUID" (used for Active Directory).
For existing installations the value "true" should usually be kept for backward configuration compatibility.
For new installations it is recommended that you use "false" and specify the item Options for unique mapping of users properly, e.g. "Options for unique mapping of users = ID-objectGUID" for Active Directory. Typically, false is used for non-AD servers.
Option for extracting external ID - Regular expression for extracting the ext-id from the attribute selected in Options for unique mapping of users. The matching parts are used for the output; input that does not match is not processed. For example, the regex (\d+)-adm-(\d+)|adm-(\d+) gives the same output 123456789 for the inputs 12345-adm-6789, 123-adm-456789, adm-123456789 and 123456789.
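The following is an added example, not YSoft SafeQ code: it applies the external-ID regex from the paragraph above to the four documented inputs and groups values by the ext-id they produce. Concatenating the matched groups, and passing a non-matching value through unchanged, is an assumed reading of "matching parts are used for output" and "unmatching input is not processed".

```python
import re
from typing import Dict, List

# Added example (not YSoft SafeQ code). Group concatenation and pass-through
# of non-matching input are assumptions about the documented behaviour.

EXT_ID_PATTERN = r"(\d+)-adm-(\d+)|adm-(\d+)"   # the regex from the documentation

def extract_external_id(value: str, pattern: str = EXT_ID_PATTERN) -> str:
    """Return the ext-id for one unique-mapping attribute value."""
    match = re.fullmatch(pattern, value)
    if match is None:
        return value                                  # not processed
    # groups of the alternative that did not match are None; only matched
    # parts contribute to the output
    return "".join(group for group in match.groups() if group is not None)

def ext_id_groups(values: List[str], pattern: str = EXT_ID_PATTERN) -> Dict[str, List[str]]:
    """Group attribute values by the ext-id they map to.

    Several directory values mapping to one ext-id are treated as the same
    user; the four documented inputs all collapse to 123456789.
    """
    groups: Dict[str, List[str]] = {}
    for value in values:
        groups.setdefault(extract_external_id(value, pattern), []).append(value)
    return groups

if __name__ == "__main__":
    # constructed input: the documented values plus one that does not match
    sample = ["12345-adm-6789", "123-adm-456789", "adm-123456789", "123456789", "svc-42"]
    print(ext_id_groups(sample))
```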
Options for user cost center mapping
DN:[attribute-name] - Cost centers are searched for by a query in LDAP and the cost center is assigned according to the LDAP setting (by DN prefix). [attribute-name] determines the user ext-id. Example: DN:GUID
NUMBER:[attribute-name] - The cost center is created during user replication. The number is stored in the user's [attribute-name]. The name is created as "OU-"[attribute-name]. Example: NUMBER:department
NAME:[attribute-name] - The cost center is created during user replication. The name is stored in the user's [attribute-name]. The number is identical to the ID (initialized by a sequence). Example: NAME:department
NN1:[attribute-name-with-number]:[attribute-name-with-name] - The cost center is created during user replication. [attribute-name-with-number] contains the cost center number and [attribute-name-with-name] contains its name. Example: NN1:department:company
NN2:[attribute-name]:[groups-order]:[pattern] - The cost center is created during user replication. The user's [attribute-name] must contain content that matches the regular expression [pattern]. The pattern must contain at least two regex groups, one for the OU name and one for the OU number. [groups-order] is the string "name,number" or "number,name", depending on the order in which the regex groups in [pattern] map to the OU name and OU number. Example: NN2:department:number,name:([^:]*):(.*)
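The following is an added example, not YSoft SafeQ code: it derives the cost center (number, name) from one user's attributes for the NUMBER, NAME, NN1 and NN2 options listed above, including the documented NN2 example. The DN option needs a directory query and is not covered; returning (None, None) stands for "no cost center in the user data", the case that the Map cost center only when value exists option controls.

```python
import re
from typing import Dict, Optional, Tuple

# Added example (not YSoft SafeQ code). Attribute names and values used in the
# demo are constructed; the option strings follow the documentation above.

def cost_center_for_user(option: str, attrs: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (number, name) of the cost center derived from user attributes."""
    mode = option.split(":", 1)[0]
    if mode == "NUMBER":                         # NUMBER:[attribute-name]
        value = attrs.get(option.split(":")[1])
        return (value, "OU-" + value) if value else (None, None)
    if mode == "NAME":                           # NAME:[attribute-name]
        value = attrs.get(option.split(":")[1])
        # the number is taken from the database ID sequence, not from LDAP
        return (None, value) if value else (None, None)
    if mode == "NN1":                            # NN1:[number-attr]:[name-attr]
        _, number_attr, name_attr = option.split(":")
        number, name = attrs.get(number_attr), attrs.get(name_attr)
        return (number, name) if number and name else (None, None)
    if mode == "NN2":                            # NN2:[attr]:[groups-order]:[pattern]
        # the pattern itself may contain ":", so split at most three times
        _, attr, order, pattern = option.split(":", 3)
        match = re.search(pattern, attrs.get(attr, ""))
        if match is None or len(match.groups()) < 2:
            return (None, None)
        first, second = match.group(1), match.group(2)
        if order == "number,name":
            return (first, second)
        if order == "name,number":
            return (second, first)
        raise ValueError(f"unsupported groups order: {order}")
    raise ValueError(f"unsupported mapping option: {mode}")

if __name__ == "__main__":
    user = {"department": "4711:Research", "departmentNumber": "4711"}  # constructed
    print(cost_center_for_user("NN2:department:number,name:([^:]*):(.*)", user))
    print(cost_center_for_user("NUMBER:departmentNumber", user))
    print(cost_center_for_user("NN2:department:number,name:([^:]*):(.*)", {"department": "Research"}))
```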
Conversion of user cost center mapping - Turns on conversion of the value in Options for user cost center mapping. For example, "GUID" (value "DN:GUID") is converted to "objectGUID" (used for Active Directory).
For existing installations, this value should usually be set to "enable" (true) for backward configuration compatibility.
For new installations it is recommended that you use "disable" (false) and specify the item Options for user cost center mapping properly, for example "Options for user cost center mapping = DN:objectGUID" for Active Directory. Typically, false is used for non-AD servers.
Map cost center only when value exists - When enabled, user’s cost center information is updated only if cost center exists. If disabled, user is saved without cost center information.
Attribute containing unique identifier for groups - Name of LDAP attribute containing unique identifier for groups.
Bind user to ancestor groups - Maps the user not only to its direct parent roles but also to the roles above those roles.
Filters tab
In the Filters tab you can specify additional filters for user, group or cost center searches, and some other filters according to your needs.
Additional filter for user searches - Use this filter if the standard built-in filter includes unwanted objects in the search result. For example, the following filter matches users that have not been disabled: (&(objectCategory=Person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
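The following is an added example, not YSoft SafeQ code: it evaluates the filter above against a few constructed directory entries and shows why it uses the bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl rather than an equality test. Entry contents and account names are constructed.

```python
from typing import Dict, List

# Added example (not YSoft SafeQ code). Entries are constructed; the flag
# values are the standard Active Directory userAccountControl bits.

ACCOUNTDISABLE = 0x0002          # the "2" in the filter above
NORMAL_ACCOUNT = 0x0200          # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536

def entry(cn: str, category: str, classes: List[str], uac: int) -> Dict:
    return {"cn": cn, "objectCategory": category, "objectClass": classes, "userAccountControl": uac}

CONSTRUCTED_ENTRIES = [
    entry("alice", "Person", ["top", "person", "user"], NORMAL_ACCOUNT),                   # 512
    entry("bob", "Person", ["top", "person", "user"], NORMAL_ACCOUNT | ACCOUNTDISABLE),    # 514
    entry("carol", "Person", ["top", "person", "user"],
          NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE),                         # 66050
    entry("print01", "Computer", ["top", "computer"], NORMAL_ACCOUNT),
]

def bit_and_matches(value: int, mask: int) -> bool:
    """Semantics of attr:1.2.840.113556.1.4.803:=mask: every bit of mask is set."""
    return value & mask == mask

def enabled_users(entries: List[Dict]) -> List[str]:
    """(&(objectCategory=Person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return [e["cn"] for e in entries
            if e["objectCategory"] == "Person" and "user" in e["objectClass"]
            and not bit_and_matches(e["userAccountControl"], ACCOUNTDISABLE)]

def users_not_equal_514(entries: List[Dict]) -> List[str]:
    """The tempting shortcut (!(userAccountControl=514)): it lets the disabled carol through."""
    return [e["cn"] for e in entries
            if e["objectCategory"] == "Person" and "user" in e["objectClass"]
            and e["userAccountControl"] != (NORMAL_ACCOUNT | ACCOUNTDISABLE)]

if __name__ == "__main__":
    print("bitwise filter:", enabled_users(CONSTRUCTED_ENTRIES))          # ['alice']
    print("equality shortcut:", users_not_equal_514(CONSTRUCTED_ENTRIES))  # ['alice', 'carol']
```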
Additional filter for group searches - Use this filter if the standard built-in filter includes unwanted objects in the search result.
Additional filter for cost center searches - You can use this filter if the standard built-in filter includes unwanted objects in the search result. This setting is in effect only when Mapping -> Options for user’s cost center mapping is set to DN:keyword (for example DN:GUID). With other options (like NAME, NUMBER,...) this option is not used.
Ignore distinguished name when searching for users - Domain name branches to ignore during searches of users. Separate multiple values with a pipe.
Ignore distinguished name when searching for groups - Domain name branches to ignore during searches of groups. Separate multiple values with a pipe.
Ignore distinguished name when searching for cost centers - Domain name branches to ignore during searches of cost centers. Separate multiple values with a pipe.
Overwrite user if already exists in database - Enable this option if you created internal users prior to synchronization from LDAP.
Merge automatically generated accounts in YSoft SafeQ database - If multiple user accounts are automatically generated in the YSoft SafeQ database, they can be automatically merged once accounts are created in LDAP with aliases that are the same as the generated accounts. This should be enabled only when using the anonymous print feature.
Domains
The last option is the Domains section, located under all the configuration tabs mentioned above. If there are more LDAP servers, you can add each one in this section. You can then either use the same settings for all domains, or specify different settings for each domain.
This is done by clicking the icon next to each setting. If the icon is green, the setting is valid for all domains. If the icon is red, the domains are differentiated by the color of the text fields:
White text field - Shared value for all domains
Colored fields - Each colored field represents the setting for one domain. By filling in a colored text field, you override the shared value in the white text field.
The order in which domains are defined is important when the Options for user cost center mapping property is set to a value other than DN:[attribute-name]. In this case, if you need to change the order of the domains, you must delete them and recreate them in the desired order.
Changing the domain order by switching the values in the individual input fields results in unpredictable behaviour and is not recommended.