LDAP / AD settings
LDAP/AD settings allow the configuration of the authentication module that connects ImageMaster to an existing LDAP or MS Active Directory infrastructure. For more information regarding ImageMaster LDAP / AD functionality, see the corresponding system manual [SM Authentication].
Click the Operational Settings > LDAP / AD tab to configure settings for LDAP/AD. The tab is divided into 2 subpanels:
- Configuration: general access configuration
- Mappings: defines the mapping of ImageMaster roles and groups to existing LDAP groups
To configure LDAP settings
- Go to the Configuration tab.
- Adjust the fields as required. For detailed descriptions see table Operational settings – LDAP/AD configuration parameters.
- When completed, click Save. To reset all settings to their default, click Restore Defaults.
To check a configuration
- To perform a configuration check, enter the User Name in the field and click Show LDAP/AD User Information.
- If the check is successful, the overall user information will be shown in the overlay window.
This operation is only possible if manager access is configured or if the LDAP server supports access with an anonymous bind.
LDAP groups are listed automatically when the user switches to this panel for the first time. This operation may take a while for larger companies when there are many entries in the directory.
LDAP groups can be mapped to ImageMaster roles and ImageMaster user groups. Several mappings can exist for the same distinguished LDAP/AD group name. The marker “LDAP Managed” helps to identify which mappings originate from LDAP and which ones have been added manually. For manually added groups, only the distinguished group name is available because common name and description are not stored in the configuration.
You can perform the following actions:
- add/delete a mapping
- check configuration
To add/delete a mapping
- Click New to add a new mapping and specify the following parameters:
  - Distinguished Name: Enter the name of the mapping.
  - Assigned Roles: Select the role from the list of available ImageMaster roles.
  - Assigned Groups: Select the group from the list of available ImageMaster groups.
- Click Apply. The list of LDAP/AD groups is refreshed and the newly created group is added to the hit list. To refresh the list manually, click Refresh LDAP Groups.
- The usual ImageMaster sorting, filtering and navigation functions are available in the LDAP group hit list. The number of available groups is shown above the hit list.
- Optionally, select a default role from the list below the hit list. This role is always applied when a user has no specific role assigned based on their group membership. By default no role is selected.
- To remove a mapping, select the entry in the hit list (multiple selection is supported) and click Delete. After deletion, the list and the hit list are refreshed automatically.
- When completed, click Save. To reset all settings to their default, click Restore Defaults.
To check a configuration
- In the section Check Configuration, enter the User Name and click Evaluate.
- The following information will be shown below:
  - user full name
  - user configured e-mail (if available)
  - assigned roles
  - assigned groups
The parameters for the LDAP/AD configuration are described in the table below.

| Parameter | Description |
|---|---|
| Provider URL | mandatory field; the host name and port of the LDAP or AD server |
| User Base Template | the entry point for searching a user |
| User Filter | mandatory field; the LDAP filter expression that is used to find a user |
| User Search Scope | the search depth to find a user starting from the entry point; the options are “subtree” or “one level” |
| Maximum Referrals | mandatory field; the maximum number of forwards to other LDAP/AD instances |
| Attribute Username | the attribute with the user’s name (login) |
| Attribute Full Username | the attribute with the user’s full name |
| User E-Mail Attribute | the attribute with the user’s e-mail address |
| Group Search Base | a query string for searching groups |
| Group Membership Attribute | the attribute that holds the group membership |
| Group Object Class | the object class of group entries |
| Requires Manager Bind | useful if access to the LDAP or AD server cannot be done anonymously |
| Manager Distinguished Name | the distinguished name of the technical user |
| Manager Password Alias | the password used for access by the technical user |
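The following added example (not ImageMaster's own code) shows how the User Filter from the table and the group-to-role mappings with default role described under "To add/delete a mapping" fit together: the login name is escaped before it is substituted into the filter, and several mappings for the same group DN are merged. It assumes the User Filter carries a `{0}` placeholder for the login name and that the Group Membership Attribute returns group DNs; all directory names and values are constructed.

```python
"""Added example (not ImageMaster code): applying the LDAP/AD parameters
above to a user lookup and to group-to-role mapping resolution.
Assumptions: the User Filter contains a {0} placeholder for the login name,
and the Group Membership Attribute yields the DNs of the user's groups."""

# Constructed sample configuration mirroring the parameter table (assumed values).
CONFIG = {
    "provider_url": "ldap://dc01.example.internal:389",
    "user_base": "ou=People,dc=example,dc=internal",
    "user_filter": "(&(objectClass=person)(sAMAccountName={0}))",
    "user_search_scope": "subtree",
    "group_membership_attribute": "memberOf",
    "group_object_class": "group",
}

# RFC 4515 escaping: the login name comes from the user and must not be able
# to change the structure of the configured filter (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str, config=CONFIG) -> str:
    """Substitute the escaped login name into the configured User Filter."""
    return config["user_filter"].replace("{0}", escape_filter_value(username))

def resolve_access(member_of, mappings, default_role=None):
    """Apply the mappings (several may exist for one DN) to a user's group DNs.
    Returns (roles, groups); the default role is used only when no mapping
    assigned a role, as the Mappings subpanel describes."""
    roles, groups = set(), set()
    user_dns = {dn.lower() for dn in member_of}   # DN comparison is case-insensitive
    for m in mappings:
        if m["dn"].lower() in user_dns:
            roles.update(m.get("roles", ()))
            groups.update(m.get("groups", ()))
    if not roles and default_role:
        roles.add(default_role)
    return sorted(roles), sorted(groups)

# Constructed mappings as they might appear in the Mappings subpanel.
MAPPINGS = [
    {"dn": "CN=Archivists,OU=Groups,DC=example,DC=internal", "roles": ["Archivist"], "groups": ["Archive"]},
    {"dn": "CN=Archivists,OU=Groups,DC=example,DC=internal", "groups": ["Legal"]},
    {"dn": "CN=Admins,OU=Groups,DC=example,DC=internal", "roles": ["Administrator"]},
]
```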