LDAP Configuration#

You can connect Allegra with a directory server (LDAP, Active Directory) to centrally manage passwords. You can also have users registered in the LDAP directory from Allegra and change passwords. This provides you with a complete system for self-registration and password management in Allegra.

To connect Allegra with one or more directory servers, as a system administrator go to the administration workspace > server management > LDAP & SSO.

../../_images/ldapTab.png

Activate the checkbox for LDAP (B) and click on the button (C) to add a connection. You can also configure multiple connections if you want to integrate employees from different regions in a large company without opening the entire parent directory tree. Or you can once set the base DN to the list of users and once to groups and organizational units.

LDAP Connection Settings#

../../_images/ldapConnection.png

The “Bind” username and the “Bind” password are needed to be able to look into the directory server at all. For “anonymous bind” these fields are left empty.

LDAP Schema Position#

../../_images/ldapSchema.png

The required entries can be easily determined if you use a browser for the LDAP server such as Apache Directory Studio.

../../_images/ldapExplorer.png

LDAP Synchronization#

../../_images/ldapPermission.png

Here you can set how the Allegra users should be synchronized with the directory server. Either users or groups can be synchronized. If only read access is available, users from the directory server are created in Allegra, but not vice versa. If read and write access is available, users or groups in Allegra are also created in the directory server.

LDAP User and Group Schema Settings#

../../_images/ldapUserGroup.png

The checkbox (A) determines whether users not found in the directory server should be deactivated in Allegra. The users “admin” and “guest” are excluded. By choosing the right server type (Open LDAP, Active Directory, …) further up, sensible defaults are given in this settings workspace.

LDAP Behavior Read-Only#

Case

Behavior

New LDAP connection with existing users in Allegra

All new users (unknown UID) are created

User is deactivated in Allegra and new synchronization started

User remains deactivated

An attribute of the user (email, last name, first name) is changed and the synchronization started

Allegra attributes are overwritten by LDAP attributes

An LDAP user synchronized in Allegra is deleted in LDAP

It remains in Allegra, no change

Groups are synchronized

New users and groups are created, users are assigned to groups

User is removed from the group in Allegra but is still in the group in LDAP and the synchronization is started

The user is reassigned to the Allegra group

Group attributes in Allegra are changed and a new synchronization is started

Changed group attributes are retained

Existing Allegra group is deleted in LDAP

Group remains in Allegra

LDAP Behavior Write and Read#

Case

Behavior

User is created in Allegra

User is created in LDAP

User is deleted in Allegra

User remains in LDAP

UID of the Allegra user is changed

The UID of the same user is also changed in LDAP

The attributes of the Allegra user are changed

LDAP attributes are changed

Group is created in Allegra

Group is created in LDAP

Group name is changed in Allegra

LDAP group attribute OU is changed

LDAPS with Self-Signed Certificates#

Allegra also supports the secure LDAPS protocol. To operate LDAPS with official certificates, you only need to specify “ldaps” instead of “ldap” at the beginning of the URL for the directory server. To use self-signed certificates, you need to create an ldaps keystore file named “Trackplus.ks” in the ALLEGRA_HOME directory, subdirectory “Keystore”. This item is detailed in the section “Using SSL and TLS Encryption on Email and LDAP Connections”. The LDAP server must also be configured for LDAPS.

For a Windows server, we had to change the ApacheDS configuration file as follows:

<!-- SSL properties -->
<property name="enableLdaps" value="true" />
<property name="ldapsPort" value="10636" />
<property name="ldapsCertificateFile"
        value="C:\jdk1.5.0\bin\zanzibar.ks" />
<property name="ldapsCertificatePassword" value="secret" />
<bean id="configuration"
    class="org.apache.directory.server.\
            configuration.MutableServerStartupConfiguration">

and

<property name="workingDirectory" value="example.com" />
<!-- SSL properties -->
<property name="enableLdaps" value="true" />
<property name="ldapsPort" value="10636" />
<property name="ldapsCertificateFile"
        value="C:\jdk1.6.0\bin\zanzibar.ks" />
<property name="ldapsCertificatePassword" value="secret" />