The LDAP integration of DeepDesk automates the import and management of users and groups.
It can connect to an LDAP server, import all the data regarding users and groups, and insert the users in the right groups.
We recommend configuring the objects of the LDAP server so that they are easy to access by other software, such as DeepDesk.
The LDAP integration can interface with every server supported by the Adldap2 library.
That library supports the most important LDAP systems, for example Active Directory and OpenLDAP, the most used systems in business and educational organizations.
If a specific project needs a particular configuration, other LDAP systems can be integrated together with the DeepDesk development team.
Once all users have been imported from LDAP, the DeepDesk Login screen changes: a select-box for the LDAP Domain becomes visible. Every imported LDAP user must select the LDAP Domain to access the system. The Domain Password is not read or stored in the DeepDesk Database. DeepDesk calls the LDAP server, and only if the LDAP server acknowledges the user and password does DeepDesk let the user log into the system.
Note: the LDAP integration in DeepDesk cannot change the LDAP data; it connects to the LDAP server in read-only mode.
The LDAP integration modifies data only inside DeepDesk. Every manual edit made in the DeepDesk form of an imported LDAP user is overwritten when the changed fields are re-imported into DeepDesk via LDAP.
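The login behaviour described above is the usual pass-through pattern: the application attempts a bind with the user's credentials and keeps no copy of the password. The sketch below is an added illustration, not DeepDesk's code; it uses PHP's ldap extension directly, and `verifyLdapLogin`, the host and the DN in the usage line are assumptions. It includes the empty-password check that every bind-based login needs.

```php
<?php
// Added illustration: pass-through LDAP login with PHP's ldap extension.
// Not DeepDesk code; verifyLdapLogin() is a hypothetical helper name.

function verifyLdapLogin(string $host, string $userDn, string $password, int $timeout = 5): bool
{
    // RFC 4513 "unauthenticated bind": a DN with an empty password can
    // succeed as an anonymous bind, so it must never count as a login.
    if ($userDn === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect("ldap://{$host}:389");
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, $timeout);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Upgrade to TLS before the password is sent; refuse to continue in clear text.
    if (!@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }

    // The directory decides; the password exists only for the length of this call.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok;
}

// CLI usage (constructed values):
//   LDAP_PW=secret php login.php ldap.example.test "uid=jdoe,dc=example,dc=com"
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $ok = verifyLdapLogin($argv[1], $argv[2], getenv('LDAP_PW') ?: '');
    echo $ok ? "login accepted\n" : "login rejected\n";
}
```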
Insert a new LDAP integration
To configure a new LDAP integration, select the menu System > Permissions > LDAP Integration.
The grid shows all the LDAP integrations already configured. Click Add Ldap at the upper right.
Enter the data for the new LDAP integration.
Fields are divided into 3 tabs: data to connect to the LDAP Server, settings to create users in DeepDesk and settings to create groups in DeepDesk.
The fields have the following meaning:
|Name||Descriptive name of the integration.|
|Domain Controller||The address of the LDAP Domain Controller, e.g. ldap.forumsys.com (Tip: this Domain Controller is public and contains data to test the integration, also present in the demo of DeepDesk. You can use ldap.forumsys.com for testing purposes.).|
|Cron Expression||The Cron expression used to schedule the import job. You can schedule an import every minute (not suggested!), or twice a day, once a week, etc.|
|Status||Indicates whether the integration is active. If it is active but not scheduled with the Cron Expression, you can run it “spot” with the upper right button “Run“.|
|Base DN||Base DN to connect to the LDAP Server, usually where you can find the users to import.|
|Port||Port of the LDAP Server. Standards are: 389 for LDAP and 636 for LDAPS.|
|Timeout||Time for the timeout of the LDAP connection. After that, the server will return an error.|
|Use SSL||Use the SSL protocol for a secure connection.|
|Use TLS||Use the TLS protocol for a secure connection.|
|Follow Referrals||Usually, if the LDAP infrastructure has multiple joined domains, they compose a Forest. Every “cross-domain” access can be resolved if your LDAP server supports it.|
|Admin Username||The username of a user who can read the LDAP directory. In the case of Active Directory this name is usually the DOMAIN\Username string. In the case of OpenLDAP you should probably use the complete DN, e.g. cn=read-only-admin,dc=example,dc=com. We have chosen to let you freely insert the complete DN, to improve the compatibility of our integration with LDAP systems.|
|Admin Password||The password used to connect to LDAP.|
|User Name Attribute||The LDAP attribute that identifies the unique field “Username” stored in the DeepDesk DB. As described in the user guide, DeepDesk modifies this field for LDAP users so that it is stored in the format ID\username, where ID is the (numeric) key field of the LDAP integration stored in the DeepDesk database. This way you can always know from which LDAP server a user has been imported. When you have users imported from LDAP, the DeepDesk Login screen changes, introducing a select-box to choose the LDAP domain. Every user imported from LDAP must select the Domain in that field to get access. In the User Name field of the Login screen, they have to insert their username without the string “ID\”.|
|User RDN Attribute||The unique field (eg: distinguishedName) to associate users to groups.|
|User Fields||Multiline field to decide which user fields to import from LDAP into the DeepDesk DB. See the screenshot for a clear example.|
|User Object Filter||LDAP filter to retrieve only a subset of LDAP Objects. It is possible to set an LDAP Query.|
|Account Prefix||Prefix of the DN of the user.|
|Account Suffix||Suffix of the DN of the user.|
|Disable Users||When a user that is disabled in LDAP is imported, you can disable it in DeepDesk as well. The attribute that marks a disabled user depends on the LDAP implementation. In Active Directory and Free IPA the attribute userAccountControl is checked, while in OpenLDAP pwdAccountLockedTime is checked.|
|Custom Code||PHP code invoked after a user import. This way it is possible to customize the fields and the behaviour of the LDAP integration of DeepDesk. The code exposes two fundamental objects: $user (a PHP array with the data of the user imported into DeepDesk) and $ldapUser (a PHP array with the data read from LDAP).
To edit, for example, the language of a user imported from LDAP, use this PHP code:
$user['locale'] = 'en_US';
|Group Enable||If the LDAP Group integration is active.|
|Group Base DN||Base Directory to find the LDAP Groups.|
|Group Name Attribute||LDAP unique attribute to identify the Name of the Group of DeepDesk.|
|Group Members Attribute||LDAP Attribute to identify if a user belongs to a group. For example uniqueMember.|
|Group Object Filter||LDAP query to filter the imported objects.|
|Group Fields||This multiline field lets you define the fields of the groups you want to import from the LDAP server. See the User Fields field for an example.|
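The Disable Users row names two attributes, userAccountControl and pwdAccountLockedTime, that encode account state very differently. The following added example (not DeepDesk code) classifies constructed directory entries from both. It assumes an entry is a PHP array of attribute => value(s), similar to the $ldapUser array described under Custom Code; `ldapAttr` and `ldapAccountState` are hypothetical helper names.

```php
<?php
// Added illustration, not DeepDesk code. Assumes a directory entry is a PHP
// array of attribute => value(s), like the $ldapUser array the page describes.

const UAC_ACCOUNTDISABLE = 0x0002;              // Active Directory flag bit
const PPOLICY_PERMANENT_LOCK = '000001010000Z'; // OpenLDAP ppolicy marker value

// Hypothetical helper: first value of an attribute, matched case-insensitively.
function ldapAttr(array $entry, string $name): ?string
{
    foreach ($entry as $key => $value) {
        if (strcasecmp((string) $key, $name) === 0) {
            $first = is_array($value) ? reset($value) : $value;
            return ($first === false || $first === null) ? null : (string) $first;
        }
    }
    return null;
}

// Classify an entry as 'active', 'disabled', 'locked-permanent' or 'locked-lockout'.
function ldapAccountState(array $entry): string
{
    $uac = ldapAttr($entry, 'userAccountControl');
    if ($uac !== null && ctype_digit($uac)) {
        // userAccountControl is a bit field: test the bit, never compare to 514.
        return ((int) $uac & UAC_ACCOUNTDISABLE) ? 'disabled' : 'active';
    }
    $locked = ldapAttr($entry, 'pwdAccountLockedTime');
    if ($locked !== null) {
        // A timestamp records a password lockout; whether it has expired depends
        // on pwdLockoutDuration in the policy entry, not on the user entry.
        return $locked === PPOLICY_PERMANENT_LOCK ? 'locked-permanent' : 'locked-lockout';
    }
    return 'active';
}

// Constructed sample entries (not taken from a real directory).
$samples = [
    'ad-normal'   => ['userAccountControl' => ['512']],
    'ad-disabled' => ['useraccountcontrol' => ['66050']], // 0x10000 | 0x200 | 0x2
    'ol-lockout'  => ['pwdAccountLockedTime' => '20240105101500Z'],
    'ol-admin'    => ['pwdAccountLockedTime' => ['000001010000Z']],
    'ol-clean'    => ['uid' => ['jdoe']],
];
foreach ($samples as $label => $entry) {
    printf("%-12s %s\n", $label, ldapAccountState($entry));
}
```

In OpenLDAP, pwdAccountLockedTime is also set by failed-password lockouts, so an import that treats any value as "disabled" will deactivate users who are only locked out for a while.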