LDAP (Lightweight Directory Access Protocol) is an application layer protocol for directory service access. The directory service (LDAP directories) is a hierarchically structured system for storing key-value data. Usually directory services are used to store information about an organization, its assets and users. There are different implementations of LDAP directories. For example, OpenLDAP and FreeIPA for Linux, Microsoft Active Directory for Windows etc.
You can set up synchronization of VMmanager with the LDAP directory. Then user accounts from the directory will be automatically created in the platform.
VMmanager starts synchronization with the LDAP directory at the intervals specified in the settings. During synchronization, the platform connects to the LDAP directory with the specified parameters and receives a list of users. Information about users in the LDAP directory has a higher priority than the information in the platform.
General synchronization rules:
- If a user from the LDAP directory is not present in the platform, the platform will create an account with the LDAP data.
- If a user from the LDAP directory has already been created in the platform, the platform will replace the user account's password with the LDAP data.
  Example: An account with the name firstname.lastname@example.org and the password secret1 has been created in the platform. In LDAP, there is an account with the name email@example.com and the password secret2. After synchronization, the user firstname.lastname@example.org will only be able to log in to the platform with the password secret2.
- If a user from the LDAP directory has already been created in the platform, the platform will change the account level to match the LDAP data.
  Example: An account with the name email@example.com and the "Administrator" level has been created in the platform. In LDAP, there is an account with the name firstname.lastname@example.org in the "Users" group. After synchronization, the account level will change to "User". If the user is the owner of servers, operations with these servers will remain available to him.
- If the administrator deletes from the platform a user created during synchronization with LDAP, the platform will create this user again during the next synchronization.
- If a user is deleted from the LDAP directory, the platform will delete his account during the next synchronization.
- If a user is blocked in the LDAP directory, the platform will set his status to "Blocked in LDAP". Such a user will not be able to log in to the platform.
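The rules above are easiest to reason about as a single reconciliation pass in which the directory is the source of truth. The following simulation is an added example, not VMmanager's own code: the `LdapUser`/`PlatformUser` classes, the `reconcile()` function and the sample accounts are constructed here, and it assumes that only accounts originally created by synchronization (marked `source="ldap"`) are deleted when they disappear from the directory, while purely local accounts are left alone. It shows why a local account that shares a name with a directory user loses its own password and privilege level.

```python
import copy
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed data model for this simulation; it is not VMmanager's schema.
@dataclass(frozen=True)
class LdapUser:
    name: str            # value of the e-mail / login attribute in the directory
    level: str           # role derived from the user's DN group
    password_hash: str   # opaque credential; the directory is authoritative
    blocked: bool = False

@dataclass
class PlatformUser:
    name: str
    level: str
    password_hash: str
    source: str          # "ldap" if created by synchronization, otherwise "local"
    status: str = "Active"

def reconcile(ldap_users: List[LdapUser],
              platform_users: Dict[str, PlatformUser]) -> Tuple[Dict[str, PlatformUser], List[str]]:
    """Apply the synchronization rules; return the new account table and an audit log."""
    accounts = {name: copy.copy(user) for name, user in platform_users.items()}
    log: List[str] = []
    for lu in ldap_users:
        account = accounts.get(lu.name)
        if account is None:
            # Rule: a directory user missing from the platform (including one an admin
            # deleted) is created with the directory data.
            account = PlatformUser(lu.name, lu.level, lu.password_hash, source="ldap")
            accounts[lu.name] = account
            log.append(f"create {lu.name} as {lu.level}")
        else:
            # Rules: directory password and level override the platform values,
            # even for an account that was created locally.
            if account.password_hash != lu.password_hash:
                account.password_hash = lu.password_hash
                log.append(f"replace password of {lu.name}")
            if account.level != lu.level:
                log.append(f"change level of {lu.name}: {account.level} -> {lu.level}")
                account.level = lu.level
        # Rule: a user blocked in the directory cannot log in to the platform.
        wanted = "Blocked in LDAP" if lu.blocked else "Active"
        if account.status != wanted:
            account.status = wanted
            log.append(f"set status of {lu.name} to {wanted}")
    # Rule: users removed from the directory are deleted from the platform.
    # Assumption (not stated on the page): only sync-created accounts are removed.
    present = {lu.name for lu in ldap_users}
    for name in list(accounts):
        if accounts[name].source == "ldap" and name not in present:
            del accounts[name]
            log.append(f"delete {name}")
    return accounts, log

def demo() -> Tuple[Dict[str, PlatformUser], List[str]]:
    """Run one synchronization pass over constructed sample data."""
    directory = [
        LdapUser("alice@example.com", "User", "ldap-hash-alice-2"),
        LdapUser("bob@example.com", "User", "ldap-hash-bob"),
        LdapUser("dave@example.com", "User", "ldap-hash-dave", blocked=True),
    ]
    platform = {
        # Local admin sharing a name with a directory user: the directory data wins.
        "alice@example.com": PlatformUser("alice@example.com", "Administrator",
                                          "local-hash-alice-1", "local"),
        # Created by an earlier sync, since removed from the directory.
        "carol@example.com": PlatformUser("carol@example.com", "User",
                                          "ldap-hash-carol", "ldap"),
        # Purely local account, untouched by synchronization.
        "root-admin": PlatformUser("root-admin", "Administrator", "local-hash-root", "local"),
    }
    return reconcile(directory, platform)

if __name__ == "__main__":
    _, events = demo()
    print("\n".join(events))
```

The audit log returned by `reconcile()` is the part worth keeping in a real deployment: a sync that silently downgrades an administrator or resets a password is exactly the event an operator wants to see recorded.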
To configure synchronization, enter → Synchronization with LDAP:
- Select the LDAP directory implementation:
  - LDAP — a standard directory service implementation;
  - Active Directory;
  - FreeIPA.
- Specify the connection settings:
  - Base DN — the directory object from which the search begins. For example, for the example.com directory, specify "dc=example,dc=com".
  - If necessary, enable the Use SSL to connect option.
  - Main server address.
  - Connection Port.
  - Bind DN — the distinguished name used for authentication. You can specify the name in the format email@example.com or "cn=name,ou=group,dc=example,dc=com".
- For a standard LDAP implementation, specify the following:
  - Users DN — parameter for searching and downloading users. For example, "ou=users".
  - Groups DN — parameter for searching and downloading user groups. For example, "ou=groups".
  - Groupname attribute — attribute for loading the group name. For example, CN or memberof.
  - E-mail attribute — attribute for downloading the user's email address. For example, mail.
- Press Next. VMmanager will check the connection to the LDAP directory with the specified parameters.
- Select the DN group for the roles. Read more about user roles in VMmanager in User permissions.
- For the platform to perform synchronization on a schedule:
  - Enable the Synchronize users automatically option.
  - Select the schedule parameters:
    - Hourly;
    - Daily → select the time;
    - Weekly → select the day → select the time;
    - arbitrary time in the cron format → specify the Cron command (five fields: minute, hour, day of month, month, day of week). For example, 15 10 * * 0 — synchronize on Sundays at 10:15, or 0 12 1,16 * * — synchronize on the 1st and 16th of the month at 12:00.
- You can Download a full list of users for synchronization. The list contains the names of users, their roles and whether matching users already exist in the platform.
- Press Start synchronization. VMmanager will start the synchronization process. Synchronization can take several minutes.
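A schedule typed into the Cron command field is only as good as the expression, and a malformed one (for example a six-field string) never fires as intended. The following checker is an added example, not part of VMmanager: `parse_cron()`, `cron_matches()` and `next_run()` are constructed here and implement the standard five-field cron syntax (lists, ranges, steps, and the usual rule that a restricted day-of-month and a restricted day-of-week are combined with OR), so an operator can confirm offline when a given expression, such as the Sunday 10:15 and 1st/16th examples above, will actually trigger a synchronization.

```python
import datetime as dt
from typing import List, Set, Tuple

# Allowed ranges of the five standard cron fields: minute, hour, day of month, month,
# day of week. Day of week accepts 0-7 so that both 0 and 7 can mean Sunday.
_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

def _expand(field: str, lo: int, hi: int) -> Set[int]:
    """Expand one cron field ('*', 'a', 'a-b', 'a,b', '*/n', 'a-b/n') into a value set."""
    values: Set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"invalid step in {field!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start   # 'a/n' counts from a to the end of the range
        if not (lo <= start <= end <= hi):
            raise ValueError(f"value out of range in {field!r}")
        values.update(range(start, end + 1, step))
    return values

def parse_cron(expr: str) -> Tuple[List[Set[int]], bool, bool]:
    """Parse a 5-field cron expression; anything else (e.g. six fields) is rejected."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {expr!r}")
    sets = [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, _RANGES)]
    if 7 in sets[4]:                      # normalize Sunday to 0
        sets[4].discard(7)
        sets[4].add(0)
    # A day field that starts with '*' counts as unrestricted (Vixie cron behaviour).
    return sets, fields[2].startswith("*"), fields[4].startswith("*")

def _matches(sets: List[Set[int]], dom_any: bool, dow_any: bool, when: dt.datetime) -> bool:
    minute, hour, dom, month, dow = sets
    cron_dow = (when.weekday() + 1) % 7   # Python: Monday=0 ... ; cron: Sunday=0
    dom_ok, dow_ok = when.day in dom, cron_dow in dow
    # When both day fields are restricted, cron fires if either of them matches.
    day_ok = (dom_ok or dow_ok) if not (dom_any or dow_any) else (dom_ok and dow_ok)
    return when.minute in minute and when.hour in hour and when.month in month and day_ok

def cron_matches(expr: str, when: dt.datetime) -> bool:
    """Return True if the expression fires at the given minute."""
    sets, dom_any, dow_any = parse_cron(expr)
    return _matches(sets, dom_any, dow_any, when)

def fires(expr: str, year: int, month: int, day: int, hour: int, minute: int) -> bool:
    """Convenience wrapper taking the date and time as plain integers."""
    return cron_matches(expr, dt.datetime(year, month, day, hour, minute))

def next_run(expr: str, after: dt.datetime, horizon_days: int = 366) -> dt.datetime:
    """Return the first minute strictly after `after` at which the expression fires."""
    sets, dom_any, dow_any = parse_cron(expr)
    t = after.replace(second=0, microsecond=0) + dt.timedelta(minutes=1)
    limit = after + dt.timedelta(days=horizon_days)
    while t <= limit:
        if _matches(sets, dom_any, dow_any, t):
            return t
        t += dt.timedelta(minutes=1)
    raise ValueError(f"{expr!r} does not fire within {horizon_days} days")

def next_run_iso(expr: str, after_iso: str) -> str:
    """Same as next_run() but with ISO 8601 strings, e.g. '2024-03-02T00:00:00'."""
    return next_run(expr, dt.datetime.fromisoformat(after_iso)).isoformat()

if __name__ == "__main__":
    for expr in ("15 10 * * 0", "0 12 1,16 * *"):
        print(expr, "->", next_run_iso(expr, "2024-01-01T00:00:00"))
```

Run the expression you intend to save through `next_run_iso()` with a known starting point; if the result is not the time the schedule is supposed to produce, or `parse_cron()` raises, fix the expression before enabling automatic synchronization.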
You can change the saved settings under → Synchronization with LDAP.
To synchronize manually, enter → Synchronization with LDAP → Synchronize now or Users → Synchronize with LDAP → Start synchronization.