Add an LDAP Connector Device
Before you are able to import an LDAP group, you must first create a means for Vbrick Rev to communicate with Active Directory and LDAP groups. This is accomplished by creating an LDAP Connector and then running that connector on a host or through a direct connection if you have an on-premise installation. Be aware that the connector will always need to be running on the host you choose for importing and synchronizing your LDAP groups and users if you do not have a direct connection enabled.
To add an LDAP Connector:
Note: Depending upon the Directory Type you choose, most fields are completed for you when adding an LDAP Connector. If you intend to modify those fields and are unsure of exact values, consult the Directory Type’s documentation for more information: |
1. Navigate to the > > option.
2. Click > .
3. Complete each section of the form as described below.
Add the LDAP Connector as a Direct Connection
The section first needs to be completed as either a (normally for on-premise installations) or for use with the LDAP Connector for Rev Cloud that you previously downloaded and installed. In this case, you will need to inactivate Direct Connection and enter at least one (of the laptop/server of the previously installed connector).
This example has Direct Connection in inactive status since Rev Cloud is in use.
Field Name | Required | Description |
---|
Device Name | Yes | The unique Device Name you will use to import your LDAP groups. |
Status | | Designates whether or not your connector is currently active or inactive. |
Direct Connection | | Enabled by default. This setting is used for On-Premise Rev installations to provide a direct connection to Active Directory. If this setting is enabled, you will not be required to download and install the Rev Cloud LDAP connector. You will, however, be required to enter at least one Mac Address which is used to run one or more LDAP Connectors. |
Allow LDAP Authentication for Users | | Enabled by default. Specifies if users will use LDAP authentication. If disabled, user/group sync will use LDAP while user authentication will use SAML. See: Disable LDAP Authentication for Users. |
Add a MAC Address for the LDAP Connector
To use the LDAP Connector for Rev Cloud, make sure you disable the and enter a for each you plan to use. You may configure the status per node or through the entire LDAP Connector as desired (unless there are no active nodes). If more than one node is configured, the system will distribute tasks among the available nodes.
Field Name | Required | Description |
---|
Connector Nodes / MAC Address | Yes | Only visible if Direct Connection is set to inactive status. The for the is required if Direct Connection is inactive and you will be unable to create the connector without it if you plan to run your connector on a host. This should be the address of the host you plan to run your connector from or previously entered connector host location. This is easily obtained by entering the command getmac from a command prompt. The Mac Address is the first line with no dashes. You may add additional nodes by clicking the button. Further, you may change the status of each node at will by clicking the and buttons. Click the button to remove a node. Note: The LDAP Connector for Rev Cloud version in use is displayed under each address. It is not recommended that different versions of the connector be in use at the same time. The first two of each node you add may be viewed on the main page under the column. |
LDAP Connector Status depends on the following node states:
●If LDAP Connector is active and all active LDAP nodes are online: Active
●If LDAP Connector is active and at least one active LDAP node is offline: Warning <# of offline nodes/# of active LDAP nodes>
●If LDAP Connector is active and all active LDAP nodes are offline: Offline (See image above)
●If LDAP Connector is inactive: Inactive
LDAP Server Settings
Once you decide how you are going to run the connector, complete the section.
Field Name | Required | Description |
---|
Directory Type | Yes | The directory type that the supports; Note that when you choose a directory type, the LDAP Server Mapping fields will be automatically populated with the recommended default settings for that type. |
LDAP Server Host | Yes | The IP address or name of the host. |
Port | Yes | The default port is 389. Use 636 if using SSL. |
SSL | | Indicates the LDAP connection is over SSL if selected. |
TLS v1.2 | | Enables TLS v1.2 support. Must have SSL enabled first before this becomes available. |
Username | Yes | The user name/password to connect to LDAP Server. |
Password | Yes | The user name/password to connect to LDAP Server. |
Tip: This topic uses Active Directory as the Directory Type when creating an LDAP Connector. However, selecting Generic LDAP is much the same process. |
LDAP Server Mapping
Most of the section is populated with recommended default values and formats when you choose a in the
LDAP Server Settings section. The image below displays the server mappings for . These fields may be modified if needed. Most fields are required.
Note: Keep in mind that if you change the Root Scopefield in the LDAP ServerMapping section after you have already imported groups and users, you will need to re-import your group. |
LDAP Groups Specification
The section is used to import specific LDAP groups only and is only visible if the checkbox is selected in the previous section.
If you are an organization with hundreds or even thousands of LDAP groups, this may take a considerable amount of time to import. You may use the checkbox to enter the LDAP group you want to import instead. This will open the section where you may enter the Distinguished Name (DN) of the LDAP group to be imported seen in the example below.
By default, the checkbox is deselected which means that all LDAP groups associated with your Active Directory server will need to be retrieved and displayed for potential import when you click the action for an LDAP Connector device or the button from the module, seen in the image below.
Keep in mind:
●You must enter the LDAP DN name exactly as it appears. If it is misspelled or entered incorrectly it will not import. Note: It is not case sensitive.
●If you use this method, you may no longer use the action for an LDAP Connector device or the button from the module until the checkbox is once again deselected.
●If the checkbox is deselected and you want to import new groups, then the button must used to manually sync the connector; or you may also wait until the next scheduled sync interval has been performed. See:
LDAP Server Synchronization Settings.
User Record Mapping
Similar to the section, the section is populated with recommended default values and formats when you choose a in the
LDAP Server Settings section. The image below displays the user record mappings for . These fields may be modified if needed. Most fields are required.
Merge Users
The checkbox is disabled by default. If this is checked/enabled, the LDAP connector will process and merge the incoming user even if the user currently exists in Rev (if unchecked, a “duplicate user” error is generated).
Keep in mind:
●The incoming user will be treated as an update and this is permanent and not reversible.
●The update only occurs if both username and email address match.
●The source of the user account will be modified to LDAP.
●If the Rev user account had additional roles, those will be retained.
●If the Rev user account was manually suspended, that user will remain suspended.
●Active and unlicensed status will remain unchanged.
●LDAP fields override Rev user field values, including any blank fields.
●As noted, if this checkbox remains disabled, then the LDAP connector will continue to display an error message for any duplicate username/email addresses found.
LDAP Server Synchronization Settings
The section is used to specify the sync interval from Active Directory to Vbrick Rev. You can also specify if Suspended user accounts should be deleted when a sync occurs.
Sync intervals are specified in minutes or hours. The recommended interval is 24 hours; particularly if importing and/or syncing large groups of users so you do not tie up server resources during peak usage time by your end users. Note that you must specify a synchronization interval.
Select the in checkbox to delete those LDAP accounts that were synced and imported but then subsequently never logged in to Rev. An example of this may include a user account that was created and imported but then left the company before logging in.
If your sync needs to be reset for any reason, you may use the link in the Actions drop-down on the All Devices form to do so.