Configuration for direct directory service access

Here's how to set up and run the process of synchronizing users using direct communication mode:

1.To add a new domain configuration, go to SE Suite, the SE Configuration component

Authentication (CM008). On the screen that will open, go to the Directory integration

Domains section and click on the Add button.

2.In the General

Connection section of the screen that will open, the data must be configured to connect to the LDAP server.

The domain ID # (A) and address (B) can be found in the properties of the computer - accessed through the Control panel - as shown in the following image:

sda0002

Connection String: Enter the connection string with the LDAP server. "ldap://<hostname>:<port>", remembering that the default value for the Microsoft Active Directory connection port is 389. For example: ldap://contoso.local:389

▪Active Directory: Active Directory is a directory service implementation in the LDAP protocol that stores information about objects on a computer network and makes this information available to users and administrators of this network. It is a Microsoft software used in Windows environments, present in the Active directory.

▪OpenLDAP: OpenLDAP is an open source software that implements LDAP protocol. It is a directory service based on the X.500 standard. OpenLDAP is independent of the operating system. Several Linux distributions include the OpenLDAP package. The software also runs on the following operating systems: BSD, AIX, HP-UX, Mac OS X, Solaris, Microsoft Windows (2000, XP, 2003, 2008, Vista, Windows 7 and Windows 8) and z/OS.

SSL Security: Check this option to use the SSL security protocol when accessing the system. The SSL protocol provides privacy and data integrity between two applications that communicate over the Internet. This is done through the authentication of the parties involved and the encryption of the data transmitted between the parties. Furthermore, this protocol helps prevent intermediaries between the two ends of the communications from gaining undue access or falsifying the data being transmitted.

User: Enter the user's name to connect to the LDAP server. For example: "Synchronization User". The user name is used to connect to the directory service in the synchronization and simulation processes.

Password: Enter the password for user authentication when connecting to the LDAP server.

It is recommended to create a specific user for this connection in the directory service, with the proper permission to search using the filter and the directory informed in the following steps.

3.In the General

Connection section, the data of the NTLMv2 connection must be entered.

NTMLv2 port: This port is used for user authentication via NTLMv2. The connection test attempts an authentication using the credentials (login and password) provided below. If you do not intend to use this authentication mode, it may be ignored.

Login for NTLMv2 connection test: Enter the user login to connect to the LDAP server. For example: "user.synch@contoso.local". This login will be used to test the connection to the directory service.

4.In the General

Search criteria (user/group/team) section, enter the search criteria to search certain LDAP server information. To do that, fill in the Filter (to restrict search result) and Directory (where data will be imported) fields.

To view the directory/user structure contained in the directory service, it is recommended to use external tools such as "Active Directory Users and Computer" or "Apache Directory Studio". Refer to the Examples of LDAP filters for connection to a directory service section, for more examples of filters and directories.

At this time, it is possible to validate the information by running a connection test; to do that, click on the

button.

To see the possible errors that the connection test can display, see the Errors and warnings of the domain configuration/connection test section.

5.After that, save the settings you have made. Then, go to the General

Synchronization section to configure the information that will be synchronized.

To synchronize only user data, do not check the "Department and Position", "Access group" and "Team" options. However, it will not be possible to log into the system without this information.

The Attribute for first synchronization field is used to link an existing user to a domain. When a record with a value equal to that of the directory service is returned, the internal user is automatically linked to the domain, authenticating with the credentials maintained by the service. It is recommended to use the "User ID" field as an attribute for the first synchronization, since it is a field that has a unique value for each user, but other fields such as "Login", "E-mail" or "Name" may also be configured.

6.After that, fill in the fields in the Notification

Frequency section. With this, the administrator will be notified via email if there is any communication error in the synchronization process that causes the process not to run after the inactivity time has been exceeded.

▪ID # in domain controller: Enter the LDAP server attribute that should be used as the user ID #, that is, when importing the data, the attribute selected in this field will be saved in the database as the user ID #.

▪Name: Enter the LDAP server attribute to be used as the username, that is, when importing the data, the attribute selected in this field will be saved in the database as the username.

▪Login: Enter the LDAP server attribute to be used as the user login, that is, when importing the data, the attribute selected in this field will be saved in the database as the user login.

▪E-mail: Enter the LDAP server attribute to be used as the user e-mail, that is, when importing the data, the attribute selected in this field will be saved in the database as the user e-mail.

▪User ID: Enter the LDAP server attribute to be used as the user ID, that is, when importing the data, the attribute selected in this field will be saved in the database as the user ID.

▪Synchronize leader: Check this option to enable system user leader to link the synchronization with the information configured in LDAP. By default, the system uses the "manager" field from the directory service to identify the leader and assemble the organizational hierarchy, comparing with the "distinguishedName" field of each record returned in the search (these two attributes can be customized). In order for the link to occur, both the user and its leader need to be listed in the search made using the given filter and directory. Therefore, you must adjust the search to meet this requirement or enable the "Ignore errors of leader not found" option if you wish to enable this function.

▪Leader ID # attribute (optional): Used to get the ID # of a leader user. By default, the system uses the "distinguishedName" attribute, or "entryDN" if the OpenLDAP connection type is being used.

▪Relationship attribute (optional): Indicates the ID # of the leader related to the users. By default, the system uses the "manager" attribute.

▪Do not synchronize user leaders with a circular reference: Consider three users: A, B and C. Users A and B are each other's leaders and B is C's leader. In this example, A and B would not be imported due to a circular reference, and C would also not be imported because their leader B could not be imported. By checking this option, the circular reference would be ignored, importing only A and B without a defined leader, but keeping B as the leader of user C, as C is not a part of the circular reference.

▪Ignore errors of leader not found: By using this option, if the leader synchronization option is enabled and the user leader is not contained in the user list for synchronization, there will be no errors and the user will be imported normally.

▪Initial parameters: The initial parameters will only be used when the user is created in SE Suite. These parameters will be used as defaults for all the users imported from the LDAP server. In other words, the Language, Enabled user, Locked user, Receive e-mailed news, Enable multiple logins and Max. number of connections options will only be used in the first access of new users, thus, they will not interfere with users already saved in SE Suite.

All attributes that are available for selection are obtained directly from the directory service, using the search set in the filter and directory. If any attribute that was expected is not available for selection, it is possible that no user with this attribute was returned. For example, in the email field, the "mail" attribute was expected, but there is no such attribute for selection. In this case, it must be verified in the directory service if there is any user with this field filled, within the directory informed and following the rules defined in the filter.

8.In the Synchronization

Department and position section, synchronize departments and positions. To do that, complete the following fields:

▪Department ID #: Enter the LDAP server attribute to be used as department ID #, that is, when importing the data, the attribute selected in this field will be saved in the database as department ID #.

▪Department name: Enter the LDAP server attribute to be used as department name, that is, when importing the data, the attribute selected in this field will be saved in the database as department name.

▪Inactive department: The initial parameters will only be used when the department is created in SE Suite. This parameter will be used as the default for all departments imported from the LDAP server.

▪Inactive position: The initial parameters will only be used when the position is created in SE Suite. This parameter will be used as the default for all positions imported from the LDAP server.

▪Position ID #: Enter the LDAP server attribute to be used as a position ID #, that is, when importing the data, the attribute selected in this field will be saved in the database as position ID #.

▪Position name: Enter the attribute of the LDAP server that is to be used as the position name, that is, when importing the data, the attribute selected in this field will be saved in the database as the position name.

▪Default access groups: Default access group for new synchronized departments.

It is recommended that the department or position ID #s do not exceed 50 characters, because when this occurs, the ID # will be truncated and incremented with sequential value.

9.In the Synchronization

Access group section, define the attribute of the LDAP server groups that will be considered the ID # for the creation of the link with the respective SE Suite access group. Group synchronization does not create access groups in SE Suite; it only links groups that already exist in the system with groups from the directory service with the same ID #. It also makes users who are members of the group in the directory service to be members of the access group in SE Suite.

10. In the Synchronization

Team section, synchronize teams by completing the configuration. To do that, fill in the following fields:

▪Team ID #: Select the LDAP server attribute to be used as team ID #, that is, when importing the data, the attribute selected in this field will be saved in the database as team ID #.

▪Team name: Enter the LDAP server attribute to be used as team name, that is, when importing the data, the attribute selected in this field will be saved in the database as team name.

It is recommended that the team ID #s do not exceed 50 characters, because when this occurs, the ID # will be truncated and incremented with sequential value.

12. On the Authentication (CM008) screen, click on the

button to perform the synchronization simulation, without effecting changes to the SE Suite. The system will notify you when the data is sent. Click on the "View" option of the notification or the

toolbar button to view the synchronization simulation.

13.

After that, release the connections for synchronization. To do that, click on the

toolbar button and confirm the request made by the system. At this point, the domain will be released and the

button will be enabled, allowing you to synchronize the system.

14. From this point onwards, it is possible to synchronize and track the process. Each synchronization generates a record in the synchronization history of users and teams (if enabled), allowing you to view the current status and record of the number of processed records. To track the current synchronization, click on the

button.

15. In the User synchronization history section, the system provides the last 10 synchronization records for viewing.

Synchronization can have the following statuses: "Executing", "Executing with errors", "Loading AD information", "Loading SE Suite users", "Comparing the users of SE Suite with the users of AD", "Calculating permissions of users", "Finished" and "Finished with errors".

The "Calculating permissions of users" status indicates that new users are being added, and the system is creating the access permissions structure for them. This step may take a while depending on the number of new users. This step may take a while depending on the number of new users. The progress of user permissions processing can be tracked in the "With permission" column. Statuses that report errors refer to users with missing information, invalid formats, or conflicting information, and the reason for the error can be seen in the import details.

To view the import details (users with errors, updated, imported, and disabled), select the desired record and click on the

button.

To see more details about the possible errors that the synchronization process can display, and how to resolve them, go to the Errors that can occur in synchronization of users section.

16. The Team synchronization history section is similar to the "User synchronization history" section, with differences in the details presented. This section will display teams with error, updated, imported and disabled teams.

17. By enabling synchronization scheduling, the process will run intermittently at midnight every day. Recurrence can be changed by going to the Monitoring

Scheduling (CM019) menu and searching by the name "LDAPSynchronizerJob".

18. There is a configuration in SE Suite that allows authenticating users not linked to a domain via SAML. This configuration is "Enable integrated authentication for users that are not synchronized" and can be found on the Configuration

Authentication (CM008) screen, left side menu, in Directory integration

General options.

This configuration was created for situations in which there is no user synchronization via LDAP or SCIM with SE Suite, but there is a need to authenticate the users manually created in SE Suite with a platform that uses SAML (Azure, Okta, and others).

In these cases, the "Enable integrated authentication for users that are not synchronized" configuration must be enabled and SAML must be configured in SE Suite through the Configuration

Authentication (CM008) screen.

When the "Enable integrated authentication for users that are not synchronized" option is enabled:

▪The records of users that were not provisioned via LDAP or SCIM will be opened in SE Suite for manual editing, including the access password.

▪Single sign-on is possible for users via SAML (if SAML is configured in Configuration

Authentication (CM008), and the user to be authenticated is registered in the platform that uses SAML), or they can log in by entering the password contained in their SE Suite record.

▪Login via Single Sign-On will authenticate the user with the password created for them in the platform that uses SAML (Azure, Okta, etc.), and logging in with user and password (without single sign-on) will authenticate the user with their password and login created in SE Suite.

▪Single Sign-On on the SE Suite login screen has priority, that is, if the "User" and "Password" fields are filled out on the SE Suite login screen and the "Single Sign-On" button is clicked, the values entered in both fields are ignored.