
Behavior:
Users that have been created in an Active Directory must be selectively imported into the DocuWare system. How can we perform a unique synchronization, compared to syncing the entire Active Directory?

Solution:
The performance of user synchronization can be significantly improved by using direct LDAP access. Accessing the Active Directory with LDAP is a beneficial approach, especially when working with a complex user rights structure.
With LDAP, access can be limited to specific groups, which prevents searching the entire Active Directory tree structure.

Sample of Basic LDAP structure:
The key point about LDAP synchronization is that you have to be able to identify the OUs that hold the objects, such as groups and users. Here is a quick sample:

Sample LDAP

Technical procedure:

  • DocuWare sends an LDAP request to the server where the LDAP services are installed
  • The request is accepted and transformed into an Active Directory query by the LDAP services
  • Active Directory evaluates the request and sends the requested information back to the LDAP services
  • The LDAP services generate an LDAP response from the Active Directory response and send it back to DocuWare

Configuration of the LDAP access to the Active Directory:
Open the DocuWare Administration Tool, right-click "External User Directories", then select "Create new User External Directory". Enable "LDAP" for the configuration type located in the General section.
If "Create network ID" is enabled, "Domain information" will be needed.


(Note: Port of the LDAP services (389 = default); choose "Secure" if the LDAPS protocol should be used)


If you are unsure what information is needed for a line, right-click the line and enable "Description" to display information about the selected option.

*DN (Distinguished Name) = unique identifier name of an object in an LDAP directory

Select Group/User distinguished name
Within the Matching settings, use the ellipsis in the Group settings on the right-hand side to insert the DN of the LDAP container with the DocuWare groups that should be synchronized. The same procedure must be done with the ellipsis in the User settings. The integrated LDAP browser allows you to choose the node where you can select all groups and/or users you want to import.

Select node properties
When configuring "Login name identification attribute" or "Group member identification attribute" under User settings, you will be presented with the browser depicted below. Select the attributes that specify the user or group you wish to synchronize.
Note: "Login name identification attribute" specifies the attribute that matches the user's login name for Windows. This value is usually under the "member" attribute.

Test configuration
Once the configuration has been completed, save your changes by clicking Apply at the bottom of the Administration Tool. Use the ellipsis on the right side of "Test Configuration" to test the configuration; the test displays all groups and users that will be synchronized.

Once the test has returned the desired results, save your changes. You may now proceed to create the Synchronization workflow that will run your LDAP access to Active Directory. Please refer to step 3 in KBA-34826 to create a Synchronization workflow.
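
To reason about which objects a chosen Group DN and User DN bring into scope before relying on Test Configuration, the following added example (not DocuWare code) models subtree scoping over a constructed directory and lists group members that fall outside the user container. The example.com entries and all function names are assumptions for illustration, as is the premise that the selected DN acts as a subtree search base.

```python
# Constructed sample directory (not from the KBA): DN -> attributes.
DIRECTORY = {
    "CN=DW-Accounting,OU=DocuWare Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=Doe\\, Jane,OU=Staff,DC=example,DC=com",
                   "CN=svc-backup,OU=Service Accounts,DC=example,DC=com"]},
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=Administrator,CN=Users,DC=example,DC=com"]},
    "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com": {"objectClass": "user"},
    "CN=svc-backup,OU=Service Accounts,DC=example,DC=com": {"objectClass": "user"},
    "CN=Administrator,CN=Users,DC=example,DC=com": {"objectClass": "user"},
}

def split_dn(dn):
    """Split a DN into lower-cased RDNs; a backslash-escaped comma stays in its RDN."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            rdns.append(cur.strip().lower())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip().lower())
    return rdns

def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies beneath it, compared RDN by RDN."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b

def preview_sync(directory, group_base, user_base):
    """Return (groups in scope, users in scope, group members outside user_base)."""
    groups = sorted(dn for dn, a in directory.items()
                    if a["objectClass"] == "group" and in_subtree(dn, group_base))
    users = sorted(dn for dn, a in directory.items()
                   if a["objectClass"] == "user" and in_subtree(dn, user_base))
    # Members of in-scope groups whose DN is not under the user container.
    outside = sorted({m for g in groups for m in directory[g]["member"]
                      if not in_subtree(m, user_base)})
    return groups, users, outside

if __name__ == "__main__":
    for part in preview_sync(DIRECTORY, "OU=DocuWare Groups,DC=example,DC=com",
                             "ou=staff,dc=example,dc=com"):
        print(part)
```

Group members reported in the third list are worth reviewing against the intended User DN before the synchronization workflow is created.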

KBA is applicable to On-Premise Organizations ONLY.