Behavior:
Users created in Active Directory should be imported selectively into the DocuWare system. Synchronization should be selective to improve performance compared to synchronizing the whole Active Directory.
Sample Basic LDAP structure:
The key point about LDAP synchronization is that you have to be able to identify the OUs that hold objects such as groups and users. Here is a quick sample:
Solution:
The performance of user synchronization can be significantly improved by using direct LDAP access. Accessing Active Directory with LDAP is especially beneficial when working with a complex user rights structure.
With LDAP, access can be limited to specific groups, which avoids searching the whole Active Directory tree structure.
Technical procedure:
- DocuWare sends an LDAP request to the server where the LDAP services are installed
- The LDAP services accept the request and transform it into an Active Directory query
- Active Directory evaluates the request and sends the requested information back to the LDAP services
- The LDAP services generate an LDAP response from the Active Directory response and send it back to DocuWare
Before you configure a new user synchronization workflow for Active Directory, you have to create LDAP access to the Active Directory.
This DocuWare Knowledge Base article helps you configure LDAP access to Active Directory.
As an alternative to the integrated LDAP browser you may use the Softerra LDAP Browser: http://www.ldapbrowser.com/download.htm
Configuration of the LDAP access to the Active Directory
- LDAP configuration for user synchronization
1 = descriptive name of the connection
2 = select LDAP
3 = select Active Directory
4 = select Create Network ID (optional for SSO functionality)
5 = Name of the LDAP server
5.1 = User (incl. domain name in NetBIOS format) with the necessary LDAP rights
5.2 = Password for this user
6 = Port of the LDAP services (389 = default); choose "Secure" if the LDAPS protocol should be used
7 = insert Base DN of the LDAP directories (optional)
8.1 = insert DN of the LDAP container with the DocuWare groups which should be synchronized
You can choose it via the integrated LDAP browser by clicking '...'
8.2 = has to be selected
can be deactivated to get readable group names.
8.3 = insert "(objectClass=group)"
9.1 = insert DN of the LDAP container which includes the DocuWare users which should be synchronized.
You can choose it via the integrated LDAP browser by clicking '...'
9.2 = Attribute which includes the username; this depends on the LDAP system
9.3 = insert "(objectClass=user)"
9.4 = insert attribute "member"
10 = test the configuration by clicking on '...' (see fig. 2).
11 = choose a fixed domain or select another one
11.1 = Windows logon name attribute (in Active Directory implementations: "sAMAccountName").
11.2 = insert domain name in NetBIOS format
12 = choose e-mail address attribute.
13 = assign the appropriate organization(s)
*DN (Distinguished Name) = unique identifier name of an object in LDAP directory
- Select group distinguished name
After the LDAP access has been configured, the integrated LDAP browser allows you to choose the node where you can select all groups and users you want to import.
- Select node properties
The attributes which have to be entered during the configuration can be selected by clicking at the end of the line.
- Test configuration
A final test of the configuration shows you all groups and users which will be synchronized.
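The scoping described by settings 8.1 to 9.4 and 11.1, modelled on a constructed directory to show what the final test should and should not list. This is an added example, not DocuWare code: the DNs, account names and the helpers `under` and `preview_sync` are assumptions made for illustration. It also shows that in Active Directory computer objects carry the `user` object class and therefore match "(objectClass=user)".

```python
# Added example: a model of the scoping in the legend, run on constructed data.
# Not DocuWare code; every DN, name and address below is made up.

def under(dn, base):
    """True if dn is base or lies beneath it (simplified: no escaped commas)."""
    parts = lambda s: [p.strip().lower() for p in s.split(",")]
    d, b = parts(dn), parts(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def preview_sync(directory, group_base, user_base, member_attr="member",
                 name_attr="sAMAccountName", mail_attr="mail"):
    """Return (users, groups) that the configured containers and filters select."""
    # 9.1 + 9.3: objects below the user container whose objectClass includes "user"
    users = {dn: (a[name_attr], a.get(mail_attr)) for dn, a in directory.items()
             if "user" in a["objectClass"] and under(dn, user_base)}
    groups = {}
    for dn, a in directory.items():
        # 8.1 + 8.3: objects below the group container with objectClass "group"
        if "group" in a["objectClass"] and under(dn, group_base):
            # 9.4: resolve member DNs; members outside the user scope are dropped
            groups[a["cn"]] = sorted(users[m][0] for m in a.get(member_attr, [])
                                     if m in users)
    return sorted(users.values(), key=lambda u: u[0]), groups

BASE = "DC=example,DC=com"
DIRECTORY = {  # constructed sample entries
    f"CN=DW-Invoices,OU=DocuWare Groups,{BASE}": {
        "objectClass": ["top", "group"], "cn": "DW-Invoices",
        "member": [f"CN=Alice,OU=DocuWare Users,{BASE}",
                   f"CN=Bob,OU=Sales,{BASE}",
                   f"CN=SCAN01,OU=DocuWare Users,{BASE}"]},
    f"CN=Domain Admins,CN=Users,{BASE}": {  # outside the group container
        "objectClass": ["top", "group"], "cn": "Domain Admins",
        "member": [f"CN=Alice,OU=DocuWare Users,{BASE}"]},
    f"CN=Alice,OU=DocuWare Users,{BASE}": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "alice", "mail": "alice@example.com"},
    f"CN=Bob,OU=Sales,{BASE}": {  # a user, but outside the user container
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "bob", "mail": "bob@example.com"},
    f"CN=SCAN01,OU=DocuWare Users,{BASE}": {  # computer objects also carry "user"
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "sAMAccountName": "SCAN01$"},
}

USERS, GROUPS = preview_sync(DIRECTORY, f"OU=DocuWare Groups,{BASE}",
                             f"OU=DocuWare Users,{BASE}")
```

If computer accounts such as `SCAN01$` should not be imported, a narrower user filter such as "(&(objectCategory=person)(objectClass=user))" excludes them.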