Connecting LDAP(S) to TRUECHART Service
Apart from the manual (local) creation and management of users, the TRUECHART Service can be linked to an existing LDAP service (such as OpenLDAP, Active Directory, eDirectory, etc.) to control access to users already existing in your directory.
NOTE: For users running trueChart prior to v2021.2.0, this screen is found under "Settings". All other functionality remains the same.
Connect to an LDAP server
Follow these steps to connect the TRUECHART service to your directory via LDAP:
- Open the TRUECHART Management Console and go to the Settings page
- Select the User Directories menu entry on the left
- Click on Add Directory in the upper right.
- In the New LDAP Connector dialog enter the following information:
- Name and Domain name of the LDAP server
- Host and Port the LDAP service is listening on
- Username and Password to authenticate to the LDAP service
- Sync interval and Search timeout
- Check the connection by clicking the Test Connection button
- Click "Test Connection", then save the changes by clicking the Save button
Connect to an LDAPS server
To use a secure connection to the LDAP server, follow the steps for connecting to an LDAP server with the following adjustments:
Host: The hostname must include the protocol, so for an LDAPS connection the host must contain something like "LDAPS://ldap-host.com". The important thing is that it starts with "LDAPS://".
Port: Must be changed to the SSL port of the LDAP server: 636 by default (may differ).
In the LDAP(S) authentication settings, the SSL checkbox must be checked, and the domain controller (DC) must also have a certificate.
Edit the config
To edit the config of an already created LDAP directory connection follow these steps:
- Open the TRUECHART Management Console and go to the Settings page
- Select the User Directories menu entry on the left
- Select the directory configuration to edit in the center
Advanced settings
Server settings
Here the general access parameters must be specified.
Property | Description |
---|---|
Name | The name of the current directory setting |
Domain | The domain name to be sync with |
Host | The hostname or IP address to access. This should be your Domain Controller. |
Port | Enter 389. This is the default port; enter this value unless you have a custom LDAP configuration. |
Username | Username to be used for access |
Password | The password for given username to be used for access |
Sync interval (in minutes) | Sync interval is the time period (in minutes) the TRUECHART Service syncs the users and groups between the directory and itself. The default value is 60 minutes. |
Search timeout (in seconds) | Specify the timeout for search operations within the directory. The default value is 60 seconds. |
LDAP schema
Here the access names to the base directory and special user or user groups are specified.
Property | Description |
---|---|
Base DN | Base DN is the distinguished name of the directory. Example: dc=TRUECHART,dc=de,dc=com |
User DN (optional) | Optional value giving the distinguished name of the user container. The given OU "OU=TRUECHARTUsers" is the actual OU in the Active Directory that you chose to put your users in. Please note that this OU does not have to be called "TRUECHARTUsers". It can be called anything you want, or be any OU that contains the users you want in your TRUECHART Server instance. Please confirm the container is an OU and not a CN. If it is a CN, use the designator CN=Users, for example. |
Group DN (optional) | Optional value giving the distinguished name of the group container. The given OU "OU=TRUECHARTUserGroups" is the actual OU in the Active Directory that you chose to put your user groups in. Please note that this OU does not have to be called "TRUECHARTUserGroups". It can be called anything you want, or be any OU that contains the groups you want in your TRUECHART Server instance. Please confirm the container is an OU and not a CN. If it is a CN, use the designator CN=Users, for example. |
User schema
In the following section, the TRUECHART Service attributes must be mapped from directory values to TRUECHART Service values for the users to be imported.
Property | Description |
---|---|
User object | Example: user |
User object filter | Example: (&(objectCategory=Person)(sAMAccountName=*)) |
Attribute: Username | Example: sAMAccountName |
Attribute: Username RDN | Example: cn |
Attribute: First name | Example: givenName |
Attribute: Last name | Example: sn |
Attribute: Display name | Example: displayname |
Attribute: Principal name | Example: userPrincipalName |
Attribute: Email | Example: mail |
Attribute: Unique user ID | Example: objectGUID |
Attribute: User groups | Example: memberOf |
Group schema
In the following section, the TRUECHART Service attributes must be mapped from directory values to TRUECHART Service values for the user groups to be imported.
Property | Description |
---|---|
Group object | Example: group |
Group object filter | Example: (&(objectCategory=Group)(name=*)) |
Attribute: Unique group ID | Example: objectGUID |
Attribute: Group name | Example: cn |
Attribute: Group description | Example: description |
Attribute: Group members | Example: member |
Fetch group members recursively | Check to also import users from sub or nested groups |
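As an added illustration (not TRUECHART's own code), the following Python applies the attribute mappings from the User schema and Group schema tables to constructed sample entries, and shows what "Fetch group members recursively" implies when groups are nested or even reference each other. The user, group and DN values are made up for the example.

```python
from collections import deque

# Attribute mapping exactly as in the User schema / Group schema tables above.
USER_SCHEMA = {
    "username": "sAMAccountName", "first_name": "givenName", "last_name": "sn",
    "display_name": "displayName", "principal_name": "userPrincipalName",
    "email": "mail", "unique_id": "objectGUID", "groups": "memberOf",
}
GROUP_SCHEMA = {"unique_id": "objectGUID", "name": "cn",
                "description": "description", "members": "member"}

# Constructed sample directory data (not real entries), using the page's Base DN.
BASE_DN = "dc=TRUECHART,dc=de,dc=com"
ADA_DN = f"cn=Ada,ou=TRUECHARTUsers,{BASE_DN}"
BOB_DN = f"cn=Bob,ou=TRUECHARTUsers,{BASE_DN}"
ANALYSTS_DN = f"cn=Analysts,ou=TRUECHARTUserGroups,{BASE_DN}"
JUNIORS_DN = f"cn=Juniors,ou=TRUECHARTUserGroups,{BASE_DN}"
USERS = {
    ADA_DN: {"sAMAccountName": "ada", "givenName": "Ada", "sn": "Lovelace",
             "displayName": "Ada Lovelace", "userPrincipalName": "ada@example.test",
             "mail": "ada@example.test", "objectGUID": "u-1", "memberOf": [ANALYSTS_DN]},
    BOB_DN: {"sAMAccountName": "bob", "givenName": "Bob", "sn": "Builder",
             "objectGUID": "u-2", "memberOf": [JUNIORS_DN]},  # no mail attribute
}
GROUPS = {
    ANALYSTS_DN: {"objectGUID": "g-1", "cn": "Analysts", "description": "Report authors",
                  "member": [ADA_DN, JUNIORS_DN]},           # nested group
    JUNIORS_DN: {"objectGUID": "g-2", "cn": "Juniors", "description": "Nested",
                 "member": [BOB_DN, ANALYSTS_DN]},           # membership cycle
}


def map_entry(entry, schema):
    """Translate one directory entry into TRUECHART field names.
    Attributes missing in the directory come through as None instead of failing."""
    return {field: entry.get(attr) for field, attr in schema.items()}


def resolve_members(group_dn, groups=GROUPS, users=USERS, recursive=True):
    """Return the set of user DNs belonging to a group.
    recursive=True mirrors 'Fetch group members recursively': members of nested
    groups are included; the 'seen' set stops the Analysts <-> Juniors cycle."""
    members, seen, queue = set(), {group_dn}, deque([group_dn])
    while queue:
        for m in groups.get(queue.popleft(), {}).get(GROUP_SCHEMA["members"], []):
            if m in users:
                members.add(m)
            elif m in groups and recursive and m not in seen:
                seen.add(m)
                queue.append(m)
    return members
```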