You can make PMP work with an LDAP-compliant directory (such as Active Directory) in your environment by following the steps explained below. These steps can be performed in any order, but the first time it is recommended to follow them in the sequence given below.
The first step is to provide credential details and import users from LDAP.
To do this,
Go to "Admin" tab
Click "LDAP"
Go to Step 1 in the UI and click the button "Import Now"
Alternatively, you can also access this from the "Admin >> Users >> Import from LDAP" button
In the UI that pops up, you can configure the connection between the LDAP server and PMP to be over an encrypted channel (SSL) or non-SSL. If you choose SSL mode, do the following. Otherwise, proceed to Step 2.
To enable SSL mode, the LDAP server must be serving over SSL on port 636, and you will have to import the LDAP server's root certificate, the LDAP server's certificate, and all other certificates present in the respective root certificate chain into the PMP server machine's certificate store.
To import certificates, open a command prompt, navigate to the <PMP_SERVER_HOME>\bin directory, and execute the following command:
For Windows: importCert.bat <Absolute Path of certificate>
For Linux: importCert.sh <Absolute Path of certificate>
Restart the PMP server. Then continue with the following steps.
Enter the URL of the LDAP provider in the format attribute://ldap-server-host:port (example: ldap://192.168.4.83:389/)
Enter the credentials of any one user already present in LDAP for authentication. Enter the name exactly as the user would submit it when authenticating to your application. For example, a typical entry would look like: cn=Eric,o=adventnet,c=com
Enter the password of the user
Enter the LDAP base (the top level of the LDAP directory tree). This is the 'base' or 'root' from which directory lookups take place. Enter it exactly in the format used in your LDAP: no spaces are allowed around the commas or the '=' symbol, and entries are case sensitive.
If you want to add only specific users from your LDAP directory, perform a search using an appropriate search filter. For example, to add only those users who belong to the category "Managers", a typical search filter would be: ou=Managers,ou=Groups,o=adventnet,c=com
Select your LDAP server type
Microsoft Active Directory (or)
Novell eDirectory (or)
OpenLDAP (or)
Others
If your LDAP server is of type Microsoft Active Directory, Novell eDirectory or OpenLDAP, select that type and click "Save".
If your LDAP server is of a type other than Microsoft Active Directory, Novell eDirectory or OpenLDAP ("Others"), you need to enter three more details to authenticate the users:
Enter the user login attribute of your LDAP structure in the "Login Attribute" text field. For instance, for an LDAP based on AD the entry would be "sAMAccountName", and for OpenLDAP it would be "uid". If you are using any other LDAP, make this entry in accordance with your LDAP structure.
Enter the e-mail attribute of the users in your LDAP structure in the "Mail Attribute" text field. For instance, for an LDAP based on AD the entry would be "mail". If you are using any other LDAP, make this entry in accordance with your LDAP structure.
Enter the distinguished name attribute, that is, the LDAP attribute that uniquely identifies this object. For instance, for an LDAP based on AD the entry would be "distinguishedName", and for OpenLDAP it would be "dn". If you are using any other LDAP, make this entry in accordance with your LDAP structure.
Click "Import". Soon after you click the button, PMP starts adding all users from LDAP. During subsequent imports, only the new user entries in LDAP are added to the local database. During the import, every user is notified by e-mail about their account, along with a password that is used to log in to PMP when LDAP authentication is disabled.
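As an added example (not PMP's own code), the following Python script sanity-checks the values entered in the steps above before you save them: the provider URL against the port-636 requirement of SSL mode, the bind DN, base DN and search filter against the no-spaces rule, and the attribute names that follow from the chosen server type. The settings dictionary keys and the OpenLDAP mail attribute are assumptions; the sample settings are constructed from the values quoted on this page.

```python
# Added example, not PMP's own code: sanity-check the LDAP settings described above.
import re
from urllib.parse import urlsplit

# Default (login, mail, DN) attributes per server type as the text gives them.
SERVER_ATTRS = {
    "Microsoft Active Directory": ("sAMAccountName", "mail", "distinguishedName"),
    "OpenLDAP": ("uid", "mail", "dn"),  # mail attribute assumed (inetOrgPerson "mail")
}
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=[^,=]+$")  # one attr=value component

def check_dn(dn):
    """Return problems found in a DN such as cn=Eric,o=adventnet,c=com."""
    problems = []
    if re.search(r"\s[,=]|[,=]\s", dn):  # page: no spaces around ',' or '='
        problems.append("whitespace around ',' or '=' is not allowed")
    for part in dn.split(","):
        if not _RDN.match(part):
            problems.append("malformed component: %r" % part)
    return problems

def check_url(url, use_ssl):
    """Check the provider URL (scheme://host:port/) against the SSL choice."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        return ["URL must look like ldap://host:port/"]
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    if use_ssl and port != 636:  # page: SSL mode needs the server on port 636
        return ["SSL mode expects the server on port 636, got %d" % port]
    return []

def validate_settings(cfg):
    """Collect every problem for a settings dict; an empty list means OK to save."""
    problems = check_url(cfg["url"], cfg["ssl"])
    for field in ("bind_dn", "base_dn", "search_filter"):
        if cfg.get(field):
            problems += ["%s: %s" % (field, p) for p in check_dn(cfg[field])]
    attrs = SERVER_ATTRS.get(cfg["server_type"])
    if attrs is None:  # "Others": all three attributes must be typed in by hand
        attrs = (cfg.get("login_attr"), cfg.get("mail_attr"), cfg.get("dn_attr"))
        if not all(attrs):
            problems.append("server type Others needs login, mail and DN attributes")
    return problems, attrs

# Constructed sample settings using the values quoted in the text above.
SAMPLE = {
    "url": "ldap://192.168.4.83:389/", "ssl": False,
    "bind_dn": "cn=Eric,o=adventnet,c=com", "base_dn": "o=adventnet,c=com",
    "search_filter": "ou=Managers,ou=Groups,o=adventnet,c=com",
    "server_type": "Microsoft Active Directory",
}
```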
Whenever new users are added to LDAP, there is a provision to automatically add them to PMP and keep the user database in sync. This is done from the 'LDAP Server Details' page: click the 'LDAP Server Details' button in Step 1 of the UI. This UI serves as a one-stop place for managing all configurations pertaining to the LDAP servers integrated with PMP.
In the 'LDAP Server Details' UI, you can view the list of LDAP servers already integrated, integrate new LDAP servers, delete existing ones, and edit their entries.
In addition, from the "Actions" section of this page, you can:
edit the existing LDAP server details
configure user database synchronization: enter the time interval at which PMP should query the LDAP server to keep the user database in sync. The interval can be as low as a minute or in the range of hours or days.
import users from LDAP
The users added to the PMP database will have the role "Password User". If you want to assign specific roles to specific users, proceed with Step 2 below.
All the users imported from LDAP will be assigned the 'Password User' role by default. To assign specific roles to specific users,
Go to Step 2 in the UI (Admin >> LDAP) and click the button "Assign Roles Now"
In the UI that opens, all the users imported from LDAP are shown on the left-hand side under the column "Password Users"
Select the users for whom you wish to change the role and use the appropriate arrow button to assign them the role of "Password Administrator" or "Password User"
Click "Save" and the required roles are set for the users
The final step is to enable LDAP authentication. This allows your users to log in to PMP with their LDAP directory password. Note that this scheme works only for users who have already been imported into the local database from AD.
Note: Make sure you have at least one user with the 'Administrator' role among the users imported from LDAP.
©2009, ZOHO Corp. All Rights Reserved.