AD sync

Components

LDAP synchronization is implemented by the service EffectorServerToolService, which must be able to connect to the database of the LHS (licence handling server). Users, groups and group memberships are synchronized from the LHS to the LHC during login or when a dedicated button is pressed.

Installation

  1. Install EffectorServerToolService.
  2. Set the parameters required for synchronization (Licence handling screen (server)).
  3. Make the application instances involved in the synchronization unavailable.
  4. Start the synchronization.
  5. After the synchronization (if a system already exists), reconcile the groups in the database of the application instance (People table, IsGroup = 1) with those of the licence handling server (FSYS_LHS_Groups table): People.LHS_Group_ID = FSYS_LHS_Groups.ID and People.LHS_Group_Name = FSYS_LHS_Groups.Name.
  6. At least one and at most two users per application instance must be in the SuperAdmin group before logging out from user Admin. If this fails (for example, the system forces a logout), add the user and the group membership to the table FSYS_LHS_UserGroups (User_ID = FSYS_LHS_Users.ID and Group_ID = FSYS_LHS_Groups.ID).
  7. Make the application instances involved in the synchronization available again.

Usable parameters per LHCs

LDAP_IsSyncEnabled: whether LDAP synchronization is enabled for the given application instance; false by default.

LDAP_Path%: LDAP access path, for example: LDAP://IP-address. Several settings whose name begins with LDAP_Path may be defined (see Process run).

LDAP_UserName: username of the service account that accesses LDAP (optional).

LDAP_Password: encrypted password of the service account that accesses LDAP (optional).

LDAP_UserNameFormat: format of the username. For example, the user can log in with the username domain\lastname.firstname. With the value “domain{0}” the user can log in with the username lastname.firstname. For example: ornqmad{0}

LDAP_Containers: tree structure of nodes inside LDAP, separated by semicolons (optional). During login, its values replace the reference {1} of setting LDAP_UserNameFormat, one value at a time.

For example, with the following structure

(figure: AD tree)

if we want to reach the users inside the server node, the following text should be set in LDAP_Containers: ou=servers,dc=mun,dc=edu

LDAP_UniqueIdentifier: an LDAP property used as the unique key; based on it, the system determines whether a CRUD operation has been executed on the given user (optional, default value: objectGUID).

LDAP_AdditionalProperties: comma-separated list of further LDAP properties used by the business logic (optional).

LDAP_SyncLicenceName: licence name for new and reactivated users. If this property is not configured, the system does not automatically grant a licence to users from LDAP.

LDAP_AuthType: None

LDAP_GroupsContainer: tree structure of nodes inside LDAP from which the system reads the necessary groups (optional).

LDAP_OnlyGroupMembers: when true, the system synchronizes only users with a group membership to the LHS. Combined with setting LDAP_GroupsContainer, this makes it possible to synchronize only users in specific groups (optional).

LDAP_UserNameProperty: default value sAMAccountName. The UserName property of the processed user is derived from this field, depending on setting LDAP_UserNameFormat (optional).
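The settings above decide which login names the service tries during a login. The following is an added example, not Effector's own code, showing one reading of the LDAP_UserNameFormat / LDAP_Containers substitution together with a basic consistency check of the instance settings. It assumes (my assumption, not stated by the manual) that settings arrive as a plain dictionary, that {0} stands for the name the user typed and {1} for one LDAP_Containers entry tried in listed order, and that a placeholder domain name EXAMPLE is used in place of a real one.

```python
"""Added example (not Effector's own code): derive the login names described
by LDAP_UserNameFormat and LDAP_Containers, and sanity-check the settings.

Assumptions (mine, not from the manual): settings are a plain dict of
setting name -> string value; '{0}' is the typed user name and '{1}' is
one LDAP_Containers entry, tried in the order listed.
"""

# Settings that must be present once synchronization is switched on.
REQUIRED_WHEN_ENABLED = ("LDAP_Path",)


def parse_bool(value):
    """Interpret an instance setting as a boolean; unset means false."""
    return str(value).strip().lower() in ("1", "true", "yes")


def parse_containers(raw):
    """Split LDAP_Containers on ';' and drop empty entries."""
    if not raw:
        return []
    return [c.strip() for c in raw.split(";") if c.strip()]


def login_candidates(settings, typed_name):
    """Return the login names to try, in order, for the name the user typed.

    Returns [] when synchronization is disabled for the instance, so a caller
    never attempts a directory bind for an instance that is not enabled.
    """
    if not parse_bool(settings.get("LDAP_IsSyncEnabled", "false")):
        return []
    fmt = settings.get("LDAP_UserNameFormat", "{0}")
    containers = parse_containers(settings.get("LDAP_Containers"))
    if "{1}" in fmt and containers:
        # One candidate per container: {1} is replaced with each value in turn.
        return [fmt.format(typed_name, c) for c in containers]
    # No container reference in the format: a single candidate.
    return [fmt.format(typed_name, "")]


def validate_settings(settings):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    if parse_bool(settings.get("LDAP_IsSyncEnabled", "false")):
        for key in REQUIRED_WHEN_ENABLED:
            if not settings.get(key):
                problems.append(f"{key} is required when LDAP_IsSyncEnabled is true")
        # A service account name without its (encrypted) password cannot bind.
        if settings.get("LDAP_UserName") and not settings.get("LDAP_Password"):
            problems.append("LDAP_UserName is set but LDAP_Password is missing")
    return problems


if __name__ == "__main__":
    # Constructed settings: the domain prefix EXAMPLE\ mirrors the manual's
    # "domain{0}" form with the backslash written explicitly.
    demo = {
        "LDAP_IsSyncEnabled": "true",
        "LDAP_Path": "LDAP://ldap.example.invalid",
        "LDAP_UserNameFormat": "EXAMPLE\\{0}",
    }
    print(validate_settings(demo), login_candidates(demo, "lastname.firstname"))
```

The validation deliberately never prints or echoes LDAP_Password; it only checks that the value is present, so the check can run in a diagnostics screen without exposing the stored secret.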

Process run

Data retrieval from LDAP is executed by EffectorServerToolService at the interval defined in table ServerTool_Job of the LHS database.

Each run has a unique ID, a GUID generated at the start of the run. The run iterates over all application instances that are connected to the LHS, have LDAP authentication defined and have LDAP synchronization enabled.

It checks whether there is any setting whose name starts with LDAP_PATH from which all containers listed in LDAP_Containers are reachable. If any container is unreachable with the given username/password combination, this is interpreted as a connection error and the system tries the next LDAP_PATH setting. Once a connection succeeds, the system stops iterating over the LDAP_PATH list.

It collects all user-type objects from the given containers, or from the root item of the connection if no container is defined, and saves them to table FSYS_LHS_LandingZone_LDAPUser tagged with the run GUID. The related properties are saved to table FSYS_LHS_LandingZone_LDAPUserProperty, and the group memberships inside AD are saved to table FSYS_LHS_LandingZone_LDAPUserGroup, with the LDAPUser's unique ID as a foreign key.

The username of a new user is generated from sAMAccountName.
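The run described in the preceding paragraphs (LDAP_PATH failover, user collection, landing-zone rows) can be modelled end to end. The following is an added example, not Effector's own code, that replaces the directory and the FSYS_LHS_LandingZone_* tables with in-memory stand-ins so the control flow can be exercised offline. It assumes (my assumptions) that an LDAP_Path setting is any setting whose name begins with LDAP_Path, that the stand-in directory is a dict of path -> container -> list of objects, that a container missing from that dict counts as unreachable, and that objects are dicts of LDAP property names; all directory contents are constructed sample data.

```python
"""Added example (not Effector's own code): one synchronization run as the
manual describes it, with in-memory stand-ins for the directory and for the
FSYS_LHS_LandingZone_LDAPUser* tables.

Assumptions (mine): an LDAP_Path setting is any setting whose name starts with
'LDAP_Path'; DIRECTORY maps path -> container -> list of objects; a container
absent from the dict is unreachable; '' is the root item of the connection.
"""
import uuid


def parse_containers(raw):
    """Split LDAP_Containers on ';' and drop empty entries."""
    return [c.strip() for c in (raw or "").split(";") if c.strip()]


def ordered_paths(settings):
    """All LDAP_Path% settings in name order (LDAP_Path, LDAP_Path2, ...)."""
    return [v for k, v in sorted(settings.items())
            if k.startswith("LDAP_Path") and v]


def choose_path(settings, directory):
    """First LDAP_Path from which every LDAP_Containers entry is reachable.

    Returns None when no path works, i.e. a connection error for the instance.
    """
    wanted = parse_containers(settings.get("LDAP_Containers")) or [""]
    for path in ordered_paths(settings):
        reachable = directory.get(path)
        if reachable is not None and all(c in reachable for c in wanted):
            return path  # stop at the first working path
    return None


def run_sync(settings, directory):
    """Collect users for one run and return the landing-zone rows.

    Returns (run_id, users, properties, groups), mirroring the three
    FSYS_LHS_LandingZone_LDAPUser* tables; run_id is the GUID of the run.
    """
    run_id = str(uuid.uuid4())
    if settings.get("LDAP_IsSyncEnabled", "false").lower() != "true":
        return run_id, [], [], []
    path = choose_path(settings, directory)
    if path is None:
        return run_id, [], [], []

    id_prop = settings.get("LDAP_UniqueIdentifier", "objectGUID")
    name_prop = settings.get("LDAP_UserNameProperty", "sAMAccountName")
    only_members = settings.get("LDAP_OnlyGroupMembers", "false").lower() == "true"
    extra = [p.strip() for p in settings.get("LDAP_AdditionalProperties", "").split(",") if p.strip()]

    users, props, groups = [], [], []
    for container in parse_containers(settings.get("LDAP_Containers")) or [""]:
        for obj in directory[path][container]:
            if obj.get("objectClass") != "user":
                continue  # only user-type objects are collected
            member_of = obj.get("memberOf", [])
            if only_members and not member_of:
                continue  # LDAP_OnlyGroupMembers: skip users without a group
            row_id = str(uuid.uuid4())  # the LDAPUser row's unique ID
            users.append({"ID": row_id, "RunID": run_id,
                          "UniqueID": obj[id_prop], "UserName": obj[name_prop]})
            for prop in extra:
                if prop in obj:
                    props.append({"LDAPUser_ID": row_id, "Name": prop, "Value": obj[prop]})
            for group in member_of:
                groups.append({"LDAPUser_ID": row_id, "Group": group})
    return run_id, users, props, groups


# Constructed sample directory: the first path lacks the wanted container, so
# the run must fall back to LDAP_Path2.
DIRECTORY = {
    "LDAP://10.0.0.1": {"ou=other,dc=example,dc=invalid": []},
    "LDAP://10.0.0.2": {"ou=servers,dc=mun,dc=edu": [
        {"objectClass": "user", "objectGUID": "guid-1", "sAMAccountName": "jdoe",
         "memberOf": ["cn=Admins"], "mail": "jdoe@example.invalid"},
        {"objectClass": "user", "objectGUID": "guid-2", "sAMAccountName": "asmith", "memberOf": []},
        {"objectClass": "group", "objectGUID": "guid-3", "sAMAccountName": "Admins"},
    ]},
}

# Constructed instance settings.
SETTINGS = {
    "LDAP_IsSyncEnabled": "true",
    "LDAP_Path": "LDAP://10.0.0.1",
    "LDAP_Path2": "LDAP://10.0.0.2",
    "LDAP_Containers": "ou=servers,dc=mun,dc=edu",
    "LDAP_OnlyGroupMembers": "true",
    "LDAP_AdditionalProperties": "mail",
}

if __name__ == "__main__":
    run_id, users, props, groups = run_sync(SETTINGS, DIRECTORY)
    print(run_id, users, props, groups)
```

With the sample data the run lands exactly one user (jdoe): the group object is skipped because only user-type objects are collected, and asmith is skipped because LDAP_OnlyGroupMembers is true and the account has no group membership. Setting LDAP_OnlyGroupMembers to false lands both users.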

Limits

A user present in two separate application instances is identified as the same user if the settings LDAP_Path, LDAP_UniqueIdentifier and LDAP_UserNameFormat are equal in the two application instances.
