iProtect™ LDAP

Technical Manual | TM-20210309-TP-20

iProtect Access / Security | Coupling |

This manual represents the knowledge at the above-mentioned time. TKH Security works non-stop to improve its products. For the most recent technical information please contact your consultant or dealer.


1 Introduction

This document describes the LDAP service in iProtect. It explains its purpose and how it should be configured.
LDAP stands for Lightweight Directory Access Protocol and is a standard that describes how to obtain information from a directory service (database). LDAP is an open standard; version 3 was specified in RFC 3377 (since superseded by RFC 4510 and its companion documents). The most recent version is LDAPv3, which is the version supported by iProtect.

There are many different directory services that support LDAPv3:

• OpenLDAP
• Novell eDirectory
• Microsoft Active Directory
• Apache Directory Server
• Red Hat Directory Server
• …

In organizations Microsoft Active Directory is the most common directory server, because it is also used to administer the user accounts in the Microsoft Windows domain.

The iProtect LDAP service can be used to synchronize personal data from the LDAP directory, instead of copying this data into iProtect by hand.

The LDAP service cannot be used to obtain user credentials or authorizations from the LDAP directory: a directory account does not get an iProtect login or any rights within iProtect through this service. The responsibility for providing access to iProtect and determining the authorizations within the application lies with the iProtect administrator and not with the LDAP administrator.


2 LDAP Service setup

2.1 License

To activate the iProtect LDAP service a special license is required:
• License number 40: LDAP Support

2.2 Configuration

A new LDAP synchronization service can be created in the Database Link form which is available via the menu selection:
Installation | Settings | Database Link

You can add a new Database Link by pressing the right mouse button in the tree view panel and selecting Add database link.

In the Database link details form you select LDAP as database type and the details of this service appear.

With the mandatory Name parameter you give this service a unique name.
The other parameters are divided into 4 subcategories.

2.2.1 Service

With the Active checkbox the synchronization service can be started and stopped.

2.2.2 Remote server

The information necessary to connect to the LDAP-compliant directory server can be provided in this panel.

  • Login name and Password (twice): These credentials are used by the iProtect system to log in (bind) to the remote LDAP directory service. Synchronization only reads the directory, so use a dedicated service account that has read access to the part of the directory being synchronized and nothing more; do not use a personal or domain administrator account.

  • Web IP Address: is the IP address of the LDAP Directory service

  • Secure Socket Layer (SSL): This checkbox determines whether the connection between iProtect and the remote directory server is encrypted (LDAP over SSL/TLS, also called LDAPS). Without it, the login name, the password and all synchronized personal data cross the network in clear text, so enabling it is strongly advised.

  • Port: This is the port number that is used by the LDAP Service. There are several standard port numbers in use depending on the encryption being used:
    o LDAP without SSL: TCP port 389
    o LDAP with SSL: TCP port 636

  • Time out: The number of seconds iProtect waits for the directory server to respond before it closes the connection and retries the communication.
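A way to try the Remote server settings before the service is activated, as an added example that is not part of this manual or of iProtect: it builds an LDAPv3 simple BindRequest (RFC 4511) by hand from the Python standard library, sends it over the same TCP or SSL/TLS connection the panel describes, and decodes the BindResponse. The host, port, DN and password in the `__main__` block are placeholders. The encoder also makes the point behind the SSL checkbox visible: the password is an ordinary OCTET STRING inside the message.

```python
"""LDAPv3 simple bind (RFC 4511) built by hand from the standard library, to
try the Remote server settings of a Database Link before enabling the service.
Added example, not iProtect or TKH code; host, port and DN are placeholders."""
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER in minimal two's-complement form (used for messageID and version)."""
    return ber_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    The password is a plain OCTET STRING in the message: without SSL it can be
    read by anyone on the path between iProtect and the directory server."""
    bind = ber_int(3) + ber_tlv(0x04, dn.encode("utf-8")) + ber_tlv(0x80, password.encode("utf-8"))
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x60, bind))   # 0x60 = [APPLICATION 0]


def unbind_request(message_id: int) -> bytes:
    """UnbindRequest is [APPLICATION 2] NULL: the single TLV 0x42 0x00."""
    return ber_tlv(0x30, ber_int(message_id) + b"\x42\x00")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] LDAPResult }."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, result, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(result, 0)        # ENUMERATED resultCode: 0 success, 49 invalidCredentials
    _, matched, pos = _read_tlv(result, pos)   # matchedDN
    _, diag, _ = _read_tlv(result, pos)        # diagnosticMessage (Active Directory puts its error text here)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


def check_bind(host: str, port: int, dn: str, password: str,
               use_ssl: bool = True, timeout: float = 10.0) -> dict:
    """Connect as the Remote server panel describes (address, SSL checkbox, port,
    time-out), bind, unbind and return the decoded result.  With use_ssl the
    server certificate is checked against the system trust store; the manual
    does not say whether iProtect itself validates it, so do not assume that."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_ssl:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(65536)
        sock.sendall(unbind_request(2))
    return parse_bind_response(data)


if __name__ == "__main__":
    # Placeholder values; point them at your own directory server.
    print(check_bind("ldap.ourdomain.local", 636,
                     "CN=svc-iprotect,OU=Service Accounts,DC=ourdomain,DC=local", "secret"))
```

When the Web IP Address is literally an IP address, certificate validation in `check_bind` only succeeds if that address is listed as a subject alternative name in the server certificate; use the server's DNS name for the check where possible. A result code of 49 (invalidCredentials) with an Active Directory diagnostic text such as `data 52e` means the service account or its password is wrong, and a TLS handshake error on port 636 means the checkbox and port do not match what the directory server offers.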

2.2.3 Parameters

The parameters in this panel determine what and how the data from the LDAP service is synchronized with the iProtect database.

  • Action: This parameter determines the behavior of the service. There are 2 choices:
    o No action: No special action is performed and the service is running in its normal synchronization mode.
    o Synchronize all data: Selecting this option (re-)starts a full synchronization with the LDAP directory. This should only be done at the initial activation of the service or when the synchronized data has become inconsistent.

  • Mode: This parameter determines what happens to the data that is synchronized:
    o Normal: The normal mode of operation is that for every new or changed person in the LDAP directory a person is added or changed in the iProtect database. The data fields of these persons that are provided by the LDAP service are locked in the iProtect database, which means that an iProtect user cannot modify them. The LDAP service is taken as the source of truth and the data fields are linked to it, depicted by a small link symbol in the Person details form.
    o Detach all: With this option the link between the data fields and the LDAP service can be removed. The persons remain in the iProtect database, but their data fields are not updated anymore by the LDAP service.
    o Detach and delete all: This option does the same as the previous option, but now all persons that were linked to the LDAP service are removed from the iProtect database.

  • Synchronize type: This parameter determines how the data is synchronized:
    o Polling: The iProtect server asks the LDAP server periodically if there are changes or new items to be synchronized.
    o Scanning: The data is synchronized once.

  • Poll interval: When the synchronization type Polling is selected this parameter determines the interval between polls (in seconds).

  • Poll delete frequency: When the synchronization type Polling is selected this parameter determines how many normal poll cycles are performed before a full synchronization is done. This is needed for deleted objects: once an object is deleted from the LDAP server, it no longer shows up in the poll cycles, so only a full synchronization can detect that it is gone. So, if the poll interval is 60 seconds and the Poll delete frequency is 30, it can take up to half an hour (60 × 30 = 1800 seconds) before a person deleted in the LDAP directory is also deleted in the iProtect database. Choose both values with this in mind: until that full synchronization runs, a person who has been removed from the directory still exists in iProtect with whatever access rights were assigned there.

  • Basic search: Here you enter the location (in the LDAP directory) where the data that should be synchronized is located. This path should be entered as a distinguished name. So, for example:
    OU=Users,OU=TKH Security BV,DC=ourdomain,DC=local

  • Search Object: Here you define the filter for the data that is synchronized. For example: if the location defined in the Basic search parameter contains different types of objects and you only want to synchronize the Person objects, your search object is:
    (&(objectClass=person))
    The surrounding (&…) only matters when several conditions are combined; (objectClass=person) on its own means the same. A filter that excludes disabled Active Directory accounts, for example, would be (&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))), in which case such accounts disappear from iProtect at the next full synchronization, just like deleted objects.

  • Alternative object ID: By default iProtect uses the unique identifier provided by the LDAP service as the primary key for the objects that are synchronized. With this parameter you can define an alternative attribute as the primary key, for example the salary number. This attribute must exist in the LDAP directory service and must have a unique, non-empty value for every object.

  • Alternative timestamp: By default the internal LDAP service timestamp is used in the synchronization. With this parameter you can define an alternative timestamp.

  • Data type: The attribute values can be transferred as ASCII strings or as binary data. Which one applies is determined by the directory server and should be selected accordingly.
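The behaviour described for Action, Mode, Synchronize type, Poll delete frequency and Alternative object ID, as an added illustration (not iProtect code and not a description of its internals): an in-memory model in which Polling only fetches objects with a newer timestamp, a full synchronization is the only step that drops deleted objects, linked fields are locked, and the Detach modes unlink or remove linked persons. The directory snapshot, its timestamps and the column names are constructed for the example.

```python
"""Model of the Parameters panel: polling by timestamp, the periodic full
synchronization needed to notice deleted directory objects, locked fields,
the Detach modes and the Alternative object ID.  Added illustration, not
iProtect code.  The directory is a constructed in-memory dict whose entries
already use iProtect column names; timestamps are plain integers."""
from copy import deepcopy

DATA_FIELDS = ("NAME", "FIRSTNAME", "SALARYNR")

# Constructed directory snapshot: key = the directory's own unique object ID.
DIRECTORY = {
    "guid-0001": {"NAME": "Jansen", "FIRSTNAME": "Anna", "SALARYNR": "1001", "whenChanged": 100},
    "guid-0002": {"NAME": "de Vries", "FIRSTNAME": "Bram", "SALARYNR": "1002", "whenChanged": 100},
}


class LockedFieldError(Exception):
    """An iProtect user tried to edit a column that is linked to the LDAP service."""


class IProtectDb:
    def __init__(self, object_id_attr=None):
        # None: use the directory's own key.  Otherwise the named attribute
        # (e.g. SALARYNR) is the key and must be filled in for every object.
        self.object_id_attr = object_id_attr
        self.persons = {}          # person id -> {"fields": {...}, "linked": bool}
        self.last_sync_ts = -1

    def _key(self, dir_key, entry):
        if self.object_id_attr is None:
            return dir_key
        value = entry.get(self.object_id_attr)
        if not value:
            raise ValueError(f"{dir_key}: alternative object ID {self.object_id_attr} is empty")
        return value

    def _upsert(self, dir_key, entry):
        person = self.persons.setdefault(self._key(dir_key, entry), {"fields": {}, "linked": True})
        person["linked"] = True
        person["fields"].update({f: entry[f] for f in DATA_FIELDS if f in entry})

    def poll(self, directory):
        """One Polling cycle: only objects changed since the last cycle are
        fetched.  A deleted object never appears here, so it goes unnoticed."""
        changed = [k for k, e in directory.items() if e["whenChanged"] > self.last_sync_ts]
        for k in changed:
            self._upsert(k, directory[k])
            self.last_sync_ts = max(self.last_sync_ts, directory[k]["whenChanged"])
        return len(changed)

    def full_sync(self, directory):
        """Synchronize all data: every object is upserted and linked persons whose
        object no longer exists are removed.  Returns the removed person ids."""
        present = set()
        for k, e in directory.items():
            present.add(self._key(k, e))
            self._upsert(k, e)
            self.last_sync_ts = max(self.last_sync_ts, e["whenChanged"])
        removed = [pid for pid, p in self.persons.items() if p["linked"] and pid not in present]
        for pid in removed:
            del self.persons[pid]
        return removed

    def user_edit(self, pid, field, value):
        """Edit from the Person details form; LDAP-provided fields are locked."""
        person = self.persons[pid]
        if person["linked"] and field in DATA_FIELDS:
            raise LockedFieldError(f"{field} of {pid} is provided by the LDAP service")
        person["fields"][field] = value

    def detach_all(self):
        """Mode 'Detach all': persons stay, but are no longer updated or locked."""
        for person in self.persons.values():
            person["linked"] = False

    def detach_and_delete_all(self):
        """Mode 'Detach and delete all': every linked person is removed."""
        self.persons = {pid: p for pid, p in self.persons.items() if not p["linked"]}


def edit_is_blocked(db, pid, field):
    """True when the Person details form would refuse the edit."""
    try:
        db.user_edit(pid, field, "edited")
    except LockedFieldError:
        return True
    return False


def changed_copy(directory, key, **changes):
    """Constructed directory update: apply changes and bump that object's timestamp."""
    updated = deepcopy(directory)
    updated[key].update(changes)
    updated[key]["whenChanged"] = max(e["whenChanged"] for e in directory.values()) + 1
    return updated


def cycles_until_deleted(db, directory, deleted_key, poll_delete_frequency):
    """Delete one object from the directory, then run cycles in which every
    poll_delete_frequency-th cycle is a full sync.  Returns the cycle in which
    iProtect finally dropped the person; multiply by Poll interval for seconds."""
    pid = db._key(deleted_key, directory[deleted_key])
    remaining = {k: v for k, v in directory.items() if k != deleted_key}
    for cycle in range(1, poll_delete_frequency + 1):
        if cycle % poll_delete_frequency == 0:
            db.full_sync(remaining)
        else:
            db.poll(remaining)
        if pid not in db.persons:
            return cycle
    raise RuntimeError("full synchronization did not remove the person")


def worst_case_delete_delay(poll_interval, poll_delete_frequency):
    """Seconds a person removed from the directory can survive in iProtect."""
    return poll_interval * poll_delete_frequency
```

With the manual's figures (`worst_case_delete_delay(60, 30)` = 1800 seconds) the model shows the person removed in cycle 30 and untouched in the 29 polls before it; the same run with a small Poll delete frequency shortens that window at the cost of a full directory read every few cycles.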

2.2.4 Authorization

On the Authorization panel you determine who may access the data that the LDAP synchronization service enters into the iProtect database.
If you select an authorization group, all data linked to the LDAP service automatically gets this authorization group as well.
Furthermore, you determine which of that data this group can read and which it can write.


3 Synchronized Data fields

Once the LDAP synchronization service has been defined and saved, the data fields that can be managed by this service appear. For every data field a Conversion name can be given.
Here you give the name of the attribute of the LDAP object that you want to link with this iProtect database column.
For example: the first name of a person is stored in the givenName attribute of a user in Microsoft Active Directory. So for the field PERSON.FIRSTNAME you give the conversion name givenName.

3.1 Person

For the PERSON table the following fields can be linked to the LDAP object attributes:
• NAME
• FIRSTNAME
• PREFIX
• HOMEADDRESS
• HOMECITY
• HOMEZIP
• FREETEXT1
• FREETEXT2
• FREETEXT3
• FREETEXT4
• FREETEXT5
• FREETEXT6
• FREETEXT7

3.2 Employee

For the EMPLOYEE table only the SALARYNR can be linked to an LDAP object attribute.

3.3 Phone

For the PHONE table the following fields can be linked to the LDAP object attributes:
• MAIL
• PHONE


4 Logging & Events

When the LDAP synchronization service is activated a Webservice started event is generated. (type 371)

When the LDAP synchronization service is deactivated a Webservice finished event is generated. (type 372)

When LDAP attributes are used that have no value in the LDAP directory, a message is logged in the log file of the user interface (catalina.out). For example:

Ldap synchronization error:Unexpected null value, Table=PERSON, Column=NAME

This has no further effect on the iProtect system.
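The conversion names of section 3 applied to a search result, together with the null-value situation of section 4, as an added example that is neither iProtect code nor a statement about how iProtect builds the log line. The mapping table is one possible choice (givenName comes from the text above; the other Active Directory attribute names are assumptions), the entries are constructed in the attribute-to-list-of-bytes shape a Python LDAP client returns, and the handling of the Data type setting (text versus binary) is an assumption as well.

```python
"""Conversion names (section 3) applied to a constructed Active Directory search
result, including the "Unexpected null value" case of section 4.  Added
illustration, not iProtect code; the mapping table and the treatment of the
Data type setting are assumptions."""

# iProtect column -> LDAP attribute (the Conversion name).  Assumed mapping.
CONVERSION = {
    "PERSON.NAME": "sn",
    "PERSON.FIRSTNAME": "givenName",
    "PERSON.HOMECITY": "l",
    "PERSON.HOMEZIP": "postalCode",
    "PERSON.FREETEXT1": "department",
    "EMPLOYEE.SALARYNR": "employeeID",
    "PHONE.MAIL": "mail",
    "PHONE.PHONE": "telephoneNumber",
}

# Constructed search result: (dn, {attribute: [values as bytes]}).  The second
# object lacks several attributes, which is the situation section 4 describes.
ENTRIES = [
    ("CN=Anna Jansen,OU=Users,OU=TKH Security BV,DC=ourdomain,DC=local",
     {"sn": [b"Jansen"], "givenName": [b"Anna"], "l": [b"Gouda"], "postalCode": [b"2801 AA"],
      "department": [b"R&D"], "employeeID": [b"1001"], "mail": [b"anna@ourdomain.local"],
      "telephoneNumber": [b"+31 182 000001"]}),
    ("CN=Bram de Vries,OU=Users,OU=TKH Security BV,DC=ourdomain,DC=local",
     {"givenName": [b"Bram"], "employeeID": [b"1002"], "mail": [b"bram@ourdomain.local"]}),
]


def convert_entry(attributes, conversion=CONVERSION, data_type="ascii"):
    """Map one directory object onto iProtect rows.

    Returns ({table: {column: value}}, [log lines]).  A missing or empty
    attribute yields the log line that catalina.out shows and the column is
    skipped; the object itself is still synchronized.  With data_type="binary"
    the raw bytes are kept (hex-encoded here so they stay printable)."""
    rows, log = {}, []
    for column, attr in conversion.items():
        table, col = column.split(".", 1)
        values = attributes.get(attr) or []
        if not values:
            log.append(f"Ldap synchronization error:Unexpected null value, Table={table}, Column={col}")
            continue
        raw = values[0]                        # iProtect columns hold a single value
        value = raw.hex() if data_type == "binary" else raw.decode("utf-8", "replace")
        rows.setdefault(table, {})[col] = value
    return rows, log


def convert_all(entries, **kwargs):
    """Convert every entry; returns ({dn: rows}, [(dn, log line)]) so that a
    logged null value can be traced back to the object it came from."""
    result, log = {}, []
    for dn, attributes in entries:
        rows, entry_log = convert_entry(attributes, **kwargs)
        result[dn] = rows
        log.extend((dn, line) for line in entry_log)
    return result, log


if __name__ == "__main__":
    converted, problems = convert_all(ENTRIES)
    for dn, line in problems:
        print(line, "<-", dn)
```

A run over the constructed entries gives five log lines, all for the second object, and every one of them is the same kind of message as the catalina.out example above. Since the log line itself does not name the object, the DN is carried alongside it here; when you see these messages in production, compare the Conversion names with the attributes that are actually populated for the affected accounts.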