Features of LDAP integration

LDAP integration features include scheduled refresh, a dedicated listener, and on-demand login.

Scheduled LDAP refresh

A scheduled scan of your LDAP server is usually run once a night. It queries the attributes of all applicable user records and compares them with the corresponding accounts on our servers. If there is a difference, we update our user record with the changed attribute. The load placed on the LDAP server during the refresh depends on how many records are queried and how many attributes are compared. We recommend scheduling the refresh during off-peak hours. A large refresh operation can affect other scheduled operations, such as running reports, and should be planned to minimize any conflicts.

LDAP listener

The LDAP listener is our version of a persistent query (or persistent search). We issue a standing query for changes made to your LDAP server and constantly listen for a response. Assuming your server supports persistent search, any changes made to any of your applicable LDAP accounts are returned to the LDAP listener and sent to your instance within approximately 10 seconds. This is an extremely useful tool, giving us a nearly real-time copy of your users' account details without having to wait for the next scheduled refresh.

On-demand LDAP login

After LDAP integration is complete, your instance can allow new users to log in to the system, even if their accounts have not yet been created. When a new user attempts to log in to your instance, we look to see if this user has an account. When the account is not found, the instance automatically queries the LDAP server for the username that was entered. If an account is found, we then try to authenticate with the user's password. If the password checks out, the instance creates an account for the user, populates the account with all applicable LDAP information, and logs the user in to your instance.
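
The on-demand login steps above, sketched as an added example (not the product's own code). `FakeDirectory`, the `uid` and `mail` attributes, the function names, and the sample entry are constructed assumptions. The example also adds two checks the page does not mention: escaping the typed username before it goes into the search filter (RFC 4515), and refusing an empty password, which many LDAP servers accept as an unauthenticated bind (RFC 4513, section 5.1.2).

```python
def escape_filter_value(value):
    """Escape a user-supplied value for use in an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


class FakeDirectory:
    """Constructed stand-in for an LDAP server (hypothetical, for illustration)."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {"uid": ..., "password": ..., "mail": ...}

    def search(self, ldap_filter):
        # Supports only the exact-match filter "(uid=<value>)" built below.
        return [dn for dn, e in self.entries.items()
                if ldap_filter == "(uid=%s)" % escape_filter_value(e["uid"])]

    def bind(self, dn, password):
        # Mimics servers that report success for an empty password
        # (unauthenticated bind) even though no identity was proven.
        return password == "" or self.entries[dn]["password"] == password


# Constructed sample entry.
SAMPLE_DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,dc=example,dc=com":
        {"uid": "alice", "password": "s3cret", "mail": "alice@example.com"},
})


def on_demand_login(username, password, local_accounts, directory):
    """Follow the on-demand login steps; return (result, account_or_None)."""
    if username in local_accounts:
        return "existing-account", None   # normal login handling, not shown here
    if not password:
        return "rejected-empty-password", None   # never send an empty bind
    matches = directory.search("(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:                 # no entry, or an ambiguous match
        return "not-found", None
    dn = matches[0]
    if not directory.bind(dn, password):  # authenticate as the user found
        return "bad-password", None
    entry = directory.entries[dn]
    # Populate the new local account from directory attributes, never from input.
    account = {"user_name": entry["uid"], "email": entry["mail"], "source": dn}
    local_accounts[entry["uid"]] = account
    return "created", account
```

Because the account is created only after a successful bind with a non-empty password, a typed username alone can never provision a local account.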