LDAP integration FAQs

Review these frequently-asked questions about LDAP integration in the instance.

What are the prerequisites for an LDAP integration?

  • The directory services server must be LDAP v3 compliant
  • Inbound network access through the firewall must be allowed (to the LDAP server)
  • External IP address or host name of the LDAP server
  • User credentials with read-only access
  • For LDAPS, a PKI certificate

When is an LDAP integration usually done?

LDAP integrations are usually done before the instance Go Live, but can be integrated at any time.

Is this a synchronization or a copy?

This question comes up regularly during our pre-integration discussions, and centers on the concern that a third party (the instance in this case) might make changes to (write to) your LDAP server. In an LDAP integration, your instance does not write to the internal LDAP directory. The instance queries for information, and updates its own database accordingly.

No changes are made to the internal LDAP server by the instance. The service account is read only.

Is it secure?

Yes. The connection is made from a single machine using a fixed IP address through a specific port on your firewall. Authentication is done with a read-only LDAP account of your choosing. You can use standard LDAP, or load the public side of an SSL certificate installed on your directory, in which case we can use LDAPS. To add another layer of security, we also offer the option of a point-to-point IPSEC VPN tunnel. Speak to your account manager for details and pricing.

Another security aspect to consider is the data shared in an LDAP integration. To limit the data exposed to your instance, specify attributes in your transform map. For more information, see Create a transform map.

How up to date is the information?

Most changes (including additions) to your LDAP server are available to the instance within seconds, depending on how many components of the full LDAP integration are in place.

Which attributes need to be pulled from the directory into the instance?

It is recommended that attributes are defined to import only required data. Defined attributes get mapped into the instance user database.

We cannot answer the question of which specific attributes are needed because this is determined by the scope of the project and business requirements.

What types of LDAP servers does the instance support?

The instance has successfully integrated with Microsoft Active Directory, Novell, Domino (Lotus Notes), and OpenLDAP. We use JNDI to interface with the LDAP server. As long as your LDAP server is LDAP v3 compliant, the integration is successful.

Since my users are already authenticated on my local network, how can I keep them from having to enter a password to access the application?

A single sign-on method is the solution. Along with the data population functionality provided with the LDAP import, you can use the External Authentication functionality supported by the application.

Can I integrate with multiple domains?

Yes, multiple domains can be within the same forest or completely non-trusted domains. The recommended method is to create a separate LDAP server record for each domain. Each LDAP server record must point to a domain controller for that given domain. This means that connections must be allowed to each of the domain controllers.

When you expand to more than one domain, it is critical that you identify unique LDAP attributes to be used as the application usernames and import coalesce values. A common unique coalesce attribute for Active Directory is objectSid. Unique usernames may vary based on your LDAP data design; common attributes are email or userPrincipalName.

How do you handle querying more than 1000 users?

By default, Active Directory 2000/2003 has an LDAP query limit (maxPageSize) of 1000 objects to prevent excessive loads and denial of service attacks. We have two methods of dealing with this limit.

The default method is to break up the query to return fewer than 1000 objects at a time. For example, query only for objects starting with the letter 'a', then query for 'b' objects. The more efficient method for large environments is to enable paging. Paging is supported by default on all Microsoft Active Directory servers. It automatically splits the results into multiple result sets, so we don't have to split up the query into multiple requests.
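As an added illustration (not code from this FAQ or from the instance), the two approaches simulated against a constructed in-memory directory with the limit lowered to 250 for the demo. FakeDirectory, split_query and paged_query are assumed names; a real client would send the RFC 2696 Simple Paged Results control where paged_search is called here, and the round-trip counter shows why paging is the more efficient method.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits  # characters a name may start with

class FakeDirectory:
    """Constructed stand-in for a domain controller enforcing maxPageSize."""
    def __init__(self, names, max_page_size):
        self.names = sorted(names)
        self.max_page_size, self.calls = max_page_size, 0

    def search(self, prefix):
        """Unpaged search: the result set is cut off at maxPageSize."""
        self.calls += 1
        hits = [n for n in self.names if n.startswith(prefix)]
        return hits[: self.max_page_size], len(hits) > self.max_page_size

    def paged_search(self, prefix, cookie=0):
        """Paged search: one page plus a cookie; None means no more pages."""
        self.calls += 1
        hits = [n for n in self.names if n.startswith(prefix)]
        nxt = cookie + self.max_page_size
        return hits[cookie:nxt], (nxt if nxt < len(hits) else None)

def split_query(directory, prefix=""):
    """Default method: query one leading character at a time; a bucket that is
    itself over the limit is split one character deeper."""
    results = []
    for ch in ALPHABET:
        page, truncated = directory.search(prefix + ch)
        results.extend(split_query(directory, prefix + ch) if truncated else page)
    return results

def paged_query(directory):
    """Paging method: one filter, loop until the server returns no cookie."""
    results, cookie = [], 0
    while cookie is not None:
        page, cookie = directory.paged_search("", cookie)
        results.extend(page)
    return results

def compare(names, max_page_size):
    """Run both methods; report (objects found, round trips needed) for each."""
    report = {}
    for label, fn in (("split", split_query), ("paged", paged_query)):
        d = FakeDirectory(names, max_page_size)
        found = fn(d)
        report[label] = (len(found), d.calls)
    return report

# Constructed sample: 1,200 accounts; compare(SAMPLE_NAMES, 250) runs the demo.
SAMPLE_NAMES = [f"{first}{i:03d}" for first in ("adam", "amy", "bob", "zoe") for i in range(300)]
```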

What type of LDAP query is done?

If an LDAP password is supplied then a "Simple Bind" is performed. If no LDAP password is supplied then "none" is used, in which case the LDAP server must allow anonymous login.

How is LDAP authentication accomplished when the username is provided?

We use the provided service account credentials to bind to LDAP and retrieve the user's DN from the LDAP server. Given the DN value for the user, we then rebind to LDAP with the user's DN and the provided password.
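The bind type from the previous answer and the search-then-rebind sequence described here, as an added example (not the instance's own code): FakeLdapClient and authenticate are assumed names standing in for the real JNDI/ldap3 client, the directory contents are constructed, and the two checks around the flow (escaping the username before it goes into the filter, and refusing an empty password, which the server would treat as the "none"/anonymous bind) are the ones a practitioner wants in place.

```python
from typing import Dict, List

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username such as 'x)(objectClass=*' cannot change
    what the filter matches (ldap3 ships ldap3.utils.conv.escape_filter_chars)."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)

class FakeLdapClient:
    """Constructed in-memory stand-in for the directory. Like many real servers it
    treats a bind with an empty password as an anonymous bind, which is the
    behaviour authenticate() must never mistake for a user login."""
    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = entries  # DN -> attributes

    def bind(self, dn: str, password: str) -> bool:
        if password == "":
            return True  # anonymous ("none") bind: accepted, but nobody is authenticated
        return self.entries.get(dn, {}).get("userPassword") == password

    def search(self, filter_str: str) -> List[str]:
        """Evaluates only the exact filter shape authenticate() builds."""
        wanted = filter_str.split("(sAMAccountName=")[1].rstrip(")")
        return [dn for dn, a in self.entries.items() if a.get("sAMAccountName") == wanted]

def authenticate(client, service_dn: str, service_password: str,
                 username: str, password: str) -> bool:
    """1) bind with the read-only service account, 2) look up the user's DN,
    3) rebind as that DN with the password the user typed."""
    if not password:
        return False  # would otherwise turn into an anonymous bind
    if not client.bind(service_dn, service_password):
        raise RuntimeError("service account bind failed")
    flt = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"
    dns = client.search(flt)
    if len(dns) != 1:
        return False  # unknown or ambiguous account
    return client.bind(dns[0], password)

# Constructed directory contents for the demo.
SERVICE_DN = "cn=svc-instance,ou=service,dc=example,dc=com"
DIRECTORY = FakeLdapClient({
    SERVICE_DN: {"userPassword": "svc-pw"},
    "cn=alice,ou=users,dc=example,dc=com": {"sAMAccountName": "alice", "userPassword": "s3cret"},
})
```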

How is the user password stored?

The password that the user enters is contained entirely in their HTTPS session. We do not store that password anywhere.

Are LDAP records synchronized or just copied?

The instance does not synchronize department records. Users and group memberships are kept up-to-date by the LDAP Listener mechanism and a daily full LDAP Browse, but the instance does not delete any of these entries once they disappear from LDAP.

If an entry were to be deleted, the entire history would also get deleted, and any references to it would be cleared or deleted. Configuration Items (CIs), SLA Agreements, Software Licenses, Purchase Orders, and Service Catalog Entries all have a reference to Department, and if Department is deleted, then those references get cleared. There are many references to Users, and so deleting a user would lose all history of what that user did. Currently, the decision to delete or not to delete is made by our customers.

How is a user record defined to use LDAP authentication?

These fields on the user record pertain to LDAP:

  • Source: The Source field identifies whether or not a user is validated using LDAP. If the source field starts with "ldap", then the user is validated via LDAP. If the Source field does not start with "ldap", then the password on the user record is used to validate the user upon login.
  • LDAP Server: The instance supports multiple LDAP servers, so the LDAP Server field determines which server should be used to authenticate the user.

How can we keep LDAP records synchronized?

Schedule a periodic scan of the LDAP server to pick up changes.

I'm ready to configure my LDAP integration. Now what?

Let's go! Start with LDAP integration setup.