LDAP and LDAP Sync - Authenticating Login Data and Synchronizing Users
If your organization manages user data in a Microsoft Active Directory (AD) or Oracle Directory Services (ODS), users can use their standard user credentials to log on to the AE system. LDAP enables your users to log on to the AE by using their company-wide password.
This section gives you an overview of LDAP and LDAP Sync and guides you through the steps required to set up and configure your system to use LDAP to authenticate login data as well as to set up LDAP Sync to synchronize your LDAP directory with your Automic system user base.
If your organization manages user data in a Microsoft Active Directory (AD) or Oracle Directory Services (ODS), users can use their standard user credentials to log on to the AE system. LDAP, the protocol that is used to talk to the directory service database, enables your users to log on to the AE by using their company-wide password. Single Sign-On must be enabled in this case.
You can either activate the LDAP connection individually for each user in the corresponding User object, or use the LDAP key in the UC_SYSTEM_SETTINGS variable to activate it for a complete AE system. Thus, the Automation Engine distinguishes local and LDAP users. You can synchronize LDAP data via TLS/SSL.
This section includes the following pages:
This page includes the following:
LDAP Overview
LDAP (Lightweight Directory Access Protocol) is an application protocol that can be used to manage user data in directory service providers like Active Directory (AD) or Oracle Directory Services (ODS).
Important! Using LDAP to authenticate login data is not set by default and is only possible if the LDAP key in the UC_SYSTEM_SETTINGS variable is set to Y. For more information, see LDAP and UC_SYSTEM_SETTINGS - Systemwide Settings.
In an on-premises environment, you can choose if you want to set up the connection to the LDAP server using TLS/SSL or not. However, AAKE requires a TLS/SSL connection.
A TLS/SSL connection requires configuring the keystore of the Java work process (JWP) and making sure that the LDAP certificates are available in the keystore; otherwise, the JWP cannot establish a secure connection to the LDAP server. How exactly the keystore is configured and the certificates saved to that keystore differs, depending if you are doing so for an on-premises or for an AAKE environment.
Next you need to configure your Clients and specify the LDAP connection data in the UC_LDAP_EXAMPLE variable, which you can duplicate and use as a template. The variable is supplied in Client 0 in the DIV_VARIABLES folder and its settings apply to the whole AE system.
Once the Clients can handle the LDAP connection, you have to make sure that the LDAP Connection checkbox in the User definition is active. The Administration perspective lists all Users and displays if the LDAP connection is active or not for each individual user. You can use the context menu to activate and deactivate it.
For detailed information on how to configure the LDAP connection, see LDAP Connection Setup.
LDAP Sync Overview
LDAP Sync is a command line tool that can be used to synchronize the Microsoft Active Directory (AD) or Oracle Directory Services (ODS) and the Automic system user objects; that is, Automation Engine (AE) users and user groups.
If your organization already stores users and user groups in an Active Directory (AD) or Oracle Directory Services (ODS), you may want to use it to authenticate Automic System users as well. Instead of managing users in the AE manually, you can install and configure LDAP Sync to keep user objects in sync with the AD/ODS user base.
You can define which users or user groups of your AD/ODS should be synchronized with the AE. The periodic synchronization is scheduled according to your requirements.
For more information, see Installing LDAP Sync and LDAP Sync - Synchronizing LDAP and Automic system Users.
Note: Depending on your requirements, or if you are not using an AD/ODS, you can also use this tool without LDAP. Instead, you can use the Password Exit function to verify user authentications. For more information, see Password Exit.