Version
Report Server Version | Plugin Version | Functional Change |
11.0 | V1.7.3 | Added multi-domain synchronization and LDAPS functions based on the original Multiple LDAP Users Synchronization plugin. |
11.0 | V1.7.5 | 1. Optimized the synchronization speed. 2. Added functions: user types are resynchronized during user synchronization, plugin deletion no longer clears the configuration, some special characters are supported, and users with the same name in multiple domains can be synchronized. 3. Added limitations on user type selection: the Platform User type must be ticked before the current user type configuration takes effect. |
11.0 | V1.7.7 | Supported clusters. |
11.0 | V1.7.9 | Allowed the letter case of usernames to be kept unchanged. |
11.0 | V1.8.0 | Supported synchronization of expansion attributes. |
Application Scenario
If user information is stored in multiple LDAP servers, you (as the admin) may want to use a plugin to achieve multi-domain LDAP authentication in the decision-making platform, to synchronize users from LDAP servers to the platform, and to reuse corresponding configurations.
This plugin adds the ability to synchronize users from multiple LDAP domains on top of the original Multiple LDAP Users Synchronization plugin.
It supports LDAPS configuration and the synchronization of multi-domain users.
It supports the Active Directory (AD) domain structure in which a single user belongs to multiple groups (for example, security groups), linking the user to those groups.
Function Introduction
After installing the Multi-Domain LDAP Authentication (Enhanced) plugin, you can configure Multi-Domain LDAP Authentication under Global Setting > Authentication Method. When you synchronize users, you can select Synchronize from Multiple LDAP Servers. LDAPS is supported in both multi-domain authentication and user synchronization.
1. Super admins are not affected by LDAP authentication and still use Built-in Authentication.
2. Users with the same account in different domains share this account on the decision-making platform and can log in with their own passwords.
3. If you disable the plugin, the system automatically switches to Built-in Authentication. But the configurations of Multi-Domain LDAP Authentication set before still work if the plugin is re-enabled.
4. External database PostgreSQL is not supported currently. If you have special requirements, contact technical support.
Introduction
Plugin Installation
You can obtain the plugin at Multi Domain LDAP Authentication (Enhanced).
For details about how to install plugins to the designer, see Designer Plugin Management.
For details about how to install plugins to the server, see Server Plugin Management.
Plugin Introduction
After installing the plugin, you can configure Multi-Domain LDAP Authentication under Global Setting > Authentication Method.
When synchronizing users, you can select Synchronize from Multiple LDAP Servers as the user source.
Example
Configuring LDAP Authentication
Log in to the decision-making platform as the admin, choose System Management > User Management > Global Setting, select Multi-Domain LDAP Authentication as the authentication method for synchronizing users, and enter the configuration information.
After the parameters are entered, click Test Connection and then Save. If a prompt box pops up saying "Successful Connection", the authentication method is configured successfully.
After all URLs are added, click Save, log out of the decision-making platform, and log in again.
Configuring LDAPS Authentication
Section "Configuring LDAP Authentication" describes the configuration method for common LDAP authentication. Note the following points if an LDAPS connection is required.
1. The URL format is ldaps://IP address:Port number.
2. Enable SSL Authentication and enter the path where the authentication file is located.
Opening the Editing Page of Synchronizing User
1. First use of Synchronize User as the admin
Log in to the decision-making platform as the admin, choose System Management > User Management > All Users, and click Synchronize User.
A prompt box pops up saying "Sure to retain existing asynchronous data, including imported/added users, departments, positions, and roles?"
The update logic for different selections is shown in the following table.
Selection | Explanation |
Reserved | Users not in the synchronized dataset: user information and permissions remain unchanged. Users in the synchronized dataset (same username): the username and permissions remain unchanged; the name, password, mobile number, and mailbox are updated; the department, position, and role are updated if the user's current values exist in the synchronized dataset, and remain unchanged otherwise. |
Clear | Deletes all platform information of manually added/imported users, including username, name, password, mobile number, mailbox, department, position, role, and permissions, after which you can synchronize users again. |
1. Depending on the selection, the information of some users may be updated after the initial synchronization.
2. Only synchronized users are automatically updated in the future.
3. In subsequent synchronizations, you cannot overwrite the dataset or update its built-in data; otherwise, conflicts occur and an error prompt is triggered.
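The "Reserved" and "Clear" update logic from the table above, as an added example that is not part of the plugin or this page. Users are plain dicts keyed by username; the "source" key, the handling of a user with no current department/role, and all sample data are assumptions made for this example.

```python
# Added example, not the plugin's own code: a model of the "Reserved" and
# "Clear" update logic applied on the first synchronization. Users are
# plain dicts keyed by username; the "source" key and all sample data are
# constructed for this example.
from copy import deepcopy

REFRESHED = ("name", "password", "mobile", "mailbox")   # always taken from LDAP
ORG_FIELDS = ("department", "position", "role")          # conditionally updated


def reserved_merge(platform_users, synced_users, synced_orgs):
    """'Reserved' selection: existing users stay; those in the sync set are
    merged. synced_orgs[field] = values present in the synchronized dataset."""
    merged = deepcopy(platform_users)          # never mutate the platform table
    for username, incoming in synced_users.items():
        if username not in merged:
            merged[username] = dict(incoming)  # brand-new user, taken as-is
            continue
        current = merged[username]             # same username: merge in place
        # username and permissions are left untouched by design
        for field in REFRESHED:
            if field in incoming:
                current[field] = incoming[field]
        for field in ORG_FIELDS:
            if field not in incoming:
                continue
            # Update only if the user's current value exists in the synced
            # dataset; a user with no current value gets it (assumption).
            cur = current.get(field)
            if cur is None or cur in synced_orgs.get(field, ()):
                current[field] = incoming[field]
    return merged   # users absent from synced_users are unchanged


def clear_merge(platform_users, synced_users):
    """'Clear': drop manually added/imported users, then synchronize afresh."""
    kept = {u: d for u, d in platform_users.items() if d.get("source") == "ldap"}
    for username, incoming in synced_users.items():
        kept[username] = dict(incoming)
    return kept


# Constructed sample data.
PLATFORM = {
    "anna": {"name": "Anna", "password": "old", "permissions": ["report:view"],
             "department": "Sales", "role": "analyst", "source": "manual"},
    "bob": {"name": "Bob", "permissions": ["admin"], "source": "manual"},
}
SYNCED = {
    "anna": {"name": "Anna L.", "password": "h1", "mailbox": "a@example.test",
             "department": "Finance", "role": "auditor", "source": "ldap"},
    "carl": {"name": "Carl", "source": "ldap"},
}
# "Sales" is a synchronized department; "analyst" is not a synchronized role.
SYNCED_ORGS = {"department": {"Sales", "Finance"}, "role": {"auditor"}}
```

Running reserved_merge(PLATFORM, SYNCED, SYNCED_ORGS) moves anna to Finance but leaves her analyst role and permissions intact, while clear_merge drops both manually added users first.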
2. Non-first use of Synchronize User in the decision-making platform
Click Synchronized User Management as the admin and select Edit to open the Synchronize User configuration page.
Configuring Users for Synchronization
Select Synchronize from Multiple LDAP Servers as the user source; the system automatically reads the configuration from section "Configuring LDAP Authentication". Test the connection. The configuration of Synchronize User is shown in the following figure.
Sync Frequency
Two types of synchronization frequency are supported: Fixed Interval and Expression Setting.
Fixed Interval
If you select Fixed Interval, the system automatically synchronizes user data from the LDAP server to the platform at a fixed interval, which defaults to 43,200 seconds and can be modified.
Expression Setting
If you select Expression Setting, you can schedule user synchronization to run periodically at specified times, dates, or intervals.
User Editability
User Info Editable in Sync Status is unticked by default. If it is ticked, synchronized users can edit their own user information.
Synchronized users can edit their names, mobile numbers, and mailboxes. These fields of existing users are then no longer updated during automatic or manual synchronization.
The specific introduction is shown in the following table.
Enabling LDAP URL
Click the corresponding status icon to set the synchronization status of each domain to Enabled or Disabled.
Click the edit icon to edit the synchronization attributes of the domain.
User Attribute
You need to first select ObjectClass in the user attribute field, and then select the attribute value within ObjectClass.
Configuration Item | Introduction | Required or Optional |
ObjectClass | Select an ObjectClass used to store the user attribute. | Required |
User Duplication Verification Field | User duplication verification can be achieved through User ID or Username. 1. If you select User ID, the User ID field is synchronized, and its value is the user ID in the LDAP server when you synchronize users. Note: If user A is an existing user of the platform, the synchronization fails and user A's information in the platform remains unchanged. 2. If you select Username, the Username field is synchronized, and the User ID value is randomly generated by the system. Note: If user A is an existing user of the platform, the synchronization proceeds, and user A's information in the platform is retained and supplemented with the differing information from the LDAP server. 3. If the CN field is configured in User Duplication Verification Field and there are users with duplicate CN in the LDAP source data: | Required |
User ID | Select the UID (User ID) in the user attribute. Note: This field is required only when User ID is selected in User Duplication Verification Field. | Required |
Username | Select the username in the user attribute. Usernames stored in the LDAP server cannot use double-byte Japanese, traditional Chinese, or Korean characters. Otherwise, the message "Incorrect Username or Password" is displayed when the user logs in to the platform. | Required |
User Type | Select Platform User or Mobile Platform User. This configuration item applies to scenarios where platform users are classified, and can be ignored if no such limitation is made. 1. Plugin V1.7.5 and later: the user type is resynchronized during each synchronization, and configuration changes or newly added values take effect with each synchronization. If the user type is set to empty during synchronization, the setting does not take effect and the previous user type setting in the platform is retained. 2. Plugin V1.7.4 and earlier: the user type takes effect only during the initial configuration of synchronization. If user A's type has already been configured on the platform, a new user type configured for A during LDAP synchronization is not added. To make changes, contact the admin to manually modify the platform user type configuration. | Optional |
Username Conversion Policy | 1. Plugin versions earlier than V1.7.9: the case of usernames is uniformly converted to lowercase during user synchronization. 2. Plugin V1.7.9 and later: a Username Conversion Policy function is added that allows you to select Keep Case Unchanged. If this option is ticked, the case of the original username remains unchanged during user synchronization. Note: If the external database is case-sensitive and a historical synchronization of LDAP users has been performed, ticking Keep Case Unchanged causes synchronization failure; you need to clear the historical data and re-synchronize. After the configuration is modified, re-synchronization may cause the loss of certain user configuration permissions. For example, if the user ANNA was originally synchronized and stored as anna, ticking Keep Case Unchanged and re-synchronizing saves the user as ANNA. In this case, the role configuration previously assigned to anna is lost, and ANNA does not inherit the role configuration of anna. | Optional. You are not advised to tick this option unless you have special requirements. Usernames are stored in the database in lowercase by default. |
Name | Select the name in the user attribute. | Required |
Mobile | Select the mobile number in the user attribute. | Optional |
Mailbox | Select the mailbox in the user attribute. | Optional |
Expansion Attribute | Select other contents (batch selection supported) to be synchronized. Note: This function is supported in V1.8.0 and later versions. After this function is configured, data is stored in JSON format to the Fine_Extra_Properties table in FineDB. | Optional |
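The ANNA/anna pitfall described under Username Conversion Policy can be checked before Keep Case Unchanged is ticked. The following is an added example, not the plugin's code: it assumes stored usernames are lowercase (the pre-V1.7.9 behaviour), models role assignments as a plain dict, and uses constructed sample tables.

```python
# Added example (not the plugin's code): an admin pre-check before ticking
# "Keep Case Unchanged". Stored usernames are assumed to be lowercase and
# roles are modelled as {username: [role, ...]}; sample data is constructed.


def case_change_impact(stored_roles, ldap_usernames):
    """Report LDAP usernames whose case differs from the stored lowercase name.

    Returns {ldap_username: (stored_username, roles_at_risk)} for every user
    that a case-preserving re-sync would store as a new user, so that the
    roles of the old lowercase account would not carry over to it.
    """
    at_risk = {}
    for ldap_name in ldap_usernames:
        stored = ldap_name.lower()
        if stored in stored_roles and ldap_name != stored:
            at_risk[ldap_name] = (stored, list(stored_roles[stored]))
    return at_risk


def case_collisions(ldap_usernames):
    """Usernames distinct in the LDAP source but equal once lowercased.

    With the default (lowercasing) policy these would share one platform
    account; with Keep Case Unchanged they become separate accounts.
    """
    seen = {}
    for name in ldap_usernames:
        seen.setdefault(name.lower(), set()).add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def role_transfer_plan(impact):
    """Role assignments to re-apply to the new case-preserved usernames."""
    return {new: roles for new, (_old, roles) in impact.items() if roles}


# Constructed sample data.
STORED_ROLES = {"anna": ["report-viewer", "finance"], "bob": [], "carl": ["admin"]}
LDAP_USERNAMES = ["ANNA", "bob", "Carl", "carl", "dave"]
```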
Department Attribute
You need to first select ObjectClass in the department attribute field, and select the attribute value within ObjectClass.
The department attribute can be left unconfigured. If ObjectClass is selected, however, the department name/department ID must be configured.
Configuration Item | Introduction | Required or Optional |
ObjectClass | Select an ObjectClass used to store the department attribute. | Optional. Either leave all the configuration items here empty or fill in all of them. |
Department Duplication Verification Field | Department duplication verification can be achieved through Department ID or Department Name. 1. If you select Department ID, the Department ID field is synchronized, and its value is the department ID in the LDAP server when you synchronize users. 2. If you select Department Name, the Department Name field is synchronized, and the Department ID value is randomly generated by the system. | |
Department ID | Select the UID (Department ID) in the department attribute. This field is required only when Department ID is selected in Department Duplication Verification Field. | |
Department Name | Select the department name in the department attribute. | |
Role Attribute
You need to first select ObjectClass in the role attribute field, and then select the attribute value within ObjectClass.
The role attribute can be left unconfigured. If ObjectClass is selected, however, the role name/role ID must be configured.
Configuration Item | Introduction | Required or Optional |
ObjectClass | Select an ObjectClass used to store the role attribute. | Optional. Either leave all the configuration items here empty or fill in all of them. |
Role Duplication Verification Field | Role duplication verification can be achieved through Role ID or Role Name. 1. If you select Role ID, the Role ID field is synchronized, and its value is the role ID in the LDAP server when you synchronize users. 2. If you select Role Name, the Role Name field is synchronized, and the Role ID value is randomly generated by the system. | |
Role ID | Select the UID (Role ID) in the role attribute. This field is required only when Role ID is selected in Role Duplication Verification Field. | |
Role Name | Select the role name in the role attribute. | |
Security Group Attribute (Sync with Security Group as Department)
In an AD domain, a security group is an object used for managing and assigning permissions. Security groups, an important concept in AD, allow admins to group a set of users or computers together and assign access permissions for specific resources or objects to the group.
This configuration synchronizes users according to their membership in security groups, with each selected group treated as a department.
1. Security Group Attribute and Department Attribute cannot be configured simultaneously; otherwise, the message "Department attributes and security group attributes cannot be configured at the same time." is displayed.
2. Security Group Attribute and the custom department attribute cannot be configured simultaneously; otherwise, the message "Custom department attributes and security group attributes cannot be configured at the same time." is displayed.
The general applicable structure is shown in the following figure.
The configuration items are shown in the following figure.
Configuration Item | Introduction | Required or Optional |
ObjectClass | Select an ObjectClass used to store the security group (department) attribute. After ObjectClass is selected, all security groups are loaded based on it as options in the Group Selection drop-down checkbox. | Optional. Either leave all the configuration items here empty or fill in all of them. |
Group Name | If the Group Name attribute is selected, the value of the corresponding LDAP attribute is used as the display value in the Group Selection drop-down options. | Optional. If this field is left empty, the Group Selection drop-down options display the CN by default. |
Group Selection / Group Department Mapping | After security groups are selected, the group-to-department mapping is automatically loaded into the mapping table, and the Department Name column supports manual input. | Optional. Either leave all the configuration items here empty or fill in all of them. |
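How the security-group-as-department mapping resolves a user who belongs to several AD groups, as an added example that is not the plugin's code. It uses the standard AD attributes sAMAccountName and memberOf, displays groups by CN (the default when Group Name is left empty), and enforces the rule that department and security group attributes cannot both be configured; the config dict layout and the directory entries are constructed for this example.

```python
# Added example (not the plugin's code): mapping AD security-group
# membership to platform departments, as "Sync with Security Group as
# Department" does. The config dict layout and the sample entries are
# constructed; sAMAccountName and memberOf are standard AD attributes.
import re

_RDN_SPLIT = re.compile(r"(?<!\\),")   # split a DN on unescaped commas only


def rdn_value(dn, attr="CN"):
    """Return the value of the first RDN of `dn` if it uses `attr`, else None."""
    first = _RDN_SPLIT.split(dn, 1)[0]
    key, _, value = first.partition("=")
    if key.strip().upper() != attr.upper():
        return None
    return value.replace("\\,", ",").strip()   # unescape "\," inside the name


def validate_config(config):
    """Department and security-group attributes are mutually exclusive."""
    if config.get("department_attribute") and config.get("security_group"):
        raise ValueError("Department attributes and security group attributes "
                         "cannot be configured at the same time.")


def departments_for_users(users, config):
    """Map each user to the departments of the selected security groups.

    config["security_group"]["mapping"] is {group display name: department};
    the display name is the group's CN. A user in several selected groups
    gets several departments; unselected groups are ignored.
    """
    validate_config(config)
    mapping = config["security_group"]["mapping"]
    result = {}
    for user in users:
        groups = [rdn_value(dn) for dn in user.get("memberOf", [])]
        result[user["sAMAccountName"]] = sorted(
            {mapping[g] for g in groups if g in mapping})
    return result


# Constructed sample directory data (no real domain).
USERS = [
    {"sAMAccountName": "anna",
     "memberOf": ["CN=Sales Team,OU=Groups,DC=example,DC=test",
                  "CN=Finance\\, EMEA,OU=Groups,DC=example,DC=test"]},
    {"sAMAccountName": "bob",
     "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=test"]},
]
CONFIG = {"security_group": {"mapping": {"Sales Team": "Sales",
                                         "Finance, EMEA": "Finance"}}}
```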
Demonstration
If the LDAP system authentication and the LDAP domain user synchronization are successful, you can click OK to start synchronization.
The following figure shows that two LDAP URLs are enabled.
Successful synchronization is shown in the following figure.
After entering the username and password stored in the LDAP server, you can log in to the decision-making platform and perform corresponding operations according to the assigned permissions in the platform.
1. If the entered account does not exist in the platform, the corresponding platform user is disabled, or user limitation is enabled in the platform and the user is not included, the platform does not connect to the LDAP server, and the message Incorrect Username or Password or Username Unavailable is displayed on the login page.
2. Usernames stored in the LDAP server cannot include double-byte Japanese, traditional Chinese, or Korean characters. Otherwise, the message Incorrect Username or Password is displayed when the user logs in to the platform.
3. Passwords stored in the LDAP server cannot include double-byte Japanese, traditional Chinese, simplified Chinese, or Korean characters. Otherwise, the message Incorrect Username or Password is displayed when the user logs in to the platform.
Notes
Special Character Limitation
1. Name of Security Group
If a security group is created in AD, the following characters are disallowed: / \ [] : ; | = , + * ? < > "
2. Name of User
If a user is created in AD, the following characters are disallowed: / \ [] : ; | = , + * ? < > "
In summary, the special characters supported during synchronization are brackets, underscores, and spaces.
3. Name of Organizational Unit (OU)
Supported characters include / \ () _ ; , + * < > and space.
Plugin Deletion
1. Plugin of V1.7.5 and later versions
Configuration is retained if the plugin is deleted.
2. Plugin of V1.7.4 and earlier versions
The existing configuration is deleted if the plugin is deleted. Delete it with care and back up the configuration information first.
The configuration-related information is stored in the FINE_CONF_ENTITY table in the FineDB database.
Query statement:
SELECT * FROM FINE_CONF_ENTITY WHERE ID LIKE '%FINE_MULTI_LDAP VALUES%'