LDAP in easy steps


03 Mar, 2011 10:49 PM

I've seen pages such as http://www.hannonhill.com/kb/Administrator/ldap-active-directory/.

This is good info, but I'm a new guy to LDAP and Cascade Server. Is there someone that can tell me how to do the LDAP in ten easy steps, etc? First do this, then that, etc?

  1. Posted by Ross on 04 Mar, 2011 10:08 PM

    1. Obtain a username and password for your LDAP server that has read access to the users you want to import into Cascade
    2. Download a tool like LDAPExplorerTool that will let you browse for fully-qualified paths to your users
    3. Download the example LDAP configuration file from the Knowledge Base. The following steps will discuss modifying particular sections of that file.
    4. Put your LDAP server's connection details and credentials into the <server> element of the config file:

              <username>CN=John Smith,OU=Employees,DC=myorg,DC=org</username>
              <!-- SSL information goes here, if needed (see step 4) -->
    5. Determine whether your LDAP server uses SSL. If it does, get back to me, and I'll include more detailed SSL configuration information. Remove the <parameter> elements inside <binding> if you're not using SSL.
    6. Modify the <report> section of the config file if you want to be emailed regular LDAP sync reports.
    7. Now look to the <policies> section of the example file. There are two kinds of policies: <user-policy>, which works on all LDAP servers, and <ad-security-group-policy>, which works only on Microsoft's Active Directory. For a <user-policy> you can use most of what is already in the example file if you are working with Active Directory and wish to synchronize ALL users in a particular OU (part of the AD folder tree). If you wish to use a security group to control who has a user account in Cascade, you'll need to use <ad-security-group-policy>. The two policies are identical but for the way that they find which users to synchronize:

      <user-policy> has:

      1. <container-identifier> that points to an OU in your LDAP, which must contain all of the user accounts you want to sync
      2. <object-attribute-filter> or <freeform-filter> which can narrow down which users in the container you want to sync. <freeform-filter> is very powerful, but you must understand LDAP Filter Syntax

      <ad-security-group-policy> has only:

      1. <security-group-id> that points to the Security Group object in Active Directory listing the users to be synchronized.

      BOTH have all the remaining elements you see in the example config file:


      … specify which LDAP attributes represent username, e-mail, and full name in Cascade. Above are Active Directory's defaults.


      … Are accounts seen for the first time in LDAP automatically enabled in LDAP or will a Cascade admin have to enable them manually?


      … Self-explanatory.


      … Controls whether Cascade maintains the user's password or whether it is checked against the LDAP server. I recommend leaving these as they are, because most people's intent is to have the LDAP server manage passwords. If you want to do something different, inquire and we can point you in the right direction.

      <system-groups remove-from-other-groups="yes">

      … Determines the imported users' group membership. The remove-from-other-groups attribute, if set to yes, will mean that at EVERY LDAP SYNC the user will be removed from groups other than those listed. Not recommended. Set this to no. The <create-if-does-not-exist> element will automatically create the group if it does not exist and assign the listed roles to it. Usually not needed, so I would omit this section from your policy.

      <system-roles remove-from-other-roles="yes">

      … Determines which global roles are assigned to the imported users.

    8. Install the configuration file using System Menu > Configuration > LDAP. You will need Administrator privileges.

    9. Test your LDAP sync using System Menu > Utilities > Sync LDAP. You can check your Cascade dashboard Messages for a report, or, depending on how you set up the <report> section above, a report may be e-mailed to you.

    That's it, in less than 10 steps. Once you're satisfied everything is working as desired, you can edit the config file again and make synchronization automatic using the <automatic-synchronization> and <schedule> elements. You'll also want to pay attention to the <orphaned-ldap-users> element. As users leave your organization and are removed or disabled in LDAP you can choose to delete them, deactivate them, or just leave them in Cascade. Deletion is usually a reasonable choice, as their username will still appear in places where appropriate (like Last Modified By). The only side effect of deleting a user is that their individual account information will disappear (like Messages and Preferences) and their account can't be Audited directly. You'll still be able to see them in the Audit trail for the various Assets they've worked with.
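    As an added example (not from this thread and not Cascade Server's own code), a small Python linter that flags the settings Ross warns about before you run a sync. The element names follow his post, but the surrounding Cascade schema, the root element, and the sample config are assumptions.

```python
"""Lint a Cascade-style LDAP sync config for the settings called out in the post.

Element names follow the post; the exact Cascade schema is assumed, and the
sample config below is constructed for this example (it is not a real file).
"""
import xml.etree.ElementTree as ET

# Constructed sample. The freeform-filter is deliberately missing its final ')'
# and system-groups uses the remove-from-other-groups="yes" setting Ross advises against.
SAMPLE_CONFIG = """<ldap-configuration>
  <server>
    <username>CN=Sync Account,OU=Service Accounts,DC=myorg,DC=org</username>
    <binding></binding>
  </server>
  <policies>
    <user-policy>
      <container-identifier>OU=Employees,DC=myorg,DC=org</container-identifier>
      <freeform-filter>(&amp;(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))</freeform-filter>
      <system-groups remove-from-other-groups="yes"/>
    </user-policy>
  </policies>
</ldap-configuration>"""


def balanced_parens(flt: str) -> bool:
    """Structural check for an LDAP filter string: parentheses must balance."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_ldap_config(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    # Ross: remove-from-other-groups="yes" strips manually assigned groups on EVERY sync.
    for sg in root.iter("system-groups"):
        if sg.get("remove-from-other-groups", "").lower() == "yes":
            findings.append('system-groups remove-from-other-groups="yes": set it to "no"')
    # A freeform-filter goes to the LDAP server verbatim; catch malformed ones up front.
    for ff in root.iter("freeform-filter"):
        if not balanced_parens(ff.text or ""):
            findings.append(f"freeform-filter has unbalanced parentheses: {ff.text}")
    # Assumption: a <binding> with no <parameter> children means the SSL settings were removed.
    for b in root.iter("binding"):
        if b.find("parameter") is None:
            findings.append("binding has no <parameter> elements: sync traffic is not SSL-protected")
    return findings
```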

  2. Posted by frank.moore on 08 Mar, 2011 05:42 PM


    Thanks! I'm going to study this. :)

  3. Posted by frank.moore on 08 Mar, 2011 07:41 PM


    Had a question though, how does Cascade Server know which people to pull in? Does it just pull in everyone and I can go in and assign users to groups manually, or does it need to be able to map AD groups to Cascade Server groups?

  4. Posted by Ross on 16 Mar, 2011 04:35 PM


    The system-groups element in each user-policy or ad-security-group-policy determines which Cascade groups that policy maps to. It's up to you whether you have just one policy that maps a huge AD group into Cascade (giving you lots of manual control) or lots of policies that map specific AD groups to specific Cascade groups (via system-groups).

  5. Posted by frank.moore on 17 Mar, 2011 11:01 PM


    Thanks for that info. I see that we can create users in CS or pull in users with LDAP. The users pulled in with LDAP can be authenticated with their network login which is handy.

    Can I create a user in CS such as “frank.moore” (my network login), and then have it authenticate in LDAP when I try to login?

  6. frank.moore closed this discussion on 17 Aug, 2011 10:00 PM.