<p>Cascade CMS: Discussion</p>
<p><strong>LDAP in easy steps</strong></p>
<div><p>I've seen pages such as <a href=
"http://www.hannonhill.com/kb/Administrator/ldap-active-directory/">
http://www.hannonhill.com/kb/Administrator/ldap-active-directory/</a>.</p>
<p>This is good info, but I'm a new guy to LDAP and Cascade Server.
Is there someone that can tell me how to do the LDAP in ten easy
steps, etc? First do this, then that, etc?</p></div>
<p>Posted by frank.moore, 2011-03-03</p>
<div><ol>
<li>Obtain a username and password for your LDAP server that has
read access to the users you want to import into Cascade<br></li>
<li>Download a tool like <a href=
"http://ldaptool.sourceforge.net/">LDAPExplorerTool</a> that will
let you browse for fully-qualified paths to your users<br></li>
<li>Download the <a href=
"http://www.hannonhill.com/kb/Configuring-LDAP/ldap-config.xml">example
LDAP configuration file</a> from the Knowledge Base. The following
steps will discuss modifying particular sections of that
file.<br></li>
<li>
<p>Put your LDAP server's connection details and credentials into
the <code><server></code> element of the config file:<br></p>
<pre>
<code><server>
<ldap-version>3</ldap-version>
<hostname>ldap.internal.myorg.com</hostname>
<port>389</port>
<security>
<username>CN=John Smith,OU=Employees,DC=myorg,DC=org</username>
<password>secretpassword</password>
</security>
<auth-type>simple</auth-type>
<binding>
<classname>com.hannonhill.cascade.model.security.ldap.bind.LDAPCleartextBind</classname>
<!-- SSL information goes here, if needed (see step 4) -->
</binding>
</server></code>
</pre></li>
<li>Determine whether your LDAP server uses SSL. If it does, get
back to me, and I'll include more detailed SSL configuration
information. Remove the <code><parameter></code> elements
inside <code><binding></code> if you're not using
SSL.<br></li>
<li>Modify the <code><report></code> section of the config
file if you want to be emailed regular LDAP sync reports.<br></li>
<li>
<p>Now look to the <code><policies></code> section of the
example file. There are two kinds of policies:
<code><user-policy></code>, which works on all LDAP servers,
and <code><ad-security-group-policy></code>, which works only
on Microsoft's Active Directory. For a
<code><user-policy></code> you can use most of what is
already in the example file if you are working with Active
Directory and wish to synchronize ALL users in a particular OU
(part of the AD folder tree). If you wish to use a security group
to control who has a user account in Cascade, you'll need to use
<code><ad-security-group-policy></code>. The two policies are
identical but for the way that they find which users to
synchronize:<br></p>
<p><code><user-policy></code> has:</p>
<ol>
<li><code><container-identifier></code> that points to an OU
in your LDAP, which must contain all of the user accounts you want
to sync</li>
<li><code><object-attribute-filter></code> or
<code><freeform-filter></code> which can narrow down which
users in the container you want to sync.
<code><freeform-filter></code> is very powerful, but you must
understand <a href=
"http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm">
LDAP Filter Syntax</a></li>
</ol>
<p><code><ad-security-group-policy></code> has only:</p>
<ol>
<li><code><security-group-id></code> that points to the
Security Group object in Active Directory listing the users to be
synchronized.</li>
</ol>
<p><strong>BOTH</strong> have all the remaining elements you see in
the example config file:</p>
<pre>
<code><username-attribute>sAMAccountName</username-attribute>
<email-attribute>userPrincipalName</email-attribute>
<full-name-attribute>displayName</full-name-attribute></code>
</pre>
<p>… specify which LDAP attributes represent username,
e-mail, and full name in Cascade. Above are Active Directory's
defaults.</p>
<pre>
<code><enable-new-users>yes</enable-new-users></code>
</pre>
<p>… Are accounts seen for the first time in LDAP
automatically enabled in LDAP or will a Cascade admin have to
enable them manually?</p>
<pre>
<code><convert-usernames-to-lowercase>yes</convert-usernames-to-lowercase></code>
</pre>
<p>… Self-explanatory.</p>
<pre>
<code><authenticate-against-ldap-server>yes</authenticate-against-ldap-server>
<authentication-mode>ldap</authentication-mode></code>
</pre>
<p>… Controls whether Cascade maintains the user's password
or whether it is checked against the LDAP server. I recommend
leaving these as they are, because most people's intent is to have
the LDAP server manage passwords. If you want to do something
different, inquire and we can point you in the right direction.</p>
<pre>
<code><system-groups remove-from-other-groups="yes">
<group>
<name>analysts</name>
</group>
<group>
<name>development</name>
<create-if-does-not-exist>
<role>Administrator</role>
<role>Publisher</role>
</create-if-does-not-exist>
</group>
</system-groups></code>
</pre>
<p>… Determines the imported users' group membership. The
<code>remove-from-other-groups</code> attribute, if set to
<code>yes</code>, will mean that at EVERY LDAP SYNC the user will
be removed from groups other than those listed. <strong>Not
recommended</strong>. Set this to <code>no</code>. The
<code><create-if-does-not-exist></code> element will
automatically create the group if it does not exist and assign the
listed roles to it. Usually not needed, so I would omit this
section from your policy.</p>
<pre>
<code><system-roles remove-from-other-roles="yes">
<role>Administrator</role>
<role>Publisher</role>
</system-roles></code>
</pre>
<p>… Determines which global roles are assigned to the
imported users.</p>
</li>
<li>
<p>Install the configuration file using <code>System Menu >
Configuration > LDAP</code>. You will need Administrator
privileges.<br></p>
</li>
<li>Test your LDAP sync using <code>System Menu > Utilities >
Sync LDAP</code>. You can check your Cascade dashboard Messages for
a report, or, depending on how you set up the
<code><report></code> section above, a report may be e-mailed
to you.</li>
</ol>
<p>That's it, in less than 10 steps. Once you're satisfied
everything is working as desired, you can edit the config file
again and make synchronization automatic using the
<code><automatic-synchronization></code> and
<code><schedule></code> elements. You'll also want to pay
attention to the <code><orphaned-ldap-users></code> element.
As users leave your organization and are removed or disabled in
LDAP you can choose to delete them, deactivate them, or just leave
them in Cascade. Deletion is usually a reasonable choice, as their
username will still appear in places where appropriate (like Last
Modified By). The only side effect of deleting a user is that their
individual account information will disappear (like Messages and
Preferences) and their account can't be Audited directly. You'll
still be able to see them in the Audit trail for the various Assets
they've worked with.</p></div>
<p>Posted by Ross, 2011-03-04</p>
<div><p>Thanks! I'm going to study this. :)</p></div>
<p>Posted by frank.moore, 2011-03-08</p>
<div><p>Had a question though, how does Cascade Server know which people
to pull in? Does it just pull in everyone and I can go in and
assign users to groups manually, or does it need to be able to map
AD groups to Cascade Server groups?</p></div>
<p>Posted by frank.moore, 2011-03-08</p>
<div><p>The <code>system-groups</code> element in each
<code>user-policy</code> or <code>ad-security-group-policy</code>
determines which Cascade groups that policy maps to. It's up to you
whether you have just one policy that maps a huge AD group into
Cascade (giving you lots of manual control) or lots of policies
that map specific AD groups to specific Cascade groups (via
<code>system-groups</code>).</p></div>
<p>Posted by Ross, 2011-03-16</p>
<div><p>Thanks for that info. I see that we can create users in CS or
pull in users with LDAP. The users pulled in with LDAP can be
authenticated with their network login which is handy.</p>
<p>Can I create a user in CS such as “frank.moore” (my
network login), and then have it authenticate in LDAP when I try to
login?<br></p></div>
<p>Posted by frank.moore, 2011-03-17</p>
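As an added example (not from the thread, Hannon Hill, or the Knowledge Base file), a small Python checker for the configuration file Ross walks through above: it parses an ldap-config.xml, flags the <code>remove-from-other-groups="yes"</code> setting he advises against, a cleartext bind with no SSL <code>&lt;parameter&gt;</code> elements, and a policy missing its container identifier or security group id, and rewrites the group setting to <code>no</code>. The sample XML is constructed, and the element names are taken from the snippets in the thread.

```python
"""Sanity-check a Cascade ldap-config.xml for the pitfalls called out above."""
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the snippets in the thread; it is not the
# real Knowledge Base file, and the second policy deliberately omits its id.
SAMPLE_CONFIG = """<ldap-config>
  <server><hostname>ldap.internal.myorg.com</hostname><port>389</port>
    <auth-type>simple</auth-type>
    <binding><classname>com.hannonhill.cascade.model.security.ldap.bind.LDAPCleartextBind</classname></binding>
  </server>
  <policies>
    <user-policy>
      <container-identifier>OU=Employees,DC=myorg,DC=org</container-identifier>
      <system-groups remove-from-other-groups="yes"><group><name>analysts</name></group></system-groups>
    </user-policy>
    <ad-security-group-policy>
      <system-groups remove-from-other-groups="no"><group><name>development</name></group></system-groups>
    </ad-security-group-policy>
  </policies>
</ldap-config>"""

def check_ldap_config(xml_text):
    """Return (severity, message) findings in document order; [] means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    binding = root.findtext("server/binding/classname") or ""
    # A cleartext bind with no SSL <parameter> elements sends the bind DN and
    # password over the wire unencrypted; the thread's SSL step covers the fix.
    if "Cleartext" in binding and root.find("server/binding/parameter") is None:
        findings.append(("warn", "simple bind without SSL: credentials unencrypted"))
    for policy in root.findall("policies/*"):
        tag = policy.tag
        if tag == "user-policy" and policy.find("container-identifier") is None:
            findings.append(("error", f"{tag}: missing <container-identifier>"))
        if tag == "ad-security-group-policy" and policy.find("security-group-id") is None:
            findings.append(("error", f"{tag}: missing <security-group-id>"))
        groups = policy.find("system-groups")
        if groups is not None and groups.get("remove-from-other-groups") == "yes":
            # Ross's advice: this strips manually assigned groups at every sync.
            findings.append(("warn", f'{tag}: remove-from-other-groups="yes"; set to "no"'))
    return findings

def harden(xml_text):
    """Return the config with remove-from-other-groups forced to "no" everywhere."""
    root = ET.fromstring(xml_text)
    for groups in root.iter("system-groups"):
        groups.set("remove-from-other-groups", "no")
    return ET.tostring(root, encoding="unicode")
```

Run <code>check_ldap_config</code> on your own file before installing it under System Menu > Configuration > LDAP; an "error" finding means the policy cannot select any users, a "warn" finding is a setting the thread recommends changing.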