
ACTIVE DATA CALENDAR LDAP/AD IMPLEMENTATION GUIDE

Overview

Active Data Calendar allows for the use of single authentication for users logging into the administrative area of the application through LDAP/AD. LDAP stands for Lightweight Directory Access Protocol, which is an application protocol for querying and modifying directory services running over TCP/IP. A directory is a set of objects with attributes organized in a logical and hierarchical manner.

The benefits of using LDAP/AD to authenticate users in the application include the ability to centrally manage updates to passwords and/or users being placed in an inactive state after leaving an organization. Changing information in the source LDAP/AD system means that the Calendar will not allow a user account to authenticate and login once deactivated in LDAP/AD.

Examples of Various Major Directories

Although there are many implementations of directories by other vendors, these are the most commonly used in conjunction with Active Data Calendar. The Calendar is not specifically coded to work with an exact directory but rather uses LDAP as the standard for interacting with different types of directories. As each vendor is able to implement the standard, there may be variations in how a connection to a directory through LDAP is set up. Some directories are extremely strict with the parameters needed to successfully connect while others are much more relaxed with the parameters needed for a connection through LDAP. The major differences are often the LDAP Unique Identifier and the LDAP Server Path, which are defined in more detail further below.

As the Calendar is a .NET application, it is optimized to work with Windows Active Directory (AD) and the server path is often more flexible than non-Windows directories which require very precise LDAP paths that can be more difficult to identify in creating a successful connection. Please contact technical support if you have questions about the directory that your organization uses for user management.

Vendor       Directory
Microsoft    Active Directory
Novell       eDirectory
Sun          Sun ONE

The non-Windows LDAP directories that have successfully connected with Active Data Calendar are as follows: SunOne, Planet LDAP or ATOM.

Super User Account and LDAP/AD

During the installation of an Active Data Calendar instance a Super User account is created as the first user in the system; it is recommended to not use any credentials that match network credentials but rather set up login information that is unique to the Calendar. The Super User account is the master user account in the system that has global unrestricted rights and is the only account that has access to configure and enable/disable LDAP/AD. This user account is considered native to the application and never validated against Active Directory but rather the database.

Configuring and Enabling LDAP/AD

Once logged in as the Super User, navigate to Configuration: Enable LDAP/AD. This screen includes the ability to add an LDAP Server Path and run a test to ensure that the path/connection is working to that LDAP Server. To begin the LDAP/AD Connection setup process, first click the checkbox to Enable LDAP/AD for Adding User Accounts and then additional fields will be displayed for completion.

Directory Type: Windows Active Directory or Non-Windows LDAP.

LDAP Server Path: (255 character limit / alpha-numeric) This is an open text field that allows for an LDAP URL to be entered. This URL can point to the ROOT of a directory structure or specific branches of a directory structure.
Example value: LDAP://ldap.mydomain.com:389/dc=mydomain,dc=com

LDAP Filter: (255 character limit - alpha-numeric) This is an open text field that allows for a filter to be used when accessing the directory. If only a subset of a directory is to be targeted in the LDAP connection a filter can be entered that narrows any interaction to the objects as defined by the LDAP Server Path and the LDAP Filter.
Example value: (&(objectcategory=person)(objectclass=user))

LDAP Search Base: There are 3 options for selection: Base, One Level, or SubTree. This limits the interaction of LDAP with a directory even further. Applications that modify a directory should be limited in the scope they are allowed to make changes. Limiting scope through these settings can be very helpful in maintaining proper security and limiting negative effects and any possible invalid actions that an application could cause. Additionally, extremely large directories could benefit in limiting the search scope to increase performance when looking through the directory; if it is never needed to search past the base node there is no reason to select OneLevel or SubTree as these would just add unneeded overhead.

If Base is selected, the search against LDAP will only look through the highest level node in the directory as identified by the LDAP Server Path.

If OneLevel is selected, the search against LDAP will only look through the highest level node in the directory and 1 level below the highest node as identified by the LDAP Server Path.

If SubTree is selected, the search against LDAP will only look through the highest level node in the directory and all levels below the highest node as identified by the LDAP Server Path.
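The settings above, together with the LDAP Unique Identifier attribute the guide defines next, describe one directory lookup. The following is an added example, not code from the guide or from Active Data Calendar: it shows one way those values could combine, with the login name escaped so that filter metacharacters are matched literally. The helper names and the way the filter and identifier are joined are assumptions.

```python
# Added example: one way the Server Path, Filter, Search Base and identifier
# settings could combine into a single lookup. compose_lookup() and the other
# helpers are hypothetical, not Active Data Calendar code.
import re
from urllib.parse import urlsplit, unquote

# Scope names used in the guide mapped to the standard LDAP search scopes.
SCOPES = {"Base": "base", "OneLevel": "onelevel", "SubTree": "subtree"}
ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so the value is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_server_path(path: str):
    """Split an LDAP URL into (host, port, base DN)."""
    parts = urlsplit(path)  # urlsplit lowercases the scheme and the hostname
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % path)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.hostname, port, unquote(parts.path.lstrip("/"))

def balanced(ldap_filter: str) -> bool:
    """Cheap sanity check: parentheses pair up and wrap the whole filter."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(") and ldap_filter.endswith(")")

def compose_lookup(server_path, ldap_filter, scope, id_attr, login):
    """Return the connection target and the filter for one user lookup."""
    if scope not in SCOPES:
        raise ValueError("scope must be one of: %s" % ", ".join(SCOPES))
    if not ATTR_NAME.fullmatch(id_attr):
        raise ValueError("invalid identifier attribute: %r" % id_attr)
    if ldap_filter and not balanced(ldap_filter):
        raise ValueError("filter has unbalanced parentheses")
    host, port, base_dn = parse_server_path(server_path)
    user_clause = "(%s=%s)" % (id_attr, escape_filter_value(login))
    # An empty configured filter leaves only the identifier clause.
    combined = "(&%s%s)" % (ldap_filter, user_clause) if ldap_filter else user_clause
    return {"host": host, "port": port, "base_dn": base_dn,
            "scope": SCOPES[scope], "filter": combined}

if __name__ == "__main__":
    # Example values from the guide; the login name is constructed.
    print(compose_lookup("LDAP://ldap.mydomain.com:389/dc=mydomain,dc=com",
                         "(&(objectcategory=person)(objectclass=user))",
                         "SubTree", "samaccountname", "smith (temp)*"))
```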

LDAP Unique Identifier: (255 character limit - alpha-numeric) When validating user information against a directory the unique value that identifies an object in a directory is needed. This value varies among directories. Note that it is possible for an organization to decide to use a different field as the unique identifier such as an email address. Generally, for Windows accounts the login name of a user maps to the directory value of samaccountname while in some non-Windows implementations the user's login name maps to a directory value of uid.

Type                        Value Used (*Case Sensitive)
Windows Active Directory    samaccountname
Non-Windows LDAP            uid

Use Secure Sockets (SSL): There are options for selection: Yes or No. If the directory object being validated against has implemented SSL, this value allows for the connection to LDAP to use security. With Windows Active Directory, the No value should always be selected even if SSL is required as packets are automatically encrypted through the standard TCP/IP protocol behind the scenes. Other LDAP implementations may or may not need to be explicitly set to the Yes value as they may allow for encrypting the LDAP connections through the standard TCP/IP protocol behind the scenes as well. The requirements of this value vary among network setups and implementations and security should be confirmed by using applications that monitor LDAP traffic or by confirming through access logs on the directory server.

Once you have added all the required information on this screen, click the button labeled SUBMIT. This button will launch a function window on the right hand side of the screen where you will be prompted to enter:

Username: (255 character limit - alpha-numeric) - This is a required field.
Password: (255 character limit - alpha-numeric) - This is a required field.

*NOTE: The username and password supplied can be any valid, active LDAP/AD username and password.

CANCEL: Can be clicked to cancel out of the function window and be returned to the main screen for Enable & Setup LDAP without performing the test.

SUBMIT: Can be clicked to submit your test account information and be returned to the main screen for Enable & Setup LDAP where you will be presented with a confirmation message of the success or failure of your test.
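The Use Secure Sockets (SSL) field above says to confirm connection security by monitoring LDAP traffic. As an added example (not from the guide or the product), this classifier looks at the first client payload of a captured connection to the directory server and tells a TLS handshake apart from an LDAP bind sent without TLS; the function names and all sample payloads are constructed for illustration.

```python
# Added example: classify the first client payload of a captured connection to
# the directory server. All sample payloads are constructed for illustration.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"    # LDAP StartTLS extended operation

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, min(pos + length, len(buf))

def classify_first_payload(payload: bytes) -> str:
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls-handshake"
    try:
        tag, start, _ = read_tlv(payload, 0)             # LDAPMessage SEQUENCE
        if tag != 0x30:
            return "unknown"
        tag, _, id_end = read_tlv(payload, start)        # messageID INTEGER
        if tag != 0x02:
            return "unknown"
        op, op_start, op_end = read_tlv(payload, id_end)
        if op == 0x77:                                   # ExtendedRequest
            body = payload[op_start:op_end]
            return "ldap-starttls" if STARTTLS_OID in body else "ldap-other"
        if op != 0x60:                                   # not a BindRequest
            return "ldap-other"
        _, _, ver_end = read_tlv(payload, op_start)      # protocol version
        _, _, name_end = read_tlv(payload, ver_end)      # bind DN
        auth, a_start, a_end = read_tlv(payload, name_end)
    except IndexError:
        return "unknown"                                 # truncated capture
    if auth == 0x80:        # simple authentication: the value is the password
        return "cleartext-simple-bind" if a_end > a_start else "anonymous-bind"
    if auth == 0xA3:        # SASL: mechanism name plus mechanism credentials
        return "sasl-bind"
    return "ldap-other"

def tlv(tag, value=b""):
    """Build a short-form BER element (used only for the samples below)."""
    return bytes([tag, len(value)]) + value

def bind(auth):
    """Constructed BindRequest: messageID 1, LDAP v3, sample DN."""
    body = tlv(0x02, b"\x03") + tlv(0x04, b"cn=test,dc=mydomain,dc=com") + auth
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, body))

SAMPLES = {
    "tls": bytes.fromhex("16030100050100000100"),
    "simple": bind(tlv(0x80, b"constructed-pw")),
    "anonymous": bind(tlv(0x80)),
    "sasl": bind(tlv(0xA3, tlv(0x04, b"GSS-SPNEGO"))),
    "starttls": tlv(0x30, tlv(0x02, b"\x01") + tlv(0x77, tlv(0x80, STARTTLS_OID))),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", classify_first_payload(data))
```

A result of cleartext-simple-bind means the bind password crossed the network unencrypted on that connection.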

Testing the LDAP/AD Connection

Once you have submitted your test information the software will run a test of the information entered regarding the LDAP connection. You will then see one of two possible messages depending on the success or failure of your test. If your test was not successful, please change the LDAP Connection information that you have entered and re-run your account test. Otherwise, if you have received a "success message" you must still click the FINISH button on the Enable LDAP/AD screen to save the LDAP information and finalize the addition of the connection.

Disabling LDAP/AD

If the checkbox for "Enable LDAP/AD" is deselected at any time (after a connection has already been successfully finalized/saved), then any existing account information that has been imported up to that point will be maintained as is in the Calendar database. If usernames, passwords, email addresses, etc. are changed, re-enabling LDAP in the future may cause these accounts to be unusable for association reasons. For this reason, it is highly recommended that all efforts be made to avoid enabling and disabling LDAP repeatedly. As soon as the Enable LDAP/AD checkbox is deselected, then the standard User navigation buttons are re-enabled and standard user functions can be used from within the Active Data Calendar system.

LDAP/AD Security and Passwords

When a user account attempts to log into the Calendar and enters a password, the user is validated against Active Directory to authenticate and ensure that they are a valid user account and that the password is correct. If any authentication methods are required by a client that are not currently supported, please contact the Active Data Exchange Professional Services team to discuss any custom enhancements.

Each time the password is checked in LDAP/AD, the Calendar has a process of re-hashing it and storing it in the database in this secure manner to ease any associated security risks. This is done in case LDAP/AD is ever disabled so that a record of the last login information is stored for accounts to continue to login. The password hash code is a one way process meaning that once hashed it cannot ever be undone and there is no way to determine the actual password values. An example of a hash code that equals admin12 is 1844156D4166D94387F1A4AD031CA5FA.

Below is a simple SQL script that is provided in case there is a need to reset the Super User information in the database to this known hashed password. This can also be done by running a simple SQL script against the database as follows:

UPDATE Account SET acct_idn='admin', acct_password='1844156d4166d94387f1a4ad031ca5fa' WHERE def_org_unit='*'

LDAP/AD Required Data

There are 4 pieces of information that are brought in when users are queried in Active Directory to be brought over into Active Data Calendar.

1. First Name
2. Last Name
3. Email
4. Login Name

LDAP/AD User Accounts

The application allows for the import of single users from Active Directory into the Calendar. Once you have successfully established a test connection in the LDAP/AD configuration area, you can then go to Workflow: Accounts: Add to search for users in Active Directory and copy the users found into the Calendar application.

Please note that bringing users over from LDAP/AD requires a valid and authenticated LDAP/AD account. The authenticated account must have the ability to query Active Directory and pull back user information to be stored in the calendar database. Actually adding the users in Calendar requires the ability to have an LDAP/AD account with proper read permissions.

The following occurs when importing users from LDAP/AD: The 4 pieces of information noted above are copied from Active Directory and an account is created in the Calendar application. Department permissions and role and account status can then be automatically applied to users as they are brought over to Calendar. A form will be presented at the time of bringing the account over to allow initial assignments to the account, which can be modified later by selecting the modify account process. The same form and process is also presented when adding groups in the Calendar.

At this point the user information stored in Calendar matches the information stored in LDAP/AD. Please note that a user account's username is the unique identifier in LDAP/AD and cannot be modified in the Calendar application since it is authenticated from another system. There is also no longer an ability to modify any of the information on Step 1 of a user account's profile, such as the first name, last name, email, password, etc.

Once this information is populated from LDAP/AD, it is recommended to proceed through the rest of the process of setting up application specific permissions for a user account such as department permissions and roles, overall system privileges, category ownership and/or facility ownership (if applicable to a client's installation).

Since the username is a unique identifier for the Calendar, if it has changed for any reason in LDAP/AD then the account will need to be re-added to the Calendar. Once deleted, the account's event ownership will be automatically transferred to the Super User account. In order to continue to maintain the connection of the user's event ownership status, it is recommended to inactivate the account first and then bring in the new user account from LDAP/AD and activate it. Once activated, you can choose to delete the user account and you will be presented with an option to transfer event ownership to any accounts in the system. Please see an example of this below.

LDAP/AD Groups

The application allows for the import of groups from Active Directory into the Calendar. Once you have successfully established a test connection in the LDAP/AD configuration area, you can then go to Workflow: Groups: Add to search for groups in Active Directory and then select to import a group into Calendar. This is the only area in Calendar where groups and Active Directory interact.

Please note that bringing groups over from LDAP/AD requires a valid and authenticated LDAP/AD account. The authenticated account must have the ability to query Active Directory and pull back group information to be stored in the calendar database. Actually adding the groups in Calendar requires the ability to have an LDAP/AD account with proper read permissions.

The following occurs when importing groups from LDAP/AD:

1. A group with a name matching the Active Directory group is created in the Calendar application.
2. All user accounts in the Active Directory group are imported into the Calendar.
3. All Active Directory users imported are assigned to the group created in the Calendar application.

At this point there is a group name in the Calendar application that matches the group name in Active Directory. Group names can be modified in the Calendar application to be different than the group name stored in Active Directory for business requirement purposes.

Once groups and users are in the Calendar system, it is recommended to proceed through the rest of the process of setting up application specific permissions for the group such as department permissions and roles, overall system privileges, category ownership and/or facility ownership (if applicable to a client's installation). The benefit of using groups is that you can easily apply, modify or remove these application specific permissions in mass to the group. Please note that all of the individual user accounts imported into the group from LDAP/AD can also be modified separately by going to Workflow: Accounts: Modify.

Persistent Active Directory Interaction

As of Active Data Calendar v. 3.9.x and all previous versions, there is no persistent interaction between the Calendar application and Active Directory once a user/group is brought into the Calendar from LDAP/AD. If a user is deleted from LDAP/AD they will need to be manually removed in the Calendar.

The Calendar application only checks the following information regarding users attempting to authenticate.

1. The user login name as entered on login must be a valid Calendar account.
2. The user login name as entered on login must validate against Active Directory.

Group assignments in Active Directory do not affect the validity of an Active Directory account. These are only for setting up permissions and associated options on an organization domain. As this sits outside of the scope of the Calendar there is no connection to these account permissions and privileges inside of the Calendar as an application.

For example, a user in Active Directory may be a part of 5 groups when they are first brought into the Calendar application and later on are removed from all 5 groups and assigned to 3 unique, new groups through Active Directory. Although this account is valid inside of Active Directory, the Calendar has no notion of the changes made at the group level and therefore there will be no changes reflected on account/group information in the Calendar application. The original assignments will be retained.

Support

Please contact Product Support at (610)-997-8100 or support@activedatax.com for further assistance.