Articles with the tag:
Close
Changelog
Close
Help Center
Control Panel

Altering LDAP settings

Control Panelv.2.2 Control Panel changelog

Version 2.2.0

Release date: 11/02/2017

General

  • Added the documentserver-prepare4shutdown.sh script launch when updating the document-server for the correct edited document saving.

LDAP

  • Dramatically changed LDAP integration, migrated to the single library for the work with LDAP (Novell.Directory.Ldap.NETStandard, Nuget, MIT);
  • Login and email are now split into two separate fields;
  • Added the support for big data;
  • Increased the work speed via the LDAP protocol (the connection to the server and receiving the data is now made once per session, added the limits when only a certain number of results is necessary, fixed the slow login for bit data, removed the sorting out used to find the SID parameter);
  • Fixed the user re-creation issue;
  • Fixed the duplicate username issue;
  • Fixed the already existing email issue;
  • Replaced the LDAP user deletion with account deactivation (for further data migration and data safety);
  • Instead of re-creating a user with an unknown SID but an existing email the data is updated;
  • Added the attempt to save the correct UserName/Login in case a similar one is already taken on the portal.

Single Sign-on

  • Added the AD FS support;
  • Replaced the Single Sign-on link at the authorization page with the customizable button, added the button customization to the SSO setting of the Control Panel.

Version 2.1.0

Release date: 07/03/2017

HTTPS

  • Added the support of letsencrypt service for the domain certificate generation.

Single Sign-on

  • Added the new sso.auth service;
  • Added the new SSO settings page;
  • Added the support for Shibboleth.

Version 2.0.0

Release date: 05/25/2017

General

  • The Control Panel migrated from MVC to Node.js.

Version 1.6.0

Release date: 12/05/2016

LDAP

  • Added LDAP synchronization for users and groups when saving the settings, after login and using the Sync button;
  • Changed email formation for LDAP users;
  • Fixed the problem of creation of users with invalid emails;
  • Fixed the problem of duplicate users;
  • Added icons and hints to the users in the list for the admin;
  • Blocked for editing the user profile fields imported using LDAP;
  • Added the real LDAP password saving to the database during login in case LDAP Auth is disabled, now the LDAP users will become common portal users when LDAP Auth is disabled;
  • Added new API Settings method - Sync LDAP;
  • Added new translations;
  • Bug fixes.

Version for Windows

  • Made changes at the Update page for the Control Panel for Windows;
  • Updates are performed using the downloaded installation packages for each module.
  • The current installed component version numbers are obtained via API request to the Community Server.
  • The new versions available for download are obtained via the request to the http://download.onlyoffice.com/install/windows/updates.txt file, where all the latest component version numbers and links for their download are stored in the JSON format.

If you've just deployed Enterprise Edition on your server, the first thing that you need to do is to create accounts for all your company employees. But if it numbers more than 50 persons, the process of creating new portal users will take a lot of time. Since now you don't need to worry about it, because Control Panel offers you the LDAP Support option which allows to import the necessary users and groups from an LDAP Server (e.g. OpenLDAP Server or Microsoft Active Directory) to your portal, literally, in several minutes. The newly created users, in turn, don't need to memorize new passwords and logins because they will sign in to portal using their credentials stored in your LDAP Server.

To access Control Panel, sign in to your portal and click the 'Control Panel' link on the Start Page. Alternatively, you can go to the portal 'Settings' and click the 'Control Panel' link on the left-side panel.

Importing users and groups

Before you start importing If you connect to Active Directory which has more than 1000 users, you will need to increase the AD limit MaxPageSize = 1000 using the ntdsutil. The detailed instructions on how this can be done are available here.
  1. In the Control Panel, open the LDAP page.
  2. Click the Enable LDAP Authentication switcher and use the Show link next to the LDAP Settings title to display the parameter form.
  3. Check the Enable StartTLS box if you want to secure your connections by using the StartTLS technology.
  4. Fill out the fields necessary for user import (the obligatory fields are marked with an asterisk):
    LDAP settings - users LDAP settings - users
    Warning Please note that in case you have already imported some users and changed some of the settings (e.g. Server, User Filter, User DN, Group Filter, Group DN), the existing users and all their data, including documents, emails, etc. not matching these new settings will be DISABLED. We strongly recommend creating a backup before you change any settings.
    • in the Server field, enter the LDAP server URL address in the form protocol://host, e.g. LDAP://example.com for a regular LDAP connection or LDAPS://example.com for a secure LDAP connection over SSL. You can also specify the server IP address instead of its DNS name: LDAP://192.168.3.202,
    • specify a Port Number that is used to access LDAP server. The default port for regular LDAP connections is 389. If you have enabled the StartTLS option, leave the port unchanged. If you want to use LDAP connections over SSL, replace the port number with 636.
    • in the User DN (User Distinguished Name) field, specify the absolute path to the top level directory containing users you want to import. This parameter defines the node where the search starts. You can specify the root directory, e.g. dc=example,dc=com, to search for users within the entire directory, or specify a certain search area, e.g. ou=groupname,dc=example,dc=com, to search for users within the specified group.
    • fill out the User Filter field if you need to import the users who correspond to the specified search criteria. The default filter value (uid=*) allows to import all users.
      You can find the search filter syntax examples here.
    • the following parameters are set by default, but you can change them if it's necessary:
      • Login Attribute (an attribute in a user record that corresponds to the login that LDAP server users will use to log in to ONLYOFFICE)
      • First Name Attribute (an attribute in a user record that corresponds to the user's first name)
      • Second Name Attribute (an attribute in a user record that corresponds to the user's second name)
      • Title Attribute (an attribute in a user record that corresponds to the user's title)
      • Mail Attribute (an attribute in a user record that corresponds to the user's email address)
      • Location Attribute (an attribute in a user record that corresponds to the user's location)
      • Mobile Phone Attribute (an attribute in a user record that corresponds to the user's mobile phone number)
      Please note: the default settings are specified for OpenLDAP Server. For Active Directory, you need to change the following settings:
      • User Filter - (userPrincipalName=*)
      • Login Attribute - sAMAccountName
  5. Click the Group membership switcher if you want to add groups from LDAP server to your portal and fill out the necessary fields:
    Please note, that if you decide to add groups, only users who belong to at least one group will be added.
    LDAP settings - groups LDAP settings - groups
    Warning Please note that in case you have already imported some users and changed some of the settings (e.g. Server, User Filter, User DN, Group Filter, Group DN), the existing users and all their data, including documents, emails, etc. not matching these new settings will be DISABLED. We strongly recommend creating a backup before you change any settings.
    • in the Group DN (Group Distinguished Name) field, specify the absolute path to the top level directory containing groups you want to import, e.g. ou=Groups,dc=example,dc=com.
    • fill out the Group Filter field if you need to import the groups which correspond to the specified search criteria. The default filter value (objectClass=posixGroup) allows to import all groups.
    • the following parameters are set by default, but you can change them if it's necessary:
      • User Attribute (an attribute that determines whether this user is a member of the groups)
      • Group Attribute (an attribute that specifies the users that the group includes)
      • Group Name Attribute (an attribute that corresponds to a name of the group where the user is included)
      Please note: the default settings are specified for OpenLDAP Server. For Active Directory, you need to change the following settings:
      • Group Filter - (objectClass=group)
      • User Attribute - distinguishedName
      • Group Attribute - member
  6. In the Login and Password fields, enter the credentials of the user who have rights to read data from LDAP server.
  7. Click the SAVE button.
  8. In the 'Confirmation of import' window that appears click the OK button to start importing users.

The import process will take some time depending on number of users, groups, computer specifications etc.

Please note: the portal user email will be taken from the Mail Attribute setting. If it is missing, it will be formed in the following way: Login Attribute + @ + LDAP Domain.
  • In case there is a previously created user with such email on the portal, this user will be automatically synchronized with the LDAP user.
  • In case such email does not exist, the user will not receive any portal notifications.

Authenticating LDAP users

Each imported user will be able to sign in to the portal using the login that is formed according to the following schemes:

  • Login Attribute, e.g. Andrew.Stone
  • Login Attribute + @ + LDAP Domain, e.g. Andrew.Stone@example.com
  • LDAP Domain + \ + Login Attribute (incomplete domain names are supported), e.g. example\Andrew.Stone

Imported user profiles in the People module will be marked with the LDAP Icon icon for the portal administrator. The user profile fields that have been imported using LDAP are blocked for editing.

Synchronizing LDAP data

If you change data in your LDAP server (e.g. add new users/groups, rename existing groups or edit some information in a user record), you can easily synchronize the portal data with the new information from your LDAP server. To do that, just click the SYNC button at the bottom of the LDAP page. Alternatively, you can use the SAVE button below the LDAP Settings section.

The information about a separate user will also be synchronized after this user has logged in to the portal.

How to import users from OpenLDAP Server to ONLYOFFICE
Close
Download Host on your own server Available for Docker,
Windows, Linux and virtual machines
You Might Also Like This:
Close