Altering LDAP settings (server version / SaaS version)

ONLYOFFICE Control Panel v3.5 changelog

Version 3.5.2

Release date: 02/29/2024

General

  • Added the ability to restrict access rights to the application files for the Others group.
  • Fixed issue with redirect to the portal main page when opening Control Panel after a day on Ubuntu 22.10.
  • Fixed retrieving data error when opening the backup page.
  • Fixed issue when backup with Mail is not performed after disabling and enabling encryption (added text about stopping services and the instruction to the Help Center).
  • Fixed issue when features are not saved to the new tariff when setting a quota for the portal.
  • Edited sources build.

Version 3.5

Release date: 03/14/2023

General

  • Changed API methods for migration, implemented progressQueue.
  • Changed settings for connecting third-party storages. Added tooltips for fields. Added the 'Server Side Encryption Method' block for Amazon AWS S3.
  • Added logos for dark theme in the Branding section. Logos for the About page are now separate fields in the Advanced tab.
  • Added the ability to set the portal memory quota.

Version 3.1.1

Release date: 08/08/2022

General

  • Fixed issue with file indexing.
  • Fixed elasticsearch container errors when updating ONLYOFFICE Groups.
  • Fixed issue with brand logos after updating in the Docker installation.
  • Fixed texts and layout for the Migration feature.

Version 3.1

Release date: 05/25/2022

General

  • Added the Data Import page that allows importing data from Nextcloud, ownCloud and Google Workspace to ONLYOFFICE Workspace.
  • Moved Elasticsearch to a separate container.
  • Fixed bugs.

Version 3.0

Release date: 06/07/2021

Update

  • Added the license agreement dialog shown when installing Docker components.
  • Fixed the inactive button for uninstalled components (its action downloads and installs the available version).

Search

  • Indexing progress display added.

LoginHistory and AuditTrail

  • New empty screens added.

Restore

  • New checks when restoring data from a local or a 3rd party storage.

SSO

  • SSOAuth was removed from Control Panel. It's now available as a portal setting in Community Server.

General improvements and bug fixes

  • Bugs 47721, 49101, 49187, 49273, 49272, 49324, 46386, 49585 from the internal bugtracker fixed.
  • 3rd party licenses and copyright updated.

Version 2.9.1

Release date: 12/10/2020

Bug fixes

  • Bug Fixes & Performance Improvements.

Version 2.9

Release date: 10/14/2020

General

  • Control Panel is available in the free Community version with all settings except the editors logo replacement;
  • Added the vsyscall check to the installation scripts when installing Mail Server on Debian with kernel 4.18.0 and later;
  • Redesign of the navigation menu: added Common and Portal settings sections, added icons to menu items;
  • Added the advanced rebranding page in the Common Settings;
  • Added the possibility to reindex the full-text search;
  • Updated node.js, updated packages (transition to samlify for SSO);
  • Added the Encryption at rest block in the Storage section;
  • Added the Private Room section for the server version only;
  • Added the upgrade page with a proposal to upgrade to Enterprise Edition;
  • Added the activate page with a possibility to upload a license file;
  • Added the HideAuthPage option to the SSO settings to hide the authorization page. When the HideAuthPage option is enabled, an automatic redirect from the authorization page to the SSO service will occur.

LDAP

  • Added the Sign in to domain option on the authorization page.

Single Sign-on

  • Transition to the new samlify library;
  • Added the HideAuthPage option to the SSO settings to hide the authorization page. When the HideAuthPage option is enabled, an automatic redirect from the authorization page to the SSO service will occur.

Version 2.7

Release date: 04/25/2019

LDAP

  • Added more fields mapped for the users loaded via LDAP: user photo, birthday, contacts, primary phone number;
  • Added the setting to autosync LDAP on schedule;
  • Added the possibility to give administrator rights to the user group at the portal via LDAP;
  • Updated the rules for LDAP users.

Version 2.5.1

Release date: 04/07/2018

LDAP

  • Fixed the Server internal error that occurred when using nested groups (groups enclosed inside each other) in AD (bug #37414).

Single Sign-on

  • Fixed the issue when the user data between the Service Provider and the portal was transferred via HTTP only, even when HTTPS was enabled.

Version 2.4.0

Release date: 01/13/2018

Single Sign-on

  • Fixed the Invalid ssoConfig error which occurred when the link to the IdP contained the question mark '?', e.g.: IdP Single Sign-On Endpoint URL: https://accounts.google.com/o/saml2/idp?idpid=777777;
  • Fixed the Invalid authentication token error which prevented adding a user to the portal via AD FS when the + or - characters were present in the encrypted data being sent.

Version 2.3.0

Release date: 12/15/2017

General

  • Added the changelog for Control Panel and link to it;
  • Fixed the bug when JWT parameters were not sent when updating Document Server (bug #36270);
  • Fixed the bug when Audit Trail heading was present at the login history page (bug #36026);
  • The current machine is now checked for being linked with the domain name for multiple portals.

LDAP

  • Fixed the bug with the LDAP Domain not found error which occurred if the DN record had no DC records (the users with Sun/Oracle DS were affected); now if the LDAP domain could not be specified, the LDAP domain will acquire the unknown value or the ldap.domain value from the web.appsettings.config configuration file;
  • Fixed the bug with the Sizelimit Exceeded error when trying to get more than 1000 users from the Active Directory;
  • Increased the login speed with the Group Membership setting enabled;
  • Added additional logging;
  • Fixed the bug with LDAP operation hanging when using Mono v5.2.0 and older;
  • Fixed the error that occurred when trying to log in using an email address stored in a field other than the Mail Attribute;
  • Fixed the bug with nested groups, when users were not displayed in all of their groups.

Version 2.2.0

Release date: 10/31/2017

General

  • Added the documentserver-prepare4shutdown.sh script launch when updating the document-server for the correct edited document saving.

LDAP

  • Dramatically changed LDAP integration, migrated to the single library for the work with LDAP (Novell.Directory.Ldap.NETStandard, Nuget, MIT);
  • Login and email are now split into two separate fields;
  • Added the support for big data;
  • Increased the speed of work over the LDAP protocol (the connection to the server and the data retrieval are now made once per session, added limits for cases where only a certain number of results is necessary, fixed the slow login with big data, removed the full enumeration previously used to find the SID parameter);
  • Fixed the user re-creation issue;
  • Fixed the duplicate username issue;
  • Fixed the already existing email issue;
  • Replaced the LDAP user deletion with account deactivation (for further data migration and data safety);
  • Instead of re-creating a user with an unknown SID but an existing email the data is updated;
  • Added the attempt to save the correct UserName/Login in case a similar one is already taken on the portal.

Single Sign-on

  • Added the AD FS support;
  • Replaced the Single Sign-on link at the authorization page with the customizable button, added the button customization to the SSO setting of the Control Panel.

Version 2.1.0

Release date: 07/03/2017

HTTPS

  • Added the support of letsencrypt service for the domain certificate generation.

Single Sign-on

  • Added the new sso.auth service;
  • Added the new SSO settings page;
  • Added the support for Shibboleth.

Version 2.0.0

Release date: 05/25/2017

General

  • The Control Panel migrated from MVC to Node.js.

Version 1.6.0

Release date: 12/05/2016

LDAP

  • Added LDAP synchronization for users and groups when saving the settings, after login and using the Sync button;
  • Changed email formation for LDAP users;
  • Fixed the problem of creation of users with invalid emails;
  • Fixed the problem of duplicate users;
  • Added icons and hints to the users in the list for the admin;
  • Blocked editing of the user profile fields imported using LDAP;
  • Added saving of the real LDAP password to the database during login, so that LDAP users become common portal users when LDAP Auth is disabled;
  • Added new API Settings method - Sync LDAP;
  • Added new translations;
  • Bug fixes.

Version for Windows

  • Made changes at the Update page for the Control Panel for Windows;
  • Updates are performed using the downloaded installation packages for each module;
  • The currently installed component version numbers are obtained via an API request to the Community Server;
  • The new versions available for download are obtained via a request to the https://download.onlyoffice.com/install/windows/updates.txt file, where all the latest component version numbers and links for their download are stored in the JSON format.

If you've just deployed ONLYOFFICE Workspace on your server (or your SaaS ONLYOFFICE Workspace service plan stipulates it), the first thing you need to do is to create accounts for all your company employees. But if your company has more than 50 people, creating the portal users one by one will take a lot of time. The Control Panel (server version) or your portal settings (SaaS version) offers the LDAP Settings option which allows you to import the necessary users and groups from an LDAP server (e.g. OpenLDAP Server or Microsoft Active Directory) to your portal, literally, in several minutes. The newly created users, in turn, don't need to memorize new logins and passwords because they will sign in to the portal using the credentials stored on your LDAP server.

Server version: to access the Control Panel, sign in to your portal and click the 'Control Panel' link on the Start Page. Alternatively, go to the portal 'Settings' and click the 'Control Panel' link on the left-side panel. SaaS version: go to the portal Settings and click the 'LDAP Settings' link in the Integration section.

Importing users and groups

Before you start importing: if you connect to an Active Directory with more than 1000 users, you will need to increase the AD limit MaxPageSize (1000 by default) using ntdsutil. The detailed instructions on how this can be done are available here.
  1. Server version: in the Control Panel, open the LDAP page in the PORTAL SETTINGS section. SaaS version: in the Settings of your portal, open the LDAP Settings page in the Integration section on the left sidebar.
  2. Click the Enable LDAP Authentication switcher (use the Show link next to the LDAP Settings title to display the parameter form if it is not the first time you are altering the settings).
  3. Check the Enable StartTLS box if you want to secure your connections by using the StartTLS technology (in this case, the default port 389 is used). Check the Enable SSL box if you want to use the SSL protocol (in this case, the port number will change to 636 automatically).
  4. Fill out the fields necessary for user import (the obligatory fields are marked with an asterisk):
    [Screenshot: LDAP settings - users]
    Warning: if you have already imported some users and then change some of the settings (e.g. Server, User Filter, User DN, Group Filter, Group DN), the existing users that do not match the new settings will be DISABLED together with all their data, including documents, emails, etc. We strongly recommend creating a backup before you change any settings.
    • in the Server field, enter the LDAP server URL address in the form protocol://host, e.g. LDAP://example.com for a regular LDAP connection or LDAPS://example.com for a secure LDAP connection over SSL. You can also specify the server IP address instead of its DNS name: LDAP://192.168.3.202;
    • specify the Port Number that is used to access the LDAP server. The default port for regular LDAP connections is 389. If you have enabled the StartTLS option, the default port 389 is also used. If the SSL option is enabled, the port number automatically changes to 636;
    • in the User DN (User Distinguished Name) field, specify the absolute path to the top-level directory containing the users you want to import. This parameter defines the node where the search starts. You can specify the root directory, e.g. dc=example,dc=com, to search for users within the entire directory, or a certain search area, e.g. ou=groupname,dc=example,dc=com, to search for users within the specified group only;
    • fill out the User Filter field if you need to import only the users who match the specified search criteria. The default filter value matches all users (see the note below for the value used with your directory type);
      You can find the search filter syntax examples here.
    • specify the Login Attribute value (an attribute in a user record that corresponds to the login that LDAP server users will use to log in to ONLYOFFICE).
      Please note: depending on the version you use, the default User Filter and Login Attribute values are preset either for Active Directory or for OpenLDAP Server. Check the values shown in the form and, if they do not match your directory type, set them as follows:
      • Active Directory: User Filter - (userPrincipalName=*), Login Attribute - sAMAccountName
      • OpenLDAP Server: User Filter - (uid=*), Login Attribute - uid
  5. The Attribute Mapping section allows you to set up a correspondence between the user data fields on the portal and the attributes in the LDAP server user record. Click the Add Attribute button, choose the necessary data field from the list and specify the user attribute used in your LDAP server. The following parameters are set by default, but you can change them if it's necessary:
    [Screenshot: LDAP settings - Attribute Mapping]
    • First Name (an attribute in a user record that corresponds to the user's first name)
    • Second Name (an attribute in a user record that corresponds to the user's second name)
    • Mail (an attribute in a user record that corresponds to the user's email address)
    • Title (an attribute in a user record that corresponds to the user's title)
    • Primary Mobile Phone (an attribute in a user record that corresponds to the user's mobile phone number)
    • Location (an attribute in a user record that corresponds to the user's location)

    You can also add the following attributes: Additional Mail, Additional Mobile Phone, Additional Phone, Date of Birth, Profile Photo, Sex, Skype.

  6. Click the Group membership switcher if you want to add groups from the LDAP server to your portal and fill out the necessary fields:
    Please note that if you decide to add groups, only users who belong to at least one group will be added.
    [Screenshot: LDAP settings - groups]
    Warning: the warning from step 4 applies here as well: if you change the Group Filter or Group DN after an import, the existing users that no longer match the new settings will be DISABLED together with all their data, so create a backup first.
    • in the Group DN (Group Distinguished Name) field, specify the absolute path to the top-level directory containing the groups you want to import, e.g. ou=Groups,dc=example,dc=com;
    • fill out the Group Filter field if you need to import only the groups which match the specified search criteria. The default filter value matches all groups (see the note below for the value used with your directory type);
    • the following parameters are set by default, but you can change them if necessary:
      • User Attribute (an attribute that determines whether this user is a member of the groups)
      • Group Name Attribute (an attribute that corresponds to the name of the group where the user is included)
      • Group Member Attribute (an attribute that specifies the users that the group includes)
      Please note: depending on the version you use, the default Group Filter, User Attribute and Group Member Attribute values are preset either for Active Directory or for OpenLDAP Server. Check the values shown in the form and, if they do not match your directory type, set them as follows:
      • Active Directory: Group Filter - (objectClass=group), User Attribute - distinguishedName, Group Member Attribute - member
      • OpenLDAP Server: Group Filter - (objectClass=posixGroup), User Attribute - uid, Group Member Attribute - memberUid
  7. Set up Admin Access Rights Settings: click the corresponding button, select full access and specify the group that should have full administrative rights. Choose a portal module from the list and specify the group that should have administrative rights to the selected module.
  8. Turn on the User Authentication switcher if the current Windows user does not have rights to read from the LDAP server/Active Directory. In the Login and Password fields, enter the credentials of a user who has rights to read data from the LDAP server (set to the current Windows session login and password by default).
  9. Check the Send Welcome Letter box in the Advanced Settings section if you want to send invitations by email to all new users. The welcome message contains a button that allows users to go to the portal login page and activate the email. This option is only available if the mail attribute mapping is configured.
  10. Click the SAVE button.
  11. In the 'Confirmation of import' window that appears click the OK button to start importing users.
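The warning in steps 4 and 6 says that existing users whose entries no longer match a changed User DN or User Filter are disabled. The following Python script is an added example, not ONLYOFFICE code, that lets you preview that outcome offline before clicking SAVE: it parses the filter syntax shown on this page, checks each existing portal user's directory entry against the proposed base DN and filter, and lists who would be disabled. The directory entries, the portal user list and all function names are constructed assumptions; the PRESETS values are the Active Directory / OpenLDAP values quoted in steps 4 and 6.

```python
"""Preview which portal LDAP users would be DISABLED by a new User DN /
User Filter. Added example, not ONLYOFFICE code; sample data is constructed.
Supports the RFC 4515 subset used on this page: (attr=value), (attr=*),
(attr=pre*suf) and the &, |, ! operators."""
import re

# Filter / attribute values quoted on the page for the two directory types.
PRESETS = {
    "active_directory": {"user_filter": "(userPrincipalName=*)",
                         "login_attribute": "sAMAccountName",
                         "group_filter": "(objectClass=group)",
                         "user_attribute": "distinguishedName",
                         "group_member_attribute": "member"},
    "openldap": {"user_filter": "(uid=*)", "login_attribute": "uid",
                 "group_filter": "(objectClass=posixGroup)",
                 "user_attribute": "uid", "group_member_attribute": "memberUid"},
}


def _parse(filt, pos):
    """Parse one parenthesised element at filt[pos]; returns (node, next_pos).
    node is ("and"|"or", [children]), ("not", child) or ("eq", attr, pattern)."""
    if filt[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    op = filt[pos + 1]
    if op in "&|":
        pos, children = pos + 2, []
        while filt[pos] == "(":
            child, pos = _parse(filt, pos)
            children.append(child)
        if filt[pos] != ")" or not children:
            raise ValueError(f"bad {op!r} list at offset {pos}")
        return ("and" if op == "&" else "or", children), pos + 1
    if op == "!":
        child, pos = _parse(filt, pos + 2)
        if filt[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return ("not", child), pos + 1
    end = filt.index(")", pos)  # raises ValueError if unterminated
    attr, eq, pattern = filt[pos + 1:end].partition("=")
    if not attr or not eq:
        raise ValueError(f"expected attr=value at offset {pos}")
    return ("eq", attr.lower(), pattern), end + 1


def parse_filter(filt):
    """Parse a complete filter string; raises ValueError on syntax errors."""
    try:
        node, end = _parse(filt, 0)
    except IndexError:
        raise ValueError("unterminated filter") from None
    if end != len(filt):
        raise ValueError("trailing text after filter")
    return node


def is_valid_filter(filt):
    try:
        parse_filter(filt)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Evaluate a parsed filter against an entry dict (lowercase attribute
    names -> list of values). Values compare case-insensitively, as LDAP does
    for the common string syntaxes."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, pattern = node
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def in_subtree(dn, base_dn):
    """True if dn lies under base_dn (simplified textual suffix comparison)."""
    dn, base_dn = dn.lower().replace(", ", ","), base_dn.lower().replace(", ", ",")
    return dn == base_dn or dn.endswith("," + base_dn)


def preview_disabled(portal_users, directory, user_dn, user_filter):
    """Logins (from a login -> DN map) whose entry is missing, lies outside
    the new User DN, or is rejected by the new User Filter."""
    node = parse_filter(user_filter)
    by_dn = {e["dn"].lower(): e for e in directory}
    disabled = []
    for login, dn in portal_users.items():
        entry = by_dn.get(dn.lower())
        if entry is None or not in_subtree(dn, user_dn) or not matches(node, entry):
            disabled.append(login)
    return sorted(disabled)


def _entry(dn, **attrs):
    e = {k.lower(): [v] if isinstance(v, str) else list(v) for k, v in attrs.items()}
    e["dn"] = dn
    return e


# Constructed sample data standing in for a real directory search.
SAMPLE_DIRECTORY = [
    _entry("cn=Andrew Stone,ou=Staff,dc=example,dc=com", uid="andrew.stone",
           mail="andrew.stone@example.com", objectClass=["inetOrgPerson", "posixAccount"]),
    _entry("cn=Jane Doe,ou=Contractors,dc=example,dc=com", uid="jane.doe",
           objectClass=["inetOrgPerson"]),
    _entry("cn=svc-backup,ou=Staff,dc=example,dc=com", uid="svc-backup",
           objectClass=["account"]),
]
SAMPLE_PORTAL_USERS = {
    "andrew.stone": "cn=Andrew Stone,ou=Staff,dc=example,dc=com",
    "jane.doe": "cn=Jane Doe,ou=Contractors,dc=example,dc=com",
    "svc-backup": "cn=svc-backup,ou=Staff,dc=example,dc=com",
}
```

Running preview_disabled(SAMPLE_PORTAL_USERS, SAMPLE_DIRECTORY, "ou=Staff,dc=example,dc=com", "(uid=*)") shows that narrowing the User DN to ou=Staff would disable jane.doe, and using the Active Directory preset filter against these OpenLDAP-style entries would disable everyone, which is exactly the mismatch the note in step 4 warns about. In a real check, replace the sample lists with an ldapsearch export of the entries and the portal's current LDAP users.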

The import process will take some time depending on the number of users, groups, computer specifications, etc.

Please note: the portal user email will be taken from the Mail Attribute setting. If it is missing, the email is formed in the following way: Login Attribute + @ + LDAP Domain.
  • If a user with this email already exists on the portal, that user will be automatically synchronized with the LDAP user.
  • If the resulting email address does not actually exist, the user will not receive any portal notifications.

There are some special features starting from Community Server v. 10.0 (server version) / SaaS v. 11.5:

  • the portal owner is not affected by changing access rights via LDAP;
  • if the portal owner has been excluded from the user/group filter, the owner ceases to be an LDAP user but always remains active;
  • when LDAP is disabled, all access rights granted to users via LDAP are revoked;
    • if the user who disabled LDAP would lose admin rights as a result, their admin rights are unaffected and the user receives a notification;
  • if a user has been excluded from the user/group filter, the user remains active and receives a notification that the LDAP password is no longer active and should be changed on the profile settings page;
  • if a user attempts to take away admin rights from themselves (either via the access rights settings or by excluding themselves from the user/group filter), their admin rights are unaffected and the user receives a notification.

Authenticating LDAP users

Each imported user will be able to sign in to the portal using the login that is formed according to the following schemes:

  • Login Attribute, e.g. Andrew.Stone
  • Login Attribute + @ + LDAP Domain, e.g. Andrew.Stone@example.com
  • LDAP Domain + \ + Login Attribute (incomplete domain names are supported), e.g. example\Andrew.Stone
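The three login forms listed above, together with the email fallback (Login Attribute + @ + LDAP Domain) described in the import notes, are easy to get wrong when checking an import plan. The following Python code is an added example, not ONLYOFFICE code: it normalizes what a user types into the Login Attribute value, derives the portal email the way the notes describe, and decides whether each entry would link to an existing portal account or create a new one. The function names, the rule used to accept an incomplete domain prefix (the prefix must equal the domain or its leading labels) and the sample entries are assumptions.

```python
"""Normalize LDAP sign-in forms and derive the portal email for imported
users. Added example, not ONLYOFFICE code; sample data is constructed."""


def parse_ldap_login(typed, ldap_domain):
    """Return (login_attribute_value, domain_ok) for the typed login.

    Accepted forms: 'login', 'login@domain' and 'domain\\login'. For the
    backslash form an incomplete domain name such as 'example' for
    'example.com' is accepted (assumed rule: equal to the domain or to its
    leading labels); anything else is reported as domain_ok=False."""
    typed = typed.strip()
    domain = ldap_domain.lower()
    if "\\" in typed:
        prefix, _, login = typed.partition("\\")
        prefix = prefix.lower()
        return login, domain == prefix or domain.startswith(prefix + ".")
    if "@" in typed:
        login, _, suffix = typed.rpartition("@")
        return login, suffix.lower() == domain
    return typed, True


def portal_email(entry, ldap_domain, login_attribute="uid", mail_attribute="mail"):
    """Mapped Mail attribute if present, otherwise Login Attribute + '@' +
    LDAP Domain, the fallback the import notes describe."""
    mail = entry.get(mail_attribute)
    return mail if mail else f"{entry[login_attribute]}@{ldap_domain}"


def plan_import(entries, existing_portal_emails, ldap_domain, **mapping):
    """Per entry: 'sync existing' when a portal account with the same email
    (compared case-insensitively) already exists, else 'create'."""
    existing = {e.lower() for e in existing_portal_emails}
    plan = {}
    for entry in entries:
        email = portal_email(entry, ldap_domain, **mapping)
        plan[email] = "sync existing" if email.lower() in existing else "create"
    return plan


# Constructed sample entries (OpenLDAP-style attribute names).
SAMPLE_ENTRIES = [
    {"uid": "Andrew.Stone", "mail": "andrew.stone@example.com"},
    {"uid": "jane.doe"},  # no mail attribute -> fallback email
]
```

With mapping login_attribute="sAMAccountName" the same plan_import call works for Active Directory entries; the second entry above shows why an unmapped Mail attribute matters: the fallback address jane.doe@example.com is only useful for notifications if that mailbox really exists.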

On the authorization page, the Sign in to domain option is available; with it enabled, the password is transferred in explicit (clear) form so that it can be checked against the domain, so the portal should be accessed over HTTPS in this case. Portal users outside of the domain can uncheck this setting; the password is then transferred in a hashed form.

[Screenshot: Authenticating LDAP users]

Imported user profiles in the People module will be marked with the LDAP icon for the portal administrator. The user profile fields that have been imported using LDAP are blocked for editing.

Synchronizing LDAP data

If you change data in your LDAP server (e.g. add new users/groups, rename existing groups or edit some information in a user record), you can easily synchronize the portal data with the new information from your LDAP server.

To adjust the synchronization options, turn on the Auto Sync switcher and set the time for the automatic synchronization: you can synchronize data every hour at the specified minute, every day at a specified time, or every week or month on a specified day and time. Click Save to apply the settings. It's also possible to synchronize data manually by clicking the SYNC (Sync users) button at the bottom of the LDAP page. Alternatively, you can use the SAVE button below the LDAP Settings section.

The information about a separate user will also be synchronized after this user has logged in to the portal.
