Altering LDAP settings in the SaaS version
If your SaaS service plan stipulates it, the first thing you need to do is create accounts for all your company employees. If the company has more than 50 employees, creating portal users one by one takes a lot of time. The LDAP Settings option lets you import the necessary users and groups from an LDAP server (e.g., OpenLDAP Server or Microsoft Active Directory) to your portal in several minutes. The newly created users do not need to memorize new logins and passwords, because they sign in to the portal with the credentials stored on your LDAP server.
Go to the portal Settings and click the 'LDAP Settings' link in the Integration section.
Importing users and groups
MaxPageSize = 1000
using the ntdsutil. The detailed instructions on how this can be done are available here.
- In the Settings of your portal, open the LDAP Settings page in the Integration section on the left sidebar.
- Click the Enable LDAP Authentication switcher (use the Show link next to the LDAP Settings title to display the parameter form if it is not the first time you are altering the settings).
- Check the StartTLS box if you want to secure your connections by using the StartTLS technology (in this case, the default port 389 is used). Check the Enable SSL box if you want to use the SSL protocol (in this case, the port number will change to 636 automatically).
- Fill out the fields necessary for user import (the obligatory fields are marked with an asterisk):
Warning: Please note that if you have already imported some users and then change some of the settings (e.g., Server, User Filter, User DN, Group Filter, Group DN), the existing users who do not match the new settings will be DISABLED, together with all their data, including documents, emails, etc. We strongly recommend creating a backup before you change any settings.
- in the Server field, enter the LDAP server URL address in the form protocol://host, e.g., LDAP://example.com for a regular LDAP connection or LDAPS://example.com for a secure LDAP connection over SSL. You can also specify the server IP address instead of its DNS name: LDAP://192.168.3.202;
- specify a Port Number that is used to access the LDAP server. The default port for regular LDAP connections is 389. If you have enabled the StartTLS option, the default port 389 is also used. If the SSL option is enabled, the port number automatically changes to 636;
- in the User DN (User Distinguished Name) field, specify the absolute path to the top-level directory containing the users you want to import. This parameter defines the node where the search starts. You can specify the root directory, e.g., dc=example,dc=com, to search for users within the entire directory, or specify a certain search area, e.g., ou=groupname,dc=example,dc=com, to search for users within the specified group;
- specify the Login Attribute value (an attribute in a user record that corresponds to the login that LDAP server users will use to log in to ONLYOFFICE);
Please note: the default settings are specified for Active Directory. For OpenLDAP Server, you need to change the following settings:
- User Filter - (uid=*)
- Login Attribute - uid
- fill out the User Filter field if you need to import the users who correspond to the specified search criteria. The default filter value (uid=*) allows importing all users. You can find the search filter syntax examples here.
- The Attribute Mapping section allows you to set up a correspondence between the user data fields on the portal and the attributes in the LDAP server user record. Click the Add Attribute button, choose the necessary data field from the list, and specify the user attribute used in your LDAP server. The following parameters are set by default, but you can change them if it's necessary:
- First Name (an attribute in a user record that corresponds to the user's first name)
- Second Name (an attribute in a user record that corresponds to the user's second name)
- Mail (an attribute in a user record that corresponds to the user's email address)
- Title (an attribute in a user record that corresponds to the user's title)
- Primary Mobile Phone (an attribute in a user record that corresponds to the user's mobile phone number)
- Location (an attribute in a user record that corresponds to the user's location)
You can also add the following attributes: Date of Birth, Sex, Profile Photo, Additional Phone, Additional Mobile, Additional Mail, Skype.
- Click the Group membership switcher if you want to add groups from the LDAP server to your portal and fill out the necessary fields:
Please note that if you decide to add groups, only users who belong to at least one group will be added.
- in the Group DN (Group Distinguished Name) field, specify the absolute path to the top-level directory containing groups you want to import, e.g., ou=Groups,dc=example,dc=com;
- User Attribute (an attribute that determines whether this user is a member of the groups);
- fill out the Group Filter field if you need to import the groups that correspond to the specified search criteria. The default filter value (objectClass=group) allows importing all groups;
- the following parameters are set by default, but you can change them if it's necessary:
- Group Name Attribute (an attribute that corresponds to a name of the group where the user is included)
- Group Attribute (an attribute that specifies the users that the group includes)
Please note: the default settings are specified for Active Directory. For OpenLDAP Server, you need to change the following settings:
- Group Filter - (objectClass=posixGroup)
- User Attribute - uid
- Group Member Attribute - memberUid
- Turn on the User Authentication switcher if the current Windows user does not have rights to read from the LDAP server/Active Directory. In the Login and Password fields, enter the credentials of the user who has rights to read data from the LDAP server (set to the current Windows session login and password by default).
- Check the Send Welcome Letter box in the Advanced Settings section if you want to send invitations by email to all new users. The welcome message contains a button that allows users to go to the portal login page and activate the email. This option is only available if the mail attribute mapping is configured.
- Click the SAVE button.
- In the 'Confirmation of import' window that appears, click the OK button to start importing users.
The import process will take some time depending on the number of users, groups, computer specifications, etc.
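Because changing User DN, User Filter, Group DN or Group Filter disables accounts that no longer match, it helps to preview the effect of a change before clicking SAVE. The following is an added example, not ONLYOFFICE code: it evaluates an old and a new set of settings over a constructed OpenLDAP-style directory and lists the logins that would stop matching. It assumes subtree search from the DN, simple single-assertion filters only, and the "at least one group" rule described above; the function names and sample entries are hypothetical.

```python
# Added example (not portal code): preview which accounts a settings change drops.

def in_subtree(dn, base):
    """True if dn is base or below it (case-insensitive; no escaped commas)."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

def vals(entry, attr):
    return entry.get(attr.lower(), [])

def matches(entry, flt):
    """Single-assertion filters only: presence (attr=*) or equality (attr=value)."""
    attr, _, want = flt.strip().strip("()").partition("=")
    have = [v.lower() for v in vals(entry, attr)]
    return bool(have) if want == "*" else want.lower() in have

def importable(entries, s):
    """Logins selected by settings s, under the semantics assumed in the lead-in."""
    members = None
    if s.get("group_dn"):  # Group membership switcher on
        members = {m for g in entries
                   if in_subtree(g["dn"], s["group_dn"]) and matches(g, s["group_filter"])
                   for m in vals(g, s["group_member_attr"])}
    logins = set()
    for e in entries:
        if not (in_subtree(e["dn"], s["user_dn"]) and matches(e, s["user_filter"])):
            continue
        if members is not None and not members & set(vals(e, s["user_attr"])):
            continue  # users in no imported group are not added
        logins.update(vals(e, s["login_attr"])[:1])
    return logins

def would_disable(entries, old, new):
    """Logins matched by the old settings but not by the new ones."""
    return sorted(importable(entries, old) - importable(entries, new))

ENTRIES = [  # constructed OpenLDAP-style entries, attribute names lower-cased
    {"dn": "uid=astone,ou=People,dc=example,dc=com", "uid": ["astone"]},
    {"dn": "uid=bwong,ou=People,dc=example,dc=com", "uid": ["bwong"]},
    {"dn": "uid=svc-backup,ou=Services,dc=example,dc=com", "uid": ["svc-backup"]},
    {"dn": "cn=staff,ou=Groups,dc=example,dc=com",
     "objectclass": ["posixGroup"], "memberuid": ["astone"]},
]
OLD = {"user_dn": "dc=example,dc=com", "user_filter": "(uid=*)", "login_attr": "uid"}
NEW = dict(OLD, user_dn="ou=People,dc=example,dc=com", user_attr="uid",
           group_dn="ou=Groups,dc=example,dc=com",
           group_filter="(objectClass=posixGroup)", group_member_attr="memberUid")
print(would_disable(ENTRIES, OLD, NEW))
```

In practice the entries would come from an export of your own directory; here narrowing User DN to ou=People and turning on group membership drops one user who is in no group and one service account outside the new search base.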
Login Attribute + @ + LDAP Domain.
- In case there is a previously created user with such email on the portal, this user will be automatically synchronized with the LDAP user.
- In case such an email does not exist, the user will not receive any portal notifications.
There are some special features starting from SaaS v. 11.5:
- the portal owner is not affected by changing access rights via LDAP;
- if the portal owner has been excluded from the user/group filter, he ceases to be an LDAP user but always remains active;
- when disabling LDAP, all access rights provided for users via LDAP are taken away;
- if the user who has disabled LDAP should lose admin rights, his admin rights are unaffected and the user receives a notification;
- if a user has been excluded from the user/group filter, he remains active and receives a notification that the LDAP password is no longer active and it should be changed at the profile settings page;
- if a user attempts to take away admin rights from himself (both via access rights settings and by excluding himself from the user/group filter), his admin rights are unaffected, and the user receives a notification.
Authenticating LDAP users
Each imported user will be able to sign in to the portal using the login that is formed according to the following schemes:
- Login Attribute, e.g., Andrew.Stone
- Login Attribute + @ + LDAP Domain, e.g., Andrew.Stone@example.com
- LDAP Domain + \ + Login Attribute (incomplete domain names are supported), e.g., example\Andrew.Stone
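Since one account can sign in under three different strings, sign-in logs need to be normalized before failed attempts are counted per account. The following is an added example, not ONLYOFFICE code: it maps the three forms above to one identity and tallies failures over constructed events. It assumes that an "incomplete" domain is a leading part of the LDAP domain cut at a dot and that logins compare case-insensitively; the function names and the event format are hypothetical.

```python
# Added example: map the three sign-in forms to one identity for log correlation.

def canonical_login(raw, ldap_domain):
    """Return the Login Attribute part, or None if the domain does not match."""
    raw, domain = raw.strip(), ldap_domain.lower()
    if "\\" in raw:                      # LDAP Domain + \ + Login Attribute
        prefix, _, login = raw.partition("\\")
        prefix = prefix.lower()
        # Assumption: "example" is accepted as an incomplete form of "example.com".
        ok = prefix == domain or domain.startswith(prefix + ".")
    elif "@" in raw:                     # Login Attribute + @ + LDAP Domain
        login, _, suffix = raw.rpartition("@")
        ok = suffix.lower() == domain
    else:                                # bare Login Attribute
        login, ok = raw, True
    return login.lower() if ok and login else None

def failed_signins_by_account(events, ldap_domain):
    """Count failed sign-ins per account; unrecognized forms keep their raw string."""
    counts = {}
    for raw, outcome in events:
        if outcome != "fail":
            continue
        key = canonical_login(raw, ldap_domain) or raw
        counts[key] = counts.get(key, 0) + 1
    return counts

EVENTS = [  # constructed sign-in records: (login as typed, outcome)
    ("Andrew.Stone", "fail"),
    ("example\\Andrew.Stone", "fail"),
    ("andrew.stone@example.com", "fail"),
    ("Andrew.Stone@other.org", "fail"),
    ("Andrew.Stone", "ok"),
]
print(failed_signins_by_account(EVENTS, "example.com"))
```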
On the authorization page, the Sign in to domain option is available, which allows transferring a password in an explicit form. Portal users outside of the domain can uncheck this setting. In such a case, a password will be transferred in a hashed form.


Imported user profiles in the People module will be marked with the LDAP icon for the portal administrator. The user profile fields that have been imported using LDAP are blocked for editing.
Synchronizing LDAP data
If you change data in your LDAP server (e.g., add new users/groups, rename existing groups, or edit some information in a user record), you can easily synchronize the portal data with the new information from your LDAP server.
To adjust the synchronization options, turn on the Auto Sync switcher and set the necessary time to perform the automatic synchronization: you can synchronize data every hour at specified minutes, or every day at a specified time, as well as every week or month at a specified day and time. Click Save to apply the settings. It's also possible to synchronize data manually by clicking the Sync users button at the bottom of the LDAP page. Alternatively, you can use the SAVE button below the LDAP Settings section.
The information about a separate user will also be synchronized after this user has logged in to the portal.