You can synchronize your users and groups from an Active Directory or LDAP user directory.
When syncing a user directory, groups and users are handled in two separate steps: groups are synced first, then users. Users can only be added to groups that were synced in the first step. However, all users matching the user filters are synced, whether or not they belong to any of the synced groups.
- Go to Administration > User directories
- Select Create user directory to add a new user directory
- Enter a name
- Choose a type: Active Directory or LDAP
- Fill out the fields on each tab as detailed below
Connection
- Hostname: Enter the server that manages your user directory.
- Port: Enter a port. The default LDAP port is 389. The default port for encrypted SSL communication is 636.
- SSL: If you check SSL, your directory server must present a certificate issued by a publicly trusted CA. It's not possible to use a self-signed certificate with the Haiilo cloud.
- AD Domain (only if Active Directory is selected as the type in step 4): Enter a domain if you want to limit access to your platform to users with emails from a specific domain, such as haiilo.com.
- Base DN: Enter the base distinguished name. This indicates which specific area of your user directory you want to provision. Optionally, additional DNs can be specified under the User and Groups tabs to more precisely define which users or groups are provisioned.
- Username: Enter the username of a user in the user directory with sufficient read permission for the objects that will be synchronized (Bind DN).
- Password: The password for the above username.
- Select Test Connection to check if your directory is accessible with the entered settings.
User
These settings define which users are synchronized. If they are left empty, the whole directory is searched.
- Additional user DN: Enter additional DNs to narrow down the users that are searched. This is added to the previously configured Base DN.
- User object class: Enter the object class to search for, preferably "person" so that only person objects are returned.
- User object filter: Enter an LDAP filter to synchronize only users of certain groups. Users who are no longer members of this group are treated as orphaned users. More complex filters are also possible. Due to the limitations of the LDAP protocol, wildcards cannot be used for DN attributes.
- Remove local groups: Check if you want to remove the synced users from any local groups they've been manually added to.
- Remove other directory groups: Check if you want to remove the synced users from any other user directory groups they've been manually added to.
- User unique ID: We recommend using only "objectGUID" because this attribute is unique and doesn't change.
- The remaining fields are optional. If you want to map them, we suggest using the placeholder or recommended values. Additionally, you can synchronize users' profile fields from your directory.
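The User object class and User object filter fields end up in an LDAP search filter. The following is an added example, not Haiilo's code, showing how such a filter is assembled in Python with RFC 4515 escaping so that a group DN or any other value pasted into the filter cannot change its structure; it also shows why a wildcard in a DN attribute is matched literally. The group DN and the Active Directory disabled-account clause are illustrative assumptions.

```python
# Added example (not Haiilo's code): building a "User object filter" safely.
# RFC 4515 requires \ * ( ) and NUL to be escaped inside an assertion value.
# An escaped "*" is matched literally, which is also why a wildcard cannot be
# used against a DN-valued attribute such as memberOf.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality(attribute: str, value: str) -> str:
    return f"({attribute}={escape_filter_value(value)})"


def and_filter(*parts: str) -> str:
    return "(&" + "".join(parts) + ")"


def or_filter(*parts: str) -> str:
    return "(|" + "".join(parts) + ")"


def not_filter(part: str) -> str:
    return f"(!{part})"


def member_of_filter(object_class: str, *group_dns: str) -> str:
    """Users of `object_class` that are direct members of any of the listed groups.

    The group DNs passed in are assumed values; use DNs from your own directory.
    """
    clauses = [equality("memberOf", dn) for dn in group_dns]
    members = clauses[0] if len(clauses) == 1 else or_filter(*clauses)
    return and_filter(equality("objectClass", object_class), members)


# Active Directory only: exclude accounts with the ACCOUNTDISABLE bit (0x2) set,
# using the LDAP_MATCHING_RULE_BIT_AND rule OID 1.2.840.113556.1.4.803.
AD_ENABLED_ONLY = not_filter("(userAccountControl:1.2.840.113556.1.4.803:=2)")


def staff_filter(group_dn: str) -> str:
    """A "more complex" filter: persons in the group, enabled accounts only."""
    return and_filter(member_of_filter("person", group_dn), AD_ENABLED_ONLY)


if __name__ == "__main__":
    print(member_of_filter("person", "CN=Staff,OU=Groups,DC=example,DC=com"))
    print(staff_filter("CN=Staff,OU=Groups,DC=example,DC=com"))
```

Because `memberOf` only holds direct memberships, the filter (like the sync itself) does not see nested groups; list each group DN explicitly if users are organised in sub-groups.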
Groups
- To synchronize groups from a user directory, check Synchronize groups.
- Additional group DN: Enter the location that defines the groups.
- Group object class: Enter the class of groups to search for.
- Group object filter: Enter an LDAP filter to synchronize only certain groups.
- Group unique ID and Group displayname: Haiilo compares these against the users' membership values to determine group memberships. If a value matches, the user is assigned to this group. Nested groups aren't considered.
- User attribute for group memberships: If you use OpenLDAP, this field must be specified.
- Preserve groups: If Synchronize groups is disabled, you can check this field to preserve any previously synced groups for this specific user directory. This way, you can freeze the previously synced groups. If left unchecked, any previously synced groups and their memberships will be removed in the next sync.
Synchronization
- Page size: Defines how many items are synchronized per query. The LDAP protocol limit is 1000, so don't choose a higher value.
- Follow referrals: Users can be stored in the directory as a reference to another domain or directory; check this option to follow such references. Referrals allow, for example, a directory tree to be partitioned and distributed across multiple LDAP servers: a server need not store the entire directory information tree, but can hold references to other LDAP servers that provide the requested information instead.
- Example: When Haiilo Home synchronizes with a directory, an LDAP server can refer you to another server by returning referrals. A referral is an entry with the referral objectClass that contains at least one attribute named ref, whose value is an LDAP URL of the referred entry on another LDAP server.
- If your sync times out ("timeout error"), the cause may be a referral that isn't reachable or for which you don't have sufficient permissions.
- Activation: If checked, new and restored users are activated during synchronization. Otherwise, you have to manually set the status of the users to Active in the user management.
- Just-in-time sync: If checked, users are only created and their data synchronized when they log in. This setting makes sense if only users who actually log in are to be imported. For this, scheduled synchronization should be disabled so that users aren't all created in Haiilo ahead of time.
- Orphaned users: Choose what happens to users that currently exist as active users on Haiilo, but no longer exist in the user directory. If you choose Ignore, they will remain unchanged.
- Restore users: If checked, a user who has been deactivated or deleted from Haiilo but is present again in the user directory during the sync will be reactivated. It's not possible to restore anonymized users. A previously anonymized user can only be created as a new user.
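To tie the Groups and Synchronization settings together, here is an added example, not Haiilo's code, that models the sync order described at the top of the page (groups first, then users, with direct memberships matched on Group unique ID or Group displayname) together with the Activation, Orphaned users and Restore users options, run on constructed sample data. The status names, and any Orphaned users option other than Ignore, are assumptions made for the illustration.

```python
# Added example (not Haiilo's code): a model of the two-step sync described
# above. Step 1 syncs groups; step 2 syncs users and can only assign groups
# from step 1, by direct membership (nested groups are not resolved).
# Status names and the "deactivate" option for orphaned users are assumed.
from dataclasses import dataclass, field, replace

@dataclass
class DirGroup:               # constructed directory entry
    unique_id: str
    display_name: str

@dataclass
class DirUser:                # constructed directory entry
    object_guid: str
    username: str
    member_of: list           # values of the user's group-membership attribute

@dataclass
class LocalUser:
    object_guid: str
    username: str
    status: str               # active | inactive | deactivated | deleted | anonymized
    groups: set = field(default_factory=set)

@dataclass
class SyncSettings:
    activation: bool = True
    restore_users: bool = True
    orphaned_users: str = "ignore"   # "ignore" or "deactivate" (assumed names)

def sync_groups(directory_groups):
    """Step 1: the only groups the user step may assign, keyed by unique ID."""
    return {g.unique_id: g for g in directory_groups}

def resolve_memberships(user, synced_groups):
    """Assign a group when a membership value equals its unique ID or display name."""
    assigned = set()
    for value in user.member_of:
        for g in synced_groups.values():
            if value in (g.unique_id, g.display_name):
                assigned.add(g.unique_id)
    return assigned

def sync_users(directory_users, local_users, synced_groups, settings):
    """Step 2: create, restore and update users, then handle orphans."""
    by_guid = {u.object_guid: u for u in local_users}
    result = list(local_users)
    seen = set()
    new_status = "active" if settings.activation else "inactive"
    for du in directory_users:
        seen.add(du.object_guid)
        local = by_guid.get(du.object_guid)
        groups = resolve_memberships(du, synced_groups)
        if local is None or local.status == "anonymized":
            # anonymized records are never restored; a fresh user is created instead
            result.append(LocalUser(du.object_guid, du.username, new_status, groups))
            continue
        if local.status in ("deactivated", "deleted"):
            if not settings.restore_users:
                continue              # left untouched
            local.status = new_status
        local.username = du.username  # existing user: refresh data and memberships
        local.groups = groups
    for lu in result:                 # orphans: active locally, gone from the directory
        if lu.object_guid not in seen and lu.status == "active":
            if settings.orphaned_users == "deactivate":
                lu.status = "deactivated"
    return result

# Constructed sample data.
DIRECTORY_GROUPS = [DirGroup("g-1", "Staff"), DirGroup("g-2", "Admins")]
DIRECTORY_USERS = [
    DirUser("guid-alice", "alice", ["Staff", "g-2"]),
    DirUser("guid-bob", "bob", ["Staff", "Contractors"]),  # Contractors was not synced
    DirUser("guid-dave", "dave", ["Staff"]),
]
LOCAL_USERS = [
    LocalUser("guid-alice", "alice", "deactivated", {"g-1"}),
    LocalUser("guid-carol", "carol", "active", {"g-1"}),   # no longer in the directory
    LocalUser("guid-dave", "dave", "anonymized"),
]

def run_example(settings=SyncSettings()):
    """Run one sync against copies of the sample state and return the result."""
    local = [replace(u, groups=set(u.groups)) for u in LOCAL_USERS]
    return sync_users(DIRECTORY_USERS, local, sync_groups(DIRECTORY_GROUPS), settings)

if __name__ == "__main__":
    for u in run_example():
        print(u.object_guid, u.status, sorted(u.groups))
```

With the defaults, alice is restored and lands in both groups, bob is created but only joins Staff because Contractors was never synced, carol stays untouched as an ignored orphan, and the anonymized dave record is left alone while a new dave is created.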
Scheduling
- Choose the synchronization frequency. If you choose Disabled, you have to run the sync manually.