LDAP/Microsoft Active Directory

LDAP Introduction

LDAP can hold any kind of data, but it is usually used to provide a central repository of user information and passwords. This lets other enterprise applications check passwords against a single LDAP repository rather than each application storing them individually, which reduces maintenance costs and improves security.

In addition to login names and passwords, Agiloft allows other information, such as email addresses, groups, teams and custom fields to be mapped between LDAP attributes and their equivalents in Agiloft.

The use of LDAP for more than login/passwords provides some interesting challenges for Agiloft as detailed below:

1) Both LDAP and Agiloft may contain custom attributes (also known as fields). Unfortunately, there is no way to find all the custom attributes in an LDAP database other than by reading the users one by one and noting their attributes. For LDAP databases with hundreds of thousands of users, this could take hours.

Agiloft resolves this problem by searching the first 1,000 users for attributes and asking the administrator to nominate one user that contains any additional attributes that must be mapped. The actual values of the attributes in this user do not matter; they just need to exist. For example, if the user has a Telephone Number attribute of 0, the system will add Telephone Number to the list of mappable attributes.

2) Workflow rules that send email to a Team need to know which users belong to which teams. Agiloft can instantly search its own tables with an SQL query to find all the matching users, but there is no way to perform an equivalent search on the LDAP database. Instead it would be necessary to read every LDAP user in turn to determine whether they were a member of that team, which for large LDAP repositories would be very slow.

This class of issue is resolved as follows: when a user logs into Agiloft using LDAP authentication, a dummy entry is created for them in the Agiloft user table, and the data cached in this entry is refreshed from LDAP each time they subsequently log in. This allows the system to find Team members rapidly and avoids unnecessary calls to the LDAP server. Password information is not cached, so centralized password control is maintained.

This strategy means that Team emails are automatically restricted to those LDAP users who actually use Agiloft. If you want every LDAP user to receive email, you can configure Agiloft to sync with LDAP automatically at regular intervals, or have each user log in at least once. Some administrators, however, see the restriction as an advantage, since users who do not use Agiloft may not expect to receive email from it.

LDAP Integration

LDAP can be used by Agiloft in three ways:

LDAP Mapping Wizard

LDAP attribute      Agiloft field
sAMAccountName      Login
givenName           First Name
sn (surname)        Last Name
name                Full Name
mail                Email
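As an added illustration (not Agiloft's own code), the Python below models the mechanisms described on this page on constructed sample entries: attribute discovery from the first 1,000 users plus an administrator-nominated user, the local user record that is refreshed on each LDAP login with password attributes excluded, and the attribute mapping from the table above. The memberOf to Teams mapping row, the password attribute names and the sample entries are assumptions made for the example.

```python
from typing import Dict, Iterable, List, Optional

# Mapping from the page's table (LDAP attribute -> Agiloft field); the
# memberOf -> Teams row is an assumption added for the team lookup below.
DEFAULT_MAPPING = {"sAMAccountName": "Login", "givenName": "First Name",
                   "sn": "Last Name", "name": "Full Name", "mail": "Email",
                   "memberOf": "Teams"}
SECRET_ATTRIBUTES = {"unicodePwd", "userPassword"}  # assumed password attributes
SCAN_LIMIT = 1000  # the page: the first 1,000 users are scanned for attributes
# Constructed sample entries standing in for LDAP search results.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe", "name": "Jane Doe",
     "mail": "jdoe@example.com", "memberOf": ["Support"], "unicodePwd": b"secret"},
    {"sAMAccountName": "bsmith", "givenName": "Bob", "sn": "Smith", "name": "Bob Smith",
     "mail": "bsmith@example.com", "memberOf": ["Sales", "Support"]},
]
NOMINATED_USER = {"sAMAccountName": "tmpl", "telephoneNumber": "0"}  # value irrelevant


def discover_attributes(entries: Iterable[dict], nominated: Optional[dict] = None) -> List[str]:
    """Attributes on the first SCAN_LIMIT entries plus a nominated entry; presence counts, not value."""
    found = set()
    for i, entry in enumerate(entries):
        if i >= SCAN_LIMIT:
            break
        found.update(entry.keys())
    if nominated:
        found.update(nominated.keys())
    return sorted(found - SECRET_ATTRIBUTES)


def build_cached_user(entry: dict, mapping: dict = DEFAULT_MAPPING) -> Dict[str, object]:
    """Local record refreshed on every LDAP login; passwords are never copied, so auth stays in LDAP."""
    record = {}
    for ldap_attr, field in mapping.items():
        if ldap_attr in SECRET_ATTRIBUTES:
            raise ValueError(f"refusing to cache credential attribute {ldap_attr}")
        if ldap_attr in entry:
            record[field] = entry[ldap_attr]
    return record


def refresh_on_login(cache: dict, entry: dict) -> dict:
    """Create the dummy entry on first login, overwrite it on later logins."""
    record = build_cached_user(entry)
    cache[record["Login"]] = record
    return record


def team_members(cache: dict, team: str) -> List[str]:
    """Team lookup served from the local cache, with no LDAP search."""
    return sorted(login for login, rec in cache.items() if team in rec.get("Teams", []))
```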

See Also:

Groups

Teams