(Versions 7+)
This guide describes how to use Active Directory or OpenLDAP with Password Server.
In this guide, we assume a scenario where Mr. Smith is an admin who has a directory server with srv.mydomain as its domain, two groups (Finance and HR), and two users (sbrown in Finance and rlee in HR).
Related Topics:
The first step is to add a user directory entry in:
Users & Roles > Manage Directories
On this page, you can create a new entry by pressing:
Add New LDAP Directory button - to connect to an OpenLDAP or similar LDAP directory server.
A directory page will open with some default values initialized which will be appropriate for the type of directory you selected. These should be reviewed to ensure that they are appropriate for your situation and may be edited later if changes are required.
Most fields will display a pop-up help item when you either select the text field or mouse over the "?" icon.
Name: This is a name for the directory which will be used elsewhere in Password Server to refer to this directory connection.
Authentication Type: The authentication method used when connecting to the directory server.
Other LDAP servers may use Kerberos or Basic, depending on configuration.
Alias: The directory identifying portion of a fully-qualified username (user@alias). This is used to resolve conflicts with local users or users from multiple directories.
The username "sbrown@mydomain" will properly refer to the imported sbrown user.
Host: The host name or address of the directory server. This may be a specific machine name or IP address, or a DNS entry that resolves to a directory server. This value is used to connect to the directory service.
Specifying the domain of your directory instead of the address of a single DC (Domain Controller) allows the connection to fail over if that DC is busy or unavailable; LDAP/AD will resolve and load-balance to an appropriate connection.
Port: The port number to use when connecting to the directory server.
Use SSL: Connecting using TLS/SSL requires a valid TLS/SSL certificate.
Larger organisations may use multiple domains and forests, which can be set up with Password Server. There are a couple of different options to handle this scenario:
Select a credential to use when connecting to the directory server for administrative operations, either by:
A) using system or anonymous credentials, or
B) specifying credentials by entering an admin User Name and Password
Use the web server's credentials:
Connect to the directory as the user that the web server is configured to run as. This may require configuring the web server or website application pool to run as a directory user rather than a local user.
Use the following credentials:
Note: Pleasant Password Server does not currently support logging in with a User Principal Name (UPN). Until it does, use a sAMAccountName instead.
All users and roles can be granted access to Password Server by adding them as members of a Security Group (recommended) and filtering on group membership. However, this is not necessary when using the basic directory settings.
Auto Import: When this is checked, a user will be auto-imported into the system when they first log in. Enabling this option requires that Password Server connect to the directory server to search for users.
The system will look for users from the following directory locations:
Directory root
Allow Password Changes (Enterprise+): Setting this will enable the setting of user passwords in the connected directory. For this setting to work correctly, the Admin User Name and Admin Password must specify a user that has permission to set passwords.
Base Distinguished Name: This field is used as the base path from which to import users and groups. We then recommend filtering on group membership.
For example, Mr. Smith might type in "OU=MainBranch,DC=srv,DC=mydomain" to import users from that particular path.
If the path is left empty, the root naming context for the directory will be used.
For most directory connections, especially a large or spread out directory, it's recommended to add all users to one Security Group and use an Additional User Filter (see below: Recommended User Filter).
For many directory connections, adding values for User Relative DN and Group Relative DN will help, as they narrow the scope of the directory search.
User Relative DN: This field is used with the Base Distinguished Name to specify the path from which to import users.
For example, if your Base Distinguished Name is "OU=MainBranch,DC=srv,DC=mydomain", then:
Group Relative DN: This field is used with the Base Distinguished Name to specify the path from which to import groups. For example, if your Base Distinguished Name is "OU=MainBranch,DC=srv,DC=mydomain" then:
"CN=Groups,OU=MainBranch,DC=srv,DC=mydomain"
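The Base Distinguished Name and the Relative DNs above compose into the search bases the directory is queried from, and an entry is only imported if its DN sits under that base. The following is an added example (not Pleasant Password Server's own code) that builds those search bases and checks whether a given entry DN falls inside one. The base DN and CN=Groups value come from this guide; CN=Users as the User Relative DN and the entry DNs are constructed for the example.

```python
"""Compose directory search bases from the Base Distinguished Name plus a
relative DN, and check whether an entry DN lies inside that search base.

Added example, not Pleasant Password Server code. BASE_DN and CN=Groups are
the guide's values; CN=Users and the sample entry DNs are constructed."""

from typing import List

BASE_DN = "OU=MainBranch,DC=srv,DC=mydomain"   # from the guide
USER_RELATIVE_DN = "CN=Users"                  # assumed value for the example
GROUP_RELATIVE_DN = "CN=Groups"                # from the guide


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDN components, honouring backslash-escaped
    commas (RFC 4514), and normalise attribute names and values for a
    case- and whitespace-insensitive comparison."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    normalised = []
    for part in parts:
        attr, _, value = part.partition("=")
        normalised.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalised


def search_base(relative_dn: str, base_dn: str = BASE_DN) -> str:
    """Join a Relative DN onto the Base DN. An empty Relative DN means the
    search starts at the Base DN itself."""
    if not relative_dn.strip():
        return base_dn
    return f"{relative_dn},{base_dn}"


def in_subtree(entry_dn: str, base: str) -> bool:
    """True when entry_dn is at or below base: the base's RDNs must be a
    suffix of the entry's RDNs."""
    entry, root = split_rdns(entry_dn), split_rdns(base)
    return len(entry) >= len(root) and entry[-len(root):] == root


if __name__ == "__main__":
    users_base = search_base(USER_RELATIVE_DN)
    print("user search base:", users_base)
    print(in_subtree(f"CN=sbrown,CN=Users,{BASE_DN}", users_base))      # True
    print(in_subtree(f"CN=Finance,CN=Groups,{BASE_DN}", users_base))    # False
```

The suffix comparison is what makes a narrower Relative DN exclude entries elsewhere in the tree: an account under OU=OtherBranch never matches a base rooted at OU=MainBranch, regardless of how the DN is capitalised or spaced.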
Also Assign Roles from User's Nested Groups (v7.4.0+): Enabled by default. When enabled, users will inherit membership in AD/LDAP groups that have been imported as Roles in the same manner that membership is inherited in the directory.
Active Directory uses a different method to resolve Nested Group membership so its performance is not affected.
Additional filters help to narrow down the scope of the directory search for Users or Groups and may provide better manageability and performance.
See a list of Directory Search Filters
Recommended User Filter (matches users that are members of the PPassUsers group, directly or through nested groups):
(memberOf:1.2.840.113556.1.4.1941:=CN=PPassUsers,OU=MainBranch,DC=srv,DC=mydomain)
For more details: see AD User Filter for Group Membership
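Both the nested-group role inheritance described above and the recommended user filter depend on transitive group membership: in Active Directory the `memberOf:1.2.840.113556.1.4.1941:=` matching rule (LDAP_MATCHING_RULE_IN_CHAIN) makes the server walk the nesting chain, while an OpenLDAP deployment without such a rule has to walk it client-side. The following added example (not Pleasant Password Server's or Microsoft's code) does that walk over a constructed in-memory directory, with cycle protection, and uses it both to evaluate the recommended filter and to show which imported Roles a user receives with the nested-groups option on versus off. The Finance, HR and PPassUsers group names and the sbrown/rlee users are from this guide; the AllStaff and Contractors groups, the tnguyen user and the group nesting are constructed.

```python
"""Transitive (nested) group membership resolved client-side, the way
Active Directory's memberOf:1.2.840.113556.1.4.1941:= filter does on the
server. Added example, not Pleasant Password Server code; the directory
below is constructed and the nesting is assumed."""

from typing import Dict, FrozenSet, Iterable, List, Set

BASE = "OU=MainBranch,DC=srv,DC=mydomain"
PPASS = f"CN=PPassUsers,CN=Groups,{BASE}"
FINANCE = f"CN=Finance,CN=Groups,{BASE}"
HR = f"CN=HR,CN=Groups,{BASE}"
ALLSTAFF = f"CN=AllStaff,CN=Groups,{BASE}"        # constructed
CONTRACTORS = f"CN=Contractors,CN=Groups,{BASE}"  # constructed

USERS: List[str] = [
    f"CN=sbrown,CN=Users,{BASE}",
    f"CN=rlee,CN=Users,{BASE}",
    f"CN=tnguyen,CN=Users,{BASE}",   # constructed; not in the PPassUsers chain
]

# Constructed directory: entry DN -> its direct memberOf values.
# AllStaff and PPassUsers are nested in each other to show that a cyclic
# nesting (which AD permits) must not send the walk into a loop.
MEMBER_OF: Dict[str, Set[str]] = {
    USERS[0]: {FINANCE},
    USERS[1]: {HR},
    USERS[2]: {CONTRACTORS},
    FINANCE: {ALLSTAFF},
    HR: {ALLSTAFF},
    ALLSTAFF: {PPASS},
    PPASS: {ALLSTAFF},
    CONTRACTORS: set(),
}


def transitive_groups(dn: str, member_of: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Every group dn belongs to directly or through nesting. The visited
    set terminates the walk even when groups nest cyclically."""
    seen: Set[str] = set()
    stack = list(member_of.get(dn, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return frozenset(seen)


def in_chain_filter(group_dn: str, candidates: Iterable[str],
                    member_of: Dict[str, Set[str]]) -> List[str]:
    """Client-side equivalent of (memberOf:1.2.840.113556.1.4.1941:=group_dn)
    applied to candidates: keeps the entries whose chain reaches group_dn."""
    return [dn for dn in candidates if group_dn in transitive_groups(dn, member_of)]


def roles_for_user(dn: str, member_of: Dict[str, Set[str]],
                   imported_roles: Set[str], nested: bool = True) -> FrozenSet[str]:
    """Roles assigned to a user: with 'Also Assign Roles from User's Nested
    Groups' on, any imported group anywhere in the chain; with it off,
    direct memberships only."""
    groups = transitive_groups(dn, member_of) if nested else member_of.get(dn, set())
    return frozenset(groups & imported_roles)


if __name__ == "__main__":
    print("users passing the recommended filter:", in_chain_filter(PPASS, USERS, MEMBER_OF))
    print("sbrown, nested on :", roles_for_user(USERS[0], MEMBER_OF, {FINANCE, HR, ALLSTAFF}))
    print("sbrown, nested off:", roles_for_user(USERS[0], MEMBER_OF, {FINANCE, HR, ALLSTAFF}, nested=False))
```

Note that sbrown and rlee are never direct members of PPassUsers; they pass the filter only because Finance and HR nest into AllStaff, which nests into PPassUsers. A plain `memberOf=` equality filter would return neither of them, which is the usual cause of an empty import list when users are enrolled through a parent group.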
First import your Groups, which will create the Groups from your directory as "Roles".
Then, as your users are imported, the application will automatically assign the Roles to match the assignments in the directory. However, note that this order is not required.
Groups can be imported by:
Users can be imported by:
You may then need to enter credentials with which to connect to the directory server, unless default credentials were entered during directory setup.
Enter Credentials: For the import pages, various username formats are accepted, including UPN format (username@domain). Including the domain may be necessary for directories with multiple domains or forests. For more specific info, see the troubleshooting page: Unable to Bind.
Change Filters & Directory Settings: By default, the list will be filtered based on the Directory settings specified under "Adding a User Directory", and selecting Change Filters will allow the custom search options to narrow down the scope of the items in this list.
Get Groups List: Pressing this button will attempt to query and show a list of groups which are available for import.
For example, Mr. Smith might see "Finance" and "HR" in the table and import both of them. He should then be able to see that these two Groups are imported as Roles.
Get Users List: Pressing this button will attempt to query and show a list of users which are available for import.
For example, Mr. Smith might see "sbrown" and "rlee" in the table, and decide to import only "sbrown". Since "sbrown" belongs to the "Finance" group, "sbrown" will automatically be granted the "Finance" role.
Troubleshooting:
If you are having trouble with Bind errors, the Search Results are empty, or you have other errors:
Please see Import Users / Groups are missing
Various User Name formats are accepted at login. See the possible Username Formats below.
Auto-Import users: must first log in using the Web application.
For multiple users with the same username: the user will need to qualify their username with the Alias specified in the directory settings, as otherwise it may be ambiguous which user is being referenced.
Group membership and other directory fields will be synchronized when:
Upgrade of the software
Manual synchronization: can be triggered for all directory users by an Administrator, from Manage Users & Roles, either:
Various username formats are accepted at login. Note that the import page also accepts UPN format.
username@alias - using the Directory Alias, from the Directory settings page
Note: Pleasant Password Server does not currently support logging in with a User Principal Name (UPN).
Until it does, use:
- sAMAccountName instead (username, domain\username).
- Set the "Alias" field in your Directory settings to be the same as your domain, for example:
- username@alias = username@domain
(No longer necessary in Versions 7.4.0+)
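The username formats listed above (bare username, domain\username, username@alias) and the ambiguity note earlier in this section describe a small resolution problem: a login name must map to exactly one account among local users and the configured directories. The following added example (not Pleasant Password Server's code, and not its actual resolution rules) parses the three formats, resolves a qualified name against the directory whose Alias it names, and refuses an unqualified name that matches more than one source. The "mydomain" alias and the sbrown/rlee users come from this guide; the local accounts, the "partnerdomain" directory and the overlapping rlee accounts are constructed to show the ambiguous case.

```python
"""Resolve the login-name formats the guide lists against local users and
several directories, treating an unqualified name that matches more than
one source as ambiguous. Added example, not Pleasant Password Server code;
the account store is constructed and the resolution policy is assumed."""

from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Resolved(NamedTuple):
    source: str     # "local" or a directory Alias
    username: str   # sAMAccountName or local user name, lower-cased


class AmbiguousUsername(ValueError):
    """Raised when an unqualified login matches more than one source."""


# Constructed account store: source -> set of usernames. Each directory's
# Alias is set equal to its domain, as the guide recommends, so that
# user@alias and user@domain coincide.
ACCOUNTS: Dict[str, Set[str]] = {
    "local": {"admin", "rlee"},
    "mydomain": {"sbrown", "rlee"},
    "partnerdomain": {"jdoe", "rlee"},
}


def parse_login(login: str) -> Tuple[Optional[str], str]:
    """Split a login into (qualifier, username):
    'alias\\user' -> ('alias', 'user'); 'user@alias' -> ('alias', 'user');
    bare 'user' -> (None, 'user'). Comparison is case-insensitive."""
    if "\\" in login:
        qualifier, _, user = login.partition("\\")
        return qualifier.lower(), user.lower()
    if "@" in login:
        user, _, qualifier = login.rpartition("@")
        return qualifier.lower(), user.lower()
    return None, login.lower()


def resolve(login: str, accounts: Dict[str, Set[str]] = ACCOUNTS) -> Optional[Resolved]:
    """Map a login to one account, or None when nothing matches.
    A qualifier restricts the lookup to that single source; an unqualified
    name is searched everywhere and must match exactly one source."""
    qualifier, user = parse_login(login)
    if qualifier is not None:
        users = accounts.get(qualifier)
        return Resolved(qualifier, user) if users and user in users else None
    hits: List[Resolved] = [Resolved(src, user) for src, users in accounts.items() if user in users]
    if len(hits) > 1:
        sources = [h.source for h in hits]
        raise AmbiguousUsername(f"{login!r} matches {sources}; qualify it as user@alias")
    return hits[0] if hits else None


def is_ambiguous(login: str, accounts: Dict[str, Set[str]] = ACCOUNTS) -> bool:
    """Convenience check used by the tests: True when resolve() would refuse."""
    try:
        resolve(login, accounts)
    except AmbiguousUsername:
        return True
    return False


if __name__ == "__main__":
    for name in ("sbrown", "sbrown@mydomain", "MYDOMAIN\\SBrown", "rlee@partnerdomain"):
        print(f"{name:22} -> {resolve(name)}")
    print("rlee is ambiguous:", is_ambiguous("rlee"))
```

The failure mode the guide warns about is the unqualified "rlee": it exists locally and in both directories, so the example refuses it rather than guessing, and "rlee@mydomain" or "mydomain\rlee" is what resolves it.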
Changes to your AD/LDAP structure may cause Users and Roles in Password Server to become desynced from their AD/LDAP counterparts.
To correct this issue for a User, go to Users & Roles > Manage Users and click on the [Edit] link next to the name of the user that has become desynced.
Update the User's Distinguished Name to match your AD/LDAP, then click Save.
To correct this issue for a Role, go to Users & Roles > Manage Roles, find the Role that has become desynced and click Actions > Set Distinguished Name.
Update the Role's Distinguished Name to match your AD/LDAP, then click Save.