Difference between revisions of "LDAPS User Sync Profile"

From Studentnet Wiki
 
(28 intermediate revisions by 2 users not shown)
Line 1: Line 1:
=== Base Settings ===
+
LDAPS User Sync Profiles are used to process users from Active Directory (AD) and put them in the dashboard
 +
==Minimum requirements for a user to be synced from AD to Cloudwork==
 +
Each user that needs to be synced into Cloudwork require the following attributes in AD:
 +
*Givenname
 +
*Surname
 +
*Samaccountname
 +
*Mail
  
-Description : A short description to identify the sync profile
+
==Information and Settings to have ready before creating sync profile==
 +
===Directory Configuration===
 +
In your directory:
 +
*Open your firewall and allow IP ranges from [https://wiki.studentnet.net/index.php/IP_Range#Cloudwork_IP_Range here]
 +
*Create a user in your directory which has read permissions and save the following details about newly created user:
 +
**Username:
 +
**Password:
 +
**Directory Location:
 +
*Have the LDAP path for the container you want synced:
 +
*Note down the IP address your directory server is on:
 +
*Note has the mail attribute populated with the user's email address? If not where is this stored?
  
-Ldap Server : IP address or host name of the directory server to collect information from. Password reset will only work over LDAPS:// 
+
==Creating a the LDAP User Sync Profile==
 +
#In the '''Cloudwork Dashboard'''>'''Sync Profile'''>'''New Sync Profile'''>'''LDAP Users Sync Profile'''
 +
#Fill in the form:
 +
#*'''Description''': Name or Description of Sync profile
 +
#*'''Ldap User''': Directory and username of newly created user
 +
#*'''Ldap Password''': Password of newly created user
 +
#*'''Search Container''': The LDAP path for the container you want synced
 +
#*'''Role''': Depending on user type, select the appropriate type of '''Teacher''', '''Student''', '''Alum''', '''Staff''', '''Employee''' or '''Parent'''
 +
#Click submit
  
-Ldap User : Username to bind to when collecting
+
==Field Information==
 +
=== Base Settings ===
  
-Ldap Password : Password to use when collecting information from the server
+
{| class="wikitable"
 +
|+ style="caption-side:bottom; color:#000000;"|''Base Settings''
 +
|-
 +
! style="color:black" | Field
 +
! style="color:black" | Description
 +
|-
 +
|[[Image:userdesc.png]]
 +
|A short description to identify the sync profile
 +
|-
 +
|[[Image:userldapserver.png]]
 +
|IP address or host name of the directory server to collect information from. Password reset will only work over LDAPS://
 +
|-
 +
|[[Image:userldapuser.png]]
 +
|Username of user who has read permission to bind to when collecting
 +
|-
 +
|[[Image:userldappassword.png]]
 +
|Password of user in '''Ldap User''' with read permissions when collecting information from the server  
 +
|}
  
 
=== User Settings ===
 
=== User Settings ===
  
[[Image: usersearchcontainer2.png]]
+
(If there is no image for AD Example the attribute is not processed by AD)
 
 
-Search Container : The qualified name for the container to look for users. eg, OU=students, OU=users, DC=yourdomain, DC=com
 
 
 
[[Image: usersearchcontainer.png|frameless|This is how the search container will look in Active Directory]]
 
 
 
-Role : Users created with this sync profile will have the selected role
 
 
 
-Mail Field : User attribute containing primary email address
 
 
 
-Alternative Email Addresses Field : Additional email addresses for a user can be imported here
 
 
 
-Import UPN as an alternative email address : This option will make sure a user's UPN will always be present in the Alternative Addresses for that user
 
 
 
-Username Field : User attribute containing the username
 
 
 
-Allow email address in username : Allows users to have an email address as their username, this may have unexpected side-effects and each email address must be unique
 
 
 
-GUID Field : User attribute containing a unique and immutable identifier
 
 
 
-First Name Field : User attribute containing the user's surname
 
 
 
-SIS Id Field : The LDAP attribute that stores the SIS ID for a user. This field is important for Canvas and other services
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
 +
{| class="wikitable"
 +
|+ style="caption-side:bottom; color:#000000;"|''User Settings''
 +
|-
 +
! style="color:black" | Field
 +
! style="color:black" | Description
 +
! style="color:black" | Active Directory Example if available
 +
|-
 +
|[[Image: usersearchcontainer2.png]]
 +
|The qualified name for the container to look for users. eg, OU=students, OU=users, DC=yourdomain, DC=com
 +
|[[Image: usersearchcontainer.png]]
 +
|-
 +
|[[Image: Userroles.png]]
 +
|Users created with this sync profile will have the selected role
 +
|Roles are assigned by the sync profile so won't be found in AD
 +
|-
 +
|[[Image: Usermailfield.png]]
 +
|User attribute containing primary email address
 +
|[[Image: Userademail.png | 350px]]
 +
|-
 +
|[[Image: Useraltemail.png]]
 +
|Additional email addresses for a user can be imported here
 +
|
 +
|-
 +
|[[Image: Userupn.png]]
 +
|This option will make sure a user's UPN will always be present in the Alternative Addresses for that user
 +
|
 +
|-
 +
|[[Image: Userusername.png]]
 +
|User attribute containing the username
 +
|[[Image: Useradusername.png | 350px]]
 +
|-
 +
|[[Image: Userallowemail.png]]
 +
|Allows users to have an email address as their username, this may have unexpected side-effects and each email address must be unique
 +
|
 +
|-
 +
|[[Image: Userguid.png]]
 +
|User attribute containing a unique and immutable identifier
 +
|
 +
|-
 +
|[[Image: Userlastname.png]]
 +
|User attribute containing the user's surname
 +
|[[Image: Useradlastname.png | 350px]]
 +
|-
 +
|[[Image: Usersisid.png]]
 +
|The LDAP attribute that stores the SIS ID for a user. This field is important for Canvas and other services
 +
|
 +
|-
 +
|[[Image: Userformfeild.png]]
 +
|The LDAP attribute that stores Form or Year Group information for students.
 +
|
 +
|-
 +
|[[Image: Userresetemail.png]]
 +
|LDAP Field to look for an email address to use in password reset requests. Setting this field prevents users from configuring their own password reset information.
 +
|
 +
|-
 +
|[[Image: Userresetmobile.png]]
 +
|LDAP Field to look for a mobile number to be used during password requests. Setting this field prevents users from configuring their own password reset information.
 +
|
 +
|-
 +
|[[Image: Userextraatt.png]]
 +
|Anything extra about a user that isn't found elsewhere in this form that you wish to add
 +
|
 +
|-
 +
|[[Image: Userextrasearch.png]]
 +
|LDAP query paramaters that will be be used to further restrict Cloudwork's default user syncing
 +
|
 +
|-
 +
|}
  
 +
===Advanced Settings===
  
 +
{| class="wikitable"
 +
|+ style="caption-side:bottom; color:#000000;"|''Advanced Settings''
 +
|-
 +
! style="color:black" | Field
 +
! style="color:black" | Description
 +
|-
 +
|[[Image: advparentorg.png]]
 +
|Users and Org Units created by this profile will be created under this Org Unit.
 +
|-
 +
|[[Image: advsquash.png]]
 +
|When this option is enabled, Cloudwork will not create any of the Org Units in the search container field. Users and sub Org Units will be created directly under the parent Org Unit
 +
|-
 +
|[[Image: advdeleteaction.png]]
 +
|When a user is deleted or moved to a location that Cloudwork can't see, Cloudwork will perform the chosen action
 +
|-
 +
|[[Image: advdomain.png]]
 +
|The email domain for groups. If Force Mail Domain is selected, user accounts created or updated by replace the email domain with this domain
 +
|-
 +
|[[Image: advdirectoy.png]]
 +
|The directory type that the users are syncing from
 +
|-
 +
|[[Image: advwelcomeemail.png]]
 +
|Cloudwork will use this template to send welcome emails, if the "send Welcome" option is enabled.
 +
|-
 +
|}
  
  
 +
===Troubleshooting===
  
 +
{| class="wikitable"
 +
|+ style="caption-side:bottom; color:#000000;"|''Troubleshooting''
 +
|-
 +
! style="color:black" | Error Message
 +
! style="color:black" | Troubleshooting
 +
|-
 +
|Error getting last_name for <ldap path>
 +
|make sure users have last name(sn) in their listed attributes
 +
|-
 +
|<Sync Profile Name> could not be processed due to an error: Could not connect to <ldap path>
 +
|Make sure server where directory is is turned on, make sure firewall configuration allows for Cloudwork IP range
 +
__FORCETOC__
 
[[Category: Sync Profiles]]
 
[[Category: Sync Profiles]]
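Review bot: The Troubleshooting table at the end of the added text is never closed: its last row ("Could not connect to <ldap path>") is followed directly by __FORCETOC__, with no |} line like the one that ends the Base Settings, User Settings and Advanced Settings tables, so add |} before __FORCETOC__. The new "Fill in the form" list also omits the Ldap Server field, even though Directory Configuration asks the reader to note the directory server's IP address and the Base Settings table states that password reset only works over LDAPS://; list the field in step 2 and repeat the LDAPS:// requirement there. Typos to fix in the same pass: "Creating a the", "paramaters", "be be" and "created or updated by replace".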

Latest revision as of 07:01, 25 September 2023

LDAPS User Sync Profiles are used to process users from Active Directory (AD) and put them in the dashboard.

Minimum requirements for a user to be synced from AD to Cloudwork

Each user that needs to be synced into Cloudwork requires the following attributes in AD:

  • Givenname
  • Surname
  • Samaccountname
  • Mail
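
As an added example (not part of the Cloudwork documentation or product), a pre-sync check that reads an LDIF export of the search container and lists users missing any of the four required attributes, which is the situation behind the "Error getting last_name" message in the Troubleshooting table. The LDAP attribute names in REQUIRED, the function names and the sample entries are assumptions for illustration.

```python
import base64

REQUIRED = ("givenName", "sn", "sAMAccountName", "mail")  # LDAP names of the page's minimum attributes

def parse_ldif(text):
    """Parse LDIF text into one {attribute_lowercase: [values]} dict per entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    entries = []
    for block in unfolded.split("\n\n"):  # entries are separated by blank lines
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):  # "attr:: value" carries base64
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def normalise_dn(dn):  # lowercase, no spaces around commas (escaped commas not handled)
    return ",".join(part.strip().lower() for part in dn.split(","))

def missing_required(entries, search_container):
    """Return {dn: [missing attributes]} for entries below the search container."""
    suffix = "," + normalise_dn(search_container)
    report = {}
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        missing = [a for a in REQUIRED if not any(entry.get(a.lower(), []))]
        if missing and normalise_dn(dn).endswith(suffix):
            report[dn] = missing
    return report

# Constructed sample export; the people and domain are placeholders.
SAMPLE_LDIF = """\
dn: CN=Ada Example,OU=students,OU=users,DC=yourdomain,DC=com
givenName: Ada
sn: Example
sAMAccountName: aexample
mail: aexample@yourdomain.com

dn: CN=Bo Nosurname,OU=students,OU=users,
 DC=yourdomain,DC=com
givenName:: Qm8=
sAMAccountName: bnosurname
mail:
"""
```

An attribute that is present but empty is reported as missing, and the search container can be passed exactly as it is typed in the form, with or without spaces after the commas.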

Information and Settings to have ready before creating sync profile

Directory Configuration

In your directory:

  • Open your firewall and allow IP ranges from here (https://wiki.studentnet.net/index.php/IP_Range#Cloudwork_IP_Range)
  • Create a user in your directory which has read permissions and save the following details about the newly created user:
    • Username:
    • Password:
    • Directory Location:
  • Have the LDAP path for the container you want synced:
  • Note down the IP address your directory server is on:
  • Note whether the mail attribute is populated with the user's email address. If not, where is this stored?

Creating the LDAP User Sync Profile

  1. In the Cloudwork Dashboard, go to Sync Profile > New Sync Profile > LDAP Users Sync Profile
  2. Fill in the form:
    • Description: Name or Description of Sync profile
    • Ldap User: Directory and username of newly created user
    • Ldap Password: Password of newly created user
    • Search Container: The LDAP path for the container you want synced
    • Role: Depending on user type, select the appropriate type of Teacher, Student, Alum, Staff, Employee or Parent
  3. Click submit

Field Information

Base Settings

Base Settings
Field | Description
Userdesc.png | A short description to identify the sync profile
Userldapserver.png | IP address or host name of the directory server to collect information from. Password reset will only work over LDAPS://
Userldapuser.png | Username of the user with read permission to bind as when collecting
Userldappassword.png | Password of the user in Ldap User (with read permissions), used when collecting information from the server

User Settings

(If there is no image for AD Example the attribute is not processed by AD)

User Settings
Field | Description | Active Directory Example if available
Usersearchcontainer2.png | The qualified name for the container to look for users, e.g. OU=students, OU=users, DC=yourdomain, DC=com | Usersearchcontainer.png
Userroles.png | Users created with this sync profile will have the selected role | Roles are assigned by the sync profile so won't be found in AD
Usermailfield.png | User attribute containing primary email address | Userademail.png
Useraltemail.png | Additional email addresses for a user can be imported here |
Userupn.png | This option will make sure a user's UPN will always be present in the Alternative Addresses for that user |
Userusername.png | User attribute containing the username | Useradusername.png
Userallowemail.png | Allows users to have an email address as their username; this may have unexpected side effects, and each email address must be unique |
Userguid.png | User attribute containing a unique and immutable identifier |
Userlastname.png | User attribute containing the user's surname | Useradlastname.png
Usersisid.png | The LDAP attribute that stores the SIS ID for a user. This field is important for Canvas and other services |
Userformfeild.png | The LDAP attribute that stores Form or Year Group information for students. |
Userresetemail.png | LDAP Field to look for an email address to use in password reset requests. Setting this field prevents users from configuring their own password reset information. |
Userresetmobile.png | LDAP Field to look for a mobile number to be used during password requests. Setting this field prevents users from configuring their own password reset information. |
Userextraatt.png | Anything extra about a user that isn't found elsewhere in this form that you wish to add |
Userextrasearch.png | LDAP query parameters that will be used to further restrict Cloudwork's default user syncing |

Advanced Settings

Advanced Settings
Field | Description
Advparentorg.png | Users and Org Units created by this profile will be created under this Org Unit.
Advsquash.png | When this option is enabled, Cloudwork will not create any of the Org Units in the search container field. Users and sub Org Units will be created directly under the parent Org Unit
Advdeleteaction.png | When a user is deleted or moved to a location that Cloudwork can't see, Cloudwork will perform the chosen action
Advdomain.png | The email domain for groups. If Force Mail Domain is selected, user accounts created or updated by this profile will have their email domain replaced with this domain
Advdirectoy.png | The directory type that the users are syncing from
Advwelcomeemail.png | Cloudwork will use this template to send welcome emails, if the "send Welcome" option is enabled.


Troubleshooting

Troubleshooting
Error Message | Troubleshooting
Error getting last_name for <ldap path> | Make sure users have a last name (sn) in their listed attributes
<Sync Profile Name> could not be processed due to an error: Could not connect to <ldap path> | Make sure the server hosting the directory is turned on, and make sure the firewall configuration allows the Cloudwork IP range