LDAP interface configuration
The menu item LDAP interface configuration is where you edit the connection settings, user import settings, and attribute assignment settings of the configuration file ldap.json. The file ldap.json is stored in the repository under the following path:
Administration//IndexServer Scripting Base//_ALL//ldap.json
Alternatively, ldap.json can be stored in the config directory of the ELO Indexserver. That copy is only read if no ldap.json file exists in the repository.
The configuration applies to a single repository only. After editing the configuration in the ELO Administration Console, restart the ELO Indexserver of that repository; if the repository has several ELO Indexservers, restart all of them.
Please note: Do not authenticate the ELO service account (or whichever service account you use) via LDAP. Keeping it as a local ELO account allows the server-side ELO applications to run independently of the LDAP configuration. If the service account depends on LDAP and the LDAP connection is disabled or unavailable, the ELO applications may no longer start, and you will then not be able to re-enable the LDAP connection in the ELO Administration Console.
You can make settings for multiple domains.
Under Domain selection, you see a list of available domains.
Add (green plus icon): To add settings for a domain, click Add.
Delete (red X icon): To delete the settings of a domain, click Delete.
Reload data from server (yellow circle arrow icon): Click the Reload data from server button to reload the Domain selection area.
Connection settings
Domain name: Enter the DNS name of the domain. It is used when a userPrincipalName has to be derived from a sAMAccountName (account name, followed by @ and this domain name).
LDAP URL: The entries in the LDAP URL field determine the TCP connection to the LDAP server. Prefer a TLS-protected URL (ldaps://) where the directory server supports it, so that the password of the LDAP authentication account and the user attributes are not transmitted in cleartext.
You can enter several LDAP servers for one domain to distribute the load; if a server does not respond within the connection timeout, the next server in the list is tried.
LDAP authentication account: SSO requires a technical account that is used to search the LDAP directory for the user name passed by the SSO mechanism (usually the sAMAccountName). Enter the account as a userPrincipalName.
Please note: The account must have sufficient permissions to read the user attributes and group memberships. Read access is all it needs; do not use a privileged account such as a domain administrator for this purpose.
LDAP password: Enter the password of the LDAP authentication account in plain text. The ELO Indexserver replaces it with an encrypted value when it is next restarted; until that restart, ldap.json contains the password in plain text, so restart the ELO Indexserver promptly and restrict access to the file.
Connection timeout in seconds: If the LDAP server does not respond within this number of seconds, the LDAP interface aborts the connection attempt and tries the next server in the list.
Search timeout in seconds: This value is passed to the LDAP server as the time limit for user and group searches.
User import
DN for person search: Specify the branches (base DNs) of the LDAP directory that are searched for users.
Please note: The list must not be empty.
Search filter for persons: Use this LDAP filter to restrict which directory entries are found when searching for users.
Search filter for e-mails: When a user authenticates with an e-mail address for the first time, this filter is used to look up the user in the LDAP directory.
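The following Python example is added here to illustrate the filter fields; it is not part of the ELO software or its documentation. It shows why a login name received from SSO (or an e-mail address) has to be escaped according to RFC 4515 before it is substituted into the Search filter for persons or Search filter for e-mails, and it checks that the filter names the attribute selected under User authentication via with identical capitalization. The %u placeholder, the filter templates and the function names are assumptions made for this example.

```python
# Added example, not ELO's own code. Demonstrates RFC 4515 escaping of a login
# name before it is placed into the configured person/e-mail search filter and
# a check that the filter uses the "User authentication via" attribute with the
# exact capitalization. The %u placeholder and the templates are assumptions.
import re

# RFC 4515, section 3: characters that must be escaped inside an assertion value.
# The backslash is handled first so the escapes introduced below are not re-escaped.
_ESCAPES = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00"))

# Attribute names that appear as "(name=" inside a filter.
_ATTR_IN_FILTER = re.compile(r"\(([A-Za-z][A-Za-z0-9.-]*)=")


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value (login name, e-mail address) for use in an LDAP filter."""
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value


def check_filter_matches_auth_attribute(template: str, auth_attribute: str) -> None:
    """Raise if the filter has no '(<auth_attribute>=' clause.

    LDAP servers treat attribute names case-insensitively, but the page requires
    the attribute in the filter to match the selected authentication attribute
    including capitalization, so a differently capitalized name is reported.
    """
    names = _ATTR_IN_FILTER.findall(template)
    if auth_attribute in names:
        return
    lowered = {n.lower(): n for n in names}
    if auth_attribute.lower() in lowered:
        raise ValueError(
            f"filter uses {lowered[auth_attribute.lower()]!r} but the authentication "
            f"attribute is {auth_attribute!r}: capitalization must match"
        )
    raise ValueError(f"filter does not search the attribute {auth_attribute!r}")


def build_filter_unsafe(template: str, login_name: str) -> str:
    """Vulnerable variant: substitutes the login name verbatim (filter injection)."""
    return template.replace("%u", login_name)


def build_filter(template: str, auth_attribute: str, login_name: str) -> str:
    """Hardened variant: validates the template, then substitutes an escaped value."""
    check_filter_matches_auth_attribute(template, auth_attribute)
    if "%u" not in template:
        raise ValueError("filter template has no %u placeholder")
    return template.replace("%u", escape_filter_value(login_name))


if __name__ == "__main__":
    persons = "(&(objectClass=user)(sAMAccountName=%u))"
    # Constructed "user name" that would turn the lookup into a wildcard match.
    crafted = "*)(objectClass=*"
    print(build_filter_unsafe(persons, crafted))
    print(build_filter(persons, "sAMAccountName", crafted))
    print(build_filter("(mail=%u)", "mail", "fritz.frei@elo.example"))
```

With the unsafe variant the crafted value produces `(&(objectClass=user)(sAMAccountName=*)(objectClass=*))`, which matches every user; the escaped value is matched literally and finds nothing.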
Required group membership: Enter the common name (cn) of a group to restrict authentication to users who are members of that group in the LDAP directory.
DN for group search: Specify the branches of the LDAP directory in which a group must be located to be eligible for assignment. If the list is empty, all groups of the user are included in the group assignment.
Search filter for groups: Use this LDAP filter to restrict the search for the groups of a user.
Maximum nesting depth: Specify how many levels of nested groups are followed when the groups of a user are collected for group synchronization.
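The following Python example is added to show how the settings Required group membership, DN for group search and Maximum nesting depth interact when the groups of a user are collected; it is not ELO code. The in-memory directory, the DNs and the function names are constructed for the example, and the assumption that the required group is also matched among nested groups is this example's, not the page's.

```python
# Added example, not ELO's own code. Collects the groups of a user by following
# memberOf links up to a maximum nesting depth (with cycle protection), keeps
# only groups below the configured group search branches and evaluates the
# required group. The directory below is constructed for illustration.

# DN -> attributes; memberOf lists the DNs of the groups the entry belongs to.
DIRECTORY = {
    "CN=fritzfrei,OU=Users,DC=elo,DC=example": {
        "memberOf": ["CN=Sales,OU=ELO Groups,DC=elo,DC=example",
                     "CN=AllStaff,OU=Other,DC=elo,DC=example"]},
    "CN=Sales,OU=ELO Groups,DC=elo,DC=example": {
        "memberOf": ["CN=ELO Users,OU=ELO Groups,DC=elo,DC=example"]},
    "CN=ELO Users,OU=ELO Groups,DC=elo,DC=example": {
        # Links back to Sales (a cycle) and one level further down.
        "memberOf": ["CN=Sales,OU=ELO Groups,DC=elo,DC=example",
                     "CN=Everyone,OU=ELO Groups,DC=elo,DC=example"]},
    "CN=Everyone,OU=ELO Groups,DC=elo,DC=example": {"memberOf": []},
    "CN=AllStaff,OU=Other,DC=elo,DC=example": {"memberOf": []},
}


def collect_groups(directory, user_dn, max_depth):
    """Breadth-first walk over memberOf. Depth 1 = direct groups only.

    Groups already visited are skipped, so cycles and diamonds terminate
    regardless of max_depth.
    """
    seen = set()
    frontier = list(directory[user_dn].get("memberOf", []))
    depth = 0
    while frontier and depth < max_depth:
        depth += 1
        next_frontier = []
        for group_dn in frontier:
            if group_dn in seen:
                continue
            seen.add(group_dn)
            next_frontier.extend(directory.get(group_dn, {}).get("memberOf", []))
        frontier = next_frontier
    return seen


def rdn_value(dn):
    """Value of the first RDN (the cn of a group). The constructed DNs contain no escaped commas."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def in_search_branches(dn, branches):
    """True if dn lies below one of the base DNs; an empty list means every group is eligible."""
    if not branches:
        return True
    lower = dn.lower()
    return any(lower.endswith("," + branch.lower()) for branch in branches)


def eligible_groups(groups, branches):
    """Apply the DN for group search setting to the collected groups."""
    return {g for g in groups if in_search_branches(g, branches)}


def has_required_group(groups, required_cn):
    """Required group membership: compared by common name; an empty setting imposes no restriction."""
    if not required_cn:
        return True
    return any(rdn_value(g) == required_cn for g in groups)


if __name__ == "__main__":
    user = "CN=fritzfrei,OU=Users,DC=elo,DC=example"
    for depth in (1, 2, 10):
        groups = collect_groups(DIRECTORY, user, depth)
        print(depth, sorted(rdn_value(g) for g in groups),
              has_required_group(groups, "ELO Users"))
    print(sorted(eligible_groups(collect_groups(DIRECTORY, user, 10),
                                 ["OU=ELO Groups,DC=elo,DC=example"])))
```

Running it shows that with a nesting depth of 1 the user is not recognized as a member of ELO Users, with depth 2 the membership is found through Sales, and that raising the depth further cannot loop because the Sales/ELO Users cycle is visited only once.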
Attribute assignment
Domain prefix: The domain prefix is required if several domains are configured and the sAMAccountName is saved as the Windows attribute of the ELO user.
The domain prefix is placed in front of the user name, so it must end with a separator character that separates the prefix from the user name. Ideally, use a backslash.
Information: If you are using SSO, the domain prefix must match the NetBIOS domain name.
On a client computer, you will find the corresponding domain prefix for SSO in the USERDOMAIN environment variable.
For SSO with a domain prefix, you also need to set the option "ntlm.domainUserFormat" in the config.xml file of the ELO Indexserver.
If you select sAMAccountName in the User authentication via field and specify a domain prefix, the Windows user of the ELO user consists of the domain prefix followed by the account name.
Example:
- sAMAccountName = fritzfrei
- Domain prefix = ELO\
- Windows user = ELO\fritzfrei
Placeholder for ELO user names: The ELO user name can be assembled from several LDAP user attributes. Specify a format expression with placeholders, each enclosed in $ signs; the name between the $ signs must exactly match the LDAP attribute name.
User authentication via: In the drop-down menu User authentication via, you can specify whether you want to set the sAMAccountName or the userPrincipalName as the Windows user attribute (see ELO user manager).
Please note: The attribute selected in the User authentication via field must match the attribute used in the Search filter for persons field (see User import). Pay attention to capitalization.
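The following Python example is added to show how the Attribute assignment settings above combine into the Windows user, the ELO user name and the supervisor of an ELO user; it is not ELO code. The $attribute$ placeholder syntax and the ELO\fritzfrei example are taken from this page; the attribute values, the set of existing ELO users and all function names are assumptions made for the example.

```python
# Added example, not ELO's own code. Derives the Windows user (domain prefix +
# sAMAccountName, or the userPrincipalName), expands the $attribute$ format
# expression for the ELO user name and resolves the supervisor attribute
# against the users already existing in ELO. Inputs are constructed.
import re

# Placeholders are enclosed in $ signs; the name must match the LDAP attribute exactly.
PLACEHOLDER = re.compile(r"\$([A-Za-z][A-Za-z0-9-]*)\$")


def derive_upn(sam_account_name, dns_domain):
    """userPrincipalName built from a sAMAccountName and the configured Domain name."""
    return f"{sam_account_name}@{dns_domain}"


def windows_user(attrs, auth_attribute, domain_prefix=""):
    """Value stored as the Windows user of the ELO user.

    With sAMAccountName the domain prefix (e.g. 'ELO\\') is prepended; it must end
    with a separator so that prefix and account name do not run together.
    A userPrincipalName already carries its domain and gets no prefix.
    """
    value = attrs[auth_attribute]
    if auth_attribute != "sAMAccountName" or not domain_prefix:
        return value
    if domain_prefix[-1].isalnum():
        raise ValueError(f"domain prefix {domain_prefix!r} must end with a separator such as a backslash")
    return domain_prefix + value


def elo_user_name(template, attrs):
    """Expand $attribute$ placeholders; a missing or differently capitalized attribute is an error."""
    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"LDAP attribute {name!r} not present (placeholder names are case-sensitive)")
        return attrs[name]
    return PLACEHOLDER.sub(substitute, template)


def supervisor(attrs, supervisor_attribute, existing_elo_users):
    """Resolve the supervisor (usually the DN in 'manager') to an existing ELO user.

    Returns None when the attribute is absent or the referenced user does not
    exist in ELO yet, so the caller can report it instead of assigning nothing silently.
    """
    dn = attrs.get(supervisor_attribute)
    if dn is None:
        return None
    return existing_elo_users.get(dn)


if __name__ == "__main__":
    attrs = {  # constructed LDAP attributes of one user
        "sAMAccountName": "fritzfrei",
        "givenName": "Fritz",
        "sn": "Frei",
        "manager": "CN=Erika Muster,OU=Users,DC=elo,DC=example",
    }
    elo_users = {"CN=Erika Muster,OU=Users,DC=elo,DC=example": "Erika Muster"}  # constructed
    print(windows_user(attrs, "sAMAccountName", "ELO\\"))      # ELO\fritzfrei
    print(derive_upn(attrs["sAMAccountName"], "elo.example"))
    print(elo_user_name("$givenName$ $sn$", attrs))
    print(supervisor(attrs, "manager", elo_users))
```

The example deliberately rejects a prefix without a trailing separator and a placeholder whose capitalization differs from the LDAP attribute, the two configuration mistakes the notes above warn about.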
Supervisor attribute name: Specify the LDAP attribute from which the supervisor of the ELO user is determined. This is usually the attribute manager.
Please note: The supervisor must already exist as a user in ELO.
ELO administrator of this user: In the field ELO administrator of this user, you can specify which ELO user to set as administrator for users created via the LDAP interface. You can enter the ID, GUID, or user name.
Save attributes in ELO: In this field, you specify which attributes are to be transferred from LDAP to ELO.
To add an attribute, enter the name of the attribute in the field. Next, click Add (green plus icon).
To remove an attribute, click the X icon next to it in the list of attributes.
Information: Mandatory attributes cannot be deleted. In this case, the X icon is grayed out.