Skip to content
PDF

Enabling access management with LDAP in the Management System

The Nerve Management System allows the import of users and roles for access management through its LDAP integration. Data is synchronized with an LDAP server and the authentication of users is done against this LDAP server instead of the Management System itself. The user authentication provided is LDAP Simple Authentication (username and password) with the option to enable SSL/TLS for a secure connection between the LDAP server and the Management System.

An existing LDAP server is required to enable active directory access management. The configuration of the LDAP synchronization in the Management System requires expert knowledge. It is recommended that the configuration is performed by an LDAP admin.

Expand Access > LDAP to reach the LDAP configuration. It is separated into three sections.

!LDAP

Item Description
LDAP Authentication(off/on) Toggle this to activate or deactivate access management with LDAP once the configuration on this page has been completed.
Connection: This section contains the required parameters to connect to an LDAP server.

Name
This is a user defined name for the configuration. Enter any name that accurately describes the connection.

URL
This can be either an IP address or the hostname of the LDAP server.

Port
Enter the port used for the LDAP service.
Note that the standard port 389 is automatically filled in. Also, port 636 is automatically filled in if Secure connection option SSL/TLS is activated.

Bind DN
Enter the user in LDAP that is used for establishing the connection. This is either a user that is used for external connections or an admin user. The user needs to be entered in the form of a distinguished name.

Password
Enter the password of the Bind DN user.

Secure connection option SSL/TLS
Toggle to enable a secure connection here. The secure connection is implicitly accepted and certificates are exchanged by enabling this option. The standard port 636 for secure connections over SSL/TLS is filled in automatically in the Port field.

Test connection
This button is only available after the required fields have been filled in. Once clicked, a green check mark signifies a successful connection while a red cross signifies an unsuccessful connection attempt.
Groups and Users synchronization parameters: Specify the required parameters for users and groups synchronization here. The options are grayed out by default. Once a connection to an LDAP server has been tested successfully, marked by a green check mark, the options will become available. Two query buttons are available here to test each configuration.

Groups:
  • Search Base
    This is the directory point where the groups synchronization is started from.
  • Filter
    Enter a logical expression here to filter for desired groups. The filter has to be in the format that is used in LDAP. Hover over the text field to see the full filter displayed in a quick tip. An example filter could look like this:
    (&(cn=Nerve*)( objectClass=groupOfNames)))
  • Group name
    Enter the LDAP attribute that is used as a group name.
    Example: If cn is entered, roles in the Management System receive the value of the cn attribute as their name.
  • Admin group
    Enter the group name from LDAP that will receive the Admin role in the Nerve Management System.
  • Default role
    Specify a role in the Management System that is used as a permission template for all groups coming from LDAP. The only exception is the Admin group.
    Note that it is recommended to create a new role first. Refer to Adding a new role if roles have not been defined yet.
  • Test Groups Sync
    Test whether the filter and settings for groups synchronization work with this button. A pop-up window opens where it is possible to check a preview list of groups that will be synchronized.
Users:
  • Search Base
    This is the directory point where the users synchronization is started from.
  • Filter
    Enter a logical expression here to filter for desired users. The filter has to be in the format that is used in LDAP. Hover over the text field to see the full filter displayed in a quick tip. An example filter could look like this:
    (&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=Nerve,cn=Roles,dc=example,dc=com))
  • First name
    Enter the LDAP attribute that will be used as the first name for users.
  • Last name
    Enter the LDAP attribute that will be used as the last name for users.
  • Email
    Enter the LDAP attribute that will be used as the email for users.
  • Username
    Enter the LDAP attribute that will be used as the username for authentication.
  • Test Users Sync
    Test whether the filter and settings for users synchronization work with this button. A pop-up window opens where it is possible to check a preview list of users that will be synchronized.
User and group relationship:
  • User -> Group relationship
    Tick this option to select users as the source and groups as the target for synchronization.
  • Group -> User relationship
    Tick this option to select groups as the source and users as the target for synchronization.
  • Member
    Enter the LDAP attribute of the source representing the relationship.
    Example: memberOf as the attribute of the user if a user -> group relationship was selected.
  • Target
    Enter the LDAP attribute of the target.
    Example: dn as the attribute of the group if a user -> group relationship was selected.
Synchronization: Recurring sync
Activate Recurring sync to set an exact time or interval for recurring synchronization between the Management System and the LDAP server. This can be done in two ways:
  • Exact time of day
    If an exact time is specified, the process is executed once a day at the specified time.
  • Interval in hours
    Selecting an interval in hours executes the synchronization after the specified time has passed.
Sync now
Select Sync now to perform an actual synchronization of users and groups. A result message is shown in the upper right corner at the end of the synchronization process.

Note

The configuration above is dependent on the LDAP server configuration. Consult the LDAP admin when configuring the LDAP integration in the Management System.

As there are many fields and buttons that serve different purposes, consult the summarized workflow below for a quick overview.

  1. Enter the required information in the Connection fields.
  2. Select Test connection. If a green check mark appears, the connection was successful.
  3. Fill in the Groups parameters under Groups and Users synchronization parameters.
  4. Select Test Groups Sync. A pop-up window will appear.
  5. Check the preview list of groups that will be synchronized.
  6. Fill in the Users parameters under Groups and Users synchronization parameters.
  7. Select Test Users Sync. A pop-up window will appear.
  8. Check the preview list of users that will be synchronized.
  9. Select Sync now to apply the configuration.
  10. Optional: Toggle LDAP synchronization(off/on) at the top.
  11. Select Save at the bottom to save the configuration.

Toggling the LDAP synchronization(off/on) switch is marked as optional here, as it can also be toggled at a later time. Save the configuration and toggle the switch to use the LDAP integration when desired. Below is an example configuration:

!Example LDAP configuration

Differences in user and role management when LDAP authentication is activate

When LDAP authentication is active, editing of users and roles is disabled or limited. The differences are:

  • The LDAP username is used for authentication instead of the email address.
  • Passwords cannot be changed or reset.
  • New users cannot be added.
  • Existing users, LDAP or local, cannot be edited or deleted.
  • Profile pictures cannot be set.
  • Names and descriptions of roles cannot be edited.
  • Permissions of roles can be edited.
  • Roles coming from LDAP synchronization cannot be deleted.

All changes to users are taken over from the LDAP server after a synchronization is performed. Once LDAP synchronization is deactivated, local users can be edited again. LDAP users, however, still cannot be edited. Note that LDAP users stay in the list of users even when LDAP synchronization is deactivated. However, the users and roles lists can be filtered by local or LDAP. Refer to Users and Roles and permissions for more information on local user and role management in the Management System.