Code42 Support

Integrate your Code42 environment with complex LDAP directory structures

Available in:

  • CrashPlan PRO
    • Standard
    • Premium
    • Enterprise

Overview

LDAP configurations with complex directory structures require specific configuration steps to include the correct users in your Code42 environment. This tutorial provides tips and techniques that you can use to work with directory information trees (DIT) that contain multiple or nested levels of objects, or to create LDAP queries that include some entries, but exclude others.

Before you begin

  • Integrate and test your LDAP server with your Code42 environment.
  • Ensure your Code42 environment user account has one of the following roles in order to configure LDAP settings:
    • SYSADMIN
    • Server Administrator

Considerations

  • This article assumes you are familiar with basic LDAP principles.
  • In order to sign in with or test LDAP accounts, you must enable LDAP authentication for your Code42 environment.
  • Information provided here about LDAP servers also applies to Active Directory (AD) servers unless otherwise noted.
  • Using LDAP Org name script organization mapping requires that each organization in your Code42 environment has a unique name.

Example LDAP schema

The example screenshots, search bases, and filters in this article use the following example schema in the domain example.com:

[Figure: LDAP schema example]

This test server includes three OUs at the same level in the DIT, or "siblings":

  • GroupA
  • GroupC
  • GroupD

GroupA has one child OU named GroupB. Each group contains a single child object, which is a user.

Code42 server configuration options

Choose one of these two ways to configure your authority server to integrate with complex LDAP directory structures:

  • Multiple LDAP server entries: Add a separate LDAP server entry for each Organizational Unit (OU) that you need to search, and enable these LDAP servers for your organizations.
  • Extensible match filters: Configure search filters to include and exclude parts of the hierarchy instead of using the search base.

Advantages and disadvantages of each LDAP integration method:

Multiple LDAP server entries
  Advantages:
    • Simpler to configure
    • Lower lookup times
  Disadvantages:
    • Less flexible
    • Cannot include and exclude arbitrary child branches of the DIT root

Extensible match filters
  Advantages:
    • More flexible
    • Can target any arbitrary combination of branches of the DIT root
  Disadvantages:
    • Not fully supported by Active Directory
    • Can result in long lookup times, depending on the size of your LDAP database

Configure multiple LDAP server entries

When using multiple LDAP server entries, you add a separate LDAP server entry for each OU. Each LDAP server entry queries the same LDAP server, but your authority server treats each entry as a separate LDAP server.

Each LDAP server entry uses a unique LDAP search base:

  • Each search base defines a different OU.
  • The search base includes or excludes areas of the DIT by defining where in the DIT or LDAP hierarchy to start the search.

This example searches for all users under GroupA, GroupB, and GroupC, while excluding any user under GroupD.

Step 1: Add the first LDAP server entry to your authority server

  1. Add an LDAP server to your authority server to target a specific OU, such as:
    ldap://10.10.46.255:389/ou=GroupA,dc=example,dc=com
    When you configure the other LDAP settings, matching entities appear in Attribute Mapping. For this example, based on the schema above, there are two matches (one employee in GroupA, and one in GroupB).
    [Screenshot: Search base A]
  2. Click Save.

Step 2: Add additional LDAP server entries to your authority server

  1. Add additional LDAP server entries to your authority server to target each additional specific OU, such as:
    ldap://10.10.46.255:389/ou=GroupC,dc=example,dc=com
    When you configure the other LDAP settings, matching entities appear in Attribute Mapping. For this example, based on the schema above, there is one match, under GroupC.
    [Screenshot: Search base B]
  2. Click Save.

Continue to add LDAP server entries for all the OUs required for your Code42 environment.

Step 3: Test the LDAP configuration

Sign in to your Code42 environment as a user from each of your LDAP OUs.

Configure an extensible match filter

When using an extensible match filter, you create a single, complex LDAP filter to search for a specific set of users within your LDAP environment.

This example searches for users under GroupA, GroupB, and GroupC, while excluding any user under GroupD.

Microsoft Active Directory
Active Directory does not support all types of extensible match filters.

Step 1: Test LDAP with a standard search filter

Unlike the Multiple LDAP Server Entries method, extensible match filters always use the top level of the DIT because they rely on filtering, not search scope, to search for users.

  1. Add an LDAP server to your authority server using a search base that starts at the top level of your DIT:
    ldap://10.10.46.255:389/dc=example,dc=com
    
  2. Enter a simple Search filter, such as (mail=?), to test your LDAP configuration.
  3. Verify that the search filter returns matches in Attribute Mapping.
    This example search filter yields four matches, showing that the LDAP search is returning all users in all OUs.
    [Screenshot: Simple filter test]
  4. Click Save.

Step 2: Create an extensible match filter

Modify your simple test search filter into an extensible match filter to match only the objects you wish to find.

  1. Edit the LDAP server entry used for the test search filter above.
  2. Add your extensible search filter to Search filter.
    [Screenshot: Extensible filter]
  3. Adjust your Search Filter as needed until the appropriate set of users is returned under Attribute Mapping.
  4. Click Save.

The filter used in this example searches for users under GroupA, GroupB, and GroupC, while excluding any user under GroupD:

(&(objectclass=inetOrgPerson)(cn=?)(|(ou:dn:=GroupA)(ou:dn:=GroupB)(ou:dn:=GroupC)))

This search filter uses LDAP extensible match syntax to include users (all objects of type "inetOrgPerson") who are also in GroupA, GroupB, or GroupC.
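
The following is an added example, not Code42 code: a small Python model of the article's example DIT that compares the users selected by the two search bases from the multiple-entry method with the users selected by the OU part of the extensible match filter. The user names, the simplified DN parser, and the function names are assumptions made for illustration, and the (cn=?) clause is left out so the whole selected population is listed.

```python
# Added example: constructed entries modelling the article's example DIT.
# User names (usera..userd) are hypothetical; the article does not name them.
def person(cn):
    return {"objectclass": ["inetOrgPerson"], "cn": [cn]}

ENTRIES = {
    "cn=usera,ou=GroupA,dc=example,dc=com": person("usera"),
    "cn=userb,ou=GroupB,ou=GroupA,dc=example,dc=com": person("userb"),
    "cn=userc,ou=GroupC,dc=example,dc=com": person("userc"),
    "cn=userd,ou=GroupD,dc=example,dc=com": person("userd"),
}
BASES = ["ou=GroupA,dc=example,dc=com", "ou=GroupC,dc=example,dc=com"]
OUS = ["GroupA", "GroupB", "GroupC"]

def rdns(dn):
    """Split a DN into lower-cased (attr, value) pairs.
    Simplified: no escaped commas and no multi-valued RDNs."""
    pairs = (part.split("=", 1) for part in dn.split(","))
    return [(a.strip().lower(), v.strip().lower()) for a, v in pairs]

def in_subtree(dn, base):
    """Subtree scope: the entry's DN ends with the search base's components."""
    d, b = rdns(dn), rdns(base)
    return d[-len(b):] == b

def dn_match(dn, attrs, attr, value):
    """attr:dn:=value matches the entry's own attribute values or any DN component."""
    own = [v.lower() for v in attrs.get(attr, [])]
    return value.lower() in own or (attr.lower(), value.lower()) in rdns(dn)

def by_search_bases(entries, bases=BASES):
    """Users found by the multiple-server-entry method (one subtree search per base)."""
    return {dn for dn in entries if any(in_subtree(dn, b) for b in bases)}

def by_extensible_filter(entries, ous=OUS):
    """Users found by (&(objectclass=inetOrgPerson)(|(ou:dn:=...)...)) from the DIT root."""
    return {dn for dn, attrs in entries.items()
            if "inetOrgPerson" in attrs["objectclass"]
            and any(dn_match(dn, attrs, "ou", ou) for ou in ous)}

def drift(entries):
    """Entries selected by one method but not the other; empty when both agree."""
    return by_search_bases(entries) ^ by_extensible_filter(entries)

if __name__ == "__main__":
    for dn in sorted(by_extensible_filter(ENTRIES)):
        print(dn)
    print("drift:", drift(ENTRIES))
```

Because ou:dn:= matches an OU name at any depth of the DN, an OU named GroupA created under GroupD would be selected by the filter but not by the two search bases; drift() reports such entries so the selected user set can be reviewed before saving the filter.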

Step 3: Test the LDAP configuration

Sign in to your Code42 environment as a user from each of your LDAP OUs.

Assistance with complex LDAP directory structures

For consulting options regarding advanced LDAP configuration in your Code42 environment, contact sales.
