Integrate your Code42 environment with complex LDAP directory structures
Who is this article for?
- Incydr: no
- CrashPlan for Enterprise: yes
- Code42 for Enterprise: yes
- CrashPlan for Small Business: no
This article applies to on-premises authority servers.
Overview
LDAP configurations with complex directory structures require specific configuration steps to include the correct users in your Code42 environment. This tutorial provides tips and techniques that you can use to work with directory information trees (DIT) that contain multiple or nested levels of objects, or to create LDAP queries that include some entries, but exclude others.
Before you begin
- Integrate and test your LDAP server with your Code42 environment.
- Ensure your Code42 environment user account has one of the following roles in order to configure LDAP settings:
Considerations
- This article assumes you are familiar with basic LDAP principles.
- In order to sign in with or test LDAP accounts, you must enable LDAP authentication for your Code42 environment.
- Information provided here about LDAP servers also applies to Active Directory (AD) servers unless otherwise noted.
Example LDAP schema
The example screenshots, search bases, and filters in this article use the following example schema in the domain example.com:
This test server includes three OUs at the same level in the DIT, or "siblings":
- GroupA
- GroupC
- GroupD
GroupA has one child OU named GroupB. Each group contains a single child object, which is a user.
Code42 server configuration options
Choose one of these two ways to configure your authority server to integrate with complex LDAP directory structures:
- Multiple LDAP server entries: Add a separate LDAP server entry for each Organizational Unit (OU) that you need to search, and enable these LDAP servers for your organizations.
- Extensible match filters: Configure search filters to include and exclude parts of the hierarchy instead of using the search base.
LDAP Integration Method | Advantages | Disadvantages
---|---|---
Multiple LDAP server entries | |
Extensible match filters | |
Configure multiple LDAP server entries
When using multiple LDAP server entries, you add a separate LDAP server entry for each OU. Each LDAP server entry queries the same LDAP server, but your authority server treats each entry as a separate LDAP server.
Each LDAP server entry uses a unique LDAP search base:
- Each search base defines a different OU.
- The search base includes or excludes areas of the DIT by defining where in the DIT or LDAP hierarchy to start the search.
This example searches for all users under GroupA, GroupB, and GroupC, while excluding any user under GroupD.
Step 1: Add the first LDAP server entry to your authority server
- Add an LDAP server to your authority server to target a specific OU, such as:
ldap://10.10.46.255:389/ou=GroupA,dc=example,dc=com
When you configure the other LDAP settings, matching entities appear in Attribute Mapping. For this example, based on the schema above, there are two matches (one employee in GroupA, and one in GroupB).
- Click Save.
Step 2: Add additional LDAP server entries to your authority server
- Add additional LDAP server entries to your authority server to target each additional specific OU, such as:
ldap://10.10.46.255:389/ou=GroupC,dc=example,dc=com
When you configure the other LDAP settings, matching entities appear in Attribute Mapping. For this example, based on the schema above, there is one match, under GroupC.
- Click Save.
Continue to add LDAP server entries for all the OUs required for your Code42 environment.
Step 3: Test the LDAP configuration
Sign in to your Code42 environment as a user from each of your LDAP OUs.
Configure an extensible match filter
When using an extensible match filter, you create a single, complex LDAP filter to search for a specific set of users within your LDAP environment.
This example searches for users under GroupA, GroupB, and GroupC, while excluding any user under GroupD.
Active Directory does not support all types of extensible match filters.
Step 1: Test LDAP with a standard search filter
Unlike the Multiple LDAP Server Entries method, extensible match filters always use the top level of the DIT because they rely on filtering, not search scope, to search for users.
- Add an LDAP server to your authority server using a search base that starts at the top level of your DIT:
ldap://10.10.46.255:389/dc=example,dc=com
- Enter a simple Search filter, such as (mail=?), to test your LDAP configuration.
- Verify that the search filter returns matches in Attribute Mapping.
This example search filter yields four matches, showing that the LDAP search is returning all users in all OUs.
- Click Save.
Step 2: Create an extensible match filter
Modify your simple test search filter into an extensible match filter to match only the objects you wish to find.
- Edit the LDAP server entry used for the test search filter above.
- Add your extensible search filter to Search filter.
- Adjust your Search Filter as needed until the appropriate set of users is returned under Attribute Mapping.
- Click Save.
The filter used in this example searches for users under GroupA, GroupB, and GroupC, while excluding any user under GroupD:
(&(objectclass=inetOrgPerson)(cn=?)(|(ou:dn:=GroupA)(ou:dn:=GroupB)(ou:dn:=GroupC)))
This search filter uses LDAP extensible match syntax to include users (all objects of type "inetOrgPerson") who are also in GroupA, GroupB, or GroupC. The :dn: component instructs the server to test the ou value against the RDNs of each entry's distinguished name, not only against the entry's own attributes, which is what lets a single filter select users by the OUs they sit under, including nested OUs.
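To make the difference between the two methods concrete, the following added example (not code from Code42 or from this article) models the article's example DIT in plain Python and evaluates both a subtree search under a given search base (the multiple-server-entry method from the previous section) and an (ou:dn:=...) extensible match filter (this section). The entries, uid values and mail addresses are constructed for the example; the ":dn:" semantics modelled here follow the LDAP extensible match rule that the assertion is also tested against every RDN of the entry's DN.

```python
from typing import Dict, List, Tuple

# Constructed sample data modelled on the article's example schema (not a real
# directory). GroupA, GroupC and GroupD are sibling OUs under dc=example,dc=com,
# GroupB is a child OU of GroupA, and each OU holds one inetOrgPerson.
# The uid and mail values are made up for this example.
DIT: Dict[str, Dict[str, str]] = {
    "ou=GroupA,dc=example,dc=com": {"objectclass": "organizationalUnit"},
    "ou=GroupB,ou=GroupA,dc=example,dc=com": {"objectclass": "organizationalUnit"},
    "ou=GroupC,dc=example,dc=com": {"objectclass": "organizationalUnit"},
    "ou=GroupD,dc=example,dc=com": {"objectclass": "organizationalUnit"},
    "uid=alice,ou=GroupA,dc=example,dc=com":
        {"objectclass": "inetOrgPerson", "cn": "alice", "mail": "alice@example.com"},
    "uid=bob,ou=GroupB,ou=GroupA,dc=example,dc=com":
        {"objectclass": "inetOrgPerson", "cn": "bob", "mail": "bob@example.com"},
    "uid=carol,ou=GroupC,dc=example,dc=com":
        {"objectclass": "inetOrgPerson", "cn": "carol", "mail": "carol@example.com"},
    "uid=dave,ou=GroupD,dc=example,dc=com":
        {"objectclass": "inetOrgPerson", "cn": "dave", "mail": "dave@example.com"},
}


def rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, leftmost (most specific) first.
    Assumes no escaped commas or multi-valued RDNs, which holds for the sample."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]


def in_subtree(dn: str, search_base: str) -> bool:
    """Subtree scope: the entry is the search base itself or sits anywhere below it."""
    return dn == search_base or dn.endswith("," + search_base)


def dn_attribute_match(dn: str, attr: str, value: str) -> bool:
    """Semantics of an (attr:dn:=value) extensible match: the ':dn:' flag makes the
    server test the assertion against every RDN of the entry's DN as well, so an
    entry nested several OUs deep matches if any ancestor OU carries that name."""
    return any(a.lower() == attr.lower() and v.lower() == value.lower()
               for a, v in rdns(dn))


def users_via_search_bases(search_bases: List[str]) -> List[str]:
    """Multiple-server-entry method: one subtree search per OU, each using the
    article's simple (mail=?) test filter, modelled here as 'entry has a mail
    attribute'. The result is the union over all configured search bases."""
    hits = {dn for dn, attrs in DIT.items()
            if "mail" in attrs and any(in_subtree(dn, base) for base in search_bases)}
    return sorted(hits)


def users_via_extensible_filter(include_ous: List[str]) -> List[str]:
    """Extensible-match method: a single search from the top of the DIT that
    evaluates (&(objectclass=inetOrgPerson)(|(ou:dn:=X)(ou:dn:=Y)...)) per entry.
    The objectclass test keeps the OU container entries themselves out."""
    hits = [dn for dn, attrs in DIT.items()
            if attrs.get("objectclass", "").lower() == "inetorgperson"
            and any(dn_attribute_match(dn, "ou", ou) for ou in include_ous)]
    return sorted(hits)


if __name__ == "__main__":
    print("search bases GroupA + GroupC:",
          users_via_search_bases(["ou=GroupA,dc=example,dc=com",
                                  "ou=GroupC,dc=example,dc=com"]))
    print("top-level search base:", users_via_search_bases(["dc=example,dc=com"]))
    print("filter GroupA|GroupB|GroupC:",
          users_via_extensible_filter(["GroupA", "GroupB", "GroupC"]))
    print("filter GroupA alone:", users_via_extensible_filter(["GroupA"]))
```

Running the script shows the two methods converging on the same three users (the GroupA, GroupB and GroupC employees) while the GroupD user is excluded by both, and that the top-level search base with the plain (mail=?) filter returns all four, as Step 1 of this section describes. It also shows why the article's filter lists GroupB explicitly even though it is not strictly necessary here: because GroupB is nested under GroupA, (ou:dn:=GroupA) on its own already matches the GroupB user, so naming the nested OU in the filter documents the intent rather than changing the result.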
Step 3: Test the LDAP configuration
Sign in to your Code42 environment as a user from each of your LDAP OUs.
Assistance with complex LDAP directory structures
For consulting options regarding advanced LDAP configuration in your Code42 environment, contact sales.
External resources
- Wikipedia: Directory information tree
- LDAPWiki: Extensible Match Search Filters
- Zytrax: LDAP for Rocket Scientists
- Microsoft: Search Filters
- Microsoft: Active Directory: LDAP Syntax Filters