Skip to main content
Contact Support
  
Code42 Support

User management with LDAP integration

  1. Last updated
    08:22, 1 Jun 2017
  2. Save as PDF

Available in:

  • CrashPlan PRO
    • Standard
    • Premium
    • Enterprise
Applies to:

Overview

This article assumes you have already set up basic LDAP authentication and describes how to extend your Code42 environment integration with LDAP.

For information on configuring your Code42 environment to use LDAP for authentication, see Integrating With LDAP For User Authentication.

LDAP script capabilities

Add JavaScript to your LDAP Server Setup to read user attributes and group membership information from your LDAP environment.

  1. Sign in to the administration console on your authority server.
  2. Go to Settings > Security > LDAP.
  3. Select an existing or new LDAP server:
    • Click on an LDAP server name to select an existing LDAP server.
    • Click Add to create a new LDAP server.
  4. Add JavaScript to any of these three fields in LDAP Server Setup:
    • Active script: Activate or deactivate users
    • Org name script: Assign users to specified organizations
    • Role script: Assign roles to users

LDAP script triggers

Two kinds of server events trigger the scripts to run: user creation and LDAP sync. When the scripts run, they read users' LDAP attributes and group membership, and change your Code42 environment to match.

Do not use regular expressions (regex) in Code42 LDAP scripts
Use of regex syntax causes LDAP sync to take much longer to complete than using other string functions.

Capabilities at user creation

When users are created, the Active, Org Name, and Role scripts are run. The scripts immediately affect the newly created users, placing them into the correct organization and granting them appropriate user roles based on their LDAP attributes and group membership.

Capabilities at LDAP sync

LDAP sync executes the Active, Org Name and Role scripts each time it runs. By default, LDAP synchronization runs once every 12 hours, but this interval length can be configured.

Adding Code42 platform users
LDAP integration helps to manage users, but it does not create them on its own. Create users alongside LDAP integration in one of three ways:

At each LDAP sync, the scripts apply to all users. Certain scripts behave slightly differently at LDAP sync than at initial user creation. Behavior for each script is individually described below.

Example use of LDAP scripts

Consider the following situation. Company X's Org Name script depends on the location LDAP attribute. If the location attribute for user jsmith changes from San Francisco to New York, then the LDAP sync process moves jsmith from the San Francisco org to the New York org.

Script assistance
The sections below contain sample scripts that you may use or modify. For help with scripts, please contact Sales for information about our consulting options. Script support is beyond the scope of technical support and requires assistance from our PRO Services team. PRO Services has access to a large library of existing scripts and can help tailor Code42 for Enterprise's LDAP integration as needed.

Active script

By default, LDAP sync automatically deactivates any users that do not match the LDAP search filter. Deactivated accounts are no longer authorized to back up or restore, and associated device archives are automatically placed into cold storage.

The default Active script code, which handles the default Active script behavior, is:

function(entry) {return true;}

If the user is found in LDAP, the default JavaScript function returns the value TRUE. The authority server then treats the user as active.

But what if your company policy requires that LDAP entries for users remain permanently in LDAP, and the user's employment status is maintained via an LDAP attribute? You can use an Active Script to deactivate a user account based on an LDAP user attribute.

Active script example

Deactivate a user if the 'employeeType' attribute equals 'inactive', or activate a user if the 'employeeType' attribute equals any other value.

function(entry) { return entry.employeeType !="inactive" }

User deactivation and reactivation

When a user is deactivated, the user's devices are automatically deactivated. However, when a user is reactivated, the user's devices are not automatically reactivated. Devices can be reactivated in two ways:

  • The reactivated user may sign in to the Code42 app on the deactivated device
  • The administrator may activate the user's device from the administration console

In either case, the device's GUID remains the same. Data that was previously backed up is still available, if the data retention period has not expired. File selections and other settings also remain the same.

Org name script

The Org Name script places a user into a specific organization. JavaScript is used to parse the user's LDAP entry and return a single value. The user is placed into an organization that matches the return value. The Org Name script is applied during user creation, as well as each time the LDAP sync process runs.

Org name script behavior at user creation

The Org Name script uses several parameters given to it, including the name of a target organization and an organization's registration key, to sort users into organizations.

Target organizations do not need to exist before the script runs. If a named target organization does not exist, the Org Name script creates an organization with that name as a child of the organization corresponding to the given registration key.

Any valid parsing can be performed on the DN (distinguished name) of the user's record with JavaScript, and in this way, LDAP OUs (organizational units) can map to Code42 environment organizations automatically.

Org name script behavior during LDAP sync

Unlike Org Name script behavior at user creation, organizations are not created by the Org Name script during regularly scheduled LDAP sync. This is because the Org Name script doesn't have the scope to determine your Code42 environment's organization structure in order to locate users and organizations.

LDAP OUs can still map automatically to your Code42 environment's organizations, but you will need to create the organizations in order for the Org Name script to sort your users during LDAP sync.

Org name script example

The Org Name script can place users into a Code42 environment organization based on the OU specified in each user's LDAP distinguished name. The script does the following:

  1. Parse the user's distinguished name.
  2. If the user is in the LDAP Staff OU, return the value “Staff” to place the user into the Code42 environment's Staff organization.
  3. If the user is in the LDAP Students OU, return the value “Students” to place the user into the Code42 environment's Students organization.
  4. If the user is in neither the Staff nor the Students OU, return the value “Default” to place the user in the Default organization.
function(entry) {
   var ou = entry.dn;
   if (ou != null){
       if ((ou.indexOf("Staff") >= 0 )){  
           return 'Staff';
       }
       else if ((ou.indexOf("Students") >= 0 )){
           return 'Students';  
       }
       else {
           return 'Default';  
       }  
   }
   else {
       return 'Default';  
   }  
}

Role script

The Role script applies a set of user roles to a user account based on the user's LDAP attributes or security group membership.

Role script example

This example analyzes an LDAP environment and grants Code42 for Enterprise user roles based on LDAP memberships.

  1. Determine which LDAP groups the user is a member of.
  2. Map the appropriate Code42 environment roles to the account:
    • If the user is a member of the Admins LDAP group, grant the SYSADMIN role.
    • If the user is a member of the Support LDAP group, grant the All Org Admin role.
    • If the user is a member of the Managers group, grant the All Org Manager role.
    • If the user is a member of the WorkstationAdmins group, grant the Server Administrator role.
function(entry) {
   var memberof = entry.memberOf;

   // Default user roles
   var myRoles=new Array("PROe User","Desktop User");

   // Loop over LDAP groups
   for (var x = 0; x < memberof.length; ++x) {
      if (memberof[x].indexOf("Admins") > -1) {
         myRoles.push("SYSADMIN");
      }
      if (memberof[x].indexOf("Support") > -1) {
         myRoles.push("All Org Admin");
      }
      if (memberof[x].indexOf("Managers") > -1) {
         myRoles.push("All Org Manager");
      }
      if (memberof[x].indexOf("WorkstationAdmins") > -1) {
         myRoles.push("Server Administrator");
      }
   }
   return myRoles;
}

Still unsure?

Please contact sales for information on our consulting options.