User management with LDAP integration
Available in:
Overview
This article assumes you have already set up basic LDAP authentication and describes how to extend your Code42 environment integration with LDAP.
For information on configuring your Code42 environment to use LDAP for authentication, see Integrate with LDAP for user authentication.
LDAP script capabilities
Add JavaScript to your LDAP Server Setup to read user attributes and group membership information from your LDAP environment.
- Sign in to the administration console on your authority server.
- Go to Settings > Security > LDAP.
- Select an existing or new LDAP server:
- Click on an LDAP server name to select an existing LDAP server.
- Click Add to create a new LDAP server.
- Add JavaScript to any of these three fields in LDAP Server Setup:
- Active script: Activate or deactivate users
- Org name script: Assign users to specified organizations
- Role script: Assign roles to users
LDAP script triggers
Two kinds of server events trigger the scripts to run: user creation and LDAP sync. When the scripts run, they read users' LDAP attributes and group membership, and change your Code42 environment to match.
Use of regex syntax causes LDAP sync to take much longer to complete than using other string functions.
Capabilities at user creation
When users are created, the Active, Org Name, and Role scripts are run. The scripts immediately affect the newly created users, placing them into the correct organization and granting them appropriate user roles based on their LDAP attributes and group membership.
Capabilities at LDAP sync
LDAP sync executes the Active, Org Name and Role scripts each time it runs. By default, LDAP synchronization runs once every 12 hours, but this interval length can be configured.
LDAP integration helps to manage users, but it does not create them on its own. Create users alongside LDAP integration in one of three ways:
- Self-service: When users install the Code42 app and sign in as a new user, their accounts are automatically created. If their organizations are configured to use LDAP, then they must use their LDAP credentials, registration key, and Code42 server address to create their account.
- Deploy custom installers: Deploy preconfigured custom installers with software like Microsoft System Center Configuration Manager or JAMF Software's Casper Suite.
- Create users manually: Administrators can create users manually or by uploading a CSV list.
At each LDAP sync, the scripts apply to all users. Certain scripts behave slightly differently at LDAP sync than at initial user creation. Behavior for each script is individually described below.
Example use of LDAP scripts
Consider the following situation. Company X's Org Name script depends on the location LDAP attribute. If the location attribute for user jsmith changes from San Francisco to New York, then the LDAP sync process moves jsmith from the San Francisco org to the New York org.
The sections below contain sample scripts that you may use or modify. For help with scripts, please contact Sales for information about our consulting options. Script support is beyond the scope of technical support and requires assistance from our PRO Services team. PRO Services has access to a large library of existing scripts and can help tailor Code42 for Enterprise's LDAP integration as needed.
Active script
By default, LDAP sync automatically deactivates any users that do not match the LDAP search filter. Deactivated accounts are no longer authorized to back up or restore, and associated device archives are automatically placed into cold storage.
The default Active script code, which handles the default Active script behavior, is:
function(entry) {return true;}
If the user is found in LDAP, the default JavaScript function returns the value TRUE. The authority server then treats the user as active.
But what if your company policy requires that LDAP entries for users remain permanently in LDAP, and the user's employment status is maintained via an LDAP attribute? You can use an Active Script to deactivate a user account based on an LDAP user attribute.
Active script example
Deactivate a user if the 'employeeType' attribute equals 'inactive', or activate a user if the 'employeeType' attribute equals any other value.
function(entry) { return entry.employeeType !="inactive" }
User deactivation and reactivation
When a user is deactivated, the user's devices are automatically deactivated. However, when a user is reactivated, the user's devices are not automatically reactivated. Devices can be reactivated in two ways:
- The reactivated user may sign in to the Code42 app on the deactivated device
- The administrator may activate the user's device from the administration console
In either case, the device's GUID remains the same. Data that was previously backed up is still available, if the data retention period has not expired. File selections and other settings also remain the same.
Users on legal hold cannot be deactivated
If a user is placed under legal hold, the user cannot be deactivated. Their data is retained for the legal hold process.
Depending on your Code42 server version, Code42 responds in the following ways when you mark a user for deactivation (either during an LDAP sync or by manually deactivating a user from the administration console):
- Code42 version 6.5.x and later: Users are blocked instead of deactivated. Once the user is released from legal hold, they are automatically deactivated.
- Code42 version 6.0.x and earlier: User is not deactivated. You must manually deactivate the user once they are released from legal hold.
Org name script
The Org Name script places a user into a specific organization. JavaScript is used to parse the user's LDAP entry and return a single value. The user is placed into an organization that matches the return value. The Org Name script is applied during user creation, as well as each time the LDAP sync process runs.
Org name script behavior at user creation
The Org Name script uses several parameters given to it, including the name of a target organization and an organization's registration key, to sort users into organizations.
Target organizations do not need to exist before the script runs. If a named target organization does not exist, the Org Name script creates an organization with that name as a child of the organization corresponding to the given registration key.
Any valid parsing can be performed on the DN (distinguished name) of the user's record with JavaScript, and in this way, LDAP OUs (organizational units) can map to Code42 environment organizations automatically.
Org name script behavior during LDAP sync
Unlike Org Name script behavior at user creation, organizations are not created by the Org Name script during regularly scheduled LDAP sync. This is because the Org Name script doesn't have the scope to determine your Code42 environment's organization structure in order to locate users and organizations.
LDAP OUs can still map automatically to your Code42 environment's organizations, but you will need to create the organizations in order for the Org Name script to sort your users during LDAP sync.
Org name script example
The Org Name script can place users into a Code42 environment organization based on the OU specified in each user's LDAP distinguished name. The script does the following:
- Parse the user's distinguished name.
- If the user is in the LDAP Staff OU, return the value “Staff” to place the user into the Code42 environment's Staff organization.
- If the user is in the LDAP Students OU, return the value “Students” to place the user into the Code42 environment's Students organization.
- If the user is in neither the Staff nor the Students OU, return the value “Default” to place the user in the Default organization.
function(entry) {
var ou = entry.dn;
if (ou != null){
if ((ou.indexOf("Staff") >= 0 )){
return 'Staff';
}
else if ((ou.indexOf("Students") >= 0 )){
return 'Students';
}
else {
return 'Default';
}
}
else {
return 'Default';
}
}
Role script
The Role script applies a set of user roles to a user account based on the user's LDAP attributes or security group membership.
Role script example
This example analyzes an LDAP environment and grants Code42 for Enterprise user roles based on LDAP memberships.
- Determine which LDAP groups the user is a member of.
- Map the appropriate Code42 environment roles to the account:
- If the user is a member of the Admins LDAP group, grant the SYSADMIN role.
- If the user is a member of the Support LDAP group, grant the All Org Admin role.
- If the user is a member of the Managers group, grant the All Org Manager role.
- If the user is a member of the WorkstationAdmins group, grant the Server Administrator role.
function(entry) {
var memberof = entry.memberOf;
// Default user roles
var myRoles=new Array("PROe User","Desktop User");
// Loop over LDAP groups
for (var x = 0; x < memberof.length; ++x) {
if (memberof[x].indexOf("Admins") > -1) {
myRoles.push("SYSADMIN");
}
if (memberof[x].indexOf("Support") > -1) {
myRoles.push("All Org Admin");
}
if (memberof[x].indexOf("Managers") > -1) {
myRoles.push("All Org Manager");
}
if (memberof[x].indexOf("WorkstationAdmins") > -1) {
myRoles.push("Server Administrator");
}
}
return myRoles;
}
Still unsure?
Please contact sales for information on our consulting options.