Configuring LDAP Sync with Altium NEXUS Server

Parent page: Managing Users

To simplify the process of connecting to and accessing company networks, the Altium NEXUS Server facilitates directory services support through its browser interface.

This offers domain user synchronization based on the Lightweight Directory Access Protocol (LDAP), which queries the network’s central LDAP server to retrieve domain user group and role membership information. Authenticating domain users through established directory services in this way offers the potential of a single login for access to all company systems, including the Altium NEXUS Server.

The NEXUS Server LDAP synchronization queries the network services on a user role basis, where role membership information is gathered for NEXUS Server user access authorization. Polling the domain membership through the LDAP service (synchronizing) allows the system to respond to a domain user configuration change within a synchronization cycle.

LDAP Sync

An LDAP Sync allows the administrator of an Altium NEXUS Server to leverage the network domain’s existing username and password credentials, so that user credentials do not have to be created manually one at a time on the Users page of the NEXUS Server's browser-based interface. When setup correctly, the Users page will automatically populate with user credentials, enabling any user listed to sign into the Altium NEXUS Server using their regular corporate network username and password.

This article details a proven approach that has been successfully used in setting up an LDAP Sync on a domain. Try this approach when setting up an LDAP Sync on your own domain.

What do I need?

• Administrative access to the Altium NEXUS Server.
• Optionally, an extremely helpful utility is an application called LDAP Admin (download LdapAdminExe-<version>.zip from http://www.ldapadmin.org/)

Obtaining the LDAP Search string (Distinguished Name)

When configuring an LDAP Sync task through the Altium NEXUS Server's bowser-based interface, you need to supply the LDAP Distinguished Name (DN). This is entered in string format, and identifies the base object of the LDAP search. To get this string, we're going to use the LDAP Admin utility, so first ensure the zip file is downloaded, and extract out the LdapAdmin executable therein.

Download and extract the LdapAdmin.exe file.

Run the LdapAdmin.exe executable as Administrator (just right-click on it and select Run as administrator).

When the LDAP Admin panel opens, choose Start » Connect to access the Connections dialog, then double-click New connection to access the Connection properties dialog.

Creating a new connection within the LDAP Admin utility.

On the General tab of the Connection properties dialog, configure the connection information in relation to your domain, an example of which might be:

• Connection name: just any arbitrary name to be used for the connection icon.
• Host: testsite.com
• Port: 389

• Base: DC=testsite, DC=com
• Enable the GSS-API option.

• Account: just leave the Use current user credentials option enabled.

An example configured connection, when using standard LDAP. If using LDAPS (LDAP over SSL),
change the Port to 636, and enable the SSL option.

With the connection properties configured, press the Test connection button. If all is set correctly, you should see the Connection is successful message. Click OK to finish creating the new connection.

You now need to identify the string that targets the base object of the LDAP search. To do this:

1. Select your newly-created connection and click OK in the Connections dialog - your network domain and user group hierarchy will be presented.
2. Expand the relevant folder path until you get to the folder containing the required users.
3. Right-click on this folder and choose the Search command from the context menu. This will open the Search panel. The key piece of information you are after is the string already populated in the Path field. Reading from left-to-right, this string represents the path to this folder of users from the bottom-up, within the domain structure. For our example, we'll assume a folder of specific users - Designers - which is a child of the parent folder - Users. For this case, our string is: OU=Designers,OU=Users,DC=testsite,DC=com.
4. Copy and paste this string to a text file for subsequent use in the configuration process, or optionally just leave the Search panel accessible.

At this point, the LDAP Admin utility is no longer required for any further steps.

Configuring an Altium NEXUS Server to use LDAP Sync

Now, let’s focus on the Altium NEXUS Server. Sign into the target Altium NEXUS Server - through its browser-based interface - as an Administrator. If you are intending to create user credentials from LDAP automatically, then you probably want to remove any existing manually created users. So ideally just start with the default Administrator's role users - admin and System (on the Users page of the interface, in the Team area).

If you want the users from the LDAP Sync to be associated with a specific role, you can switch to the Roles page and create a new role as required (e.g. Electrical Designers, Mechanical Designers, PCB Specialists, etc…), leaving it empty of users. For our example, we'll create a role called Designers.

Now switch to the LDAP Sync page, and click the  button to access the ADD LDAP SYNC TASK dialog.

Fill in the following information (based on our example domain structure we have used in the previous section):

General

• Target Role: Designers
• Url: LDAP://testsite.com:389

• DN: OU=Designers,OU=Users,DC=testsite,DC=com

• Filter: leave this field blank to acquire all users from the specified group determined on the domain (in the DN field). If the nominated area of the domain structure contained further groupings of users, you could extract just a subset of those users by using an appropriate filtering string here.

For example, consider if there had been a set of users under the group of Designers, gathered to have administrative powers (CN=Administrators). To target just this set of users, and not all of the Designers (under the OU=Designers area of the domain structure), a query string could be written that targets this point in the domain structure:

(&(objectClass=user)(memberof=CN=Administrators,OU=Designers,OU=Users,DC=testsite,DC=com))

• Scope: sub
• Attributes: sAMAccountName

Authentication

• User Name: domain\<your username> (e.g. testsite\jason.howie)
• Password: <your password>

Attribute Mapping

• First Name: givenName
• Last Name: sn
• Email: mail
• User Name: sAMAccountName
• Overwrite existing users - when enabled, the LDAP Sync will override manually created users with those returned by the sync query, as long as the users' names are an identical match.

User authentication type

• Selection button:  Windows
• Domain: testsite.com

Example LDAP Sync task, configured with all required information when using standard LDAP. If using
LDAPS (LDAP over SSL), the Url entry would be changed to LDAPS://testsite.com:636.

When you have completed entering all settings, click . This will initiate the Sync process, which may take a minute or two, as it processes the information you just entered.

Now access the Users page. This list should now be populated with all users as defined by the OU=<GroupName> setting (see example image below). Now anyone can sign into the Altium NEXUS Server using their regular Windows login.