Configuring LDAP Sync with Altium Infrastructure Server | 1.0 マニュアル

Created: April 6, 2017 | Updated: January 18, 2018

Contents

LDAP Sync
What do I need?
Obtaining the LDAP Search string (Distinguished Name)
Configuring an Altium Infrastructure Server to use LDAP Sync

To simplify the process of connecting to and accessing company networks, the Altium Infrastructure Server facilitates directory services support through its browser interface.

This offers domain user synchronization based on the Lightweight Directory Access Protocol (LDAP), which queries the network’s central LDAP server to retrieve domain user group and role membership information. Authenticating domain users through established directory services in this way offers the potential of a single login for access to all company systems, including the Altium Infrastructure Server.

The Infrastructure Server LDAP synchronization queries the network services on a user role basis, where role membership information is gathered for Infrastructure Server user access authorization. Polling the domain membership through the LDAP service (synchronizing) allows the system to respond to a domain user configuration change within a synchronization cycle.

For more information on the LDAP principles, capabilities and implementation syntax, see https://tools.ietf.org/html/rfc4510 and its constituent documentation pages.

LDAP Sync

An LDAP Sync allows the administrator of an Altium Infrastructure Server to leverage the network domain’s existing username and password credentials, so that user credentials do not have to be created manually one at a time on the USERS page of the Infrastructure Server's browser-based interface. When setup correctly, the USERS page will automatically populate with user credentials, enabling any user listed to sign into the Altium Infrastructure Server using their regular corporate network username and password.

To sign in to the Infrastructure Server using your Windows login credentials - taking advantage of the Infrastructure Server's support for Windows Authentication - enable the Use Windows Session credentials option.

The Altium Infrastructure Server supports both Standard LDAP, and LDAPS (LDAP over SSL).

This article details a proven approach that has been successfully used in setting up an LDAP Sync on a domain. Try this approach when setting up an LDAP Sync on your own domain.

What do I need?

Administrative access to the Altium Infrastructure Server.
Optionally, an extremely helpful utility is an application called LDAP Admin (download LdapAdminExe-<version>.zip from http://www.ldapadmin.org/)

LDAP Admin can be used to identify the exact User Group query strings and syntax required to configure the Altium Infrastructure Server LDAP setup page.

Obtaining the LDAP Search string (Distinguished Name)

When configuring an LDAP Sync task through the Altium Infrastructure Server's bowser-based interface, you need to supply the LDAP Distinguished Name (DN). This is entered in string format, and identifies the base object of the LDAP search. To get this string, we're going to use the LDAP Admin utility, so first ensure the zip file is downloaded, and extract out the LdapAdmin executable therein.

Download and extract the LdapAdmin.exe file.

Run the LdapAdmin.exe executable as Administrator (just right-click on it and select Run as administrator).

When the LDAP Admin panel opens, choose Start » Connect to access the Connections dialog, then double-click New connection to access the Connection properties dialog.

Creating a new connection within the LDAP Admin utility.

On the General tab of the Connection properties dialog, configure the connection information in relation to your domain, an example of which might be:

Connection name: just any arbitrary name to be used for the connection icon.
Host: testsite.com
Port: 389

If you are configuring for LDAPS (LDAP over SSL), then the port needs to be 636.

Base: DC=testsite, DC=com
Enable the GSS-API option.

If you are configuring for LDAPS (LDAP over SSL), then you also need to enable the SSL option.

Account: just leave the Use current user credentials option enabled.

An example configured connection, when using standard LDAP. If using LDAPS (LDAP over SSL),
change the Port to 636, and enable the SSL option.

With the connection properties configured, press the Test connection button. If all is set correctly, you should see the Connection is successful message. Click OK to finish creating the new connection.

You now need to identify the string that targets the base object of the LDAP search. To do this:

Select your newly-created connection and click OK in the Connections dialog - your network domain and user group hierarchy will be presented.
Expand the relevant folder path until you get to the folder containing the required users.
Right-click on this folder and choose the Search command from the context menu. This will open the Search panel. The key piece of information you are after is the string already populated in the Path field. Reading from left-to-right, this string represents the path to this folder of users from the bottom-up, within the domain structure. For our example, we'll assume a folder of specific users - Managers - which is a child of the parent folder - Users. For this case, our string is: OU=Managers,OU=Users,DC=testsite,DC=com.
Copy and paste this string to a text file for subsequent use in the configuration process, or optionally just leave the Search panel accessible.

At this point, the LDAP Admin utility is no longer required for any further steps.

Configuring an Altium Infrastructure Server to use LDAP Sync

Now, let’s focus on the Altium Infrastructure Server. Sign into the target Altium Infrastructure Server - through its browser-based interface - as an Administrator. If you are intending to create user credentials from LDAP automatically, then you probably want to remove any existing manually created users. So ideally just start with the default Administrator's role users - admin and System.

An example target Altium Infrastructure Server, with just the two default administrative users, admin and System.

If you want the users from the LDAP Sync to be associated with a specific role, you can switch to the Roles tab and create a new role as required, leaving it empty of users. For our example, we'll create a role called Managers.

Now switch to the LDAP Sync tab, and click the button to access the Add LDAP Sync Task dialog.

Adding a new LDAP Sync Task through the Infrastructure Server's browser-based interface.

Fill in the following information (based on our example domain structure we have used in the previous section):

General

Target Role: Managers
Url: LDAP://testsite.com:389

If configuring for LDAPS (LDAP over SSL), then the Url in this example would be: LDAPS://testsite.com:636.

DN: OU=Managers,OU=Users,DC=testsite,DC=com

This is the string obtained from the Path field of the Search panel, when using the LDAP Admin utility in the previous section.

Filter: leave this field blank to acquire all users from the specified group determined on the domain (in the DN field). If the nominated area of the domain structure contained further groupings of users, you could extract just a subset of those users by using an appropriate filtering string here.

For example, consider if there had been a set of users under the group of Managers, gathered to have administrative powers (CN=Administrators). To target just this set of users, and not all of the Managers (under the OU=Managers area of the domain structure), a query string could be written that targets this point in the domain structure:

(&(objectClass=user)(memberof=CN=Administrators,OU=Managers,OU=Users,DC=testsite,DC=com))

While the Filter field can be left blank, returning all users along the path defined by the DN field, this can be quite dangerous. That path could be pointing to an area of the domain structure that contains a huge number of users, and could lock-up the whole organization due to excessive load on the Altium Infrastructure Server and Active Directory. It really is better to target one or more sets of specific users, using dedicated filtering. For more information regarding LDAP queries that can be used to target specific sets of users, use the following links:

Common LDAP Queries - specifically the queries dealing with users. This page is actually part of a detailed manual from Google, relating to Google Apps Directory Sync, but is useful for such areas that deal with LDAP.
LDAP Query Basics

Scope: sub
Attributes: sAMAccountName

Authentication

User Name: domain\<your username> (e.g. testsite\jason.howie)
Password: <your password>

Attribute Mapping

First Name: givenName
Last Name: sn
Email: mail
User Name: sAMAccountName

User authentication type

Radio button: Windows
Domain: testsite.com

Example LDAP Sync task, configured with all required information when using standard LDAP. If using LDAPS (LDAP over SSL), the Url
entry would be changed to LDAPS://testsite.com:636.

When you have completed entering all settings, click . This will initiate the Sync process, which may take a minute or two, as it processes the information you just entered. Watch the Sync status messages at the top of the LDAP Sync page, to see when the process completes.

Now click on the Users tab. This list should now be populated with all users as defined by the OU=<GroupName> setting (see example image below). Now anyone can sign into the Altium Infrastructure Server using their regular Windows login.

Please note that additional users can be manually added outside of the LDAP Sync group - so you can indeed have a mixture of manually created users as well as LDAP-specified (automatically created) users.

Example population of users for an Altium Infrastructure Server, through use of an LDAP sync.