LDAP

 

Useful reference from Microsoft on Active Directory LDAP filter syntax: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Below is a working LDAP configuration from the TAC Lab.

LDAP General Settings (in our Lab the server has been updated to dsdc39.ds.jdsu.net)

Server/Host: dsdc39.ds.jdsu.net

Port: 389

Version: 3

Security: TLS (with port 389 this is StartTLS on the standard LDAP port; LDAPS, which negotiates TLS before any LDAP traffic, listens on port 636 instead)

Base DN: dc=ds,dc=jdsu,dc=net (the DN of your organisation's domain, written as dc= components; the Group DN and User DN values below are given relative to it)

Bind DN: mnldap@ds.jdsu.net (the account used to connect to the LDAP server; it only needs read access to the user and group OUs, so use a dedicated read-only service account rather than an admin account)

Bind Password:

 

LDAP User Group Settings

Group DN: ou=MIN,ou=AM,ou=UserGroups (the path, relative to the Base DN, to the OU that contains your groups. The order of the "ou=" entries matters: a DN reads from the leaf on the left to the root on the right, so this resolves to ou=MIN,ou=AM,ou=UserGroups,dc=ds,dc=jdsu,dc=net)

Group Filter: (&(objectClass=Group)(cn=AM-MIN-USERS-Jira-*)) (selects the groups whose members will be synced; here every group whose cn starts with AM-MIN-USERS-Jira-)

Group ID attribute: objectGUID (optional, but recommended: without a stable ID attribute an object is keyed on its name, so a renamed object is created again on the next sync instead of the existing one being updated)

Group name attribute: cn

Screenshot (image-1675863210048.png): User Group objects in the LDAP tree.

 

LDAP User Settings

User DN: ou=UserAccounts (refers to the “ou” where users can be found)

User Filter: (&(objectClass=user)(objectCategory=person)) (selects objects that are both "user" and "person"; the objectCategory clause matters because computer accounts in AD are also objectClass=user and would otherwise be imported)

User ID attribute: objectGUID (optional, but recommended: without it users are keyed on the username, so any change to the username creates another user during the sync instead of updating the existing one)

Username attribute: sAMAccountName (the attribute used as the username when logging into the platform)

We do not recommend using $1 commands with LDAP synchronizations; that command applies only when you use Import to import LDAP users.
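As an added illustration of the objectGUID point above (example code written for this page, not the platform's sync implementation): a small model of a sync that upserts users keyed on the configured User ID attribute, run twice with one user renamed between the runs. The usernames and GUID values are constructed.

```python
# Added example (not the platform's own sync code): models how an LDAP sync
# keys users on the configured "User ID attribute", and what a rename does.
from dataclasses import dataclass, field


@dataclass
class SyncState:
    """Local user store: key -> record, plus counters for what each sync did."""
    users: dict = field(default_factory=dict)
    created: int = 0
    updated: int = 0


def sync_users(state, ldap_entries, id_attribute):
    """Upsert each LDAP entry into state, keyed on id_attribute.

    id_attribute is "objectGUID" (the User ID attribute from the page) or
    "sAMAccountName" to model the fallback when no ID attribute is set and the
    sync has nothing but the username to match on.
    """
    for entry in ldap_entries:
        key = entry[id_attribute]
        record = {"username": entry["sAMAccountName"], "objectGUID": entry["objectGUID"]}
        if key in state.users:
            state.users[key].update(record)  # same object, just refresh it
            state.updated += 1
        else:
            state.users[key] = record  # never seen this key: new local user
            state.created += 1
    return state


def simulate_rename(id_attribute):
    """Run two syncs; in the second one jsmith has been renamed to jsmith2.

    Returns (local users after sync 2, total created, total updated).
    """
    # Constructed sample entries; the objectGUID values are placeholders.
    first_run = [
        {"sAMAccountName": "jsmith", "objectGUID": "guid-0001"},
        {"sAMAccountName": "aburns", "objectGUID": "guid-0002"},
    ]
    second_run = [
        {"sAMAccountName": "jsmith2", "objectGUID": "guid-0001"},  # renamed, same GUID
        {"sAMAccountName": "aburns", "objectGUID": "guid-0002"},
    ]
    state = sync_users(SyncState(), first_run, id_attribute)
    state = sync_users(state, second_run, id_attribute)
    return len(state.users), state.created, state.updated


if __name__ == "__main__":
    for attr in ("objectGUID", "sAMAccountName"):
        users, created, updated = simulate_rename(attr)
        print(f"keyed on {attr}: {users} users, {created} created, {updated} updated")
```

Keyed on objectGUID the rename is an update and the store still holds two users; keyed on the username the renamed account comes back as a third user and the old jsmith record is left behind.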

Screenshot (image-1675863255425.png): User object in the LDAP tree.

Below is a working configuration from a customer in the field (do not share externally).

To get you started with OMS, the following settings are recommended (note that they will add ALL users in the groups matching MA-Comm-Gstore*):

 

LDAP User Group Settings

Group DN: OU=My Access,OU=Corporate Resource Groups,OU=Corporate Accounts

Group Filter: (&(objectClass=group)(cn=MA-Comm-Gstore*))

Group ID attribute: objectGUID

Group name attribute: cn

 

LDAP User Settings

User DN:

User Filter: (&(objectClass=user)(objectCategory=person))

User ID attribute: objectGUID 

Username attribute: cn

 

If the above settings work, then try tweaking the filters further to get the appropriate users imported.

That being said, you may not need the user filters, since the group filter already limits the users to the members of the groups matching MA-Comm-Gstore*.

Lastly, we do not recommend using $1 commands with LDAP synchronizations; that command applies only when you use Import to import LDAP users.

If needed, try the following filter instead (memberOf holds the full DN of each group, so a wildcard such as MA-Comm-Gstore* does not work here and every group has to be listed explicitly; a plain memberOf match also covers direct membership only, not nested groups):

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=MA-Comm-Gstore_Admin,OU=My Access,OU=Corporate Resource Groups,OU=Corporate Accounts,DC=aramco,DC=com)(memberOf=CN=MA-Comm-Gstore_Read_NIMG,OU=My Access,OU=Corporate Resource Groups,OU=Corporate Accounts,DC=aramco,DC=com)))
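The filters on this page are assembled by hand, which is fine for a fixed configuration, but as soon as a group name or a username from outside is substituted into a filter it must be escaped per RFC 4515, otherwise characters such as *, ( and ) change the meaning of the filter (LDAP injection). The following added example (written for this page, not code from the platform or from Microsoft) builds the lab Group Filter, the customer memberOf filter above and a login lookup filter from their parts with escaping applied, joins a relative Group DN onto the Base DN in the correct order, and, going beyond the page, shows the AD matching rule for nested group membership. The sample username containing injection characters is constructed.

```python
# Added example (not the platform's or Microsoft's code): builds the DNs and
# filters used on this page from their parts, escaping untrusted values so a
# group name or username can never alter the filter structure.

# RFC 4515: these characters inside a filter assertion value must become \XX.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514: these characters inside an RDN value must be backslash-escaped.
_DN_SPECIALS = set(',+"\\<>;=')

# Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN (nested membership).
_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape one RDN value (e.g. a cn) so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = (ch in _DN_SPECIALS
                   or (i == 0 and ch == "#")
                   or (ch == " " and (i == 0 or i == last)))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def full_dn(relative_dn, base_dn):
    """Join a DN given relative to the Base DN (as the page's Group DN / User DN
    fields are) onto the base. Order matters: leaf on the left, root on the right."""
    return f"{relative_dn},{base_dn}" if relative_dn else base_dn


def group_filter(cn_prefix, object_class="group"):
    """Wildcard group filter as in the Group Filter fields; the prefix is escaped,
    the trailing * is ours and therefore kept literal."""
    return f"(&(objectClass={object_class})(cn={escape_filter_value(cn_prefix)}*))"


def member_of_filter(group_names, group_ou_dn, base_dn, user_attr="sAMAccountName", nested=False):
    """Explicit-group filter from the customer section: person objects with a
    username that are members of any listed group. nested=True switches to the
    AD in-chain rule so members of groups nested inside those groups match too.
    A DN used as a filter value is escaped twice: DN rules first, then filter rules."""
    op = f"memberOf:{_IN_CHAIN}:=" if nested else "memberOf="
    clauses = []
    for name in group_names:
        group_dn = full_dn(f"CN={escape_dn_value(name)}", full_dn(group_ou_dn, base_dn))
        clauses.append(f"({op}{escape_filter_value(group_dn)})")
    return f"(&(objectCategory=Person)({user_attr}=*)(|{''.join(clauses)}))"


def user_login_filter(username, user_attr="sAMAccountName"):
    """Filter a platform would use to look a user up at login; the username is
    untrusted input and is escaped so it cannot widen the match."""
    return (f"(&(objectClass=user)(objectCategory=person)"
            f"({user_attr}={escape_filter_value(username)}))")


if __name__ == "__main__":
    print(full_dn("ou=MIN,ou=AM,ou=UserGroups", "dc=ds,dc=jdsu,dc=net"))
    print(group_filter("AM-MIN-USERS-Jira-", object_class="Group"))
    print(member_of_filter(["MA-Comm-Gstore_Admin", "MA-Comm-Gstore_Read_NIMG"],
                           "OU=My Access,OU=Corporate Resource Groups,OU=Corporate Accounts",
                           "DC=aramco,DC=com"))
    # Constructed malicious username: unescaped it would match every user.
    print(user_login_filter("*)(sAMAccountName=*"))
```

The unescaped version of that last username would turn the login filter into a match on every user object; escaped, it is looked up as a literal string and matches nothing. To check a filter by hand before entering it in the platform, pass the same string to ldapsearch against the lab server with -H ldap://dsdc39.ds.jdsu.net -ZZ (StartTLS required), -D mnldap@ds.jdsu.net -W for the bind and -b set to the full Group DN or User DN.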

 
