AssetSonar also integrates with your LDAP (Lightweight Directory Access Protocol) or Active Directory servers. Users in your organization can use their LDAP credentials to access AssetSonar.
- What is LDAP/Active Directory?
- Why integrate your Active Directory with AssetSonar?
- Whitelisting the IPs on your LDAP server
- Basic settings
- Importing users to Custom Roles
- Setting up Organizational Units/Departments
- Defining LDAP attributes
- Email alerts for successful syncs
- Importing/updating users
- Advanced options
- User listings
- Which information is synced when LDAP sync takes place?
1. What is LDAP/Active Directory?
LDAP is the protocol that directory servers such as Active Directory Domain Services (AD DS) speak. AD DS stores directory data and manages communication between users and domains, including the user logon process, authentication, and directory searches. An LDAP directory is organized in a simple “tree” hierarchy, and LDAP is most commonly used in medium to large companies.
2. Why integrate your Active Directory with AssetSonar?
Some of our customers wanted to ‘sync’ their staff database with AssetSonar or wanted to avoid replicating LDAP staff members in AssetSonar. For such cases, we allow integration with LDAP servers.
Enable LDAP Server Integration from Settings → Add Ons.
3. Whitelisting the IPs on your LDAP server
You may need to whitelist our IP addresses on your LDAP server. To whitelist our IPs on your Directory Server, use the following two IPs:
4. Basic settings
Once enabled, you’ll see a list of settings required to complete the LDAP integration successfully. See the image below:
– LDAP Server: The IP address or URL of your company’s Directory Server. (Note: Make sure to fill in the correct IP address to avoid a connection error later).
– LDAP Server Port: The port on which your directory server listens to requests.
– LDAP Admin Login: The complete ‘dn’ (distinguished name, for example cn=svc-assetsonar,ou=Service Accounts,dc=example,dc=com) of the account on your company’s directory server that is able to search through all of your directory users. A read-only service account with search rights over the relevant OUs is enough; it does not need domain administrator privileges.
– LDAP Admin Password: Password of the admin user on your directory server.
– LDAP Login Attribute: The attribute that your users will use to login to their account. The default value is ‘cn’ (common name) but you can change it to any attribute e.g. ‘mail’. Note that cn only has to be unique within its container, so pick an attribute that is unique across the whole directory (such as mail, uid, or on Active Directory sAMAccountName or userPrincipalName).
– LDAP Unique Identifier: The attribute that your users will have as their unique identification. They can either use their employee ID or their email address for this field. Prefer a value that never changes for a given person: an employee ID survives name and mailbox changes, whereas an email address may be renamed or reassigned.
– LDAP Encryption Enabled: Select this setting only if your directory server allows secure (TLS) connections, and enable it wherever you can: without it, the admin bind password and your users’ login credentials cross the network in cleartext.
Once you’ve filled all the above settings, click ‘Verify Connection’ to ensure successful integration.
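As an added example (not code from AssetSonar or this article), the following Python script audits a Basic settings block for the problems that most often cause a failed ‘Verify Connection’ or a weak integration, and shows how a value typed into the login form should be escaped before it goes into the directory search filter built from the Login Attribute. The field names, the service-account DN and the two settings blocks are assumptions made for illustration.

```python
# Added example, not AssetSonar's own code: sanity-check the Basic settings
# above before clicking 'Verify Connection', and show how the Login Attribute
# should be turned into a directory search filter. Field names are hypothetical.
from dataclasses import dataclass

# Characters that carry meaning inside an LDAP search filter (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-typed value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(login_attribute: str, typed_login: str) -> str:
    """Filter that finds the entry of whoever is signing in, e.g. (mail=a@x)."""
    return f"({login_attribute}={escape_filter_value(typed_login)})"


def ldap_url(server: str, port: int, encryption_enabled: bool) -> str:
    """URL the connection will use; ldaps:// only when encryption is enabled."""
    return f"{'ldaps' if encryption_enabled else 'ldap'}://{server}:{port}"


def is_distinguished_name(value: str) -> bool:
    """Rough check that the admin login is a DN (attr=value,attr=value,...),
    not a DOMAIN\\user or plain user name. Escaped commas are not handled."""
    for part in value.split(","):
        attr, sep, val = part.partition("=")
        if not sep or not attr.strip() or not val.strip():
            return False
    return True


@dataclass
class LdapSettings:
    server: str
    port: int
    admin_login: str
    login_attribute: str
    unique_identifier: str
    encryption_enabled: bool


def audit_settings(s: LdapSettings) -> list[str]:
    """Return the findings a reviewer would raise about a settings block."""
    findings = []
    if not s.encryption_enabled:
        findings.append("encryption disabled: the admin bind password and user "
                        "logins cross the network in cleartext")
    if s.encryption_enabled and s.port == 389:
        findings.append("encryption enabled on port 389: confirm the server "
                        "offers StartTLS there, or use the LDAPS port 636")
    if not s.encryption_enabled and s.port == 636:
        findings.append("port 636 without encryption: 636 is the LDAPS port")
    if not is_distinguished_name(s.admin_login):
        findings.append("admin login is not a DN, e.g. "
                        "cn=svc-assetsonar,ou=Service Accounts,dc=example,dc=com")
    if s.login_attribute.lower() == "cn":
        findings.append("cn is only unique within one container; prefer mail, "
                        "uid, sAMAccountName or userPrincipalName")
    if s.unique_identifier.lower() in {"mail", "cn"}:
        findings.append("unique identifier can change on rename; prefer an "
                        "employee ID or another immutable attribute")
    return findings


# Constructed settings blocks: a weak one and a corrected one.
WEAK = LdapSettings("10.0.0.5", 389, "EXAMPLE\\svc-assetsonar", "cn", "mail", False)
HARDENED = LdapSettings("ldap.example.com", 636,
                        "cn=svc-assetsonar,ou=Service Accounts,dc=example,dc=com",
                        "sAMAccountName", "employeeID", True)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, ldap_url(cfg.server, cfg.port, cfg.encryption_enabled),
              audit_settings(cfg) or "no findings")
    # A login of "*)(objectClass=*" must not become part of the filter syntax.
    print(login_filter("mail", "*)(objectClass=*"))
```

Run it as a script to print the findings for both blocks. The DN check is deliberately loose (it does not parse escaped commas), which is enough to catch the common mistake of entering a DOMAIN\user account name where a distinguished name is required.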
5. Importing users to Custom Roles
If you want to map your users and their respective roles in a way that their hierarchy is reflected in AssetSonar, then you can do so by checking the ‘Import Users to Custom Roles’ option.
Once you have checked the setting, the following options appear in the attribute and column mapping table:
Note: If the data values for Roles and Teams are not already specified in AssetSonar, the users belonging to these Roles and Teams will not get provisioned into AssetSonar. You will receive an email listing the users that could not be provisioned.
If a custom role imported from LDAP does not exist in AssetSonar, users belonging to that role can instead be provisioned to a default role. Set the Default Role using the option highlighted below:
For example, if you import users belonging to the custom role Customer Success team from LDAP and this role is not present in AssetSonar, those users will be provisioned as Administrators.
If you do not wish to provision these users as Administrators, select the option ‘Provision to some role’ and provision them to a custom role that already exists in AssetSonar. Since a mistyped or unmapped role value on the directory side would otherwise silently create Administrators, a low-privilege existing role is the safer default.
6. Setting up Organizational Units/Departments
Identify the organizational unit (one or more) where your AssetSonar users exist. All users in that organizational unit(s) will have access to AssetSonar, and any user outside the given organizational unit(s) won’t be able to log in. If you have a nested OU structure (e.g. Branding Division being an OU, which has two sub-OUs Marketing and Finance) then all the sub-OUs also need to be listed. In this example, we’ll list 3 OUs; Branding Division, Marketing, and Finance.
If you have User listings enabled, you can map OUs to your User listings (explained in section 11 below). Otherwise, skip this step.
7. Defining LDAP attributes
To sync additional LDAP attributes with AssetSonar, define a column for each attribute in the mapping table. See the image below:
Make sure to Save your Settings by scrolling down and hitting the ‘Update’ button.
Apart from all these, you can also map custom fields. To do so, select the ‘Enable Custom Fields Mapping in LDAP’ option. You will then see all the custom fields that you have created and can now map, as shown below:
Note: Once you enable custom field mapping in LDAP, all mandatory custom fields must be mapped. Any member that is being imported from LDAP but has missing values for mandatory fields will not be imported unless the mandatory field has a default value. You would also be able to import users to custom roles but if a specific custom role doesn’t exist, then the user will not be provisioned and instead, an email will be sent enumerating the missing roles.
8. Email alerts for successful syncs
You can also set up alerts to be sent after LDAP users are synced. To do so, go to Alerts → Members section and select the ‘LDAP Users Sync’ option.
This email is only sent to the account owner, admins, and supervisors. You can also send alerts as part of the daily digest. If you click on ‘Sample View’, it shows you the email that will be sent in the alert.
9. Importing/updating users
Once your LDAP settings are in place, you can import the users from your AD using the Import button at the Members tab.
You can also sync (update) the AssetSonar members with your LDAP users, using the Update Existing Members option. The sync process can be automated by enabling the ‘auto-syncing of users’ setting at Settings → Add Ons → LDAP Server Integration.
You can provision users from multiple sources, whether manually or through LDAP, and merge them as data gets updated, so that you maintain the latest information on your users, especially if they were added through spreadsheets. Merging takes place when a user was brought in through SAML and/or manual entry (CSV or individual entry) and is then matched by LDAP.
Note: A common cause of an unsuccessful import/sync is not having the Last Name and Email attributes populated in your LDAP server. Also, look out for invalid user email addresses.
Read more: Types of Members in AssetSonar
10. Advanced options
Settings → Add Ons → LDAP Server Integration has the advanced options.
a) Enable ‘Auto Sync’: Check this option to automate the sync of AssetSonar members with LDAP users. The sync runs once a day. Enabling it reveals the following additional LDAP sync settings:
– Automatically deactivate deleted LDAP users: If selected, users deleted in the LDAP server are automatically deactivated in AssetSonar, so AssetSonar access is revoked for the users you’ve deleted in LDAP. Verify with a test account that this matches your offboarding process (for example, whether an account that is disabled but not deleted in the directory is also deactivated).
– Automatically reactivate LDAP users: If some inactive AssetSonar users are found in the LDAP server, they will be re-activated on sync.
– Provision all new users: If some LDAP users do not exist in AssetSonar, they will automatically be created during the sync.
– Users created by the LDAP sync have alerts enabled. You can change this later on the Members page.
– Users created by the LDAP sync are Login Enabled (this also affects manual LDAP import).
b) Update User Listings of existing users: If the Organizational Unit (OU) of some LDAP users changes, their User Listing is automatically updated during the sync.
c) Allow Administrators to sync users: Administrators will be able to sync LDAP users.
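To see what those options would do to a real member list before turning on auto sync, here is an added Python dry-run planner. It is not AssetSonar’s code; the record layout, the field names, and the rule that only members previously synced from LDAP are deactivated are assumptions of the example, and all records are constructed.

```python
# Added example, not AssetSonar's own code: a dry-run planner that applies the
# advanced options above to a directory snapshot and the current member list,
# so you can see what a nightly sync would create, update, reactivate and
# deactivate before enabling it. All records and field names are constructed.
from dataclasses import dataclass


@dataclass
class SyncOptions:
    auto_deactivate: bool = True    # Automatically deactivate deleted LDAP users
    auto_reactivate: bool = True    # Automatically reactivate LDAP users
    provision_new: bool = True      # Provision all new users
    alerts_enabled: bool = True     # new users have alerts enabled
    login_enabled: bool = True      # new users are Login Enabled


def plan_sync(ldap_users, members, opts: SyncOptions) -> dict:
    """ldap_users: list of dicts with 'uid' (the Unique Identifier value), 'first',
    'last', 'email'. members: dict uid -> {'first','last','email','active','source'}.
    Matching is on uid only, so members added by CSV, SAML or by hand merge with
    their directory record instead of being duplicated."""
    plan = {"create": [], "update": [], "reactivate": [], "deactivate": [], "skipped": []}
    seen = set()
    for entry in ldap_users:
        uid = entry.get("uid")
        # Same failure mode as the note in section 9: no Last Name or email, no import.
        missing = [f for f in ("uid", "last", "email") if not entry.get(f)]
        if missing:
            plan["skipped"].append((uid or entry.get("dn"), "missing " + ",".join(missing)))
            continue
        if "@" not in entry["email"]:
            plan["skipped"].append((uid, "invalid email"))
            continue
        seen.add(uid)
        current = members.get(uid)
        if current is None:
            if opts.provision_new:
                plan["create"].append({"uid": uid, "first": entry.get("first", ""),
                                       "last": entry["last"], "email": entry["email"],
                                       "login_enabled": opts.login_enabled,
                                       "alerts_enabled": opts.alerts_enabled})
            continue
        if not current["active"] and opts.auto_reactivate:
            plan["reactivate"].append(uid)
        changes = {f: entry.get(f, "") for f in ("first", "last", "email")
                   if entry.get(f, "") != current.get(f, "")}
        if changes:
            plan["update"].append((uid, changes))
    if opts.auto_deactivate:
        # Assumption of this planner: only members that came from the directory
        # are deactivated; a member that was never in LDAP is left alone.
        for uid, m in members.items():
            if uid not in seen and m["active"] and m["source"] == "ldap":
                plan["deactivate"].append(uid)
    return plan


# Constructed snapshot of the directory ...
LDAP_SNAPSHOT = [
    {"uid": "E100", "first": "Ann", "last": "Lee", "email": "ann@example.com"},
    {"uid": "E101", "first": "Bob", "last": "Ray", "email": "bob.ray@example.com"},
    {"uid": "E102", "first": "Cy", "last": "Fox", "email": "cy@example.com"},
    {"uid": "E103", "first": "Dee", "last": "", "email": "dee@example.com"},
    {"uid": "E104", "first": "Eve", "last": "Vu", "email": "eve.example.com"},
]
# ... and of the AssetSonar members before the sync.
MEMBERS = {
    "E100": {"first": "Ann", "last": "Lee", "email": "ann@example.com", "active": True, "source": "ldap"},
    "E101": {"first": "Bob", "last": "Ray", "email": "bob@example.com", "active": False, "source": "csv"},
    "E200": {"first": "Old", "last": "Hand", "email": "old@example.com", "active": True, "source": "ldap"},
    "E201": {"first": "Man", "last": "Ual", "email": "man@example.com", "active": True, "source": "csv"},
}

if __name__ == "__main__":
    for action, items in plan_sync(LDAP_SNAPSHOT, MEMBERS, SyncOptions()).items():
        print(f"{action:10} {items}")
```

With the constructed data, Cy is created, Bob (added earlier from a CSV and currently inactive) is reactivated and his changed email merged, Old Hand is deactivated because the directory no longer lists him, Man Ual is untouched because he never came from LDAP, and Dee and Eve are reported as skipped for a missing last name and an invalid email respectively, which is the list the failed-provisioning email would carry.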
11. User listings
If you have User listings enabled, you can map OUs to your User listings e.g. if your Marketing Department is in an OU named MKG, and the corresponding user listing is MarketingDpt, you can map MKG to MarketingDpt.
Note: If you have User listings enabled from the Settings, the user listings will then also be updated as per your LDAP settings.
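As an added example covering both the OU scoping in section 6 and the OU-to-listing mapping described here (not code from AssetSonar), the following Python snippet shows why each sub-OU has to be listed: access is decided on the OU a user sits in directly. The DNs, OU names and listing names are constructed for illustration.

```python
# Added example, not AssetSonar's own code: decide which directory users fall
# inside the configured OUs (section 6) and which user listing each OU maps to
# (section 11). Every DN and listing name below is constructed for illustration.


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape sequences intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(pairs) -> str:
    """Canonical form so 'OU=Marketing' and 'ou=marketing' compare equal."""
    return ",".join(f"{attr}={value.casefold()}" for attr, value in pairs)


def container_of(user_dn: str) -> str:
    """DN of the OU the user sits in directly (its first RDN dropped)."""
    return normalize_dn(parse_dn(user_dn)[1:])


def scope_users(user_dns, allowed_ous, listing_map):
    """Return (granted, denied): granted maps user DN -> user listing or None,
    denied lists users whose immediate OU is not in allowed_ous. Matching is on
    the immediate container only, which is why sub-OUs must be listed explicitly."""
    allowed = {normalize_dn(parse_dn(ou)) for ou in allowed_ous}
    listings = {normalize_dn(parse_dn(ou)): name for ou, name in listing_map.items()}
    granted, denied = {}, []
    for dn in user_dns:
        ou = container_of(dn)
        if ou in allowed:
            granted[dn] = listings.get(ou)
        else:
            denied.append(dn)
    return granted, denied


# Constructed directory snapshot: the nested structure from section 6.
USERS = [
    "cn=Ann Lee,ou=Branding Division,dc=example,dc=com",
    "cn=Bob Ray,ou=Marketing,ou=Branding Division,dc=example,dc=com",
    "cn=Cy Fox,OU=Finance,OU=Branding Division,DC=example,DC=com",
    "cn=Dee Wu\\, Jr,ou=Engineering,dc=example,dc=com",
]
PARENT_ONLY = ["ou=Branding Division,dc=example,dc=com"]
ALL_THREE = PARENT_ONLY + [
    "ou=Marketing,ou=Branding Division,dc=example,dc=com",
    "ou=Finance,ou=Branding Division,dc=example,dc=com",
]
LISTINGS = {"ou=Marketing,ou=Branding Division,dc=example,dc=com": "MarketingDpt"}

if __name__ == "__main__":
    for label, ous in (("parent OU only", PARENT_ONLY), ("all three OUs", ALL_THREE)):
        granted, denied = scope_users(USERS, ous, LISTINGS)
        print(label, "-> granted:", granted, "denied:", denied)
```

Listing only Branding Division grants access to Ann alone; Bob and Cy in the Marketing and Finance sub-OUs are denied until those OUs are listed too, at which point Bob also picks up the MarketingDpt listing while Cy, whose OU has no mapping, gets none. The parser keeps escaped commas (as in Dee’s name) inside the value rather than splitting on them.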
12. Which information is synced when LDAP sync takes place?
By default, three fields are synced: First Name, Last Name, and email. Additional LDAP attributes and custom fields are synced only if you have mapped them as described in section 7.
Provisioning users as they access AssetSonar
If you don’t import or sync members as detailed above, they’ll be created in AssetSonar and synced when they sign in with their LDAP credentials.
The ‘Sign-in’ experience
Your users can use their LDAP Credentials on your Login screen. If you’d like to remove the ‘Sign in with Google’ and ‘Sign in with Microsoft’ options, you can do so from Settings → Company Settings → Authentication.