Understand user sync through LDAP

Table of Contents

1. Overview
2. Use case
3. LDAP configuration
    3.1. Domain controller
    3.2. Groups
4. Points to note
5. Related topics

1. Overview

Lightweight Directory Access Protocol (LDAP) is an open-standard protocol that streamlines user management and helps manage directory services over a network. Setting up LDAP allows you to integrate your existing directory with Zoho Creator On-Premise, thereby enabling centralized management of users. User accounts that are stored in your existing directory can be synced to Creator On-Premise regularly, reducing the need to manage users separately in Creator On-Premise.

To set up LDAP, you need to configure domain controllers that act as the servers that manage and authenticate user accounts within your directory. Enabling user sync while adding these domain controllers allows user accounts from your directory to synchronize automatically with Creator On-Premise. Further, you can create user groups based on those domain controllers to help define access permissions and roles for the included users. To achieve this:

  1. Add domain controllers - You can add domain controllers based on your directory's attributes, such as the service endpoint, server type, and so on.
  2. Create custom groups - You can configure customized groups based on the directory attributes of the added domain controllers.

2. Use case

Say an organization is using Active Directory (AD) and wants to streamline user management in Creator On-Premise and its applications. By syncing AD with Creator On-Premise via LDAP, user accounts and groups are automatically kept up to date at regular, scheduled intervals. This integration simplifies onboarding, ensures accurate role-based access, and reduces administrative effort by syncing user data from the directory to Creator On-Premise.

3. LDAP configuration

To establish a one-way bridge from your directory to Creator On-Premise that facilitates regular user syncs, you need to add domain controllers. The log details of the sync schedules that run from your directory to Creator On-Premise can be accessed in the logs folder of Creator On-Premise. After adding domain controllers, you can create groups that contain specific users, selected according to your preferences, and manage them as a unit.

3.1. Domain controller

In the Zoho Creator On-Premise LDAP configuration, adding a domain controller involves specifying the necessary parameters to ensure seamless synchronization between your directory and Creator On-Premise.

Each section of the domain controller configuration, its attributes, and what they mean:

Domain Details

  Domain Name - A unique name to identify a specific domain controller while configuring custom groups.

    Note: Domain Name can contain only:

      • 1 to 30 characters
      • The special characters _ * @ \ / ! : | ~ and &

  Domain Controller - The service endpoint of the domain controller (typically an IP address or host name) that Creator On-Premise connects to for authentication and data synchronization.

  LDAP Server Type - The type of LDAP server that Creator On-Premise needs to connect to. This lets Creator On-Premise configure the association according to the specific characteristics of the LDAP server in use.

  Mail Attribute Label - The attribute used to store a user's email address in the LDAP directory. This tells Creator On-Premise where to look in the LDAP server for a user's email address, which is used for identification. For example, "mail" is the label commonly used in Microsoft Active Directory and OpenLDAP.

    Note: This field is auto-populated and disabled for Microsoft Active Directory, OpenLDAP, and Novell Directory. For other directories, it is enabled, and the relevant label must be provided manually.

  Distinguished Name Attribute Label - The attribute that holds a unique value for each entry in the LDAP directory. It represents the unique identifier, or the position in the hierarchy, of an entry in the LDAP directory structure. This tells Creator On-Premise how to locate and identify users within the LDAP directory. For example, "distinguishedName" and "sAMAccountName" are commonly used labels.

    Note: This field is auto-populated and disabled for Microsoft Active Directory, OpenLDAP, and Novell Directory. For other directories, it is enabled, and the relevant label must be provided manually.

  SSL Certificate - Tick the Use SSL checkbox to connect over SSL/TLS and verify the certificate presented by the LDAP server. This confirms the identity of the domain controller and encrypts the data in transit; without it, the bind credentials and the synced user data travel in cleartext.

Bind User Details

  Distinguished Name and Password - The credentials of an LDAP user with permission to authenticate to the directory. This user will be able to perform read operations, allowing search and retrieval of user information for synchronization; a dedicated read-only account is sufficient for this. For example, the distinguished name can be given as "sam@zylker.com" or "cn=sam, ou=users, dc=zylker, dc=com".

Authentication

  Authentication Type - The method of authentication used for user validation, ensuring secure communication between Creator On-Premise and your directory. Supported authentication types: LDAP, local authentication, and SAML.

    Note: SAML will only be listed as an authentication option for a domain controller if it has been configured previously. The mapped bind user must complete this configuration in the SAML Configuration module on 'accounts.zoho.com'.

Sync Schedule

  The frequency at which Creator On-Premise should synchronize with the directory, as well as the exact date and time of the initial sync. This ensures that changes such as user additions or removals are reflected in Creator On-Premise in a timely manner.

3.2. Groups

After successfully adding domain controllers in Zoho Creator On-Premise, you can proceed to create custom LDAP user groups based on their corresponding directory attributes. This process involves defining specific groups to organize and manage users better from the directory. After group creation, you can easily share applications to these groups, which allows the users in them to access the shared applications according to the permissions assigned to them.

Each attribute of the group configuration and what it means:

  Group Name - A unique name for the group, ensuring that it can be easily identified and referenced later.

    Note: Group Name can contain only:

      • 3 to 30 characters
      • The special characters _ * @ \ / ! : | ~ and &

  Domain Name - A lookup dropdown that automatically populates with the domain names of all previously added domain controllers. Select the specific domain from which the group should source its users.

  Base Domain - The starting point for the search in the LDAP directory. The search begins at the specified base domain and includes its sub-hierarchy. This limits the scope of the search, making synchronization more efficient and accurate by focusing only on the relevant organizational units. For example, if the base domain is "dc=example,dc=com", the search begins at that domain and includes its sub-hierarchy.

  Search Scope - The depth of the user search within the directory.

      • One-Level - Users are synced only from the base domain level, meaning only users directly within the specified base domain are included in the group.
      • Subtrees - A more comprehensive sync that pulls in users not only from the base domain but also from any child domains or subtrees beneath it, offering greater flexibility over the groups.

  Group Description - A description to help identify the purpose or characteristics of the group, making it easier to manage and to understand why it exists.

    Note: Group Description can contain:

      • A maximum of 200 characters
      • The special characters _ * @ \ / ! : | ~ & ( ) . and ,

  User Inclusion - The process of determining which users from the selected base domain and scope are included in a custom group.

      • All users - Every user from the selected base domain (at one level only, or from its subtrees as well, depending on the search scope).
      • Users matching the criteria - Specific users filtered from the base domain by setting up custom criteria. This allows for targeted group creation based on user attributes, roles, or other criteria, providing a more granular level of control over user groups.
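The Base Domain, Search Scope and User Inclusion settings above, together with the Mail and Distinguished Name attribute labels from the domain controller section, are what decide which directory entries end up in a group. The following is an added example, not Zoho's code, that models that selection offline in Python so the effect of each setting can be seen on a small, constructed directory. It assumes the Active Directory defaults named on the page for the two labels ("distinguishedName" and "mail"); the function names `split_rdns`, `in_scope`, `matches_criteria` and `build_group` are hypothetical, and the assumption that only entries of object class "user" are synced and that a user without a mail value is left out is the example's own. It goes slightly beyond the page by handling backslash-escaped commas in DNs and by reporting, rather than silently dropping, in-scope users that carry no address under the mail label.

```python
# Added example (not Zoho's code): offline model of group membership selection.
# The directory entries below are constructed sample data.

SAMPLE_DIRECTORY = [
    {"distinguishedName": "CN=sam,OU=users,DC=zylker,DC=com",
     "mail": "sam@zylker.com", "department": "IT", "objectClass": ["user"]},
    {"distinguishedName": "CN=amy,OU=engineering,OU=users,DC=zylker,DC=com",
     "mail": "amy@zylker.com", "department": "Engineering", "objectClass": ["user"]},
    # A service account with no mail attribute: it cannot be identified by email.
    {"distinguishedName": "CN=svc-backup,OU=service,DC=zylker,DC=com",
     "mail": "", "department": "IT", "objectClass": ["user"]},
    # A group object, not a user: never synced as a member.
    {"distinguishedName": "CN=Domain Users,CN=Users,DC=zylker,DC=com",
     "objectClass": ["group"]},
]


def split_rdns(dn):
    """Split a DN into RDN components, honouring backslash-escaped commas and
    ignoring case and whitespace after commas, so "cn=sam, ou=users, dc=zylker, dc=com"
    compares equal to "CN=sam,OU=users,DC=zylker,DC=com"."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return tuple(p.lower() for p in parts)


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies within the search scope below base_dn: "one-level"
    accepts only direct children of the base, "subtree"/"subtrees" accepts every
    descendant. The base entry itself is never a member."""
    entry, base = split_rdns(entry_dn), split_rdns(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    s = scope.lower()
    if s == "one-level":
        return depth == 1
    if s in ("subtree", "subtrees"):
        return True
    raise ValueError(f"unknown search scope: {scope!r}")


def matches_criteria(entry, criteria):
    """"Users matching the criteria": every attribute in criteria must equal the
    given value (case-insensitive); "*" only requires a non-empty value."""
    for attr, wanted in criteria.items():
        values = entry.get(attr, [])
        if not isinstance(values, list):
            values = [values]
        values = [str(v) for v in values if str(v)]
        if wanted == "*":
            if not values:
                return False
        elif not any(v.lower() == str(wanted).lower() for v in values):
            return False
    return True


def build_group(directory, base_dn, scope="subtree", criteria=None,
                dn_label="distinguishedName", mail_label="mail"):
    """Return (members, skipped). members: {"dn", "mail"} records of the user
    entries selected by base domain, scope and criteria. skipped: DNs of users
    that were in scope but have no address under mail_label (assumption: such
    entries cannot be identified and are left out of the group)."""
    members, skipped = [], []
    for entry in directory:
        if "user" not in entry.get("objectClass", []):  # assumption: users only
            continue
        dn = entry.get(dn_label, "")
        if not dn or not in_scope(dn, base_dn, scope):
            continue
        if not matches_criteria(entry, criteria or {}):
            continue
        mail = entry.get(mail_label, "")
        if not mail:
            skipped.append(dn)
            continue
        members.append({"dn": dn, "mail": mail})
    return members, skipped


if __name__ == "__main__":
    for scope in ("one-level", "subtrees"):
        members, skipped = build_group(SAMPLE_DIRECTORY, "ou=users,dc=zylker,dc=com", scope)
        print(scope, [m["mail"] for m in members], "skipped:", skipped)
    members, _ = build_group(SAMPLE_DIRECTORY, "dc=zylker,dc=com", "subtrees",
                             {"department": "engineering"})
    print("criteria department=engineering:", [m["mail"] for m in members])
```

Running it shows that switching the scope from One-Level to Subtrees adds the user under the nested OU, that a criteria filter narrows the subtree result to the matching department, and that a user with an empty mail attribute is reported as skipped instead of vanishing. A skipped list that is unexpectedly long after a scheduled sync is the kind of discrepancy worth comparing against the sync log folder described in the points to note.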

4. Points to note

  • The log details of the sync schedules that take place from your directory to Creator On-Premise can be accessed using the following path:

    C:\Zoho\ZohoCreator\logs\ldap

5. Related topics
