User Management : LDAP setup

LDAP setup

In order to be able to use LDAP, the Enabled parameter check box must be checked in the LDAP Settings section of the Parameters page in the System Administration application.
Qmatic Orchestra supports managing its users from an LDAP server, specifically Microsoft Active Directory Server.
To use MS Active Directory for Orchestra, you need to complete the following steps:
1. Map Active Directory Groups to Orchestra objects (Roles, Branch Groups and Branches).
2. Set up security groups and group members in Active Directory.
3. Set up Active Directory connection and user data fields in Orchestra.

Mapping of Active Directory Groups to Orchestra objects (Roles, Branch Groups and Branches)

In a Windows domain managed by Active Directory, the permissions (the access rights) of a user are based on what groups that specific user belongs to. For example, the staff group has some permissions and the admin group has another set of permissions.
In Orchestra, there are three kinds of user permissions that have to be defined in the Active Directory:
1. Roles: Orchestra uses Roles for defining permissions in the Orchestra applications.
2. Branches: Orchestra has many Branches, and each Branch should be separated from the others when it comes to permissions.
3. Branch Groups: In Orchestra, one or more Branches are grouped together into Branch Groups, which should have their own permissions.
In order to access the Active Directory, Orchestra requires a so-called bind user. The bind user is an Active Directory user with the ability to search both the user tree and role tree for users and roles.
Note that in most Active Directory set-ups, the Role tree and the User tree are located in the same Branch.
In the User Management application, open the LDAP tab. To create a new mapping, click the Create New Mapping button.

Name

Name of the Active Directory group that should be mapped.

Type

From the drop-down list, select the wanted type of mapping. The available choices are: Role, Branch or Branch Group.

Mapping

Depending on the choice you made under Type, this drop-down list offers the available Roles, Branches or Branch Groups; select the one the Active Directory group should map to.
When done, click the Save button.

Active Directory Security Groups

The Active Directory must be set up to differentiate users for the two permission categories, by defining the appropriate Active Directory Security Groups for each category.
For each Role, Branch and Branch Group in Orchestra, we create a corresponding Active Directory Security Group, preferably by prefixing the group name with QM.
For example:
Orchestra role “Branch Admin” will have a corresponding Active Directory group “QMBranchManager”.

Active Directory bind user

Orchestra requires an Active Directory user that can search the Active Directory Users and Roles that are applicable for Orchestra.
Orchestra will require the login name and the domain of this user, that is the LDAP field userPrincipalName.
Example: qmorchestra@somedomain.com, see next section.

LDAP / Active Directory Server Configuration

For more information about this, please see the System Administration chapter in the Reference Manual.

LDAP / Active Directory Server Group Mappings

The mapping between entities in Orchestra and Active Directory groups is set up in the User Management application, in the LDAP tab.
Any number of mappings can be set up.
Each Role, Branch and Branch Group in Orchestra must have a corresponding group in Active Directory.
The Group Name MUST match the name of the Active Directory security group.
It is possible, but not recommended, to map one Active Directory group to a Role, a Branch and/or a Branch Group at the same time. For example, it is possible to have a QMParisSystemAdmin Active Directory group that is mapped to both the Paris Branch and the SystemAdmin role.
It is, however, only possible to have one mapping per Type for a given Active Directory group. So, for example, if you map an Active Directory group called FooInc to a Role called Counter and then try to also map it to a Role called Reception, you will get an error message.
It is important to remember that a User must have at least one Role in Orchestra in order to be able to log on to Orchestra.
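The mapping rules above, and the "at least one Role" login requirement, as an added example (not Qmatic's code): a small checker that rejects a second mapping of the same group to the same Type, and resolves a constructed Active Directory user entry (memberOf, preferredLanguage) to the Orchestra Roles, Branches and Branch Groups it would receive. Group and user names are constructed.

```python
# Added example, not Qmatic's code: checks the mapping rules this page states and
# resolves what an AD user gets from the groups they belong to. Sample data is constructed.
TYPES = ("Role", "Branch", "Branch Group")

# Constructed mappings as they would be entered in the LDAP tab: (Group Name, Type, Mapping)
MAPPINGS = [
    ("QMBranchManager", "Role", "Branch Admin"),
    ("QMParis", "Branch", "Paris"),
    ("QMParisSystemAdmin", "Branch", "Paris"),       # one group mapped to two Types: allowed
    ("QMParisSystemAdmin", "Role", "SystemAdmin"),
]

def group_cn(dn):
    """Return the CN (group name) of a memberOf distinguished name."""
    first = dn.split(",", 1)[0]
    key, _, value = first.partition("=")
    if key.strip().upper() != "CN":
        raise ValueError(f"not a CN-based DN: {dn}")
    return value.strip()

def validate_mappings(mappings):
    """Return error strings. One AD group may map to several Types, but to only one
    target per Type (FooInc -> Role Counter plus FooInc -> Role Reception is rejected)."""
    errors, seen = [], {}
    for group, mtype, target in mappings:
        if mtype not in TYPES:
            errors.append(f"unknown Type '{mtype}' for group {group}")
            continue
        previous = seen.setdefault((group, mtype), target)
        if previous != target:
            errors.append(f"group {group} is already mapped to {mtype} '{previous}'; "
                          f"cannot also map it to '{target}'")
    return errors

def resolve_user(user_entry, mappings):
    """Resolve an AD user entry (dict of LDAP attributes) to Orchestra permissions."""
    groups = {group_cn(dn) for dn in user_entry.get("memberOf", [])}
    result = {t: set() for t in TYPES}
    for group, mtype, target in mappings:
        if group in groups:            # exact name match, as the page requires (assumption: case-sensitive)
            result[mtype].add(target)
    lang = user_entry.get("preferredLanguage")   # 2-character code, e.g. "ar"
    result["language"] = lang.lower() if lang and len(lang) == 2 and lang.isalpha() else None
    result["can_login"] = bool(result["Role"])   # at least one Role is needed to log on
    return result

if __name__ == "__main__":
    user = {"userPrincipalName": "alice@somedomain.com", "preferredLanguage": "ar",
            "memberOf": ["CN=QMParisSystemAdmin,OU=Groups,DC=somedomain,DC=com"]}
    print(validate_mappings(MAPPINGS), resolve_user(user, MAPPINGS))
```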

LDAP / Preferred language

To make Orchestra get the preferred language of an LDAP user from the LDAP server, follow the procedure below.
To set up a language for an LDAP user on an Active Directory server, you use the LDAP field preferredLanguage. This field is not available with the ordinary Active Directory Users and Computers editor. Instead, you have to use adsiedit.msc to edit the preferred language field.
See the Localisation chapter of the Reference Manual, found on Qmatic World, for information about language codes.
Enter the 2-character language code for the preferredLanguage, for example ar for Arabic.

Login with LDAP Users

Once a User logs in using LDAP, that User will be synchronized to central, stored in the users table and be visible on the regular User list.
If such a User has been marked as inactive in the User tab (or if a database user with the same username exists and is inactive), the LDAP user will not be able to log in.
Additionally, if an LDAP User logs in and the User has Role mappings to Roles in the system that have reached the license limit, the User will only be granted access to those modules that the User has previously had and any new Roles that have not reached the license limit.
If the total number of Users in the system is reached, and the LDAP User has not previously logged in, the User cannot log in.