SEEWARNING Before getting started, here is the documentation on the SSO/LDAP mode integrated to SAFE X3:annex documentation.


This function is used to declare a LDAP directory which is take into account if the SSO mode is activated.

Two types of information are declared in this function:

LDAP connection

This panel contains the way in which the connection to the directory is made (the name of the LDAP server, a port number, an access account and a password).

Two additional setup fields define how to inquire the directory.

Field mapping

There is a correspondence between the fields of the LDAP directory and the fields of the X3 user record or the user setup values.

Four field types exist:

Identifier of a LDAP directory element

The X3 field in the user record ADDNAM is a unique identifier in X3 and in the directory. It must have the type 'Identifier' and is associated by default with the directory field distinguishedName.

Second identifier

Case where the setup value SSOREFMAJ is equal to 1:

When the field of type 'identifier' is not updated in the field ADDNAM of the user record, this second identifier is taken into account to match in a unique way a X3 user with a directory user.

As a general rule, the login field of the X3 user record which will be linked to the field sAMAccountName  of the directory is used.

Case where the setup value SSOREFMAJ is equal to 2:

The search is first performed with the field of type 'identifier 2' and then with the field of type 'identifier'.

Record

This is a field from the X3 user record, which will be updated from the directory.

Setup

This is the value of a user setup, which will be updated from the directory.

Field mapping example

Type

X3 field

Title

Directory field

Identifier

ADDNAM

AD reference

distinguishedName

Record

NOMUSR

Name

DisplayName

Record

ADDEML

Email address

email

Identifier 2 

LOGIN

Login

sAMAccountName

Record

OBJGUID

 

objectGUID

Setup

DATSTADEB

Statistics start date

WhenCreated

Prerequisite

SEEREFERTTO Refer to documentation Implementation

Screen management

Entry screen

Two blocks need to be entered: the first one contains the configuration information that enables SAFE X3 to dialog with the directory, the second one defines the information exchanged during this stage.

Block number 1

Code (field COD)

This code identifies the current record in a unique way.
Description (field INTIT)

Enter the description of the relevant record.

This long description is used as a title in screens and reports.
Active (field ENAFLG)

Select this check box to activate the current record.

Disabled records keep their content and setup but cannot be used by recalling their code:

  • On other records such as documents and settings
  • On mass processes

The authorizations for a given function can prohibit the creation of an active record. In this case, the check box is disabled by default. It can only be modified by an authorized user or through a signature workflow.

Configuration

Domain (field DOMAIN)

The domain name is used to find the directory code that will be used to log in the user connected.

If the domain name is empty, the active directory code with empty domain will be used.

If the domain name is not empty, the active directory code with domain -of the connected user- will be used.

In both cases, if an active record is not found, the connection will be denied.

Main server (field SERV1)

Is used to define the server name on which the LDAP directory is to be opened.
The second server is used upon connection error on the first server.

Secondary server (field SERV2)

Is used to define the second server name on which the LDAP directory is to be opened if the first one has errors.
Port number (field PORT)

This is the directory query port. By default this number is set to 389.

Search identifier (field CONNEC)

This identifier is used for the search in the LDAP.

Password (field PASSE)
field MODPAS

This is the password of the identifier used for the search in the LDAP.

Parameter 1 (field PARAM1)

When searching a user in the LDAP directory, the properties associated with a node in a hierarchical tree. This setup is used to defined where the hierarchy must start the search when the user wants to find information linked to the user. Moreover, this search will be carried out by setting a condition based on the value of the field Identifier 1 or Identifier 2 given in the setup table.
Parameter 2 (field PARAM2)

the execution engine of the SAFE X3 platform uses 3 search instructions in the directory. This setup is used to define the search instruction that will be launched by the engine when checking the existence of a user in the LDAP database. It can take the following values:

  • LEVEL results in the use of the Srldaplv instruction, which causes a one level search (search under the level corresponding to the specified node).
  • BASE corresponds to the Srldapbsinstruction, which causes a base search (direct search in the specified node).
  • SUBTREE (or any other value) corresponds to the Srldaptrinstruction, which results in a sub-tree search (search in the whole sub-tree corresponding to the given root).

An example of menu is given in the introduction of the technical appendix of the LDAP setup; in this example, 3 frameworks define these 3 levels of search.

Grid Mapping

Field type (field TYPFLD)

This type of setup is used to manage the fields of the LDAP directory.
- Identifier: this is the unique identifier which makes it possible to link to the X3 table key.
- Identifier2: this is the identifier used if the first one was not successful.
- Record: is used to enter the field of the X3 user table (AUTILIS table).
- Setup: is used to enter the values of the general setups (ADOVAL table).
X3 field (field CODFLD)

Is used to enter a field in the AUTILIS table if the field type is "Identifier/Identifier2/Record" or a general setup code if the field type is "Setup"

Description (field NAMFLD)
Directory field (field ADDFLD)

Is used to enter the attribute name in the LDAP directory.

Formula (field FORFOR)

This formula is used to enter the search criteria in the LDAP in order to update the users.
The %% is used to highlight a formula which is valuated generating the criterion.
The $$ is used to indicate the user field number which will be used as a value of this criteria.
If the user field is in alphanumerical mode and if it is used in a formula, remember to add inverted commas, if necessary.

For instance, let us consider the formula (&(objectclass=user)(sAMAccountName=%%toupper("$$4$$")%%))
The $$4$$ represents the field [F:AUS]LOGIN.
Upon login of a user, this field is replaced by the user login and then evaluated (uppercase) and the search criteria in the LDAP becomes for this user:
(&(objectclass=user)(sAMAccountName=LOGIN))

It is also possible to enter (&(objectclass=user)(sAMAccountName=$$4$$))

Specific Buttons

Validation

This button is used to generate the processing which will be used to access the directory when connecting to SAFE X3.

Copy

Is used to modify the password in the directory.

This is used to test the connection to the LDAP directory.

And then to carry out a LDAP query by setting up the fields of the directory which are to be recovered.

Block number 1

  • Domain (field DOMAIN)
  • Criteria (field FILTRE)

LDAP query complying with the standardized syntax of the directory.

Grid Columns

  • Directory field (field ADDFLD)

Field of the directory which has been set up.

  • Order (field SELECT)

Error messages

The only error messages are the generic ones.

Tables used

SEEREFERTTO Refer to documentation Implementation