
Introduction to this page

The Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol for querying a directory service such as Active Directory, in which user accounts, group memberships and credentials are held centrally. An application that authenticates over LDAP does not receive a copy of the user's password; it passes the credentials the user enters to the directory server, which verifies them.

Enabling Active Directory LDAP on your Chorus site connects the site to an LDAP server to validate its users. LDAP is generally only appropriate for on-premises deployments of Chorus. The LDAP server must be reachable from the Chorus server, which for a hosted site would mean exposing a domain controller on a public IP address. If you do not want to do this for security or policy reasons, consider AD FS (SAML2) instead: it keeps the directory behind your perimeter and only the federation service is published.

Step-by-step:

1. Click Admin at the top of your desk and sign in to elevate.

2. Choose Settings > Site from the Admin menu. The Site Admin modal will open.

3. Go to LDAP settings.

4. Use the Enable LDAP switch to turn on directory-based sign-on and reveal the Active Directory (AD) configuration options.

5. Enter your LDAP Server address. This is the address of your domain controller, e.g. '192.168.0.1', or a server hostname such as 'windows2012.thirdlight.local'. Prefer the hostname if you intend to connect over SSL, because the server's certificate is issued for its name and not for its IP address.

6. Enable the Global Catalog switch if you need to authenticate users in several domains within a forest.

7. Enable the Follow referrals to other servers switch to access users or objects in domains elsewhere in the forest. Each server a referral points to must itself be reachable from the Chorus server and, if you connect over SSL, must present a certificate the Chorus server trusts.


8. Enable the Connect to the LDAP server over SSL switch to use SSL encryption when connecting Chorus to the LDAP server. Without it the service account's password and the credentials of every user who signs in cross the network in clear text, so leave this switch on outside a test lab. The certificate the LDAP server presents should be issued for the hostname entered in step 5 and trusted by the Chorus server.

9. Enter the username of the Service Account User. This is a user account in Active Directory with which Chorus binds to the directory to look up users and groups. Use a dedicated, read-only account with no other privileges (never a domain administrator), since its password is stored in the Chorus configuration.

10. Enter the password for that service account.

11. Enter the Forest Root. This is the distinguished name (DN) of the root domain of the Active Directory forest, e.g. 'dc=thirdlight,dc=local'.

12. Enter a Search DN. This is the DN of the subtree containing the users to authenticate; Chorus searches for user accounts below this base in the directory tree, e.g. 'cn=users,dc=thirdlight,dc=local'. Keep it as narrow as the location of your users allows, so that accounts elsewhere in the directory cannot sign in to Chorus.

13. Enter an optional Group Search DN. This is the base below which Chorus searches for AD groups, e.g. 'dc=thirdlight,dc=local'. It is usually wider than the Search DN, because groups are often kept in other containers.

14. Select an LDAP Server Port. This is the port to connect to on the LDAP server. If you choose default, the default is 389 for a normal connection and 636 with SSL. For the Global Catalog the defaults are 3268 (normal) and 3269 (SSL). Connecting to 389 or 636 on a Global Catalog server gives you the ordinary single-domain view; only 3268 and 3269 give the forest-wide view that step 6 relies on.

15. Click Save.
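Before clicking Save it is worth checking the values against each other: the port must match the SSL and Global Catalog switches, and the Search DN and Group Search DN must sit below the Forest Root or no user will ever be found. The pre-flight check below is an added example and is not Chorus code or part of this guide; the field names mirror the form labels, the port table is the one given in step 14, and the DN handling and the service-account naming check (which assumes a UPN, DOMAIN\user or full DN is expected) are this example's own.

```python
"""Pre-flight check for a Chorus LDAP configuration before clicking Save.

Added example, not part of the Chorus product or this guide. The port
defaults follow step 14 of the guide; everything else is this example's own.
"""
from dataclasses import dataclass
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, honouring backslash-escaped commas.

    Components are lower-cased and stripped, so 'CN=Users, DC=thirdlight,
    DC=local' compares equal to 'cn=users,dc=thirdlight,dc=local'.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip().lower())
    return [p for p in parts if p]


def is_under(dn: str, base: str) -> bool:
    """True if `dn` equals `base` or lies below it in the directory tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


@dataclass
class LdapSettings:
    """One field per control on the LDAP settings form (names assumed)."""
    server: str
    service_account: str
    forest_root: str
    search_dn: str
    group_search_dn: str = ""
    use_ssl: bool = True
    global_catalog: bool = False
    follow_referrals: bool = False
    port: int = 0          # 0 means "default", as in the form


def effective_port(s: LdapSettings) -> int:
    """Resolve the 'default' port choice using the table in step 14."""
    if s.port:
        return s.port
    if s.global_catalog:
        return 3269 if s.use_ssl else 3268
    return 636 if s.use_ssl else 389


def preflight(s: LdapSettings) -> List[str]:
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    if not s.use_ssl:
        problems.append("SSL disabled: the service-account password and user "
                        "credentials would cross the network in clear text")
    if not all(rdn.startswith("dc=") for rdn in split_dn(s.forest_root)):
        problems.append("forest root should consist only of dc= components")
    if not is_under(s.search_dn, s.forest_root):
        problems.append("search DN is not below the forest root")
    if s.group_search_dn and not is_under(s.group_search_dn, s.forest_root):
        problems.append("group search DN is not below the forest root")
    if s.global_catalog and effective_port(s) in (389, 636):
        problems.append("global catalog enabled but port is a plain LDAP port; "
                        "use 3268/3269")
    if not s.global_catalog and effective_port(s) in (3268, 3269):
        problems.append("global catalog port chosen but the switch is off")
    # Assumption: the bind name is a UPN, DOMAIN\user or a full DN.
    acct = s.service_account
    if "@" not in acct and "\\" not in acct and not acct.lower().startswith("cn="):
        problems.append("service account is a bare username; give it as "
                        "user@domain, DOMAIN\\user or a full DN")
    return problems


if __name__ == "__main__":
    cfg = LdapSettings(server="windows2012.thirdlight.local",
                       service_account="svc-chorus@thirdlight.local",
                       forest_root="dc=thirdlight,dc=local",
                       search_dn="cn=users,dc=thirdlight,dc=local",
                       group_search_dn="dc=thirdlight,dc=local")
    print("port", effective_port(cfg), "problems", preflight(cfg))
```

Run it with the values you are about to type into the form; a non-empty list is a reason to go back to the step it names rather than to press Save and debug a failed bind afterwards.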

Optional Usage: Combine SAML2 and LDAP

If you have configured SAML2 authentication, your Chorus server can use LDAP to discover groups and memberships while using SAML2 for single sign-on.

On the SAML2 configuration page, check the box "Combine SAML2 and LDAP". Chorus will then use AD/LDAP to find users, groups and memberships (including nested group memberships), and direct users to your AD FS/SAML2 SSO to log in. When this is enabled, new user accounts are no longer provisioned on demand for every SSO user; only users that correspond to an imported LDAP user can log in.

This mode combines the advantages of the LDAP and SAML external authentication systems. Using LDAP, your users and groups can be located, pre-populated and configured at set-up time. Using SAML, your users' passwords are only ever handled by your existing central SSO system, users can be signed in transparently, and your existing multi-factor policies apply. The mode can be enabled on top of an existing LDAP configuration without reconfiguring individual users (unlike transitioning from pure LDAP to pure SAML2).

This feature requires that your SAML2 IdP be configured to provide either an Object GUID (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/objectguid) or a Primary SID (http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid) claim for each user, matching the equivalent LDAP attribute. The equivalent LDAP attribute for Primary SID is objectSid; the equivalent for Object GUID is objectGuid. These two identifiers are used because they are immutable for the lifetime of the account, unlike a username or e-mail address, which can be renamed or reassigned to a different person.
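The match between the SAML claim and the LDAP attribute is not a plain string comparison: objectSid and objectGUID are stored as raw bytes in the directory, while the claims carry a textual form. The code below is an added example, not Chorus code, showing the decoding on both sides and a lookup that relies on the immutable identifiers only. The SID layout is the documented Windows format; the Object GUID claim is assumed here to carry the raw objectGUID bytes base64-encoded, and the directory entries, account names and identifier values are constructed for the example.

```python
"""Match SAML2 claims to LDAP attributes as the combined mode requires.

Added example, not Chorus code. objectSid is decoded from the binary SID
layout (revision, sub-authority count, 48-bit big-endian identifier
authority, little-endian 32-bit sub-authorities). The Object GUID claim is
assumed to be the base64 of the 16 raw objectGUID bytes.
"""
import base64
import struct
import uuid
from typing import Dict, Optional


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary Windows SID into its S-R-I-S-... textual form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here to build sample entries."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def guid_bytes_to_claim(raw: bytes) -> str:
    """Object GUID claim value as assumed by this example: base64 of raw bytes."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return base64.b64encode(raw).decode("ascii")


def guid_bytes_to_text(raw: bytes) -> str:
    """GUID as AD tools display it; the first three fields are little-endian."""
    return str(uuid.UUID(bytes_le=raw))


PRIMARY_SID_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
OBJECT_GUID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/objectguid"

# Constructed sample of what a search below the Search DN might return,
# keyed by sAMAccountName, with the binary attributes as AD stores them.
DIRECTORY = {
    "jsmith": {
        "objectSid": sid_string_to_bytes("S-1-5-21-1004336348-1177238915-682003330-1107"),
        "objectGUID": bytes.fromhex("b4c5e6f7a1b2c3d4e5f60718293a4b5c"),
    },
    "alee": {
        "objectSid": sid_string_to_bytes("S-1-5-21-1004336348-1177238915-682003330-1108"),
        "objectGUID": bytes.fromhex("00112233445566778899aabbccddeeff"),
    },
}


def match_assertion(claims: Dict[str, str], directory=DIRECTORY) -> Optional[str]:
    """Return the imported LDAP user the SAML claims identify, or None.

    Only the immutable identifiers are compared; name or e-mail claims are
    deliberately ignored because those can be renamed or reassigned.
    """
    for user, attrs in directory.items():
        if PRIMARY_SID_CLAIM in claims and \
                sid_bytes_to_string(attrs["objectSid"]) == claims[PRIMARY_SID_CLAIM]:
            return user
        if OBJECT_GUID_CLAIM in claims and \
                guid_bytes_to_claim(attrs["objectGUID"]) == claims[OBJECT_GUID_CLAIM]:
            return user
    return None


if __name__ == "__main__":
    print(match_assertion({PRIMARY_SID_CLAIM: "S-1-5-21-1004336348-1177238915-682003330-1108"}))
    print(guid_bytes_to_text(DIRECTORY["jsmith"]["objectGUID"]))
```

When the IdP issues the Primary SID claim, the value you see in the SAML response must equal the decoded objectSid of exactly one entry below the Search DN; a user whose claim matches nothing is the "not an imported LDAP user" case described above and is refused rather than provisioned.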

