As part of your MangoApps Enterprise subscription, your users can be authenticated through LDAP and Active Directory. This article will step you through the process by answering:

Where can I find the LDAP configuration settings in the Admin Portal?

  1. Using the Web Client, go to the Admin Portal, click on Integration, and enable the check box “Active Directory/LDAP Integration”.
     [Screenshot: LDAP_AD]

What do all the fields mean in Connection Settings of the LDAP/AD configuration Page?

To go through each choice and setting one-by-one:

[Screenshot: LDAP_AD_Connection Settings]

  • Server Type & Account Suffix:  You have a choice between “Active Directory” and “OpenLDAP” servers. Choosing “Active Directory” enables the additional “User Setting” section, where you enter the account suffix (UPN suffix) configured for your AD.
  • Host Name & Port:  Enter the host name of the server on which your AD/LDAP is hosted, for example ldap.example.com, and the port on which the directory server is listening, for example 389 (plain LDAP) or 636 (LDAP over SSL/TLS, “LDAPS”). Traffic on 389 is unencrypted unless the connection is upgraded with StartTLS, so the administrator bind password and every synced attribute cross the network in clear text; use 636 wherever the directory supports it.
  • Base DN:  The root distinguished name (DN) under which MangoApps searches for users. Example: ou=people,dc=example,dc=com. Keep it as narrow as the population you intend to sync: a base at the domain root combined with a loose User Object Filter is the usual cause of far more accounts being created than expected.
  • Groups Base DN:  The distinguished name under which MangoApps searches for group entries; only groups in that subtree are considered.
  • UPN Suffix:  The account suffix (UPN suffix) appended to every user name during Active Directory authentication (e.g. @company.local). Don’t forget the leading @.
  • Administrator DN & Password:  The distinguished name and password of the account MangoApps binds with to connect to the directory server. It needs search capability, i.e. read-only directory operations, and nothing more: use a dedicated least-privilege service account rather than a domain administrator, since MangoApps stores these credentials and presents them to the directory on every connection and every sync.

For Step 2 of Configuration, what do I put in each of the fields?

Please refer to the tooltips (the “i” icons) next to each field for help.

[Screenshot: Ldap_AD_User Mapping]
Note: All user profile fields will be synced when the user logs in or a manual sync is performed.

  • User name:  The directory attribute on which user name lookups are performed. If this value is not set, the default is uid. Active Directory users should start with sAMAccountName.
  • Full Name:  Users’ full names.
  • Email:  Users’ emails.
  • Title:  Users’ position titles.
  • Department:  The mapping for users’ departments.
  • Work Landline:  The mapping for users’ work landline telephone numbers.
  • Mobile:  The mapping for users’ mobile telephone numbers.
  • Home Landline:  The mapping for users’ home landline telephone numbers.
  • Fax Number:  The mapping for fax information.
  • Manager:  The attribute mapped in the ‘Manager’ field lets MangoApps build the organization hierarchy recorded in LDAP/AD (each user’s manager reference) into a visual organization chart. If you do not want your LDAP/AD hierarchy built into MangoApps, simply leave this text box empty. Leaving it empty also ensures that MangoApps stores no data about your organizational hierarchy.
  • User Object Filter:  Restricts which directory entries MangoApps treats as users, and therefore which accounts it creates. In essence the filter narrows the part of the LDAP tree under the Base DN that MangoApps syncs from. The most common use of a search filter is to limit entries to users by objectClass. For example, a reasonable starting filter for a default Active Directory installation is:

    (objectClass=organizationalPerson)

    At login this is combined with the user-name lookup: the {0} placeholder is replaced with the name the user typed, and the search actually executed is:

    (&(sAMAccountName={0})(objectClass=organizationalPerson))

    The value substituted for {0} must be escaped as RFC 4515 requires (\2a for *, \28 for (, \29 for ), \5c for \), otherwise a user name containing those characters changes the meaning of the whole filter. Write the filter around user membership so that you do not flood your MangoApps domain with accounts that do not need access to your content. When constructing it, pick an attribute common to the set of users you want to allow in. For example, if your users are distinguished by carrying two objectClass values (one equal to ‘person’ and another equal to ‘user’), this is how to match them:

    (&(objectClass=person)(objectClass=user))

    Notice the ampersand ‘&’ at the start. Translated, this means: search for objectClass=person AND objectClass=user.

    Alternatively, (|(objectClass=person)(objectClass=user))

    Translated, this means: search for objectClass=person OR objectClass=user.

    The pipe symbol ‘|’ denotes ‘OR’. It is not a special character in filter syntax and needs no escaping; the only characters that must be escaped inside a value are *, (, ), \ and NUL.

    If you know that only some of the users in your LDAP database should be known to the application, one way to get that subset is to create an LDAP department (such as ‘managementteam’), then filter on that department attribute for users. Here’s an example:

    (&(objectClass=uidObject)(department=managementteam))

    This way you don’t have to create any new OUs or move records around. You can simply modify department membership attributes on the user, something the LDAP administrator can do.

Where can I find references on LDAP filter syntax?

Although there are innumerable sites on the internet that cover some aspect of LDAP filter syntax, two examples are:

Customer user filters range from very simple to very complex. Here are two examples. Notice that one customer differentiates by “postalCode” and another uses various “userAccountControl” values.

  • (&(&(|(useraccountcontrol=512)(useraccountcontrol=544)(useraccountcontrol=66048))(mail=*.*)(postalCode=FS)))
  • (&(|(useraccountcontrol=512)(useraccountcontrol=544)(useraccountcontrol=66048)(useraccountcontrol=4194816)(useraccountcontrol=4260352))(mail=*.*))

Exact userAccountControl values like these match only the listed flag combinations (512 is a normal enabled account; 544 adds PASSWD_NOTREQD, 66048 adds DONT_EXPIRE_PASSWORD, 4194816 adds DONT_REQ_PREAUTH, 4260352 combines the last two). An enabled account carrying any other flag is silently excluded, which shows up as “too few users”. Active Directory’s bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) tests individual flags instead, so a filter can exclude exactly the disabled accounts (flag value 2) whatever other flags they carry.

What tools can I use to troubleshoot the LDAP filter for too few or too many users?

We use the command-line tool ldapsearch, run with the same Base DN, bind account and filter that MangoApps is configured with, so that the result set it returns is the set of users MangoApps will create. There are other command-line and graphical utilities out there. Please let us know if you have a specific question about setting up your LDAP filter.
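As an added illustration of the User Object Filter discussion above, the customer filters, and the “too few or too many users” troubleshooting (example code added here, not MangoApps code and not a MangoApps API): a small evaluator for the RFC 4515 filter subset the page uses (&, |, !, equality, * wildcards and Active Directory’s bitwise matching rule), run offline against a constructed AD-like directory. The directory contents, the attribute names other than those quoted on the page, and the helper names are assumptions for the example. It shows why (objectClass=organizationalPerson) is too broad, why the exact-match userAccountControl list drops an enabled account that carries an extra flag, and why the {0} login placeholder must be escaped before it is spliced into the filter.

```python
"""Offline evaluator for LDAP search filters (RFC 4515 subset) against a constructed
AD-like directory, to test a User Object Filter for too few / too many users."""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule
ACCOUNTDISABLE = 0x0002                                # userAccountControl flag

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter, e.g. the {0} login
    placeholder; without it a crafted username rewrites the filter (injection)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)
def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse a filter string into a nested tuple tree; raises ValueError on bad syntax."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":             # (&f1 f2 ...) / (|f1 f2 ...)
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)                       # empty list: absolute true / false (RFC 4526)
    elif i < len(s) and s[i] == "!":            # (!f)
        kid, i = _parse(s, i + 1)
        node = ("!", kid)
    else:                                       # attr=value item, runs up to ')'
        j = s.find(")", i)
        if j < 0:
            raise ValueError("missing ')'")
        node, i = _parse_item(s[i:j]), j
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def _parse_item(item):
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(?::([\w.]+):=|=)(.*)", item, re.S)
    if not m:
        raise ValueError("bad filter item: %r" % item)
    attr, rule, value = m.group(1).lower(), m.group(2), m.group(3)
    if rule:                                    # extensible match, e.g. the AD bitwise rule
        return ("ext", attr, rule, _unescape(value))
    if "*" in value:                            # substring, or presence when value is '*'
        return ("substr", attr, value)
    return ("eq", attr, _unescape(value))

def matches(node, entry):
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])             # attribute names are lower-cased
    if kind == "eq":                            # caseIgnoreMatch, as for most AD attributes
        return any(v.lower() == node[2].lower() for v in values)
    if kind == "substr":                        # unescaped '*' is a wildcard
        rx = ".*".join(re.escape(_unescape(p)) for p in node[2].split("*"))
        return any(re.fullmatch(rx, v, re.I | re.S) for v in values)
    if node[2] != LDAP_MATCHING_RULE_BIT_AND:
        raise ValueError("unsupported matching rule %r" % node[2])
    mask = int(node[3])                         # true when every bit of the mask is set
    return any(int(v) & mask == mask for v in values)

def search(filter_text, directory):
    """DNs matching the filter, as 'ldapsearch -b <Base DN> <filter> dn' would list."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(node, e)]

def entry(dn, **attrs):
    """Constructed entry: lower-cased attribute names, list-of-string values."""
    return {"dn": dn, **{k.lower(): [str(x) for x in (v if isinstance(v, list) else [v])]
                        for k, v in attrs.items()}}

# Constructed sample directory (not real data). userAccountControl: 512 normal, 66048
# normal+DONT_EXPIRE_PASSWORD, 514/66050 disabled, 590336 normal+DONT_EXPIRE_PASSWORD
# +TRUSTED_FOR_DELEGATION (an enabled account the page's exact-match list misses).
USER = ["top", "person", "organizationalPerson", "user"]
PEOPLE = [("alice", 512, "managementteam"), ("bob", 66048, "engineering"),
          ("carol", 514, None), ("dave", 66050, None), ("erin", 590336, "managementteam")]
DIRECTORY = [entry("CN=%s,OU=People,DC=example,DC=com" % n.title(), objectClass=USER,
                   sAMAccountName=n, mail="%s@example.com" % n, userAccountControl=uac,
                   **({"department": d} if d else {})) for n, uac, d in PEOPLE]

EXACT_UAC_FILTER = ("(&(|(useraccountcontrol=512)(useraccountcontrol=544)"
                    "(useraccountcontrol=66048))(mail=*.*))")            # the page's filter
BITWISE_FILTER = ("(&(objectClass=user)(!(userAccountControl:%s:=%d))(mail=*.*))"
                  % (LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE))       # any enabled user
LOGIN_TEMPLATE = "(&(sAMAccountName={0})(objectClass=organizationalPerson))"

def login_filter(username):
    """Fill the {0} placeholder the way an authenticator must: with the value escaped."""
    return LOGIN_TEMPLATE.replace("{0}", escape_filter_value(username))
```

Calling search("(objectClass=organizationalPerson)", DIRECTORY) returns all five entries, disabled accounts included (too many); search(EXACT_UAC_FILTER, DIRECTORY) returns only Alice and Bob, dropping the enabled account Erin (too few); search(BITWISE_FILTER, DIRECTORY) returns Alice, Bob and Erin. search(login_filter("*)(mail=*"), DIRECTORY) returns nothing, whereas splicing that same user name into LOGIN_TEMPLATE unescaped yields a filter that matches every entry. Against a live server the same checks are ldapsearch with the -D/-w bind account, -b Base DN and the filter string, counting the DNs that come back.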

How often should I manually synchronize my LDAP configuration?

Since changes to your LDAP users are applied every day, there’s no need to synchronize manually unless you’ve made changes to your users that you want to see in MangoApps right away.

Can I “Suspend” or “Change Users’ Passwords” in MangoApps when Authenticating through LDAP?

When LDAP is enabled, it controls all LDAP-sourced users in your domain. Suspending users or changing their passwords in MangoApps does not affect LDAP users, only guest users or network users that are not part of your LDAP.

How does LDAP control and effect Departments?

Departments can be mapped in MangoApps to the LDAP attribute that names them. Set the mapping for LDAP departments in the Admin Portal -> “Single Sign-On” -> “LDAP / AD” -> “Step 2: User Mapping” -> “Department” field. The department-based User Object Filter shown earlier, (&(objectClass=uidObject)(department=managementteam)), is the usual way to restrict the synced users to one such department without creating new OUs or moving records around.

An LDAP sync action will:

  1. Start a comparison of departments by name from the mapped LDAP department field and the departments that already exist in MangoApps.
  2. If a department exists in LDAP that does not exist in MangoApps, a new department is created in MangoApps.
  3. If a department already exists in MangoApps and is mapped from LDAP, no change to the content occurs in MangoApps. In other words, departments that are already created in MangoApps will not be changed on an LDAP sync.

Do LDAP settings overwrite mapped values that user may have changed in MangoApps on Sync?

LDAP, for the most part, is treated like the master record of user data when synchronizing with MangoApps. Mapped user data that users may have changed in MangoApps will be overwritten with their LDAP mapped field when an LDAP sync occurs. So fields like “User Name”, “Email”, “Title” and “Work Landline” that are MangoApps fields will be overwritten by their LDAP mappings.
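As an added illustration of the Step 2 user mapping, the Manager field and organization chart, the department sync rules and the overwrite rule described above (example code added here; it models the behaviour the page describes and is not MangoApps code): the mapping is applied to constructed directory entries, departments present in LDAP but not in MangoApps are created while existing ones are left untouched, mapped profile fields are overwritten from the directory while unmapped ones keep the user’s own edits, and the org chart is built from the Manager DN only when Manager is mapped. sAMAccountName is the default the page suggests; the other attribute names, the entries, the existing MangoApps state and the helper names are assumptions for the example.

```python
"""Model of the sync rules this page describes: apply the Step 2 user mapping to directory
entries, create departments that are missing (never update existing ones), overwrite mapped
profile fields from the directory, and build the org chart only when Manager is mapped."""

# Step 2 "User Mapping": MangoApps field -> directory attribute. sAMAccountName is the AD
# default the page suggests; the remaining attribute names are assumptions for this example.
USER_MAPPING = {"user_name": "sAMAccountName", "full_name": "displayName", "email": "mail",
                "title": "title", "department": "department",
                "work_landline": "telephoneNumber", "manager": "manager"}

def map_user(entry, mapping):
    """Apply the mapping to one entry; an empty attribute name (e.g. Manager left blank)
    means that field is not read from the directory at all."""
    user = {"dn": entry["dn"]}
    user.update({field: entry.get(attr) for field, attr in mapping.items() if attr})
    return user

def sync_departments(users, existing):
    """Compare departments by name: create the ones LDAP has that MangoApps lacks and leave
    already existing departments untouched. Returns (departments, names_created)."""
    departments = {name: dict(dept) for name, dept in existing.items()}
    created = []
    for user in users:
        name = user.get("department")
        if name and name not in departments:
            departments[name] = {"name": name, "source": "ldap"}
            created.append(name)
    return departments, created

def sync_profiles(users, existing):
    """LDAP is the master record: every mapped field is overwritten from the directory;
    fields that are not mapped (here 'about_me') keep whatever the user set in MangoApps."""
    profiles = {name: dict(profile) for name, profile in existing.items()}
    for user in users:
        profile = profiles.setdefault(user["user_name"], {})
        profile.update({field: value for field, value in user.items() if field != "dn"})
    return profiles

def build_org_chart(users):
    """manager user name -> direct reports, resolved through the Manager DN; empty (so that
    nothing about the hierarchy is stored) when the Manager field was not mapped."""
    name_by_dn = {user["dn"]: user["user_name"] for user in users}
    chart = {}
    for user in users:
        manager_dn = user.get("manager")
        if manager_dn in name_by_dn:
            chart.setdefault(name_by_dn[manager_dn], []).append(user["user_name"])
    return chart

# Constructed directory entries and MangoApps state (not real data).
ALICE_DN = "CN=Alice,OU=People,DC=example,DC=com"
ENTRIES = [
    {"dn": ALICE_DN, "sAMAccountName": "alice", "displayName": "Alice Adams",
     "mail": "alice@example.com", "title": "VP Engineering", "department": "Engineering"},
    {"dn": "CN=Bob,OU=People,DC=example,DC=com", "sAMAccountName": "bob",
     "displayName": "Bob Brown", "mail": "bob@example.com", "title": "Engineer",
     "department": "Engineering", "manager": ALICE_DN},
    {"dn": "CN=Carol,OU=People,DC=example,DC=com", "sAMAccountName": "carol",
     "displayName": "Carol Cruz", "mail": "carol@example.com", "title": "Account Manager",
     "department": "Sales", "manager": ALICE_DN},
]
EXISTING_DEPARTMENTS = {"Engineering": {"name": "Engineering", "source": "manual",
                                        "description": "Builds the product"}}
EXISTING_PROFILES = {"bob": {"title": "Senior Engineer", "about_me": "Edited in MangoApps"}}

def run_sync(entries=ENTRIES, mapping=USER_MAPPING):
    """One sync pass; returns what changed so the rules can be checked."""
    users = [map_user(e, mapping) for e in entries]
    departments, created = sync_departments(users, EXISTING_DEPARTMENTS)
    return {"created_departments": created, "departments": departments,
            "profiles": sync_profiles(users, EXISTING_PROFILES),
            "org_chart": build_org_chart(users)}
```

run_sync() creates only “Sales”, keeps the manually created “Engineering” department (description included) as it was, replaces Bob’s MangoApps-edited title with the directory’s “Engineer” while leaving his unmapped about_me text alone, and yields an org chart with Bob and Carol reporting to Alice. Calling run_sync(mapping={**USER_MAPPING, "manager": ""}) models an emptied Manager box: no manager value is read and the org chart is empty.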

How do I log in once LDAP is configured?

Once LDAP is configured, users log in to MangoApps with the value of their mapped “User name” attribute (uid or sAMAccountName) and their LDAP password. Passwords are controlled by LDAP, so neither users nor admins can change passwords from MangoApps; passwords must be changed in LDAP.

When and how frequently is AD synchronized with MangoApps?

MangoApps can be set to sync automatically with AD either once a day or every hour. The daily sync happens at approximately 1:00 AM Pacific Time. To set autosync for AD:

  1. Go to the “Admin Portal” -> “Single Sign-On” -> “LDAP / AD” page.
  2. If your configuration has already been saved, at the very bottom of the page, check “Auto sync MangoApps with enterprise AD/LDAP”, choose between once a day and every hour, and click “Save”.

[Screenshot: LDAP_AD_Sync]

Please note that the hourly sync includes the following:

  1. Users are activated or deactivated (if that setting is enabled).
  2. New users are created.
  3. New groups are created.
  4. Email address and sAMAccountName changes are applied.

Once every 24 hours, a full sync is performed that includes everything.

How can I connect MangoApps to multiple AD servers?

You can connect up to 3 LDAP or Active Directory servers by clicking “Add New Server”, as shown in the image below.

[Screenshot: LDAP_AD_Add Server]