Active Directory/LDAP

Configuring the AD/LDAP server settings

External identity stores (such as Windows Active Directory) are common deployments today in enterprise environments for user management, authentication, and provisioning.

AD and LDAP integration lets you import users quickly. The MangoApps database synchronizes with the directory on a periodic cycle (and, optionally, when a user logs in), so users are updated automatically whenever they are added to or removed from AD.

  1. Server Type & Account Suffix: Choose between “Active Directory” and “OpenLDAP”. Selecting “Active Directory” adds a “User Setting” section where you define the account suffix (UPN suffix) configured for your AD.

  2. Host Name & Port: Enter the FQDN of the directory server that MangoApps can reach, for example ldap.example.com, and the port: 389 (LDAP) or 636 (LDAPS). The service account password and every directory query travel over this connection, so use 636 with a certificate that MangoApps trusts; a simple bind on 389 sends the password in clear text unless the connection is upgraded to TLS. If the server is reachable from the internet, limit inbound access on that port to the sources that need it.

  3. Base DN: The root distinguished name (DN) from which user queries are run against the directory server. Example: ou=people,dc=example,dc=com

  4. Groups Base DN: The base distinguished name under which group entries are searched. Example: ou=groups,dc=example,dc=com

  5. UPN Suffix: The account suffix (UPN suffix) appended to every username during Active Directory authentication.

  6. Override UPN suffix: Check this setting to override the UPN suffix, i.e. the domain name after ‘@’.

  7. Administrator DN: The distinguished name of the service account MangoApps uses to connect to the directory server. All operations it performs are read-only, so use a dedicated account with read access to the user and group subtrees rather than a privileged administrator account; despite the field name, the account does not need administrative rights in the domain.

  8. Password: Enter password for the service account.

  9. Add New Server: Adds a server from another domain or forest.
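The settings above amount to one LDAP simple bind: the host and port decide the transport, and the Administrator DN and password are the credentials. The following added example (not MangoApps code, written for this page) encodes that bind request with only the Python standard library, so you can see that a simple bind carries the password as a plain OCTET STRING, and optionally sends it to your server over LDAPS with certificate validation to confirm the service account before saving. The service-account DN, password and the response text in the sample are constructed, not real.

```python
"""Stdlib-only LDAPv3 simple bind (RFC 4511 BER encoding), for checking the
host, port, Administrator DN and password of the service account.

Added example, not MangoApps code. Encoding and decoding run offline;
bind_over_ldaps() needs a reachable server on the LDAPS port.
"""
import socket
import ssl

# BER tags used by the two messages (RFC 4511 / X.690).
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80   # [APPLICATION 0], [APPLICATION 1], [0]
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired (server refuses simple bind in the clear)",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def _ber_len(n):
    """Definite-form length: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(n):
    """Non-negative INTEGER; an extra leading zero byte keeps the high bit clear."""
    return _tlv(INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def build_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = _tlv(BIND_REQUEST, _integer(3) + _tlv(OCTET_STRING, bind_dn.encode())
                + _tlv(SIMPLE_AUTH, password.encode()))       # password bytes go in verbatim
    return _tlv(SEQUENCE, _integer(msg_id) + bind)


def _read_tlv(buf, pos=0):
    """Decode one tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        width = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (msg_id, result_code, diagnostic_message) from a BindResponse PDU."""
    tag, msg, _ = _read_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != BIND_RESPONSE:
        raise ValueError(f"expected BindResponse, got tag {tag:#x}")
    _, code, pos = _read_tlv(body)            # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(body, pos)  # matchedDN, unused here
    _, diag, _ = _read_tlv(body, pos)         # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def build_bind_response(msg_id, result_code, diagnostic=""):
    """Encode a BindResponse; used here only to construct an offline sample reply."""
    body = (_tlv(ENUMERATED, bytes([result_code])) + _tlv(OCTET_STRING, b"")
            + _tlv(OCTET_STRING, diagnostic.encode()))
    return _tlv(SEQUENCE, _integer(msg_id) + _tlv(BIND_RESPONSE, body))


def password_in_clear(pdu, password):
    """True when the password appears verbatim in the PDU, which a simple bind always does."""
    return password.encode() in pdu


def bind_over_ldaps(host, port, bind_dn, password, timeout=10):
    """Live check: TLS with certificate and hostname validation, then one simple bind."""
    ctx = ssl.create_default_context()        # rejects untrusted or mismatched certificates
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(build_bind_request(1, bind_dn, password))
        _, code, diag = parse_bind_response(tls.recv(4096))   # a BindResponse fits in one read
    return code, RESULT_NAMES.get(code, str(code)), diag


if __name__ == "__main__":
    # Hypothetical service-account DN and password; constructed for this example.
    svc_dn, svc_pw = "cn=svc-mangoapps,ou=service,dc=example,dc=com", "Hunter2!"
    pdu = build_bind_request(1, svc_dn, svc_pw)
    print("bind request:", pdu.hex())
    print("password visible on the wire:", password_in_clear(pdu, svc_pw))
    # Uncomment against a real server: print(bind_over_ldaps("ldap.example.com", 636, svc_dn, svc_pw))
```

Run it as is to inspect the PDU; a result code of 49 from a live bind means the DN or password is wrong, and 8 means the server rejected a simple bind because it requires signing or TLS, which is exactly the case for port 389 against a hardened domain controller.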

User Mapping:

User mapping allows you to create MangoApps users and sync their details from your Active Directory/LDAP. In the mapping configuration you can define an object filter to fetch only the desired set of users.

1. User Profile Attributes: MangoApps user attributes can be synced from AD/LDAP.

  • The pre-populated fields can be edited to point at the corresponding AD/LDAP attribute. For example, for Emp ID the attribute could be changed to employeeID instead of the default employeeNumber.

  • A pre-populated field can also be blanked so that it is not synced. For example, blank the DOB field to keep dates of birth out of MangoApps.

2. User Object Filter: This filter defines, and restricts, the directory users that are permitted to access MangoApps. The most common use of a search filter is to limit entries by objectClass. For example, a filter often suggested for a default Active Directory installation is:

(objectClass=organizationalPerson)

When constructing a filter, pick an attribute common to the set of users you want to allow access to MangoApps. For example, if your users are distinguished by having two objectClass values (one equal to ‘person’ and another to ‘user’), match both:

(&(objectClass=person)(objectClass=user))

Note that in Active Directory the computer class inherits from user, which inherits from organizationalPerson, so both filters above also return computer accounts. To match user accounts only, combine objectCategory=person with objectClass=user, and to keep disabled accounts out of MangoApps add a bit-AND matching-rule test (OID 1.2.840.113556.1.4.803) on bit 2 of userAccountControl, negated with ‘!’. The external reference below shows both constructs.

LDAP filters consist of one or more criteria. If a filter contains more than one criterion, the criteria are combined with the logical AND (&) or OR (|) operator, and a criterion can be negated with NOT (!). The operator is always placed in front of its operands (i.e. the criteria). Each criterion is enclosed in parentheses, and the whole term is enclosed in parentheses once more.

AND operation: (&(...K1...)(...K2...)), or with more than two criteria: (&(...K1...)(...K2...)(...K3...)(...K4...))

OR operation: (|(...K1...)(...K2...)), or with more than two criteria: (|(...K1...)(...K2...)(...K3...)(...K4...))

Nested operation: every AND/OR operation can itself be used as a single criterion: (|(&(...K1...)(...K2...))(&(...K3...)(...K4...)))

Note: Wildcards are not allowed on memberOf and distinguishedName (or any other attribute with DN syntax); you must specify the full DN of the object. This is not a MangoApps limitation but a general LDAP rule, since substring matching is not defined for DN-valued attributes.

More detailed information about the LDAP filters can be found on this external site - https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

3. Custom fields: Custom user attributes can be configured under Modules > People. These too can be mapped to the relevant AD/LDAP attributes.

4. Sync Profile on Login: This setting synchronizes all the above mapped User profile fields when the users log into MangoApps.

5. Sync Profile Photo: Checking this setting synchronizes users’ photos from AD/LDAP on every login (if the option above is checked) or on the periodic sync cycle.

6. Sync Organizations: Adds organizations from AD/LDAP to MangoApps and automatically makes users members of their organizations in MangoApps.

7. Sync Departments: Same as organizations: departments from AD/LDAP are created in MangoApps and users are automatically mapped to them.

8. Manager: The attribute mapped to ‘Manager’ (in Active Directory the manager attribute, which holds the manager’s DN) is used to build the org chart in MangoApps.

Group Mapping:

Group Mapping lets the Network Admin automate group creation and user assignment in MangoApps.

1. Enable Groups sync: This setting allows Network Admins to import AD/LDAP groups and their attributes into MangoApps.

2. Group Admin/Creator: Specify the name of the user who’ll be the default ‘Group Admin’ of the Groups synced from AD/LDAP.

3. Group Attributes: Like user attributes, group attributes can be pulled in to mirror each group’s name, description, member association and child group association in MangoApps.

  • Group Name: The attribute on which group name lookups are performed.

  • Group Description: The attribute that holds the group description in your AD, if any.

  • Group Member Association: The attribute that indicates group membership, i.e. the attribute a group uses to refer to its users (member in Active Directory).

  • Child Group Association: The attribute that indicates child groups, i.e. the attribute a group uses to refer to its nested groups.

4. Group Object Filter: The object filter selects which AD/LDAP groups are created in MangoApps. The most common use is to limit entries by objectClass; for a default Active Directory installation "(objectClass=group)" is a reasonable filter. Clauses can be combined with the ‘&’ and ‘|’ operators, for example to create only the groups whose names contain tech or net:

(&(objectClass=group)(|(cn=*tech*)(cn=*net*)))

5. Membership Rule: Configuring how group membership is matched lets Admins govern the offboarding policy for departing employees. The second option helps with user provisioning while retaining the users who have been removed from AD/LDAP.
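Both the User Object Filter (item 2 under User Mapping) and the Group Object Filter above are plain LDAP search filters, and the easiest way to avoid surprises is to evaluate a candidate filter against a few representative entries before saving it. The following added example (written for this page, not MangoApps code) is a small RFC 4515 filter evaluator covering equality, presence, wildcards, &, |, ! and the Active Directory bit-AND matching rule, run against a constructed directory with two users (one disabled), a computer account and three groups. It shows the inheritance pitfall from the user-filter discussion (a computer matches objectClass=organizationalPerson), the recommended objectCategory/userAccountControl filter, the group filter from this page, and a pre-flight check that rejects a wildcard on memberOf. The entries, DNs and names are constructed sample data.

```python
"""Offline evaluator for LDAP search filters (RFC 4515 syntax) against AD-shaped
sample entries, to check a User or Group Object Filter before using it.
Added example, not MangoApps code. The sample directory is constructed."""
import re

DN_SYNTAX_ATTRS = {"memberof", "distinguishedname", "member", "manager"}  # no wildcards allowed
BITWISE_AND = "1.2.840.113556.1.4.803"                                    # AD matching rule OID
_SIMPLE = re.compile(r"([A-Za-z0-9.;-]+)(?::([0-9.]+):)?=(.*)", re.S)     # attr[:rule:]=value

# Constructed sample: two users (one disabled), one computer, three groups. AD stores
# objectCategory as a schema DN but accepts the short class name in filters, so the
# short name is stored directly here.
SAMPLE_ENTRIES = [
    {"distinguishedName": "CN=Jane Doe,OU=People,DC=example,DC=com", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"], "sAMAccountName": "jdoe",
     "userAccountControl": 512, "memberOf": ["CN=Tech Ops,OU=Groups,DC=example,DC=com"]},
    {"distinguishedName": "CN=Alan Smith,OU=People,DC=example,DC=com", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"], "sAMAccountName": "asmith",
     "userAccountControl": 514, "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},  # 514 = 512 | ACCOUNTDISABLE
    {"distinguishedName": "CN=WS01,CN=Computers,DC=example,DC=com", "objectCategory": "computer",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"], "userAccountControl": 4096},
    {"distinguishedName": "CN=Tech Ops,OU=Groups,DC=example,DC=com", "objectClass": ["top", "group"], "cn": "Tech Ops"},
    {"distinguishedName": "CN=Network Admins,OU=Groups,DC=example,DC=com", "objectClass": ["top", "group"], "cn": "Network Admins"},
    {"distinguishedName": "CN=Finance,OU=Groups,DC=example,DC=com", "objectClass": ["top", "group"], "cn": "Finance"},
]


def parse_filter(text):
    """Parse into a tree: (op, [children]) for & | ! or ("=", attr, rule, value)."""
    node, pos = _parse(text.strip(), 0)
    if pos != len(text.strip()):
        raise ValueError(f"unexpected text at offset {pos}")
    return node


def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):
        op, children, i = s[i], [], i + 1
        while s[i:i + 1] == "(":                    # operator applies to every following operand
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"empty {op} list at offset {i}")
        node = (op, children)
    elif s[i:i + 1] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    else:
        end = s.find(")", i)
        m = _SIMPLE.fullmatch(s[i:end]) if end > i else None
        if not m:
            raise ValueError(f"bad filter item at offset {i}")
        node, i = ("=", m.group(1).lower(), m.group(2), m.group(3)), end
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def validate_filter(text):
    """Pre-flight check: None if the filter parses and uses no wildcard on a
    DN-syntax attribute, otherwise a short description of the problem."""
    try:
        stack = [parse_filter(text)]
    except ValueError as exc:
        return f"syntax error: {exc}"
    while stack:
        node = stack.pop()
        if node[0] != "=":
            stack.extend(node[1])
        elif node[1] in DN_SYNTAX_ATTRS and "*" in node[3]:
            return f"wildcard not allowed on DN-syntax attribute {node[1]}"
    return None


def matches(entry, node):
    """Evaluate a parsed filter against one normalised entry ({lowercase attr: [values]})."""
    if node[0] == "&":
        return all(matches(entry, c) for c in node[1])
    if node[0] == "|":
        return any(matches(entry, c) for c in node[1])
    if node[0] == "!":
        return not matches(entry, node[1][0])
    _, attr, rule, pattern = node
    values = [str(v) for v in entry.get(attr, [])]
    if rule == BITWISE_AND:                           # every bit of pattern is set in the value
        return any(int(v) & int(pattern) == int(pattern) for v in values)
    if pattern == "*":                                # presence test
        return bool(values)
    regex = re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.I)
    return any(regex.fullmatch(v) for v in values)    # AD compares these values case-insensitively


def search(entries, filter_text):
    """Return the DNs of the entries that satisfy the filter; raises ValueError on a bad filter."""
    problem = validate_filter(filter_text)
    if problem:
        raise ValueError(problem)
    node, hits = parse_filter(filter_text), []
    for raw in entries:
        entry = {k.lower(): v if isinstance(v, list) else [v] for k, v in raw.items()}
        if matches(entry, node):
            hits.append(entry["distinguishedname"][0])
    return hits
```

Calling search(SAMPLE_ENTRIES, "(objectClass=organizationalPerson)") returns the computer WS01 along with the two users, while "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" returns only the enabled user; validate_filter("(memberOf=*Tech*)") reports the wildcard error instead of silently matching nothing.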

Saving the settings presents a ‘Preview & Synchronize’ button. This action shows the Admin the list of users and groups that satisfy the configured user and group object filters, so the filters can be checked before the sync runs.
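The preview lists which users each synced group will receive. That list is derived from the two attributes chosen under Group Attributes: the member association (group to user) and the child group association (group to nested group). The following added example (written for this page, not MangoApps code) resolves that effective membership for a constructed directory, assuming Active Directory’s convention that both associations are the group’s member attribute and a nested group is simply a member whose objectClass is group. It also handles two cases a sync has to cope with: a group that nests its own parent (a cycle), and a member DN that is not among the fetched entries because it lies outside the Base DN or is excluded by the user object filter. All DNs and names are constructed sample data.

```python
"""Resolve the effective user membership of an AD/LDAP group from the member
association and child group association attributes.
Added example, not MangoApps code; the directory below is constructed."""

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample: DN -> entry. Groups refer to members by DN, as AD does.
SAMPLE_DIRECTORY = {
    "CN=All Tech,OU=Groups,DC=example,DC=com": {"objectClass": ["top", "group"], "member": [
        "CN=Tech Ops,OU=Groups,DC=example,DC=com", "CN=Network Admins,OU=Groups,DC=example,DC=com",
        "CN=Jane Doe,OU=People,DC=example,DC=com"]},
    "CN=Tech Ops,OU=Groups,DC=example,DC=com": {"objectClass": ["top", "group"], "member": [
        "CN=Alan Smith,OU=People,DC=example,DC=com",
        "CN=All Tech,OU=Groups,DC=example,DC=com"]},        # nests its own parent: a cycle
    "CN=Network Admins,OU=Groups,DC=example,DC=com": {"objectClass": ["top", "group"], "member": [
        "CN=Priya Nair,OU=People,DC=example,DC=com",
        "CN=Gone User,OU=People,DC=example,DC=com"]},       # not among the fetched entries
    "CN=Jane Doe,OU=People,DC=example,DC=com": {"objectClass": USER_CLASSES},
    "CN=Alan Smith,OU=People,DC=example,DC=com": {"objectClass": USER_CLASSES},
    "CN=Priya Nair,OU=People,DC=example,DC=com": {"objectClass": USER_CLASSES},
}


def effective_members(directory, group_dn, member_attr="member", child_attr="member"):
    """Return (users, unresolved): the transitive set of user DNs under group_dn and the
    DNs it references that are not in the directory. Each group is expanded once, so a
    cycle such as A -> B -> A terminates instead of looping."""
    users, unresolved, expanded = set(), set(), set()
    pending = [group_dn]
    while pending:
        dn = pending.pop()
        if dn in expanded:
            continue
        expanded.add(dn)
        group = directory.get(dn)
        if group is None:
            unresolved.add(dn)
            continue
        for ref in set(group.get(member_attr, [])) | set(group.get(child_attr, [])):
            target = directory.get(ref)
            if target is None:
                unresolved.add(ref)                 # outside Base DN or filtered out: cannot be mapped
            elif "group" in (c.lower() for c in target["objectClass"]):
                pending.append(ref)                 # child group: expand it in turn
            else:
                users.add(ref)
    return users, unresolved


if __name__ == "__main__":
    for dn in SAMPLE_DIRECTORY:
        if "group" in SAMPLE_DIRECTORY[dn]["objectClass"]:
            users, unresolved = effective_members(SAMPLE_DIRECTORY, dn)
            print(dn, "->", sorted(users), "unresolved:", sorted(unresolved))
```

Because of the cycle, Tech Ops resolves to the same three users as All Tech; the unresolved DN is the one to check against the user Base DN and User Object Filter, since a member that MangoApps never imported cannot be added to the group.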
