Connecting through LDAP
Configuring Campaign and LDAP
- The LDAP configuration is only possible for on-premise or hybrid installations.
- Make sure that your system and your openssl versions are compatible with Campaign (see the Compatibility matrix). Outdated versions can impact your LDAP authentication.
The LDAP configuration is carried out in the deployment wizard. The LDAP integration option must be selected during the first configuration step. Refer to the deployment wizard documentation.
The window lets you configure the identification of Adobe Campaign users via the specified LDAP directory.
- Specify the address of the LDAP server in the LDAP server field. You can add the port number. By default, the port used is 389.
- In the drop-down list, select the authentication method for users:
  - Encrypted password (md5) - Default mode.
  - Plain text password + SSL (TLS) - The entire authentication procedure (password included) is encrypted. The secure port 636 must not be used in this mode: Adobe Campaign automatically switches to secure mode.
    When you use this authentication mode, in Linux, the certificate is verified by the openLDAP client library. We recommend using a valid SSL certificate so that the authentication procedure is encrypted; otherwise, the information is sent in plain text. The certificate is also verified in Windows.
  - Windows NT LAN Manager (NTLM) - Proprietary Windows authentication. The Unique identifier is used for the domain name only.
  - Distributed Password Authentication (DPA) - Proprietary Windows authentication. The Unique identifier is used for the domain name only (domain.com).
  - Plain text password - No encryption (for use in test phases only).
- Select the user authentication mode: Automatically compute the unique user identifier (see Distinguished Name calculation) or Search the unique user identifier in the directory (see Searching for identifiers).
Compatibility
The systems that are compatible depend on the selected authentication mechanism. The following is a compatibility matrix of operating systems and LDAP servers.
Distinguished Name calculation
If you wish to compute the Distinguished Name (DN) identifiers, the next step of the deployment wizard lets you configure the calculation mode.
- Specify the unique identifier of the user in the directory (Distinguished Name - DN) in the Distinguished Name field.
  (login) will be replaced with the identifier of the Adobe Campaign operator.
  CAUTION: The dc setting must be in lowercase.
- Select the option Enable synchronization of user rights from authorizations and groups in the directory in order to synchronize the group and user associations in the LDAP directory with the group and user associations in Adobe Campaign.
  When you select this option, the Application level DN used for the search and Password of the application login fields are enabled.
  If you populate these two fields, Adobe Campaign will connect to the LDAP server with its own login and password. If they are empty, Adobe Campaign will connect to the server anonymously.
Searching for identifiers
If you choose to search for an identifier, the deployment wizard lets you configure the search.
- In the Application level DN used for the search and Password of the application login fields, provide the identifier and password with which Adobe Campaign will connect to search for the identifier. If they are empty, Adobe Campaign will connect to the server anonymously.
- Specify the Base identifier and Search scope fields in order to determine the subset of the LDAP directory to start the search from.
  Select the required mode in the drop-down list:
  - Recursive (default mode).
    The LDAP directory is searched in full, starting from the given level.
  - Limited to the base.
    All attributes are included in the search.
  - Limited to the first sub-level of the base.
    The search is performed on all attributes of the directory, starting from the first sub-level of the base entry.
- The Filter field enables you to specify an element to refine the scope of the search.
Configuring LDAP authorizations
This window is displayed when you select the Enable synchronization of user rights from authorizations and groups in the directory option.
You must specify several parameters in order to find the group or groups to which the user belongs and their corresponding rights, i.e.:
- the Database identifier field,
- the Search scope field,
  NOTE: If you have chosen to search for the DN, you can select Reuse the DN search parameters in order to carry over the DN and search scope values selected on the previous screen.
- the Rights search filter field, based on the login and the user's distinguished name,
- the Attribute containing the group or authorization name field concerning the user,
- the Association mask field, enabling the extraction of the group name in Adobe Campaign and its associated rights. You can use regular expressions to search for the name.
Select Enable the connection of users declared in the LDAP directory if the operator is not declared in Adobe Campaign so that the user is automatically granted access rights on connection.
Click Save to finish configuring the instance.
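As an added example (not Adobe Campaign's own code), the following Python models the three values the wizard derives from user input: the Distinguished Name calculation with its lowercase-dc caution, the three search scope modes from Searching for identifiers, and the rights search filter and association mask from this section. The $(login)/$(dn) placeholder syntax, the helper names and the sample values are assumptions; the escaping is added so that a login containing LDAP special characters cannot change the computed DN or the rights search filter.

```python
import re

# Added example, not Adobe Campaign code. Placeholder syntax ($(login), $(dn)) and
# helper names are assumptions; the three mode labels are the wizard's own.
SCOPE_BY_MODE = {
    "Recursive": "SUBTREE",                                    # whole subtree below the base
    "Limited to the base": "BASE",                             # the base entry only
    "Limited to the first sub-level of the base": "ONELEVEL",  # direct children of the base
}

_DN_SPECIAL = re.compile(r'([\\,+"<>;=])')
_FILTER_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_dn_value(value):
    """RFC 4514 escaping so a login cannot inject extra RDNs into the DN."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def escape_filter_value(value):
    """RFC 4515 escaping so a login cannot alter the rights search filter."""
    return "".join(_FILTER_SPECIAL.get(c, c) for c in value)


def compute_dn(template, login):
    """'Automatically compute the unique user identifier': substitute $(login) into the
    Distinguished Name template, enforcing the caution that dc must be lowercase."""
    for rdn in re.split(r"(?<!\\),", template):
        attr = rdn.split("=", 1)[0].strip()
        if attr.lower() == "dc" and attr != "dc":
            raise ValueError("dc must be lowercase in the Distinguished Name: " + rdn)
    return template.replace("$(login)", escape_dn_value(login))


def rights_filter(template, login, dn):
    """Build the 'Rights search filter' from the login and the user's DN."""
    return (template.replace("$(login)", escape_filter_value(login))
                    .replace("$(dn)", escape_filter_value(dn)))


def campaign_group(mask, ldap_group_name):
    """Apply the association mask (a regular expression) to a value of the
    'Attribute containing the group or authorization name'; None if no match."""
    m = re.fullmatch(mask, ldap_group_name)
    return m.group(1) if m else None
```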
Managing operators
Once you have confirmed the configuration, you must define which Adobe Campaign operators are managed via the LDAP directory.
To use the LDAP directory to authenticate an operator, edit the corresponding profile and click the Edit the access parameters link. Select the Use LDAP for authentication option: the Password field is grayed out for this operator.
Use cases
This section provides a few simple use cases to help you achieve the most appropriate configurations based on your needs.
- A user has been created in the LDAP directory but not in Adobe Campaign.
  Adobe Campaign can be configured so that the user accesses the platform via their LDAP authentication. Adobe Campaign needs to be able to check the validity of the ID/password combination in the LDAP directory, so that the operator can be created on the fly in Adobe Campaign. To do this, check the Enable the connection of users declared in the LDAP directory if the operator is not declared in Adobe Campaign option. In this case, group synchronization also needs to be configured: the Enable synchronization of user rights from authorizations and groups in the directory option needs to be selected.
- The user has been created in Adobe Campaign but not in the LDAP directory.
  They won't be able to log on to Adobe Campaign.
- There is a group in the LDAP directory which does not exist in Adobe Campaign.
  This group will not be created in Adobe Campaign. You need to create the group and synchronize the groups to enable a match-up via the Enable synchronization of user rights from authorizations and groups in the directory option.
- Groups exist in Adobe Campaign and the LDAP directory is activated afterwards: user groups in Adobe Campaign aren't automatically replaced with the content of LDAP groups. Likewise, if a group only exists in Adobe Campaign, no LDAP users may be added to it until the group has been created and synchronized in LDAP.
  Groups are never created on the fly, whether by Adobe Campaign or by LDAP. They need to be created individually, both in Adobe Campaign and in the LDAP directory.
  The names of groups in the LDAP directory need to coincide with the names of Adobe Campaign groups. Their association mask is defined in the last configuration stage of the deployment wizard: Adobe Campaign_(.*), for instance.