Test settings tab

The Test Settings tab enables you to test the connection to the LDAP server. Please note that the settings have to be saved before the test can start. If the settings are correct, the test will return first 5 users, cost centers and roles matching entered settings and filters.

There is a summary table in the top if more than one LDAP connection (domain) is set. You can see if domain settings are correct (all icons are green) or something is setup wrongly (red icons). If test returned less then 5 results, icon is orange. This does not necessary means that setting is wrong (there could be only three object of that type in the LDAP) but warning is raised so administrator can check if for example filter settings is correct.

You can list returned items for each domain by clicking on domain name in the summary table.

Log tab

On the last tab called Log, you can see information that were logged by the running LDAP replicator. This is a good place for troubleshooting if there is any issue with the replication process.

Replicator tab

LDAP service port - The port on which LDAP listens to Dispatcher Paragon Management Service.

Number of objects in search request - Maximum number of objects requested in one response page during search. Set to -1 for unlimited response.

List of binary attributes - List of attributes that contain binary (non-string) values. Attributes are separated by commas. No spaces are allowed.

Maximum number of reconnection attempts - Maximum number of reconnection attempts when connection with LDAP fails during critical operations.

Delete imported objects in case of an error - Parameter affects only the Full replication (not the Differential replication). Dispatcher Paragon Management Service launches the procedure for deletion of outdated objects at the end of every full LDAP replication. For example when some user is deleted on the Active Directory side, this user is deleted on Dispatcher Paragon Management Service side at the end of LDAP replication by the procedure for deletion of outdated objects.

• If this parameter is set to "disable" and there is any error during the replication (connection error, unexpected values...), procedure for deletion of outdated objects is not launched - this way it is prevented the deletion of valid objects. It is strongly recommended to leave it with default value "disable".

• If this parameter is set to "enable" and any error during replication occurs, procedure for deletion of outdated objects is launched - this may cause that even valid objects will be deleted during replication and users will be unable to authenticate. "Enable" shall be selected only in special cases (for example as a temporary workaround for issues where LDAP contains incorrect values).

Terminate replication if an error occurs - Enable this feature to terminate replication if any error occurs during synchronizing user roles or cost centers (these objects are synchronized before any user account).

Schema tab

The Schema tab enables you to specify your own attributes that contain important user data like attribute containing aliases, login, cards numbers and other data.

Import users - If disabled, only cost centers and groups are imported – not users.

Attribute containing username - Do not include domain in username - Determines how domain will be separated from login:

• Option none - domain will not be separated from the login and string will be used as it is

• Option at sign or backslash (@, \) - domain will be separated by (@, \)

• Option dot (.) - domain will be separated by (.)

Check username uniqueness - it is restricted to have two or more users with identical login within single tenant. If both this option and the option Overwrite user if already exists in database from Filters tab in Expert mode are enabled then the original user created in Dispatcher Paragon Management interface is deleted and the user from the Active Directory is created. Otherwise, user data received from remote LDAP server are merged with existing user created in Dispatcher Paragon Management interface.

Attributes containing aliases - Attributes containing user aliases. Use commas to separate multiple attributes.

Attribute containing user first name

Attribute containing user surname

Attribute containing user email

Attribute containing user role (membership) - Attribute containing user role (membership). This multi-valued attribute is a collection of the Distinguished Names of all groups the user is a direct member of.

Attributes containing cards/PINs - Attributes containing cards and PINs. Use commas to separate multiple attributes. Multiple values can be replicated from this attribute.

Card number conversions - Used for conversion of card numbers replicated from Directory services (AD, NDS, OpenLDAP). You can use Card Conversion Tool to find a suitable conversion rule automatically or create the conversion rule manually. For more information on how to create a conversion rule, see Card Number Conversion article.

Card separator - If multiple card numbers are stored in a single-value attribute in LDAP, the card numbers are separated by the defined separator.

• Note: The separator must not contain apostrophe character (ASCII code 039).

• Note: If LDAP replicator is used in On-demand (semi-online) mode, this feature is not supported – only one card number may be stored in each single-value attribute.

Delete all the user’s cards when a user’s account is deactivated - When user's account is deactivated in LDAP, all user's cards will be deleted in database.

• Note: If this option is enabled, the user’s cards that were added via the Dispatcher Paragon Management Interface or card self-assignment will also be deleted from the database. Because this operation cannot be undone, the recommended value is disabled.

• Note: Do not enable this option if multiple LDAP accounts are merged into one Dispatcher Paragon user account (that is, if multiple LDAP accounts have the same employeeID attribute). Deleting or disabling one of the accounts on the LDAP server causes all cards from the merged user account to be deleted from the Dispatcher Paragon database.

Attribute containing PIN code - Attribute containing PIN, which can be converted in case PIN code conversion value is defined. Only single value is replicated from this attribute.

PIN code conversion - Used for conversion of PIN codes replicated from Directory services (AD, NDS, OpenLDAP) to database. Default system configuration of Dispatcher Paragon requires that PIN codes in database are stored in following format: PIN + MD5 hash of the PIN itself (PIN in LDAP is 1234, database value is PIN81dc9bdb52d04dc20036dbd8313ed055 which requires "Const(PIN) + MD5" conversion rule). For more information on how to create a conversion rule, see Card Number Conversion article. The conversion must reflect setting of conversionPin attribute in System configuration.

Create money account when creating user account

• If this option is enabled, Dispatcher Paragon will automatically create Dispatcher Paragon Payment System account for new users.

• If user's account is deactivated in LDAP, Dispatcher Paragon Payment System account will be disabled for such user.

• If user's account is moved to LDAP source where this option is disabled, Dispatcher Paragon Payment System account will be disabled for such user.

• If user's account is moved to LDAP source where this option is enabled, Dispatcher Paragon Payment System account will be created or enabled for such user.

• Note: If Dispatcher Paragon Payment System is unavailable, the money account will not be created.

• Note: There is no way to import initial account balance from LDAP.

Connection tab

The Connection tab has new option called Mode of LDAP server certificate check which defines how the LDAP server certificate is validated (applies to LDAPS protocol only).

Possible values are:

• hash - Hash of the certificate is stored in conf\ldap-keystore during first connection. If the certificate of LDAP server is changed, the connection is refused. Delete conf\ldap-keystore file in you changed certificate. This is default behavior.

• secure - Certificate of LDAP server is verified by Certificate Authority public key. To use this feature you have to import your CA`s public key into Dispatcher Paragon Management Service truststore.

Here is example how to import CA certificate to Dispatcher Paragon Management Service (to obtain keystore password, please contact customer support services):

java\bin\keytool.exe -server -import -alias YourCompanyCA -file YourCertificate.cer -keystore conf\ssl-truststore

Timeout - Number of milliseconds after which connection to the LDAP server times out if there was no response. If several reconnection attempts are configured in Replicator tab, LDAP replication will retry the connection after delay specified by ldapReconnectionDelay System settings configuration property.

The On demand mode has two expert options that are available in the System > Configuration page:

• Number of threads (property ldap-replicator-online-mode-threads) - Number of concurrently running threads. Number of threads should not exceed number of LDAP connections. Database should have sufficient number of open connections.

• Maximum response time (property ldap-replicator-online-mode-timeout) - Maximum response time in seconds. Requests that take longer than given time are prematurely canceled.

Mapping tab

The Mapping tab allows you to configure options and conversion for user unique mapping, option for extracting external ID and several options for user´s organizational unit mapping.

Options for unique mapping of users - Options for user unique mapping:

• ID-GUID - for mapping user to GUID

• ID-[attribute-name] - for mapping user to attribute

• [name-of-numeric-attribute] - for ID equivalency mapping

Conversion for unique mapping of users - Turn on conversion of user unique mapping Options for user unique mapping, e.g. for ”GUID” (=value ”ID-GUID”) is converted to ”objectGUID” (used for Active Directory).

Usually for existing installations value true should be set for backward configuration compatibility.

For new installations it is recommended that you use ”false” and specified item Options for user unique mapping properly, e.g ” Options for user unique mapping = ID-objectGUID” for Active Directory. Typically, false is used for non-AD servers.

Option for extracting external ID - Option for extracting ext-id from attribute Options for user unique mapping. Matching parts are used for output. Unmatching input is not processed. For example: regex (d+)-adm-(d+)|adm-(d+) for inputs 12345-adm-6789, 123-adm-456789, adm-123456789, 123456789 will have same output 12345678.

Options for user cost center mapping

• DN:[attribute-name] Cost centers are searched by query in LDAP, cost center is assigned according to LDAP setting (by DN prefix). [attribute-name] determines user ext-id. Example: DN:GUID

• NUMBER:[attribute-name] Cost center creation during user replication. Number is stored in user’s [attribute-name]. Name is created as ”OU-”[attribute-name], example: NUMBER:department

• NAME:[attribute-name] Cost center creation during user replication. Name is stored in user’s [attribute-name]. Number is identical to the ID (initialized by sequence). Example: NAME:department

• NN1:[attribute-name-with-number]:[attribute-name-with-name] Cost center creation during user replication. [attribute-name-with-number] contains cost center number and [attribute-name-with-name] contains its name. Example: NN1: department:company

• NN2:[attribute-name]:[groups-order]:[pattern] Cost center creation during user replication. The user’s [attribute-name] must include content that matches reg-ex [pattern]. Value must contain at least two reg-ex groups: the first for OU name, the second for OU number. [groups-order] is string ”name,number”, or ”number,name” depending on the mapping order of regex-groups to OU number and OU name in [pattern]. Example: NN2: department:number,name:([^:]*):(.*)

Conversion of user cost center mapping - Turn on conversion of user’s cost center unit mapping (Options for user’s cost center mapping). For example, ”GUID” (=value ”DN:GUID”) is converted to ”objectGUID” (used for Active Directory).

Usually for existing installations, set this value to ”enable” (true) for backward configuration compatibility.

For new installations it is recommended that you use ”disable” (false) and the specified item Options for user’s cost center mapping, for example, ”Options for user’s cost center mapping = DN:objectGUID” for Active Directory. Typically, false is used for non-AD servers.

Map cost center only when value exists - When enabled, user’s cost center information is updated only if cost center exists. If disabled, user is saved without cost center information.

Attribute containing unique identifier for groups - Name of LDAP attribute containing unique identifier for groups.

Bind user to ancestor groups - Option that specifies to map user not just to its superior roles but also to roles superior to these roles.

Filters tab

In the Filters tab you can specify additional filters for users, groups or cost centers searching and some other filters according to your needs.

Additional filter for user searches - You can use this filter if the standard built-in filter includes unwanted objects in the search result. For example, filter for users that have not been disabled (&(objectCategory=Person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Additional filter for group searches - Use this filter if the standard built-in filter includes unwanted objects in the search result.

Additional filter for cost center searches - You can use this filter if the standard built-in filter includes unwanted objects in the search result. This setting is in effect only when Mapping -> Options for user’s cost center mapping is set to DN:keyword (for example DN:GUID). With other options (like NAME, NUMBER,...) this option is not used.

Ignore distinguished name when searching for users - Domain name branches to ignore during searches of users. Separate multiple values with a pipe.

Ignore distinguished name when searching for groups - Domain name branches to ignore during searches of users. Separate multiple values with a pipe.

Ignore distinguished name when searching for cost centers - Domain name branches to ignore during searches of users. Separate multiple values with a pipe.

Overwrite user if already exists in database - Enable this option if you have created internal users prior synchronization from LDAP. If both this option and the option Check username uniqueness from Users schema tab in Advanced mode are enabled then the original user created in Dispatcher Paragon Management interface is deleted and the user from the Active Directory is created. Otherwise, user data received from remote LDAP server are merged with existing user created in Dispatcher Paragon Management interface.

Merge automatically generated accounts in Dispatcher Paragon database - If multiple user accounts are automatically generated in the Dispatcher Paragon database, they can be automatically merged once accounts are created in LDAP with aliases that are the same as the generated accounts. This should be enabled only when using the anonymous print feature.

Manual synchronization of LDAP configuration

On the System > LDAP integration > Settings page, there is a button LOAD FROM DISPATCHER PHOENIX available which loads the LDAP configuration from Dispatcher Phoenix and fills those values into the LDAP settings form. An administrator should check the loaded values and he must save the changes in order for them to be applied.

Automatic synchronization of LDAP configuration

To minimize the need for manual configuration, the LDAP configuration is automatically loaded from Dispatcher Phoenix only if it has not been filled in Dispatcher Paragon yet (i.e. URL of LDAP server is blank). An attempt to load the configuration from Dispatcher Phoenix is being run in regular intervals till the configuration is successfully loaded. The CRON rule 'konicaMinoltaDispatcherPhoenixLdapSettingSynchronizationJobRule' system configuration property determines such interval.