As an alternative to creating accounts directly in ProcMan, accounts can also be imported from an LDAP server. For such accounts the user name and password are verified at login by the LDAP server instead of by ProcMan.
ProcMan also supports importing accounts from more than one LDAP server. In this case the user name and password of each account are verified by the LDAP server from which that account was imported.
Accounts are imported from an LDAP server by clicking the LDAP button in the accounts list form. An LDAP Import form then appears (see picture below).
Beware that the object structure on the LDAP server depends strongly on the type of server (RACF, Active Directory, OpenLDAP etc.) and on how the organization structure of the company is mirrored in that object structure. The form should therefore be filled in together with the administrator of the LDAP server, who should know the proper distinguished name (dn for short) and object class of the account objects in LDAP, as well as the names of the attributes returned by the LDAP server.
After the fields in this form have been filled in and the OK button clicked, the dialog lists all users found on the LDAP server that match the specified criteria in the LDAP import – User selection form. Clicking the Cancel button returns the dialog to the accounts list.
If accounts are to be imported from an LDAP server from which a successful import has already been done before, clicking the Use known LDAP button and selecting that LDAP server from the list on the following form fills the LDAP import form with the values used previously, so they need not be typed again.
The field LDAP host has to be filled with the IP address or the DNS name of the LDAP server. Alternatively the LDAP server can be specified here in URL format, ldap[s]://<host>[:<port>] (e.g. ldaps://ldap.my_company.com:390). An encrypted (secure) LDAP connection can only be requested by using the URL format with ldaps as the service.
The field LDAP port has to be filled with the port number of the LDAP service on the LDAP server. If the LDAP server has been specified in URL format in the field LDAP host, the port number entered here is ignored.
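The two fields above interact: the URL form carries its own port and overrides the LDAP port field, and only the ldaps scheme gives an encrypted connection. The following added example (not ProcMan's own code) shows one way to resolve the pair of fields into a single endpoint; the default ports 389 and 636 used when a URL omits the port are an assumption, since the description does not state which defaults ProcMan applies.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Default ports used when the URL omits one. Assumption: the page does not
# state which defaults ProcMan applies; these are the IANA-registered ports.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def resolve_ldap_endpoint(host_field: str, port_field: Optional[str]) -> Tuple[str, str, int, bool]:
    """Combine the LDAP host and LDAP port fields into (scheme, host, port, encrypted).

    Rules as described above:
      * LDAP host is either a bare IP address / DNS name or a URL of the form
        ldap[s]://<host>[:<port>]
      * when the URL form is used, the LDAP port field is ignored
      * only the ldaps scheme yields an encrypted connection
    """
    host_field = host_field.strip()
    if "://" in host_field:
        parts = urlsplit(host_field)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported scheme in LDAP host: {scheme!r}")
        if not parts.hostname:
            raise ValueError("LDAP host URL contains no host name")
        # parts.port raises ValueError itself for a non-numeric or out-of-range port
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
        return scheme, parts.hostname, port, scheme == "ldaps"

    # Bare host: the LDAP port field is required and the connection is plain ldap.
    if port_field is None or not str(port_field).strip():
        raise ValueError("LDAP port is required when LDAP host is not given as a URL")
    port = int(str(port_field).strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"LDAP port out of range: {port}")
    return "ldap", host_field, port, False


if __name__ == "__main__":
    # Constructed sample inputs, including the URL from the description above.
    for host, port in [("ldaps://ldap.my_company.com:390", "389"),
                       ("ldap.my_company.com", "389"),
                       ("ldap://ldap.my_company.com", "")]:
        print(host, repr(port), "->", resolve_ldap_endpoint(host, port))
```

The returned encrypted flag makes the rule from the description explicit: a bare host name with port 636 in the LDAP port field is still treated as plain ldap, because only the ldaps URL form requests encryption.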
The field Bind password has to be filled with the password of the user specified in the Bind dn field. Beware that this password is used only for the one LDAP import and is never stored in ProcMan, so it has to be typed in again for every new import, even if the form has been filled in using a known LDAP.
The field Search dn has to be filled with the distinguished name that identifies where in the object structure on the LDAP server the user objects are searched for.
The field User dn identifier has to be filled with the name of the attribute in which the LDAP server returns the distinguished names of the users after applying Search dn and Filter.
The field User identifier has to be filled with the name of the attribute in which the LDAP server returns the user name when a particular user distinguished name is searched for.
The check-box User names are case sensitive specifies whether the imported user names are handled as case sensitive or case insensitive. If it is checked, the names must always be typed at login exactly as they were imported from the LDAP server. Otherwise any alphabetic letter in a user name can be typed at login as either a capital or a small letter.
The field Show only users matching filter has to be filled with a pattern string: only users whose user name returned by the LDAP server matches this pattern are shown in the users list in the following LDAP import – User selection form. The pattern string can contain the wildcards asterisk (*) and question mark (?). An asterisk matches any string, including the empty string; a question mark matches any single character. If an asterisk or question mark is meant as a literal character appearing in the user names rather than as a wildcard, it must be escaped with a backslash (\) like this: \* or \?. Likewise, if a backslash is meant as a literal character appearing in the user names it must be escaped like this: \\.
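The wildcard rules above (asterisk, question mark, backslash escaping) and the case-sensitivity check-box are easy to get subtly wrong when a name contains characters such as a dot that mean something else in regular expressions. The following added example (not ProcMan's own code) translates such a pattern into a regular expression and applies it to a constructed list of user names; how a pattern that ends with a lone backslash is treated is not specified above, so rejecting it is an assumption.

```python
import re
from typing import Iterable, List


def pattern_to_regex(pattern: str) -> str:
    """Translate a ProcMan-style wildcard pattern into a Python regular expression.

    * matches any string (including the empty string), ? matches exactly one
    character, and a backslash escapes the following character so that *, ?
    and the backslash itself can appear literally.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            # Assumption: a trailing lone backslash is rejected; the description
            # above does not say how such a pattern should be treated.
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with an unescaped backslash")
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            # Every other character is literal, including regex metacharacters like '.'
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def compile_user_filter(pattern: str, case_sensitive: bool = True) -> "re.Pattern[str]":
    """Compile the pattern; case handling follows the 'User names are case sensitive' check-box."""
    flags = re.DOTALL if case_sensitive else re.DOTALL | re.IGNORECASE
    return re.compile(pattern_to_regex(pattern), flags)


def select_users(user_names: Iterable[str], pattern: str, case_sensitive: bool = True) -> List[str]:
    """Return the user names that match the whole pattern, preserving input order."""
    rx = compile_user_filter(pattern, case_sensitive)
    return [name for name in user_names if rx.fullmatch(name)]


# Constructed sample of user names as an LDAP server might return them.
SAMPLE_USERS = ["jdoe", "JDOE", "svc_backup", "svc*admin", "a?b", "dom\\user", "j.smith"]

if __name__ == "__main__":
    for pat, cs in [("j*", True), ("j*", False), ("svc_??????", True),
                    ("svc\\*admin", True), ("a\\?b", True), ("dom\\\\user", True)]:
        print(f"{pat!r:16} case_sensitive={cs!s:5} -> {select_users(SAMPLE_USERS, pat, cs)}")
```

Note that the pattern is matched against the whole user name (fullmatch), so a pattern such as j* only selects names that begin with j rather than any name that contains a j.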
In the field Description identifier the name of the attribute in which the LDAP server returns the user description can be entered. This field can be left empty, but in that case no user description will be imported.
In the field Company identifier the name of the attribute in which the LDAP server returns the name of the company can be entered. This field can be left empty, but in that case no company will be imported.
In the field Telephone identifier the name of the attribute in which the LDAP server returns the phone number of the user can be entered. This field can be left empty, but in that case no phone number will be imported.
In the field Mobile identifier the name of the attribute in which the LDAP server returns the mobile-phone number of the user can be entered. This field can be left empty, but in that case no mobile-phone number will be imported.
In the field E-mail identifier the name of the attribute in which the LDAP server returns the e-mail address of the user can be entered. This field can be left empty, but in that case no e-mail address will be imported.
The check-box Users are allowed to change their passwords specifies whether users authenticated by the LDAP server can change their passwords or not.
In the selection-box LDAP server/backend type the type of the LDAP server/backend has to be selected. It is displayed only if the check-box Users are allowed to change their passwords is checked. Currently only RACF or other can be selected here. Selecting the proper type is important because changing a password via LDAP works differently for RACF than for other LDAP servers/backends.
In the field Password identifier the name of the password attribute of a user in the LDAP structure has to be specified. It is displayed only if the check-box Users are allowed to change their passwords is checked and the type other is selected in the selection-box LDAP server/backend type. In this case a non-empty attribute name has to be specified here.
After the fields in the LDAP import form have been filled in and the OK button clicked, the dialog lists all users found on the LDAP server that match the specified criteria in the LDAP import – User selection form (see picture below).
Clicking the Cancel button returns the dialog to the accounts list without importing any new accounts.
In the field Client select the client into which the accounts shall be imported.
The users found on the LDAP server are listed in a table. Users to be imported are selected by checking the check-box in the first column of their table row; users that are not selected are ignored by the import. When this form opens, only users unknown to ProcMan (those with no account yet) are selected, but the initial selection can be changed freely. If a user already known in ProcMan is selected, the import updates that account from LDAP (replacing the description, company, e-mail etc. with the current values).
Clicking the OK button starts the import; ProcMan accounts are created or updated in the specified client for the selected users. When the import has finished, the dialog returns to the accounts list.
Clicking the Use known LDAP button in the LDAP import form opens the Known LDAPs form (see picture below).
Clicking the Cancel button returns the dialog to the LDAP import form.
When an LDAP system is selected by checking the check-box in the first column of its row and the OK button is clicked, the dialog returns to the LDAP import form and fills it with the values stored for the selected LDAP system. Clicking the IP address / DNS name of the host in the table of known LDAPs has the same effect.
This form also allows LDAP systems to be deleted from the table of known LDAPs by selecting one or more LDAP systems and clicking the Delete button. Only LDAP systems that are currently not in use by any account in ProcMan can be deleted.
The field Bind dn has to be filled with the distinguished name of a user who is authorized on the LDAP server to read the users list (as described in the chapter Prerequisites of the documentation).
The field Filter has to be filled with the filter used to limit the set of user objects returned when the Search dn is applied. If no filtering is required, it has to be filled with the value objectclass=*. For more information about the filter syntax please refer to the LDAP protocol standard proposal RFC 4511.