First, create a new record describing the corporate AD/LDAP server (a server record) whose database will be used to map user groups.
Note: starting from AD/LDAP connector module version 23.100.0, the AD admin password is no longer displayed on the server edit page.
Each server record regulates access to one root of the directory tree. If the corporate network's user groups are stored on several servers, or in several databases on a single server, create a separate server record for each storage location.
To create a server record, go to the Active Directory/LDAP servers page (Settings > AD/LDAP) and click Add on the context toolbar. A form for adding a new record opens.
The Server tab specifies the corporate server and the parameters for accessing the database of user groups stored on it. The specific fields to be completed are described below.
Note: the values for these fields must be requested from the system administrator.
NTLM authorization domain - defines the domain the AD/LDAP server requires when a user authenticates as domain\login (specified in Latin characters) and during automatic NTLM authorization (it must match the organization's domain exactly, including letter case).
This value identifies the specific server record in which the user account is searched for on the corporate server.
When several LDAP servers are available, this field is mandatory, because different servers may hold users with the same name. In that case the mnemonic name determines the record, i.e. the server and directory tree root, in which the account is searched for its authentication in Bitrix Framework.
If several server records specify the same domain, then starting from version 15.0 the system does not stop at the first suitable server but cycles through all suitable servers.
Server:port - address and port of the corporate server holding the user group database (port 389 is the standard port for querying an LDAP server).
Current User Login For NTLM Authorization (domain/login) - the login of the administrative account on the server, in the format login@domain or domain\login.
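The following is an added example, not part of the Bitrix documentation or the connector's own code. It shows the two login formats above being split into domain and login, the NTLM authorization domain selecting server records case-sensitively, and, where several records share one domain, each record being tried in turn as the text describes for version 15.0 and later. The server records, the account lists and the `fake_bind` callback are constructed stand-ins; a real deployment would bind to the directory instead.

```python
# Added example (not Bitrix code): login parsing and server-record selection.
from typing import Callable, Dict, List, Optional, Set, Tuple

ServerRecord = Dict[str, str]

# Constructed server records: two of them share the NTLM domain 'CORP'.
SERVER_RECORDS: List[ServerRecord] = [
    {"ntlm_domain": "CORP", "server": "dc1.corp.example:389",
     "tree_root": "DC=corp,DC=example"},
    {"ntlm_domain": "CORP", "server": "dc2.corp.example:389",
     "tree_root": "OU=Branch,DC=corp,DC=example"},
    {"ntlm_domain": "LAB", "server": "ldap.lab.example:389",
     "tree_root": "DC=lab,DC=example"},
]

# Constructed stand-in for the directories: which logins exist on which server.
ACCOUNTS: Dict[str, Set[str]] = {
    "dc1.corp.example:389": {"jdoe"},
    "dc2.corp.example:389": {"branchuser"},
    "ldap.lab.example:389": {"jdoe"},
}


def split_login(raw: str) -> Optional[Tuple[str, str]]:
    """Return (domain, login) for 'domain\\login' or 'login@domain', else None."""
    if "\\" in raw:
        domain, _, login = raw.partition("\\")
    elif "@" in raw:
        login, _, domain = raw.rpartition("@")
    else:
        return None
    if not domain or not login:
        return None
    return domain, login


def candidate_servers(raw_login: str,
                      records: List[ServerRecord] = SERVER_RECORDS) -> List[ServerRecord]:
    """All server records whose NTLM domain equals the login's domain.

    The comparison is case-sensitive because the domain must match including
    letter case: 'corp\\jdoe' matches no record in SERVER_RECORDS.
    """
    parsed = split_login(raw_login)
    if parsed is None:
        return []
    domain, _ = parsed
    return [r for r in records if r["ntlm_domain"] == domain]


def fake_bind(record: ServerRecord, login: str) -> bool:
    """Constructed replacement for a real LDAP bind: succeeds if the login exists."""
    return login in ACCOUNTS.get(record["server"], set())


def resolve_account(raw_login: str,
                    try_bind: Callable[[ServerRecord, str], bool] = fake_bind,
                    records: List[ServerRecord] = SERVER_RECORDS) -> Optional[ServerRecord]:
    """Try every suitable record in order and return the first one holding the
    account, or None when no record accepts it."""
    parsed = split_login(raw_login)
    if parsed is None:
        return None
    _, login = parsed
    for record in candidate_servers(raw_login, records):
        if try_bind(record, login):
            return record
    return None
```

Because `split_login` rejects an empty domain or login, a value such as `\jdoe` is refused before any server is contacted, and a lowercase domain silently yields no candidates, which is the most common reason a correctly typed password still fails NTLM authorization.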
The Check connection button verifies the details entered above and establishes a trial connection to the server. If the check succeeds, the server returns the list of available tree roots. If an error occurs during the check, a red caption at the top of the page states the reason for the error.
Tree root - the directory tree root in which the accounts of authorized users are searched for.
Maximum number of results returned in one search - the maximum number of records retrieved in a single query.
Note: this field is available only for PHP version 5.4 and higher.
The Field mapping tab specifies the parameter values for the user account details stored on the server.
The standard parameter values for both LDAP and AD servers are filled into the form fields automatically. The server type is selected by clicking the link with the corresponding name in the section title.
Note: if the standard values of these parameters have been changed on the corporate server, make the corresponding changes to the parameter values in the form.
You may need to add fields to the group Map user fields to LDAP attributes; use the [add…] link. The LDAP server settings must specify the minimally necessary fields, such as Activity, First name, Last name and E-Mail, i.e. fields that must always be transferred (synchronized from AD). The remaining fields can be configured at import time in the user import form (Execute the following when importing users from Active Directory / LDAP...).
Each field added to this group is checked for updates on synchronization and, on any inconsistency, updated in Bitrix24. This means that if a user has changed any such field in their profile, the field is reset to its former value on the next synchronization.
For this reason, it is recommended to add the maximum possible number of fields for the initial user import. After the import is complete, if periodic synchronization is used, delete the fields that do not require periodic verification.
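The overwrite rule just described, as an added example that is not Bitrix code: every field listed in the mapping is refreshed from the directory entry on each synchronization, so a local edit to a mapped field is reverted, while an unmapped field keeps its local value. The mapping, the sample profile and the sample directory entry are constructed; the only directory-specific fact used is that bit `0x2` of Active Directory's `userAccountControl` attribute marks a disabled account. Leaving a mapped attribute untouched when it is absent from the entry is this example's own choice, not behaviour stated on the page.

```python
# Added example (not Bitrix code): applying the field mapping on synchronization.
from typing import Any, Dict, List, Tuple

# Constructed mapping: Bitrix24 profile field -> LDAP attribute.
# These are the minimal fields the page recommends keeping permanently mapped.
FIELD_MAP: Dict[str, str] = {
    "ACTIVE": "userAccountControl",
    "NAME": "givenName",
    "LAST_NAME": "sn",
    "EMAIL": "mail",
}

# Bit 0x2 of Active Directory's userAccountControl is ACCOUNTDISABLE.
ACCOUNT_DISABLE = 0x2

# Constructed local profile: the user changed NAME and PERSONAL_PHONE by hand.
LOCAL_PROFILE: Dict[str, Any] = {
    "LOGIN": "jdoe", "ACTIVE": "Y", "NAME": "Jonathan", "LAST_NAME": "Doe",
    "EMAIL": "jdoe@corp.example", "PERSONAL_PHONE": "+1 555 0100",
}

# Constructed directory entry: the account was disabled since the last sync.
AD_ENTRY: Dict[str, Any] = {
    "sAMAccountName": "jdoe", "givenName": "John", "sn": "Doe",
    "mail": "jdoe@corp.example", "userAccountControl": 514,  # 0x200 | 0x2
}


def attribute_to_value(field: str, raw: Any) -> Any:
    """Convert a raw directory attribute into its profile representation."""
    if field == "ACTIVE":
        return "N" if int(raw) & ACCOUNT_DISABLE else "Y"
    return raw


def sync_profile(local: Dict[str, Any], entry: Dict[str, Any],
                 field_map: Dict[str, str] = FIELD_MAP) -> Tuple[Dict[str, Any], List[str]]:
    """Return the profile after synchronization and the names of changed fields.

    Only mapped fields are touched; an attribute missing from the entry leaves
    the field as is rather than blanking it (this example's choice, to avoid
    wiping data on a partial read).
    """
    updated = dict(local)  # never mutate the caller's profile
    changed: List[str] = []
    for field, attr in field_map.items():
        if attr not in entry:
            continue
        new_value = attribute_to_value(field, entry[attr])
        if updated.get(field) != new_value:
            updated[field] = new_value
            changed.append(field)
    return updated, changed


def demo() -> Tuple[Dict[str, Any], List[str]]:
    """Run the constructed scenario: NAME is reverted, PERSONAL_PHONE survives."""
    return sync_profile(LOCAL_PROFILE, AD_ENTRY)
```

Dropping `NAME` from `FIELD_MAP` after the initial import is exactly the "delete the fields that do not require periodic verification" step: with the smaller mapping the user's edited name is no longer reverted, while the account status still follows the directory.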
Company Departments and Structure
This section is displayed only when editing an already created connection, and only if the Intranet module is installed. It configures the parameters for importing the company structure into Bitrix Framework.
Specify Import Company Structure From AD. Specifying a fixed location for the import is important if a company has several subsidiaries, each with its own server: you can manually create a department for each subsidiary and select it in the settings of the corresponding server.
Selecting No imports into the root of the department tree.
During import, department names from AD are matched against the names existing in the system; where they match, the existing departments are used.
Use the option Assign Users To Default Department If Undefined In Active Directory for users who have no department specified in Active Directory but are still imported into Bitrix Framework. They are imported into the department specified in the Default Department field.
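The department rules above, as an added example that is not Bitrix code: an existing department with the same name is reused, a user without a department in AD goes to the default department only when the option is enabled, and an unknown department is created under the import location (the tree root when Import Company Structure From AD is No). The in-memory tree, the department names and the placement of new departments under the import location are this example's constructions.

```python
# Added example (not Bitrix code): department placement during import.
from typing import Dict, List, Optional


class DepartmentTree:
    """Minimal in-memory department tree keyed by name (constructed stand-in)."""

    def __init__(self, existing: List[str]) -> None:
        # parent of each department; None stands for the tree root
        self.parent: Dict[str, Optional[str]] = {name: None for name in existing}
        self.created: List[str] = []

    def resolve(self, ad_department: Optional[str], import_root: Optional[str],
                assign_default: bool, default_department: Optional[str]) -> Optional[str]:
        """Return the department the user is placed in, or None if none applies.

        import_root is the department chosen in Import Company Structure From AD
        (None when that setting is No, i.e. the tree root).
        """
        if not ad_department:
            # No department in AD: only the option assigns the default department.
            return default_department if assign_default else None
        if ad_department in self.parent:
            # Name matches an existing department: reuse it.
            return ad_department
        # Unknown department: create it under the import location.
        self.parent[ad_department] = import_root
        self.created.append(ad_department)
        return ad_department


def import_users(tree: DepartmentTree, users: Dict[str, Optional[str]],
                 import_root: Optional[str], assign_default: bool,
                 default_department: Optional[str]) -> Dict[str, Optional[str]]:
    """Place each login (value: AD department or None) and report the result."""
    return {login: tree.resolve(dept, import_root, assign_default, default_department)
            for login, dept in users.items()}
```

Running `import_users` for two subsidiaries with different `import_root` values keeps their unknown departments apart even when both servers use the same department names internally, which is the situation the text describes.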
The Groups tab loads the user groups of the corporate network and of Bitrix Framework into the List of user groups on the AD/LDAP server with group mapping.
To add user group names to the table, click the Refresh group list button.
After the list of user groups has been updated, this section shows the standard mapping table.
The Group on the remote server field sets the mapping between a corporate network user group and a Bitrix Framework user group in the Local group field, so that a single table row holds one such match.
To delete mapped rows from the table, check Delete and click Apply.
Note: the flags are available only when editing previously saved rows. The screenshot shows rows that have not yet been saved, which is why the flags are not available.
In the Exclude the following groups from import field, specify the groups that must not be imported, even if they are selected as a source in the Group on the remote server fields.
If you need to place users from the same server group into two different Bitrix Framework local groups, select that group in Group on the remote server several times and assign a different Local group on each row.
If the same group is specified as Local group in two rows while Group on the remote server holds two different groups, the system adds to the local group only the users present in both remote groups.
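The three rules above (exclusion list, one remote group feeding several local groups, and several remote groups feeding one local group as an intersection) as an added example that is not Bitrix code. The mapping rows, the exclusion list and the remote memberships are constructed sample data.

```python
# Added example (not Bitrix code): evaluating the group mapping table.
from typing import Dict, List, Set, Tuple

MappingRow = Tuple[str, str]  # (Group on the remote server, Local group)

# Constructed mapping rows as they would appear in the table.
MAPPING_ROWS: List[MappingRow] = [
    ("CN=Sales,OU=Groups,DC=corp,DC=example", "Employees"),
    ("CN=Sales,OU=Groups,DC=corp,DC=example", "Sales team"),  # same remote group twice
    ("CN=Managers,OU=Groups,DC=corp,DC=example", "Leads"),
    ("CN=Finance,OU=Groups,DC=corp,DC=example", "Leads"),     # same local group twice
    ("CN=Temp,OU=Groups,DC=corp,DC=example", "Temp staff"),
]

# Constructed value of 'Exclude the following groups from import'.
EXCLUDED: Set[str] = {"CN=Temp,OU=Groups,DC=corp,DC=example"}

# Constructed directory memberships: remote group -> logins.
REMOTE_MEMBERS: Dict[str, Set[str]] = {
    "CN=Sales,OU=Groups,DC=corp,DC=example": {"alice", "bob"},
    "CN=Managers,OU=Groups,DC=corp,DC=example": {"carol", "dave"},
    "CN=Finance,OU=Groups,DC=corp,DC=example": {"dave", "erin"},
    "CN=Temp,OU=Groups,DC=corp,DC=example": {"frank"},
}


def local_group_members(rows: List[MappingRow], excluded: Set[str],
                        remote_members: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Members of every local group named in the table.

    Excluded remote groups contribute nothing. A local group that appears in
    several rows receives only users present in all of its remote groups.
    """
    required: Dict[str, List[str]] = {}
    for remote, local in rows:
        required.setdefault(local, [])
        if remote not in excluded:
            required[local].append(remote)

    result: Dict[str, Set[str]] = {}
    for local, remotes in required.items():
        if not remotes:
            result[local] = set()  # every source row was excluded
            continue
        members = set(remote_members.get(remotes[0], set()))
        for remote in remotes[1:]:
            members &= remote_members.get(remote, set())
        result[local] = members
    return result


def groups_of(login: str, mapping: Dict[str, Set[str]]) -> Set[str]:
    """Inverse view: which local groups a single login lands in."""
    return {local for local, members in mapping.items() if login in members}
```

The intersection rule is worth checking before a production import: in the sample, `carol` is a manager but never reaches `Leads`, because the second `Leads` row turned the mapping into "managers who are also in Finance", which is rarely what an administrator meant when adding the row.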
Periodic database synchronization is configured on the Synchronization tab.
To activate the fields, set the flag in the field Perform full synchronization.
Note: new users can be added only starting from version 15.0 with automatic synchronization enabled. Earlier versions update only the profiles of existing users; in those versions new employees are added by manual import or after they authenticate in Bitrix Framework themselves.
The value of the Period field depends on how frequently employee profiles are updated in your company.
Select the LDAP "Modified On" Attribute used to maintain the change history (or leave the default).
It is convenient to use Agents for full synchronization: a technology that launches the necessary functions during normal system operation without any external software.
After saving, the record is added to the list on the Active Directory/LDAP servers page.
To update or delete a record, select the corresponding item in the record's action menu.