Last Modified: 18.08.2021
You create an AD/LDAP server record in the administrative area (Control Panel) by specifying the required server data and the user group mapping.
Each record governs access to one directory tree root. If the corporate network user groups are stored on several servers, or in several databases on a single server, create a separate record for each storage point.
- Open Active Directory / LDAP server settings (Settings > AD/LDAP).
- Click Add to open the new record creation form.
- The Server tab holds the corporate server details and the connection settings. Ask your system administrator (or whoever owns the directory) for these values.
- Active: if this box is checked, the record is included in the user profile lookup when a user attempts to log in.
- Name: the name of the record as it will be shown in lists.
- Description: a free-text description of the server.
- NTLM Authorization Domain: the domain of the AD/LDAP server against which users are authenticated. This field is also used for unattended NTLM authentication (single sign-on without a password prompt). Users are identified as domain\login.
- Server:port: the IP address or host name and the port of the corporate server hosting the user group database. Port 389 is the standard port for plain LDAP; on that port the administrative credentials and every lookup travel in clear text unless the connection is upgraded with StartTLS. Where the server supports it, use LDAPS (port 636), particularly when the directory is reached across an untrusted network segment.
- Administrative login: the account the module binds with to read the directory. A dedicated account with read-only access to the relevant tree is sufficient for the lookups and imports described here; do not use a domain administrator account.
- Administrative password: the password of that account.
- Test connection: click this button after you have filled in the fields above to verify the connection.
This attempts a trial bind to the server. If the check succeeds, the server returns the list of available tree roots (naming contexts). If it fails, the page shows the error description in red.
- Tree root (base DN): select the directory subtree that is searched for user profiles during login.
- The Field Mapping group describes how the user profile attributes stored on the server correspond to site user fields.
The controls of this group are pre-filled with the standard attribute names for LDAP or AD servers.
- Select the server type by clicking the corresponding link in the section title.
- If the corporate server deviates from the standard schema, adjust the values in this group to match the server.
To add more user field to attribute mapping entries, click the [add…] link. For an LDAP server, map at least the required fields (first name, last name, e-mail address and so on); these are synchronized continuously from the directory to the website. Other fields can be imported with the user import option on the Field Mapping tab.
During synchronization each mapped field is compared with the directory value and updated on the website end (that is, in Bitrix Site Manager). In practice this means that if a user has edited one or more mapped fields on the website, those edits are overwritten with the directory values.
It is recommended to create as many field mapping entries as possible when importing users for the first time, and to delete the redundant mappings once the import is complete.
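The overwrite rule above is easy to get wrong in practice, so here is an added example (not Bitrix code) that applies a field mapping to one user the way the synchronization is described: every mapped field is replaced by the directory value, unmapped fields are left alone. The attribute names in FIELD_MAPPING, the sample user and the sample directory entry are constructed for illustration; the behaviour for an attribute missing from the entry is an assumption, since the page does not specify it.

```python
# Added example (not Bitrix code): directory-to-site sync of mapped fields,
# following the Field Mapping rules described above. The attribute names in
# FIELD_MAPPING are assumed AD-style defaults; a real server may differ.

# Site user field -> directory attribute (assumed defaults).
FIELD_MAPPING = {
    "LOGIN": "sAMAccountName",
    "NAME": "givenName",
    "LAST_NAME": "sn",
    "EMAIL": "mail",
}


def _scalar(value):
    """LDAP attributes are multi-valued; the site field takes the first value."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else ""
    return value


def sync_user(local_user, ldap_entry, mapping=FIELD_MAPPING):
    """Return (updated_user, changes) for one user.

    Every mapped site field is overwritten with the directory value, so an
    edit the user made on the website side to a mapped field is reverted.
    Fields that are not mapped are left exactly as they were. An attribute
    that is missing from the directory entry is skipped (assumption: the
    page does not say what happens in that case).
    changes is a list of (field, old_value, new_value) tuples.
    """
    updated = dict(local_user)
    changes = []
    for field, attr in mapping.items():
        if attr not in ldap_entry:
            continue
        new = _scalar(ldap_entry[attr])
        old = updated.get(field)
        if old != new:
            changes.append((field, old, new))
            updated[field] = new
    return updated, changes


# Constructed sample data. The website copy has two local edits: the user
# changed the mapped LAST_NAME and filled in an unmapped PERSONAL_PHONE.
SAMPLE_LOCAL_USER = {
    "LOGIN": "jsmith",
    "NAME": "John",
    "LAST_NAME": "Smith-Jones",       # edited on the website, will be reverted
    "EMAIL": "jsmith@example.com",
    "PERSONAL_PHONE": "+1 555 0100",  # not mapped, survives the sync
}

SAMPLE_LDAP_ENTRY = {
    "sAMAccountName": ["jsmith"],
    "givenName": ["John"],
    "sn": ["Smith"],
    "mail": ["jsmith@example.com"],
    "telephoneNumber": ["+1 555 0199"],  # not mapped, never reaches the site
}


def demo():
    """Run the sync on the sample data and report what was overwritten."""
    updated, changes = sync_user(SAMPLE_LOCAL_USER, SAMPLE_LDAP_ENTRY)
    for field, old, new in changes:
        print(f"{field}: {old!r} -> {new!r}")
    return updated, changes


if __name__ == "__main__":
    demo()
```

Running the sync on the sample shows a single change, LAST_NAME reverting from "Smith-Jones" to "Smith", while PERSONAL_PHONE is untouched and the directory's telephoneNumber never reaches the site because nothing maps it. Running such a dry run over the exported user list before the first full import is a cheap way to see which local edits the mapping will silently discard.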
Company Departments and Structure
This group contains the company structure import options.
- Check the Import Company Structure From AD box if the company structure should be updated from AD every time the website user data is synchronized with the intranet network records.
- Use the Import Structure From AD Server to This Portal Department option if your company has multiple offices, each running its own intranet server. Create a department for each office and select it in that server's record.
Otherwise, the company structure is imported to the root of the department tree.
If a department found in an AD record already exists in the tree on the website end, the existing website department is used instead of creating a new one from AD.
- The Assign Users To Default Department If Undefined In Active Directory option, if checked, adds orphan users (users with no department in AD) to the website structure. Otherwise, such users are skipped.
- Specify the Default Department to which the orphan users are added. This setting is only used if the previous option is enabled.
The User Group Mapping section loads the corporate user groups and the site user groups into the Assignment Table, where you specify how they map to each other.
Click Refresh Group List to add more user groups to the table. This also verifies the parameters specified in the other sections.
After the list is refreshed, this section displays the Assignment Table:
- Group on the remote server. In the Group on the remote server column, select a corporate network user group.
- Local group. In the Local group column, select the site user group that should correspond to the selected corporate network user group. A single table row therefore pairs one corporate network user group with one matching site user group.
- Delete. To delete a row from the table, check the Delete box and click Apply.
- More. Click More to add rows to the table.
- If you need to skip one or more user groups, list their names in the Exclude the following groups from import field. These groups are not imported even if they are selected in the Group on the remote server column.
To add the users of one corporate group to several website user groups, select that group in the Group on the remote server column as many times as required and map each row to a different local user group.
If the same local user group is selected for several different remote user groups, only the users who are members of all of those remote groups are added to the local user group.
The Synchronization tab contains the options that let an administrator schedule unattended updates of the user database.
- Check the Perform full synchronization box to enable the synchronization options.
- Enter the required synchronization period.
- If required, enter a custom LDAP attribute name; it is used to track record updates.
Click Save to save the changes and return to the list of servers.
Saving a record adds it to the list of servers on the Active Directory/LDAP server settings page.
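The Assignment Table rules above (one remote group mapped to several local groups, several remote groups mapped to one local group, and the exclusion list) interact in ways that are worth checking before a synchronization runs, because they decide which site groups, and therefore which permissions, each directory user receives. The following added example (not Bitrix code) resolves a constructed table against constructed remote group memberships using exactly those rules; the two behaviours the page leaves unspecified (a remote group missing from the server, and a local group whose remote groups are all excluded) are marked as assumptions.

```python
# Added example (not Bitrix code): resolves the Assignment Table rules from
# the User Group Mapping section into the final local-group membership.
# Group names, logins and the table rows are constructed sample data.


def resolve_local_groups(rows, excluded, remote_members):
    """Compute local group membership from the Assignment Table.

    rows           - list of (remote_group, local_group) table rows; a row
                     whose Delete box was checked is simply not passed in
    excluded       - names listed in "Exclude the following groups from import"
    remote_members - remote_group -> set of logins, as read from the server

    Rules implemented:
      * an excluded remote group is ignored even if it appears in a row
      * a remote group mapped to several local groups adds its users to each
      * a local group mapped to several remote groups receives only the users
        present in ALL of those remote groups (intersection)
    Assumptions not stated on the page: a remote group that does not exist on
    the server contributes an empty set, and a local group whose remote groups
    are all excluded ends up empty.
    """
    remotes_by_local = {}
    for remote, local in rows:
        remotes = remotes_by_local.setdefault(local, [])
        if remote not in excluded:
            remotes.append(remote)

    result = {}
    for local, remotes in remotes_by_local.items():
        member_sets = [remote_members.get(r, set()) for r in remotes]
        result[local] = set.intersection(*member_sets) if member_sets else set()
    return result


def groups_for_user(resolved, login):
    """Local groups a given login ends up in (sorted for stable output)."""
    return sorted(g for g, members in resolved.items() if login in members)


# Constructed sample: three remote groups and their members.
REMOTE_MEMBERS = {
    "Developers": {"alice", "bob"},
    "Admins": {"alice", "carol"},
    "Contractors": {"dave"},
}

# Constructed Assignment Table. Developers is mapped to three local groups;
# Privileged is fed by two remote groups (intersection applies); Contractors
# appears in the table but is also on the exclusion list.
ASSIGNMENT_ROWS = [
    ("Developers", "Employees"),
    ("Contractors", "Employees"),
    ("Developers", "Site Developers"),
    ("Developers", "Privileged"),
    ("Admins", "Privileged"),
    ("Contractors", "External"),
]
EXCLUDED = {"Contractors"}


if __name__ == "__main__":
    resolved = resolve_local_groups(ASSIGNMENT_ROWS, EXCLUDED, REMOTE_MEMBERS)
    for local in sorted(resolved):
        print(f"{local}: {sorted(resolved[local])}")
    print("alice ->", groups_for_user(resolved, "alice"))
```

With this table, Employees and Site Developers both receive alice and bob, Privileged receives only alice (the one user in both Developers and Admins), External stays empty because its only source group is excluded, and dave is imported nowhere. The intersection rule is the one to watch: mapping a second remote group onto an existing local group narrows that group's membership rather than widening it.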