In addition to the internal user administration, it is possible to compile user information (master data + authentication) via LDAP (MS Active Directory). This option is activated in "User authentication" of the client settings and is available only when using an appropriate license. Furthermore, the server to be connected must return LDAP objects of type "user" with at least the attribute "UserPrincipalName". Unlike internal users, the master data and password of LDAP users can not be changed. This is still done using the corresponding standard application.

Anmeldeeinstellungen für Benutzer innerhalb der Mandanteinstellungen mit Meldung über erfolgreiche Verbindungsprüfung.

Configuring the LDAP server on the client

In the section User authentication within the client settings it is necessary to change the user management to only LDAP or LDAP and System mixed in order to manage users from an LDAP system. Consequently, the connection to the LDAP server is configured:

  • SSL encryption: Indicates whether the transport with the LDAP server can/should be carried out using SSL.
  • LDAP-Server: Name or IP adress of the LDAP server
  • Port: Communication port of the LDAP server
  • User for the user search: This account must have the right to send search queries (user object) to the LDAP server. See also create user.
  • Password: User password for logging in to the LDAP server.
  • BaseDN for user search: BaseDN to search for users who are to be authenticated. Example: ou="internal", dc="company", dc="com"
  • Filter query: Optional LDAP filters to apply further restrictions within the set of user objects (tutorial)
  • Entries per page (paging): Indicates how many LDAP server entries are expected per page. A value of 0 disables this and the server will expect all values
  • Max. referral hops: Specifies the maximum number of times reference-jumps (Referral hops) are permitted on the LDAP server. A value of 0 disables the tracking of references

Installing certificates in the Java TrustStore

The Java used to run the Application Container which in term runs Xima® Formcycle must trust the LDAP server's certificate.

For this purpose, it may be necessary to import the root certificate used to issue the LDAP server's certificate into the Java TrustStore. Instructions on how to do this can be found on the page Importing certificates into keystores

Testing the Connection

It is already possible to test the entered data before saving. The "Check connection" button tests whether a connection to the LDAP server can be set up successfully and a message indicates the number of user objects found.