LDAP

To authorize users against a directory service (Active Directory, OpenLDAP, etc.), add and configure the LDAP section in the server configuration file.

LDAP users' accounts

On the first login of a user authenticated via LDAP, their account is created in the system automatically. For such users the Source field on the General tab has the value LDAP, and they are marked with a dedicated icon in the list of users.

If the login of an LDAP-authenticated user matches the login of a user already registered in the system, the LDAP user will not be able to log in.

By default, LDAP users have the same permissions as any newly created user.

The Password change tab is not available for LDAP users: their passwords are stored on the AD server.

For LDAP users who do not yet have a SAYMON account, access to the system can be restricted by preparing groups for the required users in advance. To create a SAYMON account only for users who belong to an LDAP group whose name matches an existing (previously created) SAYMON group, set the following parameter in the server configuration file:

{
  ...
  "ldap": {
    ...
    "create_user_for_existing_group_only": true,
    ...
  }
}

LDAP user groups

During LDAP authorization, groups whose names match the user's LDAP groups but do not yet exist in SAYMON can be created in the system automatically. The authorized user is added to the imported groups automatically. To enable this, set the following parameter in the server configuration file:

{
  ...
  "ldap": {
    ...
    "import_non_existing_groups": true,
    ...
  }
}

LDAP groups (groups created during the authorization of LDAP users) are marked with a dedicated icon in the list. These groups cannot be renamed, and their source is set to LDAP.

Groups created in SAYMON whose names match the names of user groups in LDAP can be converted to LDAP groups. To enable this, set the following parameter in the server configuration file:

{
  ...
  "ldap": {
    ...
    "update_existing_groups": true,
    ...
  }
}

If an LDAP user has been removed from a SAYMON group that corresponds to one of their LDAP groups, the user is returned to that group at their next login.

Removing LDAP users

After an LDAP user's account is removed, the user can still log in to the system with their credentials. The account is created again with default permissions; permissions obtained through groups remain.

The create_user_for_existing_group_only parameter does not affect existing users. If the option is enabled and SAYMON has no group with the same name as any of the user's LDAP groups, the user will not be able to recreate their account.

To block an LDAP user from logging in, it is sufficient to set their status to Blocked.
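The rules above (login collision, create_user_for_existing_group_only, import_non_existing_groups, update_existing_groups, membership restored at the next login, account removal, and the Blocked status) interact at every LDAP login. The following Python model is an added example, not SAYMON's own code: it replays those rules over an in-memory store so the outcome of each combination can be checked before changing a production configuration. The class and function names, the order in which the group check runs before any import, and the assumption that every name-matched SAYMON group receives the user as a member are this example's own choices, not documented behaviour.

```python
"""Hypothetical model of the documented LDAP account and group rules (added example,
not SAYMON's implementation)."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    source: str                       # "SAYMON" for local groups, "LDAP" otherwise
    members: set = field(default_factory=set)


@dataclass
class User:
    login: str
    source: str                       # "SAYMON" or "LDAP"
    blocked: bool = False


class AccountStore:
    """In-memory stand-in for the server's user and group tables."""

    def __init__(self, config: dict):
        self.cfg = config.get("ldap", {})
        self.users: dict[str, User] = {}
        self.groups: dict[str, Group] = {}

    def add_local_group(self, name: str) -> None:
        self.groups[name] = Group(name, "SAYMON")

    def ldap_login(self, login: str, ldap_groups: list[str]) -> tuple[bool, str]:
        """Apply the documented rules after one successful LDAP bind; returns (allowed, reason)."""
        user = self.users.get(login)
        # Rule: an LDAP login that collides with an existing non-LDAP login is refused.
        if user is not None and user.source != "LDAP":
            return False, "login already taken by a non-LDAP account"
        # Rule: the Blocked status stops the login.
        if user is not None and user.blocked:
            return False, "account is blocked"
        # SAYMON groups that already exist under one of the user's LDAP group names.
        matching = [g for g in ldap_groups if g in self.groups]
        if user is None:
            # Rule: with create_user_for_existing_group_only, the account is created only
            # if a prepared group matches. Assumption: checked before any group import.
            if self.cfg.get("create_user_for_existing_group_only") and not matching:
                return False, "no SAYMON group matches the user's LDAP groups"
            user = User(login, "LDAP")
            self.users[login] = user
        # Rule: update_existing_groups converts name-matched local groups to LDAP groups.
        if self.cfg.get("update_existing_groups"):
            for name in matching:
                self.groups[name].source = "LDAP"
        # Rule: import_non_existing_groups creates the missing groups with source LDAP.
        if self.cfg.get("import_non_existing_groups"):
            for name in ldap_groups:
                if name not in self.groups:
                    self.groups[name] = Group(name, "LDAP")
        # Membership is re-synchronised at every login, so a user removed from the SAYMON
        # counterpart of an LDAP group gets it back here. Assumption: every name-matched
        # group receives the member, whether its source is SAYMON or LDAP.
        for name in ldap_groups:
            if name in self.groups:
                self.groups[name].members.add(login)
        return True, "ok"

    def remove_user(self, login: str) -> None:
        """Deleting the account leaves group membership in place, so permissions
        granted through groups survive a re-created account."""
        self.users.pop(login, None)

    def groups_of(self, login: str) -> set[str]:
        return {g.name for g in self.groups.values() if login in g.members}


def run_scenarios() -> dict:
    """Constructed scenarios exercising each rule with all three options enabled."""
    cfg = {"ldap": {"create_user_for_existing_group_only": True,
                    "import_non_existing_groups": True,
                    "update_existing_groups": True}}
    store = AccountStore(cfg)
    store.add_local_group("ops")                      # group prepared in advance
    store.users["carol"] = User("carol", "SAYMON")    # pre-existing local account
    out = {}
    out["alice_first"] = store.ldap_login("alice", ["ops", "dev"])[0]
    out["dev_source"] = store.groups["dev"].source    # imported, so LDAP
    out["ops_source"] = store.groups["ops"].source    # converted, so LDAP
    out["bob_no_match"] = store.ldap_login("bob", ["qa"])[0]      # refused: nothing prepared
    out["qa_imported"] = "qa" in store.groups                     # refused login imports nothing
    out["carol_collision"] = store.ldap_login("carol", ["ops"])[0]
    store.groups["ops"].members.discard("alice")      # removed from the group by hand
    store.remove_user("alice")                        # account deleted
    out["alice_recreated"] = store.ldap_login("alice", ["ops", "dev"])[0]
    out["alice_groups"] = sorted(store.groups_of("alice"))        # membership restored
    store.users["alice"].blocked = True
    out["alice_blocked"] = store.ldap_login("alice", ["ops", "dev"])[0]
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Running the module prints one line per scenario. The "bob" case is the one to watch when enabling create_user_for_existing_group_only together with import_non_existing_groups: in this model the existence check runs before the import, so a user with no prepared group is refused rather than having their groups imported; if the server evaluated the options in the other order the restriction would be ineffective, so verify the actual behaviour on a test account before relying on it.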