Sync LDAP User Directory Manager

The Sync LDAP User Directory Manager is a hybrid solution that allows you to use the user objects from your organization's LDAP server and maintain the organization structure (organization/department/group) locally inside Joget.

This plugin allows you to import user objects from the LDAP server on demand into Joget's built-in user directory manager to reduce its dependency on the LDAP server for improved performance.

The primary benefit of using Sync LDAP is better performance for user-data-related processing:

  • Joget only contacts LDAP for AD user authentication; everything else uses the local records.

The built-in user directory manager is still the primary handler when this plugin is activated. Once you have synchronized the users to the local directory manager, you can assign the users to your organization/department/group/grade which was created locally.

With this plugin, the conventional load on, and dependency on, the LDAP server is reduced, and LDAP is used only for authentication.

Joget DX adds the Auto schedule sync property. The Joget admin can also click the Sync Users button to perform an LDAP sync manually.

Joget identifies a user as managed by Sync LDAP when the password column in the database is NULL, which has the following consequences:

  • Users cannot edit their profiles.
  • Admin cannot use Admin Bar > Users > Setup User to edit user information.
  • Only records whose password is NULL are synchronized with your LDAP directory.

If a user wants to change their password, it is recommended to do so in LDAP/AD.

  • If there is a new user in LDAP, it is created in the Joget user database. If a user that exists in Joget no longer exists in LDAP, that user is disabled (set inactive) in Joget; it is never deleted.
    • If an LDAP user is deleted from AD, the record in dir_user is not deleted.
    • Upon sync, the related local user record is set to inactive.
    • If the local user record is deleted instead but the user still exists in AD, it is simply re-imported on the next sync.
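The reconciliation rules above, modelled as an added example (not Joget's own code) over a constructed local user table, where a NULL (None) password marks a Sync LDAP-managed record:

```python
# Added example, not Joget's code: a model of the Sync LDAP reconciliation
# rules described on this page, run over constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LocalUser:
    username: str
    password: Optional[str]  # NULL (None) marks a record managed by Sync LDAP
    active: bool = True


# Constructed sample data: LDAP currently holds cat, jack and john;
# "admin" is a locally managed account, "jackie" was removed from LDAP.
SAMPLE_LDAP = ["cat", "jack", "john"]
SAMPLE_LOCAL = [
    LocalUser("admin", "hashed-local-password", True),
    LocalUser("cat", None, True),
    LocalUser("jackie", None, True),
]


def sync_users(ldap_usernames: List[str], local_users: List[LocalUser]
               ) -> Tuple[Dict[str, LocalUser], List[Tuple[str, str]]]:
    """Return the reconciled local table and the list of actions taken.

    Rules taken from the page:
      * only records whose password is NULL are touched by the sync
      * a user present in LDAP but missing locally is created (password NULL)
      * a NULL-password user missing from LDAP is set inactive, never deleted
      * a locally deleted record that still exists in LDAP is re-imported
    """
    ldap_set = set(ldap_usernames)
    result = {u.username: LocalUser(u.username, u.password, u.active)
              for u in local_users}
    actions: List[Tuple[str, str]] = []
    for name, user in result.items():
        if user.password is not None:
            continue  # locally managed account: the sync leaves it alone
        if name not in ldap_set and user.active:
            user.active = False  # disabled, but the dir_user row is kept
            actions.append(("inactive", name))
    for name in sorted(ldap_set - result.keys()):
        result[name] = LocalUser(name, None, True)  # new or re-imported
        actions.append(("create", name))
    return result, actions


def run_sample() -> Tuple[Dict[str, LocalUser], List[Tuple[str, str]]]:
    return sync_users(SAMPLE_LDAP, SAMPLE_LOCAL)
```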

Configuring Sync LDAP

To configure the Sync LDAP User Directory Manager, select Settings > Directory Manager Settings, and in the Select Plugin field, choose Sync LDAP User Directory Manager.

Fields to configure:

  • URL: ldap://IP_ADDRESS:389
  • Admin Username (Principal):  cn=admin,dc=joget,dc=org
  • Admin Password (Credential): Input the admin password for your LDAP/AD.
  • Root DN: Set the root DN, for example DC=Joget,DC=org
  • Sync Organization: 

    Perform synchronization not just to user objects, but to the whole organizational structure including Group, Department, Grade as well.

    By enabling this feature, you will need to configure the following as well.

    • Organization ID: 

      Declare an organization ID to bind all the users synced from LDAP.

      If the organization declared does not exist in Joget, a new one will be created.

    • Organization Name: 

      Declare an organization name to bind all the users synced from LDAP.

      If the one declared here is not the same as the existing one in Joget, it will be updated with the value set here.

See the documentation for setting up Group, Department, and Grade in LDAP Directory Manager.

User Management

If there is a new user in LDAP, it is created in the Joget user database.
If a user that exists in Joget no longer exists in LDAP, that user is disabled in Joget; it is never deleted. See LDAP User Management.

  • Auto schedule sync?: 

    Tick this checkbox to sync your LDAP automatically on a schedule; the following additional options are then displayed:

    • Sync Interval (Hour)
    • Sync Initial Start Time (HH:mm)

User

Fields to configure:

  • User Base DN: Set the user base DN property.
    Tips
    If you set the User Base DN to your LDAP Root DN, the search starts from the Root DN and walks the tree until it has found all the entries that match the search filter.
    Setting the User Base DN precisely is therefore important, because it decides where the search starts and avoids all the unnecessary searching between the Root DN and your User Base DN.

    Root DN
    DC=joget,DC=org
    Under the Root DN, you have the following DN:
    DC=HR,DC=joget,DC=org
    DC=Product Department,DC=joget,DC=org
    DC=Operation,DC=joget,DC=org
    DC=Users,DC=joget,DC=org
    If your users are all under DC=Users,DC=joget,DC=org, set the User Base DN to that value.
    The search will then not walk all the other entries and their child entries before reaching DC=Users,DC=joget,DC=org.
  • User Import Search Filter: (objectClass=person)
    Tips
    Value
    (&(objectClass=person)(|(cn=admin)(cn=cat)(cn=jack)(cn=john)(cn=jackie)))
    This means that all LDAP entries whose objectClass attribute equals person and whose cn attribute equals admin, cat, jack, john or jackie are Joget users.
    When admin logs in, the search filter is combined with an additional condition and becomes (&(&(objectClass=person)(|(cn=admin)(cn=cat)(cn=jack)(cn=john)(cn=jackie)))(cn=admin))
    Note the extra (cn=admin) appended to the search filter, which ensures that only the admin user is returned.

    User License

    The user license determines how many users (sorted alphabetically) from your LDAP/AD can log in to the system. You can use the search filter to control the number of users returned from your LDAP.

    The trial license has a 3-user limitation: if you would like to run tests with several test users, you will need to exclude all the other users until your test users occupy the top 3 spots in the user list. See LDAP User Management.

  • Attribute Mapping - Username: cn
  • Attribute Mapping - First Name: givenName
  • Attribute Mapping - Last Name: sn
  • Attribute Mapping - Email: mail
  • Attribute Mapping - Status: status
  • Attribute Mapping - Time Zone: 8
  • Attribute Mapping - Locale: en_US
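The login-time filter composition described in the User Import Search Filter tip above, as an added example (not Joget's code). It AND-s the configured import filter with an equality match on the mapped username attribute, and escapes the login name per RFC 4515 so that a submitted username cannot change the structure of the filter; the escaping function is an assumption about good practice, not something the page states Joget does.

```python
# Added example, not Joget's code: build the login search filter from the
# configured User Import Search Filter and the Attribute Mapping - Username.

# Values taken from the page
IMPORT_FILTER = "(&(objectClass=person)(|(cn=admin)(cn=cat)(cn=jack)(cn=john)(cn=jackie)))"
USERNAME_ATTR = "cn"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    The characters '*', '(', ')', '\\' and NUL are replaced by a backslash
    followed by their two-digit hex code, so the value is always treated as
    data and never as filter syntax.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def login_filter(import_filter: str, username_attr: str, username: str) -> str:
    """AND the configured import filter with an equality match on the login name."""
    return "(&%s(%s=%s))" % (import_filter, username_attr,
                             escape_filter_value(username))


def is_balanced(filter_str: str) -> bool:
    """Cheap sanity check a practitioner can run on a filter read from the logs:
    parentheses must be balanced and the filter must be one parenthesised group."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filter_str) - 1):
                return False
    return depth == 0 and filter_str.startswith("(")
```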

Employment

Fields to configure: 

  • Attribute Mapping - Employee Code: employeeCode
  • Attribute Mapping - Job Title: jobTitle
  • Attribute Mapping - Report To: Use this if the LDAP user that a user reports to is kept in the LDAP user entry, e.g. manager
  • Map To "Report To" Entry Attribute: Used together with "Attribute Mapping - Report To", e.g. distinguishedName
  • Attribute Mapping - Metas: Additional attributes to retrieve using #user.USERNAME.meta.KEY# or #currentUser.meta.KEY#

Admin role

Fields to configure:

  • Admin Role Base DN: Set the Admin Role Base DN.
  • Admin Role Import Search Filter: eg. (objectClass=group)
  • Attribute Mapping - Users: Use this if the admin role of a user is kept in the LDAP entry, e.g. member.
  • Map To LDAP User Entry Primary Attribute: Used together with "Attribute Mapping - Users"; the attribute of the LDAP user entry that its values refer to.

Advance

Fields to configure: 

  • Result Size Per Paged Search: 100
  • Debug Mode: Checked
    Tips
    Turning on Debug Mode is highly recommended when configuring the LDAP plugin for the first time.
    When debug mode is on, every search query performed by the directory manager is written to the log file. From there, you can inspect the search filter strings and improve the accuracy and performance of the lookup.

Created by Marcos Last modified by Aadrian on Dec 13, 2024