OpenLM Directory Synchronization (LDAP): Comprehensive Guide

1. Introduction

This document is a comprehensive guide for synchronizing the OpenLM Database with an organizational Directory Server. For more concise documentation, please refer to:

Directory service (e.g. Active Directory – LDAP) Synchronization: Basic Guide.

You may also find the following video helpful; it gives a general presentation of OpenLM Directory Synchronization (LDAP – Lightweight Directory Access Protocol).

OpenLM Server is capable of synchronizing users and groups with an organization’s Directory Service (e.g. Active Directory, Novell eDirectory, ApacheDS) to combine license management with other company information. For simplicity, we will refer to this process as LDAP Synchronization throughout this document.

2. Benefits of LDAP Synchronization

Synchronizing the OpenLM Database with data held in the organizational Directory Service benefits decision makers throughout the organization.

From a managerial standpoint, it can be used for:

  • enforcing license usage permissions;
  • implementing usage chargeback (usage billing);
  • analysis of usage trends, etc.

Administrators benefit by:

  • automating the management of license restrictions (e.g. through OpenLM License Allocation Manager);
  • streamlining license usage reporting, based on up-to-date Users’ and Groups’ data.

Advantages for end-users:

  • user information can be displayed, making it easier to locate other users who are holding a required license;
  • secured access to the OpenLM User Interface (web application) can optionally be authenticated automatically (SSO) via Windows authentication. To read more about this option see the following link: User Interface Windows Authentication.

Group synchronization functionality is part of the Users and Groups extension and requires additional licensing.

3. LDAP Synchronization Steps / Active Directory Synchronization

This section describes the detailed procedure required for LDAP synchronization.

3.1 Interfacing the LDAP Server

The LDAP option is the OpenLM Server’s interface for LDAP synchronization. First it is necessary to connect to the LDAP domain:

OpenLM Directory Synchronization (LDAP)

Select LDAP from the menu (1) and click the Add button (2). In the Domain Definition section (3) complete the empty fields with the required information:

  • Domain Name (4) or IP address of the server which hosts the organization’s domain controller;
  • User Name (5) (e.g. administrator). Note that the account needs read access and should be a service account: if you use a normal user account, its password will expire and the sync will stop working;
  • Password (6);
  • LDAP Server Type (7) (e.g. “ActiveDirectory”);
  • To use a secured LDAP connection, check the Connect LDAP Server over SSL checkbox (8) (requires IIS) and append a colon and the port number to the Domain Name textbox (e.g. Domain_Name:636);
  • Check the connection to the LDAP server by clicking Check Domain (9);
  • Save the configuration to a temporary buffer by clicking Apply changes (10);
  • To undo changes and revert to the latest saved configuration, click Cancel changes (11);
  • Click Apply (12) to save the changes in the OpenLM database.

Organizations may have multiple domains (for example, in the case of a global organization with multiple locations). To add a second domain, click Add (2) again and repeat the steps described above.

3.2 Common Global Catalogs

A global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. When Common Global Catalogs are applied, a single search query using port 3268 is sent to a global catalog server. This configuration is preferable to a multiple domain control configuration for both simplicity and speed considerations. Please refer to this article for more information.
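The following is an added example, not OpenLM’s own code, showing how the Domain Name textbox and the Connect LDAP Server over SSL checkbox of 3.1 combine into a connection endpoint, and which port/SSL combinations are worth catching before clicking Check Domain. It assumes the standard LDAP port numbers (389 plain, 636 over SSL as in 3.1, 3268 global catalog as in 3.2), a host:port textbox format holding a DNS name or IPv4 address, and function names that are the example’s own.

```python
# Added example, not OpenLM's code: derive the LDAP endpoint from the
# Domain Name textbox and the "Connect LDAP Server over SSL" checkbox of
# section 3.1, and flag port/SSL combinations worth catching before
# clicking Check Domain. Port numbers are the standard ones; the page
# itself names 636 (LDAP over SSL) and 3268 (global catalog).
LDAP_PORT, LDAPS_PORT, GLOBAL_CATALOG_PORT = 389, 636, 3268


def parse_domain_field(value):
    """Split 'Domain_Name:636' into (host, port). Port is None when the
    textbox holds only a host name or IPv4 address."""
    value = value.strip()
    host, sep, port = value.rpartition(":")
    if not sep:
        host, port = value, None
    elif not (port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"invalid port {port!r} in {value!r}")
    else:
        port = int(port)
    if not host or any(ch.isspace() for ch in host):
        raise ValueError(f"invalid host name {host!r}")
    return host, port


def ldap_endpoint(domain_field, over_ssl=False):
    """Return the connection URL plus a list of warnings about settings
    that will not do what the administrator probably expects."""
    host, port = parse_domain_field(domain_field)
    if port is None:  # no explicit port: pick the default for the checkbox state
        port = LDAPS_PORT if over_ssl else LDAP_PORT
    warnings = []
    if over_ssl and port in (LDAP_PORT, GLOBAL_CATALOG_PORT):
        warnings.append(f"port {port} is a plaintext LDAP port; use {LDAPS_PORT} with SSL")
    if not over_ssl and port == LDAPS_PORT:
        warnings.append("port 636 expects SSL; check 'Connect LDAP Server over SSL'")
    if port == GLOBAL_CATALOG_PORT:
        warnings.append("port 3268 queries the global catalog (section 3.2)")
    scheme = "ldaps" if over_ssl else "ldap"
    return f"{scheme}://{host}:{port}", warnings


if __name__ == "__main__":
    # Constructed inputs: a DNS name with the SSL port, and a bare IPv4 address.
    print(ldap_endpoint("dc01.corp.example:636", over_ssl=True))
    print(ldap_endpoint("10.0.0.5:3268"))
```

A warning from `ldap_endpoint` is the kind of mismatch that otherwise only surfaces as a failed Check Domain (9): the SSL box checked but the textbox still pointing at a plaintext port, or port 636 entered with the box unchecked.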

3.3 Configuring LDAP Synchronization Parameters

After having configured the OpenLM Server to interface with the LDAP server, it is necessary to configure the actual synchronization parameters. Select the newly created domain (1) and click Add (2). In the Options window that opens, enter the required parameters:

OpenLM Directory Synchronization (LDAP)

  • Synchronization Name (3)

Name the synchronization scheme in the Synchronization Name text box.

  • Synchronization start node (4)

Clicking the Select… button next to this field opens a tree diagram of the LDAP structure. Select the synchronization start node and confirm the selection by clicking the green check icon. This node will be the top-most object of the configured synchronization.

OpenLM Directory Synchronization (LDAP)

  • Sync Time Interval (hours) (5)

The value in this example states that user details will be updated every 12 hours. Keep in mind that the synchronization process may demand considerable server and network resources when applied to large LDAP databases.

  • LDAP objects to Sync (6) – Synchronizing Users and Computers

Synchronization of Users and Computers is the basic operation of the LDAP synchronization process. Note that synchronizing users from LDAP has some subtleties: you may end up importing more users than you intended, and deleting users from the database is difficult. It is highly recommended to experiment on a separate OpenLM test environment, NOT on the production OpenLM environment.

It is possible to synchronize either Users or Computers. Use the LDAP objects to sync (6) radio buttons to choose between them.

3.4 Rules for user synchronization (1)

OpenLM Directory Synchronization (LDAP)

a) Sync Username attribute (2)

  • cn should be used for any LDAP configuration other than “Active Directory”, such as “Novell Directory” or “Apache DS”.
  • sAMAccountName (for example “jdoe”) is for Windows Server pre-2000 Active Directory versions.
  • userPrincipalName (for example john.doe@company.com) is for Windows Server post-2000 Active Directory versions.

b) User’s Membership Filter (1)

OpenLM Directory Synchronization (LDAP)

Click the lookup button and select from the drop-down menu whether to synchronize all users, only users within OUs, or only users within LDAP security groups.

c) Search Depth field (1)

OpenLM Directory Synchronization (LDAP)

The Search Depth number lets the administrator limit the synchronization process to a certain hierarchical level:

0 (default) – full tree group hierarchy is synchronized;

1 – only start node group is synchronized;

2 – start node group and its 1st level descendants are synchronized, etc.

Search Depth configuration has no effect on synchronization of groups.

d) Sync only active users of licenses checkbox (2)

OpenLM Directory Synchronization (LDAP)

It is highly recommended to check the Sync only active users of licenses checkbox in order to avoid adding users that do not actively use licenses. New active users are added to the list of users as they check out a license, and their LDAP details are synchronized at the next Sync Time Interval.

Note: The synced users/computers will be users/computers with usage over the last 3 months.
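To make the 3-month rule concrete, here is an added example (not OpenLM’s code) that applies the Sync only active users of licenses rule to a constructed checkout log and a constructed set of directory entries. The 90-day window, the user and attribute names and the function names are all assumptions of the example; it also shows which accounts the unchecked setting would pull into the database even though they never use a license.

```python
# Added example (not OpenLM's code) of the "Sync only active users of
# licenses" rule: a user is matched against the directory only if it has
# license usage in the last 3 months; everyone else stays out.
from datetime import datetime, timedelta

ACTIVE_WINDOW = timedelta(days=90)  # assumption: "3 months" modelled as 90 days
NOW = datetime(2024, 7, 1)          # constructed time of the sync run

# Constructed checkout records (user name, checkout time); not real data.
USAGE_LOG = [
    ("U_A1", datetime(2024, 5, 2, 9, 15)),
    ("U_A1", datetime(2024, 6, 20, 14, 0)),
    ("U_B1", datetime(2024, 1, 10, 8, 30)),         # last checkout over 3 months ago
    ("contractor7", datetime(2024, 6, 25, 11, 5)),  # active, but unknown to LDAP
]

# Constructed directory entries keyed by the Sync Username attribute value.
DIRECTORY = {
    "U_A1": {"givenName": "Alice", "sn": "Adams", "department": "olm_drink"},
    "U_B1": {"givenName": "Bob", "sn": "Brown", "department": "olm_drink"},
    "U_AA1": {"givenName": "Ann", "sn": "Archer", "department": "olm_food"},  # never used a license
}


def active_users(usage_log, now=NOW, window=ACTIVE_WINDOW):
    """Users with at least one checkout inside [now - window, now]."""
    cutoff = now - window
    return {user for user, when in usage_log if cutoff <= when <= now}


def sync_active_only(directory, usage_log, now=NOW):
    """Box checked: every active user is in the user list, and directory
    attributes are attached only where LDAP knows the account. A user seen
    only in usage keeps an empty record until a later sync fills it in."""
    return {user: dict(directory.get(user, {}))
            for user in active_users(usage_log, now)}


def sync_all(directory, usage_log, now=NOW):
    """Box unchecked: every directory entry in scope is imported, whether or
    not it ever checked out a license, plus the active users seen in usage."""
    result = {user: dict(attrs) for user, attrs in directory.items()}
    for user in active_users(usage_log, now):
        result.setdefault(user, {})
    return result


def unintended_users(directory, usage_log, now=NOW):
    """Accounts that exist in the database only because the box was left
    unchecked: the 'more users than you intended' of section 3.3."""
    return (set(sync_all(directory, usage_log, now))
            - set(sync_active_only(directory, usage_log, now)))


if __name__ == "__main__":
    print("active only:", sorted(sync_active_only(DIRECTORY, USAGE_LOG)))
    print("unintended:", sorted(unintended_users(DIRECTORY, USAGE_LOG)))
```

Running the constructed data through both paths shows the difference the checkbox makes: with it checked only U_A1 and the usage-only account contractor7 are created, while unchecked U_B1 (inactive) and U_AA1 (never used a license) are imported as well.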

3.5 Group Synchronization Settings

Group synchronization introduces groups to the OpenLM database according to information obtained from LDAP.

Preview option

OpenLM Directory Synchronization (LDAP)

At any stage of operation it is possible to click the Preview button and get a preview of the groups that are going to be synchronized into the OpenLM database. (In revision 4.3, preview is implemented only for Hierarchical synchronization types.) See the Preview window below:

Please note that for very large Active Directories, the preview window might take a few minutes to load up.

Synchronization of Users or Computers can be enabled either with or without synchronization of LDAP groups. To enable group synchronization, expand the Group Synchronization Settings>> menu:

Creating groups for OpenLM synchronization

3.6 Rules for creating groups

a) Set Default Group checkbox

OpenLM Directory Synchronization (LDAP)

To set a user’s default group, check the Set Default Group checkbox in the OpenLM Server configuration tool. With this setting, the first group (other than OpenLM_Everyone) that a user is found to be a member of during synchronization is set as that user’s default group.

Note: Historical usage is only recorded for the user’s default group.

b) Search Depth

OpenLM Directory Synchronization (LDAP)

Configure the depth of search for synchronized groups:

‘0’ (default): full tree group hierarchy is synchronized;

‘1’: only start node group is synchronized;

‘2’: start node group and its 1st level descendants are synchronized, etc.

Search Depth configuration has no effect on Users and Computers synchronization.

c) Rules for creating groups

OpenLM Directory Synchronization (LDAP)

There are several different types of group synchronization schemes:

No Groups

The default selection for group synchronization is No Groups. This option negates any configuration made in the group synchronization frame.

Flat – All users will become members of the same group, named:

With this option the administrator can associate a single group name with all synchronized users. The fixed name typed in the textbox becomes the group name for all users synchronized in this way.

Hierarchical – Create groups of users according to…

OpenLM can create groups of users and computers according to the hierarchical LDAP node tree. Synchronized group entities include OUs (Organizational Units), Security groups and Distribution groups. The user can set the synchronization scheme to include any combination of these entity types.

Hierarchical – OUs (organizational units): this option is used by organizations that have an organizational hierarchy represented in LDAP; for example, departments nested inside divisions. By selecting the OU synchronization method, users are introduced into groups in the OpenLM database. These groups are named after the LDAP OUs under which the users were created.

Hierarchical – Security Groups: this option goes through the list of users that populate the Security group nodes beneath the selected node. OpenLM groups are named according to these LDAP Security groups.

Hierarchical – Distribution Groups: this option goes through the list of users that populate the Distribution group nodes beneath the selected node. OpenLM groups are named according to these LDAP Distribution groups.

Hierarchical – Include Schema Customization objects: includes a user’s customized objects, meaning that if the user belongs to an entity that is not an OU, Security group or Distribution group, the application still supports it.

Hierarchical – Include Start Node: when activated, this setting includes the start node in the hierarchical synchronization scheme.

User Attribute – Group users with same attribute:

OpenLM groups are created according to a specific attribute their members share. To do so, check the User Attribute – Group users with same attribute radio button (1). Click the lookup button next to this field and select the appropriate attribute from the drop-down menu. Examples of attributes are “Division”, “Employee ID”, “Initials”, “Cost center”, etc. Type in a Regex expression that captures the required attribute value. Note that the User Attribute drop-down menu does not take values from the client’s directory; it is a preset list of values. Custom attributes can be entered if they are not part of the list.
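The rules of 3.4 to 3.6 (Users’ Membership Filter, Search Depth, hierarchical and attribute-based group creation) can be worked through on a small tree. The following is an added example and not OpenLM’s code: the directory tree is constructed and only loosely follows the case study in section 6 (cases 7 to 9), the level counting for Search Depth and the reading of “all users” as the union of OU-created users and group members are assumptions, and all class and function names are the example’s own.

```python
# Simulation of the user and group synchronization rules of sections 3.4
# to 3.6 on a constructed directory tree. Added example, not OpenLM's code.
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    """LDAP container: for an OU `users` are the users created in it, for a group its members."""
    name: str
    kind: str  # "ou", "security" or "distribution"
    users: list = field(default_factory=list)
    children: list = field(default_factory=list)


@dataclass(frozen=True)
class User:
    name: str
    department: str = ""  # attribute used by the User Attribute scheme


# Constructed tree loosely following section 6: U_B1 is a member of G_B1 but
# was created in OU_AB; U_BB1 is the only user created under OU_B (assumed).
U_AB1, U_AB2 = User("U_AB1"), User("U_AB2")
U_A1, U_B1 = User("U_A1", "olm_drink"), User("U_B1", "olm_drink")
U_AA1, U_BB1 = User("U_AA1", "olm_food"), User("U_BB1", "olm_food")
OU_AB = Node("OU_AB", "ou", users=[U_AB1, U_AB2, U_B1], children=[
    Node("OU_A", "ou", users=[U_A1], children=[
        Node("G_A1", "security", users=[U_A1]),
        Node("OU_AA", "ou", users=[U_AA1])]),
    Node("OU_B", "ou", children=[
        Node("G_B1", "security", users=[U_B1, U_AB2]),
        Node("OU_BB", "ou", users=[U_BB1], children=[
            Node("G_BB1", "security", users=[U_BB1])])])])


def find(node, name):
    """Locate a start node by name (what the Select... tree picker does)."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def in_scope(start, depth=0):
    """Nodes reachable from `start` under Search Depth: 0 = full tree,
    1 = start node only, 2 = start node plus first-level descendants, etc."""
    stack = [(start, 1)]
    while stack:
        node, level = stack.pop()
        if depth and level > depth:
            continue
        yield node
        stack.extend((child, level + 1) for child in node.children)


def sync_users(start, depth=0, membership="all"):
    """Users' Membership Filter: 'all', 'ous' (users created in an OU in
    scope) or 'security' (members of a security group in scope)."""
    kinds = {"all": {"ou", "security", "distribution"},
             "ous": {"ou"}, "security": {"security"}}[membership]
    found = []
    for node in in_scope(start, depth):
        for user in (node.users if node.kind in kinds else []):
            if user not in found:
                found.append(user)
    return found


def groups_hierarchical(start, users, depth=0,
                        kinds=("ou", "security", "distribution"), include_start=True):
    """Hierarchical scheme: one group per container in scope, named after it.
    Groups are created even when empty; members are limited to synced users."""
    synced, groups = set(users), {}
    for node in in_scope(start, depth):
        if node.kind in kinds and (include_start or node is not start):
            groups[node.name] = {u for u in node.users if u in synced}
    return groups


def groups_by_attribute(users, pattern):
    """User Attribute scheme on 'department': the first capture group (or
    the whole match) names the group, so olm_(.*) yields 'drink'/'food'."""
    rx, groups = re.compile(pattern), {}
    for user in users:
        m = rx.match(user.department)
        if m:
            name = m.group(1) if rx.groups else m.group(0)
            groups.setdefault(name, set()).add(user)
    return groups


def names(users):
    return sorted(u.name for u in users)


if __name__ == "__main__":
    ou_b = find(OU_AB, "OU_B")
    print("within security groups:", names(sync_users(ou_b, membership="security")))
    print("within OUs:", names(sync_users(ou_b, membership="ous")))
    print({g: names(m) for g, m in groups_by_attribute(sync_users(OU_AB), r"olm_(.*)").items()})
```

With OU_B as the start node, the security-group filter returns U_B1 and U_AB2 (members of G_B1 although created elsewhere) plus U_BB1, while the OU filter returns only U_BB1; with OU_AB as the start node and the pattern olm_(.*), the attribute scheme produces a drink group and a food group. Raising the Search Depth from 0 to 1 or 2 cuts both the users and the groups off at the corresponding level.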

3.7 Applying configured synchronization

To apply the configured synchronization, open the OpenLM User Interface web portal: Windows Start → OpenLM → OpenLM User Interface:

OpenLM User Interface

In the window that opens, go to Start and click the Administration menu:

OpenLM User Interface

Then choose Sync Definitions menu:

OpenLM Synchronization definitions

The LDAP synchronization window will open. Click Sync Now (2) to apply the synchronization.

Results will appear when Synchronization is completed.

4. Users and Groups

Users and user Groups which exist in the OpenLM Database are displayed in the OpenLM User Interface web application’s Users and Groups menus.

OpenLM Users and Groups

To open these windows click OpenLM User Interface Start button → Users & Groups (1) → and choose either Users (2) or Groups (3):

4.1 OpenLM Users

If you choose Users in the Users & Groups menu, the following window appears:

OpenLM Users and Groups

To see more information, check the Show disabled checkbox (1) and double-click a user’s name. In the screen below, GuestUser and GeneralUser are disabled users by default:

More information can be shown by selecting a user and then clicking Edit user button:

Editing users in OpenLM User Interface

4.2 Groups

If you choose Groups, the following window appears. OpenLM_Everyone is a disabled group by default:

Adding groups in OpenLM User Interface

4.3 Default Groups

The default group is a property of the user and defines the group that will accumulate usage time for that user. The “OpenLM_Everyone” group includes all users that do not have a default group set; their license usage is accumulated in that group.

LDAP synchronization may be implemented so that users are assigned specific default groups other than OpenLM_Everyone. The default group name is marked by a check mark, highlighted in blue, and can be found in the specific user’s window under the Groups tab.

List of groups in OpenLM User Interface

For example, U1 is a member of OpenLM_Everyone, G1, Roi_Test1, Users and MyFlatGroup.

4.4 Entities

There are several entity types that OpenLM relates to: Users, User groups, Host, Host groups and IDs.

There are two ways to view Entities. From the Administration window, click Entities:

OpenLM User Interface administration

or go to Sync Definitions and click Entity link in the LDAP Synchronization window:

Synchronizing Entities in OpenLM Directory Synchronization

In the Administration – LDAP Entities window, after running the synchronization, you can review the entities as they were read from LDAP. Use the filter pane on the left side of the LDAP Entities window to select specific synchronization schemes, entities, entity types and synchronization dates:

List of LDAP entities

You can also mark certain entities as ignored (1) and remove ignored entities from the display by clicking the Save button (2):

setting LDAP entities

5. Relations

To open the Relations menu, click the Relations icon (1) in the Administration window:

OpenLM User Interface administration, relations

The LDAP Relations window will open:

entity name in OpenLM Synchronization

This screen shows the Relations display for user U_A1. It lists the groups to which U_A1 belongs, as well as the synchronization name and the date of synchronization.

6. Case study

In order to demonstrate different methods of group synchronization we have created the following Organizational Unit structure and enabled all users.

In this diagram:

  • organizational units (OU) are marked by blue triangles;
  • groups are marked by yellow circles;
  • users are marked by small rectangles;
  • bubbles mark nodes where users have been defined;
  • 3 computers were defined in organizational units OU_AB, OU_A and OU_B. They are marked by green stars and are named Comp-AB, Comp-A and Comp-B respectively;
  • OU_AA & OU_BB, with their groups and users, were only configured for the later case studies (see below).

CASE 1A: SYNCHRONIZE USERS, SYNCHRONIZE COMPUTERS ONLY

Procedure:

OU_AB was selected as the start node.

Two parallel synchronization schemes were configured: for users and computers.

Group synchronization was not configured.

Group synchronization in OpenLM Server

Outcome:

All Users and Computers were synchronized. No Groups or OUs were synchronized.

Observed:

LDAP Entities window contains the LDAP users and computers:

LDAP Entities window

Active computers are displayed in Workstations window:

OpenLM User Interface Workstations window

CASE 1B: NO GROUPS

Procedure:

As in the previous case (1A), OU_AB was selected as the start node. The same two synchronization schemes were configured: for Users and Computers. Group synchronization was opened and the No Groups radio button was selected.

Outcome:

Similar to the previous case, all Users and Computers were synchronized. No Groups or OUs were synchronized.

CASE 2: FLAT SYNCHRONIZATION

Procedure:

OU_AB was selected as the start node.

Users synchronization was configured to include all users under that start node.

Group synchronization was configured as Flat – All users will become members of the same group, named… (1), and the name of the new group was typed in:

flat type OpenLM synchronization

Outcome:

All users were synchronized and collected in MyFlatGroup group:

LDAP entities synchronization

To see the users in a group, go to Start → Users & Groups → Groups, choose the required group (MyFlatGroup in this example) and press the Members button:

viewing groups in OpenLM User Interface

In the Users in MyFlatGroup window that opens you will see the list of users in that group:

users in groups of OpenLM synchronization

CASE 3: HIERARCHICAL SYNCHRONIZATION: USERS, COMPUTERS, OUS AND GROUPS

Procedure:

OU_AB was selected as the start node.

Two parallel synchronization schemes were configured: for users and computers.

Hierarchical group synchronization was configured to include all: OUs, Security Groups and Distribution groups.

The hierarchical group search depth was set to ‘0’: Full tree.

synchronization in OpenLM Server

Outcome:

All groups, OUs, users and computers beneath OU_AB were synchronized. The Hierarchical tree was preserved.

Observed:

The OpenLM User Interface Entities and Relations windows displayed all LDAP entity information:

OpenLM User Interface Entities and Relations

In the Users & Groups menu, Groups submenu, the OpenLM User Interface shows all groups in Tree or List view. Users are assigned as members of these groups. In the example below, users U1, U2 and Guest are members of group MyFlatGroup 2:

OpenLM User Interface users and groups

CASE 4: HIERARCHICAL SYNCHRONIZATION – SEARCH DEPTH 2 (USERS) 2 (GROUPS)

Procedure:

OU_AB was selected as the start node.

Hierarchical group synchronization was configured to include all: OUs, Security Groups and Distribution groups. User search depth was set to 2. Groups search depth was set to 2:

Hierarchical synchronization in OpenLM Server

Outcome:

All OUs and groups in the uppermost entity and its immediate descendants were synchronized.

All users which were declared in the uppermost entity and its immediate descendants were synchronized.

Observed:

Users were properly grouped within these limitations:

hierarchical synchronization of groups in OpenLM User Interface

CASE 5: HIERARCHICAL SYNCHRONIZATION – SEARCH DEPTH 2 (USERS) 1 (GROUPS)

Procedure:

OU_AB was selected as the start node.

Hierarchical group synchronization was configured to include all: OUs, Security Groups and Distribution groups.

User search depth was set to 2.

Groups search depth was set to 1.

Outcome:

Only the uppermost entity OU_AB was synchronized.

All users which were declared in the uppermost entity and its immediate descendants were synchronized.

Observed:

Group OU_A contains all the synchronized users that were set beneath it:

hierarchical synchronization of groups in OpenLM User Interface

CASE 6: SYNCHRONIZE ONLY ACTIVE USERS

Procedure:

OU_AB was selected as the start node.

Hierarchical group synchronization was configured to include all: OUs, Security Groups and Distribution groups.

Depth of hierarchical group search was set to ‘0’: Full tree.

The “Sync only active users of licenses” box was checked, and user U_A1 logged into OpenLM in order to establish its status as an active user.

Sync only active users of licenses in OpenLM Server

Outcome:

All LDAP groups were introduced in the OpenLM database.

Only user U_A1 appears in the Users window. U_A1 was synchronized with LDAP, hence its attributes (First name, Last name, Department) are also displayed:

Synchronization of groups in OpenLM User Interface

CASE 7: SYNCHRONIZE ONLY USERS WITHIN SECURITY GROUPS

Reminder:

User U_B1 was grouped under G_B1 but was created in Organizational unit OU_AB.

Procedure:

OU_B was selected as the start node.

User synchronization was configured to include only users within Security groups.

Group synchronization was not configured.

Synchronize only users within security groups in OpenLM Server

Outcome:

All users under OU_B node grouped under security groups were synchronized:

users in groups of OpenLM User Interface

CASE 8: SYNCHRONIZE ONLY USERS WITHIN OUs

Procedure:

OU_B was selected as the start node.

User synchronization was configured to include only users within OUs.

Group synchronization was not configured.

Reminder:

Users U_B1, U_AB2 and U_BB1 are members of groups under the OU_B organizational unit. However, only U_BB1 was included in OU_BB1, which resides under the start node OU_B.

Outcome:

Only user U_BB1 was synchronized.

CASE 9: ATTRIBUTES

Reminder:

Users U_A1 & U_B1 have been defined with a “department” attribute of value “olm_drink”.

Users U_AA1 & U_BB1 have been defined with a “department” attribute of value “olm_food” (see the LDAP diagram).

Procedure:

OU_AB was selected as the start node. The “Attribute” group synchronization method was selected. The ‘Department’ attribute with the regular expression (‘Regex’) value olm_(.*) was configured in the LDAP configuration form. This regular expression creates a group for each department attribute value that starts with olm_, i.e. food & drink.

User attributes synchronization in OpenLM Server

Outcome:

All Users in OU_AB were synchronized.

Users U_A1 & U_B1 are members of drink group.

Users U_AA1 & U_BB1 are members of food group.

synchronization output in OpenLM User Interface

CASE 10: USER CLEANUP

Procedure:

OU_B was selected as start node.

All users under this node were synchronized.

Cleanup was applied.

OU_AB was selected as the start node and a second phase of synchronization was applied.

user cleanup in OpenLM Server

Outcome:

Only users which were not included in the OU_B node remained.

Observed:

After Synchronizing OU_B, all users under that start node were present:

synchronization results in OpenLM User Interface

Then cleanup was applied to users:

Cleanup Manager settings in OpenLM User Interface

And all the users were eliminated:

list of users in LDAP entities

After that, synchronization of OU_AB was applied. All entities from both synchronization processes appear in the LDAP Entities window, but only those OU_AB users that were not part of OU_B were synchronized and are displayed in the Users window.

In particular, U_AB2, which was a member of the first synchronization hierarchy, is omitted from the users list during the cleanup process and is not reinstated there after the second synchronization.

users in LDAP entities
