USA +1 866 806 2068 | UK +44 203 1292 513 | JAPAN +81 3 45208991 Contact: Hagiwara info@openlm.com

Directory service (e.g. Active Directory – LDAP) Synchronization: Basic Guide – AN3029a

About this document

This document is a quick reference guide for synchronizing the OpenLM Database with an organizational Directory Server. It does not cover all LDAP synchronization options. For more detailed documentation, please refer to:

Directory service (e.g. Active Directory – LDAP) Synchronization: Comprehensive Guide

You may also find the video in this link helpful.

The OpenLM Server is capable of synchronizing users and groups with an organization’s Directory service (e.g. Active Directory, Novell eDirectory, ApacheDS) to combine license management with other company information. For simplicity, we will refer to this process as “LDAP Synchronization” throughout this document.

Benefits of LDAP Synchronization

There are many benefits in synchronizing the OpenLM Database with data resident in the organizational Directory Service for all decision makers in the organization:

From a managerial standpoint, it can be applied for

  • Enforcing license usage permissions,
  • Implementing usage chargeback (usage billing),
  • Analysis of usage trends, etc.

Administrators may benefit from:

  • Automating the management of license restriction (e.g. through FLEXlm Options file management)
  • Streamlining license usage reporting, according to updated Users’ and Groups’ data

From the end-user point of view:

  • User information may be presented to easily locate other users that are holding a required license.
  • Users may choose to authenticate their usernames on the OpenLM EasyAdmin web application via Windows authentication. Please read more about this here: EasyAdmin Windows Authentication – AN4031b

The Groups synchronization functionality is part of the Users and Groups extension, and requires additional licensing.

LDAP Synchronization steps

Here is a summary of the steps required for LDAP synchronization:

1. Set Domain Definition

2. Define the synchronization parameters, by clicking Add a Synchronization Definition to this Domain

3. Set Rules for Users using the drop-down menu to complete the Rules for users synchronization

4. Configure Groups synchronization parameters

5. Click Apply

6. To apply the configured synchronization, open the OpenLM EasyAdmin web portal via Windows Start → OpenLM → OpenLM EasyAdmin2.

7. From the EasyAdmin web application, click through Start → Administration → Sync Definitions.

The LDAP synchronization window opens. Click Refresh to apply the synchronization.

8. To view the results of the synchronization, check the Users and Groups presentation and the EasyAdmin Synchronization interface sections of the Comprehensive Guide.


The Active Directory tab

Interfacing the LDAP Server

The LDAP tab is the OpenLM Server’s interface to LDAP synchronization. The first thing to do is to connect to the LDAP Database. In order to do so:

1. Click the LDAP tab and then Add. The Domain Definitions’ dialogue box opens.

2. Submit the LDAP server details

3. Check the connection to the LDAP server by clicking Check Domain.

4. Save the configuration to a temporary buffer by clicking Apply changes.

5. To undo changes, and revert to the latest saved configuration, click Cancel changes.

6. Click Apply to save changes to the OpenLM database.


7. Organizations may have multiple domain controllers (for example, different departments or subsidiary companies have their own servers for user authentication). In order to add a second domain, click Add and repeat steps 2 through 4 listed above.

CONFIGURING LDAP SYNCHRONIZATION PARAMETERS

After having configured the OpenLM Server to interface with the LDAP server, one must now configure the actual synchronization parameters. In order to do so, select the newly created domain, and click Add. The synchronization window opens:


Synchronization Name

Name the synchronization scheme in the Synchronization Name text box.

Synchronization start node

Click the Select… button. A tree diagram of the LDAP structure opens. Select the synchronization start node. This node will be the upper-most object of the configured synchronization.

Sync time interval

The value in this example states that user details would be updated every 1 hour. Keep in mind that the synchronization process may demand considerable computing resources when applied to a large LDAP database.

SYNCHRONIZING USERS AND COMPUTERS

Synchronization of Users and Computers is the basic operation of the LDAP synchronization process. It is important to note that synchronizing users from the LDAP directory requires care; you may end up having taken in more users than you intended, and deleting users from the database is difficult. It is highly recommended to experiment on a separate database, NOT on the production database.

LDAP objects to Sync

It is possible to synchronize either Users or Computers. Use the LDAP objects to sync radio buttons to choose between those.

a) Sync username attribute

b) Users membership filter

c) Search depth selection

d) Sync only active users of licenses

Details on this section can be found in the Comprehensive Guide.


Groups Synchronization settings

Users’ or Computers’ synchronization can be done either with or without synchronization of LDAP groups. In order to enable Groups synchronization, expand the Groups synchronization settings.

GROUP SYNCHRONIZATION

Group synchronization introduces groups in the OpenLM database according to information read from the LDAP. Details on Group Synchronization can be found in the Comprehensive Guide.

Preview

At any stage you can click the magnifying glass icon to get a preview of the groups as they would be synchronized into the OpenLM database (at the time of writing this revision – 0.1, preview is only implemented for Hierarchical types of synchronization). The image below shows the preview window:


a) Set Default group

Setting a user’s default group is done by checking the Set Default group option in the OpenLM Server configuration tool.

b) Search depth

Configure the depth of search for the synchronized groups.

There are several different types of group synchronization schemes:

No Groups:

The default choice for groups synchronization is No groups. This choice negates any configuration done in the group synchronization frame.

Flat:

This option enables the administrator to associate a particular group name to all synchronized users.

Hierarchical:

OpenLM can create users’ and computers’ groups according to the hierarchical LDAP node tree.

Attribute:

OpenLM groups are created according to specific attributes their members have. In order to do that, select the Attribute radio button, and pick a suitable attribute from the adjacent drop-down list of attributes.
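To make the four schemes above and the Preview step concrete, here is an added Python illustration (written for this guide, not OpenLM’s own synchronization code) run over a handful of constructed directory entries. It assumes a start node, an attribute named department for the Attribute scheme, and a search-depth meaning of “how many levels below the start node an object may sit”; preview() mirrors the magnifying-glass preview, so the outcome of a scheme can be checked before any user is written to a database.

```python
from collections import defaultdict

# Constructed sample entries (not real data): (distinguishedName, username, department)
START_NODE = "OU=Engineering,DC=example,DC=com"
ENTRIES = [
    ("CN=alice,OU=CAD,OU=Engineering,DC=example,DC=com", "alice", "Design"),
    ("CN=bob,OU=CAD,OU=Engineering,DC=example,DC=com", "bob", "Design"),
    ("CN=carol,OU=Simulation,OU=Engineering,DC=example,DC=com", "carol", "Analysis"),
    ("CN=dave,OU=FEA,OU=Simulation,OU=Engineering,DC=example,DC=com", "dave", "Analysis"),
    ("CN=erin,OU=Sales,DC=example,DC=com", "erin", "Sales"),  # outside the start node
]

def rdns(dn):
    """Split a DN into its RDN components, leaf first (escaped commas not handled)."""
    return [part.strip() for part in dn.split(",")]

def depth_below(dn, start_node):
    """Levels below start_node counting the object itself (1 = directly in it); None if outside."""
    parts, base = rdns(dn), rdns(start_node)
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return None
    return len(parts) - len(base)

def sync_users(entries, start_node, scheme, *, flat_group="LDAP Users", max_depth=None):
    """Return {username: [groups]} as the chosen scheme would introduce them.
    max_depth is the assumed meaning of 'search depth': deeper objects are skipped."""
    result = {}
    for dn, user, dept in entries:
        depth = depth_below(dn, start_node)
        if depth is None or (max_depth is not None and depth > max_depth):
            continue  # not under the selected start node, or beyond the search depth
        if scheme == "no_groups":
            groups = []
        elif scheme == "flat":
            groups = [flat_group]  # one fixed group name for every synchronized user
        elif scheme == "hierarchical":
            # one group per OU between the start node and the object, outermost first
            ous = [p.split("=", 1)[1] for p in rdns(dn)[1:depth] if p.upper().startswith("OU=")]
            groups = list(reversed(ous))
        elif scheme == "attribute":
            groups = [dept]  # group name taken from the chosen attribute's value
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
        result[user] = groups
    return result

def preview(entries, start_node, scheme, **opts):
    """Group -> sorted members, as the preview window would show them, without writing anything."""
    members = defaultdict(set)
    for user, groups in sync_users(entries, start_node, scheme, **opts).items():
        for g in groups:
            members[g].add(user)
    return {g: sorted(u) for g, u in sorted(members.items())}
```

Note that erin never appears in any result: objects outside the start node are not taken in at all, which is the scope check to get right before a production run.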


EasyAdmin Synchronization interface

OpenLM EasyAdmin shows users, computers and group entities as they have been introduced by the LDAP synchronization. In order to run the LDAP synchronization process (without having to wait for the synchronization period to elapse):

  • Click the EasyAdmin ‘Start’ button.

  • Select Administration and Sync Definitions. The LDAP synchronization window opens.

  • Click the Sync Now link in the appropriate row to start synchronization.


To review LDAP Entities or LDAP Relations, please refer to the Comprehensive Guide.

User cleanup

Sometimes users get introduced into the OpenLM database by mistake. This may result in an unwieldy number of users, which makes browsing EasyAdmin cumbersome. OpenLM enables administrators to permanently delete the user pool, so that these users would not be synchronized again.

In order to activate this cleanup utility, click the EasyAdmin ‘Start’ button, select Administration and Cleanup initializer.

For more information on the cleanup process, see the Cleanup case study in the Comprehensive Guide.