
OpenLM Directory Synchronization (LDAP): Comprehensive Guide


1. Introduction

This document is a comprehensive guide on how to synchronize the OpenLM Database with an organization’s directory service. Throughout this document, this process is referred to as LDAP Synchronization.

For a quick video walkthrough on setting up LDAP synchronization, see HT854.

 

Table of Contents

1. Introduction

2. Benefits of LDAP Synchronization

3. LDAP / Active Directory Synchronization Steps

3.1 Interfacing the LDAP Server

3.2 Common Global Catalogs

3.3 Configuring LDAP Synchronization Parameters

3.4 Rules for user synchronization (1)

3.5 Group Synchronization Settings

Preview option

3.6 Rules for creating groups

3.7 Triggering a configured synchronization

4. Users and Groups

4.1 OpenLM Users

4.2 Groups

4.3 Default Groups

4.4 Entities

5. Relations

5.1 Resetting entity relationships

6. Case studies

CASE 1A: SYNCHRONIZE USERS, SYNCHRONIZE COMPUTERS ONLY

CASE 1B: NO GROUPS

CASE 2: FLAT SYNCHRONIZATION

CASE 3: HIERARCHICAL SYNCHRONIZATION: USERS, COMPUTERS, OUS AND GROUPS

CASE 4: HIERARCHICAL SYNCHRONIZATION – SEARCH DEPTH 2 (USERS) 2 (GROUPS)

CASE 5: HIERARCHICAL SYNCHRONIZATION – SEARCH DEPTH 2 (USERS) 1 (GROUPS)

CASE 6: SYNCHRONIZE ONLY ACTIVE USERS

CASE 7: SYNCHRONIZE ONLY USERS WITHIN SECURITY GROUPS

CASE 8: SYNCHRONIZE ONLY USERS WITHIN OUs

CASE 9: ATTRIBUTES

CASE 10: USER CLEANUP

 

2. Benefits of LDAP Synchronization

There are many benefits to synchronizing the OpenLM database with an organizational directory service. These can be grouped by the type of decision-maker in an organization.

Benefits for management:

  • Enforcing license usage permissions
  • Implementing usage chargeback (usage billing)
  • Analysis of usage trends

Benefits for administrators:

  • Automating license rules and restrictions (through the OpenLM License Allocation Manager)
  • Streamlining license usage reporting, according to LDAP User and Group data.

Benefits for end-users:

  • Viewing specific user information via OpenLM Agent to help locate users that are holding a required license
  • Authenticating to OpenLM’s EasyAdmin via Windows Authentication. To read more about this option see the following link: User Interface Windows Authentication.

To take advantage of LDAP synchronization, your OpenLM license must include support for the Directory Synchronization extension.

 

3. LDAP / Active Directory Synchronization Steps

This section describes how to configure the LDAP synchronization process.

3.1 Interfacing the LDAP Server

The LDAP tab holds OpenLM’s interface for LDAP synchronization. First it is necessary to connect to an LDAP domain:

Click on the LDAP tab (1) then click the Add button (2). In the Domain Definition section complete the fields as follows:

  • Domain Name (3) – the domain name or IP address of the server that hosts the organization’s domain controller.
  • User Name (4) – the username of an administrator account. Note that read access is required. A service account is recommended: if a normal user account is used, its password may expire, at which point the synchronization stops working.
  • Password (5) – the password of the above account.
  • LDAP Server Type (6) – the directory type (e.g. “ActiveDirectory”).
  • To use a secure LDAP connection, check the Connect LDAP Server over SSL box (7) and append a colon and the port number to the Domain Name textbox (e.g. Domain_Name:636).
  • Check the connection to the LDAP server by clicking Check Domain (8).
  • Save the configuration by clicking Apply changes (9).
  • To undo changes and revert to the last saved configuration, click Cancel changes (10).
  • Click Apply (11) to commit the changes to the OpenLM database.

Organizations may have multiple domains (e.g. a worldwide organization with multiple locations). In order to add an additional domain, click Add (2) and repeat the described steps above.

 

3.2 Common Global Catalogs

A global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. When Common Global Catalogs are applied, a single search query using port 3268 is sent to a global catalog server. This configuration is preferable to querying multiple domain controllers, for both simplicity and speed. Please refer to this Microsoft article for more information.

 

3.3 Configuring LDAP Synchronization Parameters

After having configured the OpenLM Server to interface with the LDAP server, it is necessary to configure the actual synchronization parameters. Select the newly created domain (1) and click Add (2). In the opened Options window insert the required parameters:

  • Synchronization Name (3)

Name the synchronization scheme in the Synchronization Name text box.

  • Synchronization start node (4)

Clicking Select… will open a tree diagram of the LDAP structure. Select the synchronization start node then confirm the selection by clicking the green check icon. This node will be set as the upper-most object of the configured synchronization.

[Screenshot: OpenLM Directory Synchronization (LDAP)]

  • LDAP Sync Method (5)

Choose the synchronization method: either by interval or by time.

By Interval – selecting this option means that the first synchronization cycle will begin at the specified “Start from” time and will be triggered again after the configured number of hours (e.g. 24 hours). This interval value can be set anywhere from 1 to 720 hours. If the server is restarted, the next synchronization cycle will begin at the specified “Start from” time.

By Time – selecting this option allows you to configure on which days the synchronization will start and at which hour.

Keep in mind that when dealing with large LDAP databases, the synchronization process can put considerable strain on server and network resources so it’s best to select a time when the general server load is expected to be minimal (e.g. at night).

  • LDAP objects to Sync (6) – Synchronizing Users and Computers

Synchronization of Users and Computers is a basic operation of the LDAP synchronization process. It is possible to synchronize either Users or Computers. Use the LDAP objects to sync (6) radio buttons to choose.

Note: synchronizing users with LDAP can present some challenges – you may end up with more synchronized users from the directory than required. For this reason, it is recommended to test the results of synchronization in a separate OpenLM test environment before moving on to the production OpenLM environment.

 

3.4 Rules for user synchronization (1)

a) Sync Username attribute (2)

  • sAMAccountName (for example “jdoe”) is the legacy (pre-Windows 2000) logon name used by Active Directory.
  • cn is the standard “Common Name” attribute used by all LDAP configurations.
  • userPrincipalName (for example john.doe@company.com) is the logon name used by Windows 2000 and later Active Directory versions.

b) User’s Membership Filter (1)

Select from the drop-down menu whether to synchronize: all users, only users belonging to OUs or only users belonging to LDAP Security Groups.

c) Search Depth field (1)

Search depth – this number allows the administrator to limit the synchronization process to a certain hierarchical level:

0 (default) – the full tree group hierarchy will be synchronized

1 – only the start node group will be synchronized

2 – the start node group and its 1st level descendants will be synchronized

3 – the start node and its 2nd level descendants will be synchronized

And so on.

Search Depth configuration has no effect on the synchronization of groups.

d) Sync only active users of licenses checkbox (2)

It is highly recommended to check the Sync only active users of licenses box in order to avoid adding users that have no license activity. New active users will be added to the list of users as they check out a license. Their LDAP details will be synchronized on the next scheduled synchronization.

Note: The synced users/computers will be those with any kind of license usage recorded in the OpenLM database over the past 3 months. Additionally, a user’s AD status (enabled/disabled) is not currently checked or synchronized, so a user may be imported into OpenLM’s database even if their status in Active Directory is set to disabled.

 

3.5 Group Synchronization Settings

Group synchronization settings specify how LDAP groups are to be handled and added to the OpenLM database.

Preview option

At any stage of the operation, it is possible to click the Preview button to get a preview of the groups that are going to be synchronized with the OpenLM database. Note that this option only works for the Hierarchical type of synchronization as the other types are simple enough to not warrant such a display (either no groups or one single all-inclusive group).

The Preview window looks as follows:

Please note that for very large Active Directories, the preview window might take several minutes to load.

To configure Group synchronization rules, click on Group Synchronization Settings>>:

 

3.6 Rules for creating groups

a) Set Default Group checkbox

For reporting purposes, the default group is considered the group towards which a user’s license usage time is counted. By default, all users created manually or synchronized into OpenLM are assigned to the system default OpenLM_Everyone group. Checking the Set Default Group box allows you to override this behavior:

  • For the Flat and User Attribute synchronization rules, the default group will be the one you input or select from the menu
  • For the Hierarchical synchronization rule, the default group will be the first one that is found during the scan (e.g. if JohnDoe belongs to groups A, B and C – the default group is A)

This setting will overwrite the default group each time the synchronization is run.

b) Search Depth

Configure the search depth for the synchronized groups:

0 (default) – the full tree group hierarchy will be synchronized

1 – only the start node group will be synchronized

2 – the start node group and its 1st level descendants will be synchronized

3 – the start node and its 2nd level descendants will be synchronized

And so on.

c) Rules for creating groups

There are different types of group synchronization schemes:

No Groups

This is the default selection for group synchronization. This option negates any configuration made in the group synchronization frame. All users will be assigned to the default OpenLM_Everyone group.

 

Flat – All users will become members of the same group, named:

With this option, administrators can assign all users found in the specified sync tree to one single group with a name of their choosing. This is a “flat hierarchy” – it ignores any other hierarchy that the user might belong to.

 

Hierarchical – Create groups of users according to…

OpenLM can create groups of users and computers according to hierarchical LDAP node trees. Synchronization group entities include OUs (Organizational Units), Security Groups and Distribution Groups. Users can set the synchronization scheme to include any combination of these entity types.

Hierarchical – OUs (organizational units): this option is used by organizations that have an organizational hierarchy represented in LDAP. For example, departments nested inside divisions. By selecting the OU synchronization method, users will be introduced into groups in the OpenLM database. These groups are going to be named after the LDAP OUs under which the users have been created.

Hierarchical – Security Groups: this option goes through the list of users that populate Security Group nodes in the directory tree, beginning with the start node. OpenLM groups will have the same name as these LDAP Security Groups.

Hierarchical – Distribution Groups: this option goes through the list of users that populate Distribution Group nodes in the directory tree, beginning with the start node. OpenLM groups will have the same name as these LDAP Distribution Groups.

Hierarchical – Include Schema Customization objects: includes in the synchronization users/computers that belong to entities other than the standard OU/Security/Distribution group types.

Hierarchical – Include Start Node: when checked, this setting includes the start node in the synchronization.

 

User Attribute – Group users with same attribute:

The OpenLM groups are created according to a specific attribute their members have. To do so, check the User Attribute – Group users with same attribute radio button. Open the drop-down menu and select the attribute you would like to synchronize by (e.g. “Division”, “Employee ID”, “Initials”, “Department”, etc.). For each unique attribute value, a new OpenLM group is created, and every user/computer carrying that value is added to the respective group.

The Pattern (Optional) field allows synchronizing by a custom attribute whose value matches the given regular expression. Note that the User Attribute drop-down menu only shows a preset list of values; it is also possible to enter a custom attribute manually.

 

3.7 Triggering a configured synchronization

If you have changed the settings for a synchronization definition or you want to trigger a newly created synchronization definition before its scheduled time, you have to:

1. Open EasyAdmin (Windows Start → OpenLM → OpenLM EasyAdmin User Interface)

2. In the opened browser window, go to EasyAdmin Start → Administration:

3. Click on Sync Definitions:

4. The LDAP synchronization window will open. Click on Sync Now to trigger the synchronization for the definition you require.

The OpenLM database will now be populated with the LDAP users and groups according to the synchronization definition.

 

4. Users and Groups

Users and Groups that exist in the OpenLM database are displayed in EasyAdmin under the Users & Groups menu.

[Screenshot: OpenLM Users and Groups]

To open these windows, click EasyAdmin Start button → Users & Groups (1) → and choose either Users (2) or Groups (3):

 

4.1 OpenLM Users

If you choose Users from the Users & Groups menu, the following window will appear. Double-click on a user row or select the row then click Edit User to view more information for a specific user.

[Screenshot: OpenLM Users and Groups]

 

To see disabled users, check the Show disabled checkbox (1). Note that this only shows users whose state is set to disabled within OpenLM, not disabled LDAP users. For example, in the screenshot below, GuestUser and GeneralUser are disabled users present on every OpenLM system:

As with regular users, double-click on a user row or select the row then click Edit User to view more information:

[Screenshot: Editing users in OpenLM User Interface]

4.2 Groups

If you choose Groups, the following window appears. OpenLM_Everyone is the default system group:

[Screenshot: Adding groups in OpenLM User Interface]

4.3 Default Groups

OpenLM_Everyone is a default system group that includes all users that do not have a set default group. All license usage by users belonging to this group will be counted toward the respective group and will be available when filtering by Groups in the EasyAdmin reports. This default group can be changed by setting the relevant “Set Default Group” checkbox as described in section 3.6 of this document.

The default group for a user can be identified by a checkmark which is present next to the group name, as can be seen here under the Groups tab.

[Screenshot: List of groups in OpenLM User Interface]

In this example, while U1 is a member of OpenLM_Everyone, G1, Roi_Test1, Users and MyFlatGroup, any license usage activity by U1 will be counted only towards the OpenLM_Everyone group.

 

4.4 Entities

There are several entity types that OpenLM relates to: Users, User Groups, Host, Host Groups and IDs.

There are two options for viewing Entities. In the Administration window, click Entities:

[Screenshot: OpenLM User Interface administration]

or go to Sync Definitions and click the Entity link in the LDAP Synchronization window:

[Screenshot: Synchronizing Entities in OpenLM Directory Synchronization]

In the Administration – LDAP Entities window, after running the synchronization, you can review entities as they were read from LDAP. Use the filter panel on the left side of the LDAP Entities window to select specific synchronization schemes, entities, entity types and Synchronization dates:

[Screenshot: List of LDAP entities]

You can also mark certain entities to be ignored (1) from the synchronization process by checking the appropriate checkbox and clicking Save (2):

[Screenshot: Setting LDAP entities]

 

5. Relations

To open the Relations menu, click the Relations icon (1) in the Administration window:

[Screenshot: OpenLM User Interface administration, Relations]

The LDAP Relations window will open:

[Screenshot: Entity name in OpenLM Synchronization]

This screen shows the Relations display for user U_A1. You can see the groups to which the U_A1 user belongs as well as the associated Synchronization name and the date of the last synchronization.

 

5.1 Resetting entity relationships

If you have configured certain entities to be ignored or you want to clear the entire synchronization buffer that holds the entity relationship data:

1. Go to EasyAdmin Start → Administration → Sync Definitions

2. Click Reset for the synchronization definition whose buffer you want to clear. Note: this will clear all relationship data that was generated by a synchronization, including any ignore flags you might have previously set. It does not affect actual user data.

 

6. Case studies

In order to demonstrate different methods of group synchronization, we have created the following Organizational Unit structure and enabled all users within it.

In this diagram:

  • Organizational Units (OUs) are marked by blue triangles;
  • Groups are marked by yellow circles;
  • Users are marked by small rectangles;
  • Bubbles mark nodes where users have been defined.

Three computers were defined in the organizational units OU_AB, OU_A and OU_B. They are marked by green stars and are named Comp-AB, Comp-A and Comp-B respectively.

OU_AA and OU_BB, together with their groups and users, were only configured for the later case studies (see below).

CASE 1A: SYNCHRONIZE USERS, SYNCHRONIZE COMPUTERS ONLY

Procedure:

OU_AB was selected as the start node.

Two parallel synchronization schemes were configured: for users and computers.

Group synchronization was not configured.

[Screenshot: Group synchronization in OpenLM Server]

Outcome:

All Users and Computers were synchronized. No Groups or OUs were synchronized.

Observed:

LDAP Entities window contains the LDAP users and computers:

[Screenshot: LDAP Entities window]

Active computers are displayed in Workstations window:

[Screenshot: OpenLM User Interface Workstations window]

 

CASE 1B: NO GROUPS

Procedure:

As in case 1A, OU_AB was selected as the start node. The same two synchronization schemes were configured: for Users and Computers. Group synchronization was opened and the No Groups radio button was selected.

Outcome:

Similar to the previous case, all Users and Computers were synchronized. No Groups or OUs were synchronized.

 

CASE 2: FLAT SYNCHRONIZATION

Procedure:

OU_AB was selected as the start node.

Users synchronization was configured to include all users under that start node.

Group synchronization was set to Flat – All users will become members of the same group, named… (1) and the name of the new group was typed in:

[Screenshot: Flat type OpenLM synchronization]

Outcome:

All users were synchronized and collected in MyFlatGroup group:

[Screenshot: LDAP entities synchronization]

To see the users in a group (MyFlatGroup, for example), go to Start → Users & Groups → Groups, choose the required group and click the Members button:

[Screenshot: Viewing groups in OpenLM User Interface]

The opened Users in MyFlatGroup window lists the users in that group:

[Screenshot: Users in groups of OpenLM synchronization]

 

CASE 3: HIERARCHICAL SYNCHRONIZATION: USERS, COMPUTERS, OUs AND GROUPS

Procedure:

OU_AB was selected as the start node.

Two parallel synchronization schemes were configured: for users and computers.

Hierarchical group synchronization was configured to include all: OUs, Security Groups and Distribution groups.

The hierarchical group search depth was set to ‘0’: Full tree.

[Screenshot: Synchronization in OpenLM Server]

Outcome:

All groups, OUs, users and computers beneath OU_AB were synchronized. The Hierarchical tree was preserved.

Observed:

OpenLM User Interface Entities and Relations’ windows displayed all LDAP entity information:

[Screenshot: OpenLM User Interface Entities and Relations]

In the Users & Groups menu, Groups submenu, OpenLM User Interface shows all groups in Tree or List view. Users are assigned as members of these groups. In the example below users U1, U2 and Guest are members of group MyFlatGroup 2:

[Screenshot: OpenLM User Interface users and groups]

 

CASE 4: HIERARCHICAL SYNCHRONIZATION – SEARCH DEPTH 2 (USERS) 2 (GROUPS)

Procedure:

OU_AB was selected as the start node.

Hierarchical group synchronization was configured to include all: OUs, Security Groups and Distribution groups. User search depth was set to 2. Groups search depth was set to 2:

[Screenshot: Hierarchical synchronization in OpenLM Server]

Outcome:

All OUs and groups in the uppermost entity and its immediate descendants were synchronized.

All users which were declared in the uppermost entity and its immediate descendants were synchronized.

Observed:

Users were properly grouped within these limitations:

[Screenshot: Hierarchical synchronization of groups in OpenLM User Interface]

 

CASE 5: HIERARCHICAL SYNCHRONIZATION – SEARCH DEPTH 2 (USERS) 1 (GROUPS)

Procedure:

OU_AB was selected as the start node.

Hierarchical group synchronization was configured to include all: OUs, Security Groups and Distribution groups.

User search depth was set to 2.

Groups search depth was set to 1.

Outcome:

Only the uppermost entity OU_AB was synchronized.

All users which were declared in the uppermost entity and its immediate descendants were synchronized.

Observed:

Group OU_A contains all the synchronized users that were set beneath it:

[Screenshot: Hierarchical synchronization of groups in OpenLM User Interface]

 

CASE 6: SYNCHRONIZE ONLY ACTIVE USERS

Procedure:

OU_AB was selected as the start node.

Hierarchical group synchronization was configured to include all: OUs, Security Groups and Distribution groups.

Depth of hierarchical group search was set to ‘0’: Full tree.

The “Sync only active users of licenses” box was checked, and user U_A1 logged into OpenLM in order to establish its status as an active user.

[Screenshot: Sync only active users of licenses in OpenLM Server]

Outcome:

All LDAP groups were introduced in the OpenLM database.

Only user U_A1 appears in the Users window. U_A1 was synchronized with LDAP, hence its attributes (First name, Last name, Department) are also displayed:

[Screenshot: Synchronization of groups in OpenLM User Interface]

 

CASE 7: SYNCHRONIZE ONLY USERS WITHIN SECURITY GROUPS

Reminder:

User U_B1 was grouped under G_B1 but was created in the Organizational Unit OU_AB.

Procedure:

OU_B was selected as the start node.

Users’ synchronization was configured to include only users within Security groups.

Group synchronization was not configured.

[Screenshot: Synchronize only users within security groups in OpenLM Server]

Outcome:

All users under OU_B node grouped under security groups were synchronized:

[Screenshot: Users in groups of OpenLM User Interface]

 

CASE 8: SYNCHRONIZE ONLY USERS WITHIN OUs

Procedure:

OU_B was selected as the start node.

Users’ synchronization was configured to include only users within OUs.

Group synchronization was not configured.

Reminder:

Users U_B1, U_AB2 and U_BB1 are members of groups under the OU_B organizational unit. However, only U_BB1 was included in OU_BB1, which resides under the start node OU_B.

Outcome:

Only user U_BB1 was synchronized.

 

CASE 9: ATTRIBUTES

Reminder:

Users U_A1 and U_B1 were defined with a “department” attribute set to “olm_drink”.

Users U_AA1 and U_BB1 were defined with a “department” attribute set to “olm_food” (see the LDAP diagram).

Procedure:

OU_AB was selected as the start node. The “Attribute” group synchronization method was selected, and the ‘Department’ attribute with the regular expression (‘Regex’) value olm_(.*) was configured in the LDAP configuration form. This regular expression creates a group for each department attribute that starts with olm_, i.e. food and drink.

[Screenshot: User attributes synchronization in OpenLM Server]

Outcome:

All Users in OU_AB were synchronized.

Users U_A1 & U_B1 are members of drink group.

Users U_AA1 & U_BB1 are members of food group.

[Screenshot: Synchronization output in OpenLM User Interface]
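The following script models the Search Depth, User’s Membership Filter and group-creation rules described in sections 3.4 and 3.6 over a constructed copy of the case-study tree, so that the outcomes of Cases 4, 7, 8 and 9 can be reproduced offline. It is an added illustration, not OpenLM code: the forest root DC=example,DC=com, the group G_BB1 holding U_BB1, the disabled extra account U_OLD and the reading of the Pattern field (the first capture group names the group) are assumptions, and the optional disabled-account check is the one the guide notes OpenLM does not perform itself.

```python
import re
from collections import defaultdict

ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled AD account

# Constructed directory snapshot modelled on the case-study tree of this guide:
# (DN, department attribute, memberOf DNs, userAccountControl). No real data.
BASE = "DC=example,DC=com"                    # assumption: placeholder forest root
OU_AB = "OU=OU_AB," + BASE
OU_A = "OU=OU_A," + OU_AB
OU_B = "OU=OU_B," + OU_AB
G_B1 = "CN=G_B1," + OU_B
G_BB1 = "CN=G_BB1,OU=OU_BB," + OU_B          # assumption: group holding U_BB1 under OU_B
USERS = [
    ("CN=U_AB1," + OU_AB, "sales", [], 0x200),
    ("CN=U_AB2," + OU_AB, "sales", [G_B1], 0x200),
    ("CN=U_B1," + OU_AB, "olm_drink", [G_B1], 0x200),    # created in OU_AB, grouped under G_B1
    ("CN=U_A1," + OU_A, "olm_drink", [], 0x200),
    ("CN=U_AA1,OU=OU_AA," + OU_A, "olm_food", [], 0x200),
    ("CN=U_BB1,OU=OU_BB," + OU_B, "olm_food", [G_BB1], 0x200),
    ("CN=U_OLD," + OU_A, None, [], 0x202),               # constructed extra: disabled account
]

def leaf(dn):
    """Value of the first RDN, e.g. 'U_A1' from 'CN=U_A1,OU=OU_A,...' (no escaped commas assumed)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def is_under(dn, start):
    return dn.lower().endswith("," + start.lower())

def container_depth(dn, start):
    """OU levels between the entry's container and the start node; 0 = created in the start node."""
    relative = dn[: -(len(start) + 1)]
    return len(relative.split(",")) - 1

def within_depth(dn, start, depth):
    # Search Depth semantics from the guide: 0 = full tree, 1 = start node only,
    # 2 = start node plus its 1st-level descendants, and so on.
    return depth == 0 or container_depth(dn, start) <= depth - 1

def select_users(users, start, membership="all", depth=0, skip_disabled=False):
    """Membership filter: 'ou' = created under the start node, 'security_group' = member of a
    group located under the start node, 'all' = either. skip_disabled is the added AD-status check."""
    picked = []
    for entry in users:
        dn, _dept, member_of, uac = entry
        if skip_disabled and uac & ACCOUNTDISABLE:
            continue
        in_ou = is_under(dn, start) and within_depth(dn, start, depth)
        in_group = any(is_under(g, start) and within_depth(g, start, depth) for g in member_of)
        if (membership == "ou" and in_ou) or (membership == "security_group" and in_group) \
                or (membership == "all" and (in_ou or in_group)):
            picked.append(entry)
    return picked

def names(entries):
    return {leaf(e[0]) for e in entries}

def group_by_ou(entries):
    """Hierarchical - OUs rule: each user lands in a group named after the OU it was created in."""
    groups = defaultdict(set)
    for dn, *_ in entries:
        groups[leaf(dn.split(",", 1)[1])].add(leaf(dn))
    return dict(groups)

def group_by_attribute(entries, pattern):
    """User Attribute rule with a Pattern: one group per distinct matching value; the first
    capture group names the group, so olm_(.*) yields 'drink' and 'food' as in Case 9 (assumed)."""
    rx = re.compile(pattern)
    groups = defaultdict(set)
    for dn, dept, *_ in entries:
        m = rx.fullmatch(dept or "")
        if m:
            groups[m.group(1) if m.groups() else m.group(0)].add(leaf(dn))
    return dict(groups)
```

Running `group_by_attribute(select_users(USERS, OU_AB), r"olm_(.*)")` reproduces the Case 9 groups, and `select_users(USERS, OU_B, "ou")` the single-user outcome of Case 8.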

 

CASE 10: USER CLEANUP

Procedure:

OU_B was selected as the start node.

All users under this node were synchronized.

Cleanup was applied.

OU_AB was selected as the start node and a 2nd phase of synchronization was applied.

[Screenshot: User cleanup in OpenLM Server]

Outcome:

Only users which were not included in the OU_B node remained.

Observed:

After Synchronizing OU_B, all users under that start node were present:

[Screenshot: Synchronization results in OpenLM User Interface]

Then cleanup was applied to users:

[Screenshot: Cleanup Manager settings in OpenLM User Interface]

And all the users were eliminated:

[Screenshot: List of users in LDAP entities]

After that – synchronization of OU_AB was applied. All entities from both synchronization processes appear in the LDAP Entities window but only OU_AB users that were not part of OU_B were synchronized and are displayed in the Users window.

In particular, U_AB2, which was a member of the first synchronization hierarchy, is omitted from the users’ list during the cleanup process and is not reinstated there after the 2nd synchronization.

[Screenshot: Users in LDAP entities]
