Active Directory / LDAP in the IGEL UMS
It can make sense to link the UMS Server to an existing Active Directory for two reasons:
You would like to import users from the AD as UMS administrator accounts.
You would like to use user profiles via IGEL Shared Workplace.
For both purposes, you first need to link the relevant Active Directories in the UMS Administration area under Global Configuration > Active Directory / LDAP. See also the how-to Configuring an AD Connection.
Menu path: UMS Administration > Global Configuration > Active Directory / LDAP
If you have user and group dependencies between different configured domains/subdomains, you might want to activate Include all configured AD domains for search and import of AD users / groups. This option activates the group search for a user within all configured domains. On activation, a confirmation dialog is shown.
If this option is activated, a user may gain additional permissions. This will be the case if
the user is in a group that has been discovered due to this option,
this group has been imported under System > Administrator accounts,
and permissions have been assigned to this group i.e. permissions the user would not have otherwise.
Please note that, due to the additional lookups, this option might have an impact on the performance in the following areas:
UMS login
Permission dialogs
Shared Workplace (SWP)
Add a new entry to the list of linked Active Directories by selecting Add (+).
Specify the Domain Name.
Enter the Domain Controller(s).
If the option Use LDAPS connection (see below) is activated, a fully qualified name of the domain controller must be entered, e.g. dc01.your.domain
To separate several domain controllers, a semicolon must be used.
Specify the Page Size.
The page size limits the number of hits (i.e. objects) in the Active Directory on the server side. The default value is "1000".
Activate Use LDAPS connection to secure the connection with the provided certificate.
The Port changes automatically to the default value "636".
Click Import SSL Certificate to configure the certificate and to verify the Certificate DN.
The Domain Controller name and the certificate must correspond, otherwise the connection to the LDAP server will fail. See https://igel-jira.atlassian.net/wiki/spaces/ENLITEUMSP/pages/74456192/Troubleshooting%3A+Problems+When+Configuring+an+Active+Directory+with+LDAP+over+SSL.
If more than one domain controller is used, the root certificate of the domain must be configured.
The supported certificate formats are .cer, .pem and .der.
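Because an LDAPS connection fails when the domain controller name and the certificate do not correspond, it is worth checking the match before importing the certificate into the UMS. The following shell script is an added example and not IGEL's own code: it takes the semicolon-separated Domain Controller(s) entry and a certificate file in .pem, .cer or .der format, converts DER input to PEM, and asks openssl whether each controller name is covered by the certificate's subject or subject alternative names. The controller names and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not IGEL UMS code): check that every domain controller in a
# semicolon-separated list is covered by the certificate that will be
# imported for the LDAPS connection. Only openssl is required, so the check
# runs offline against a certificate file.

# Print the certificate as PEM. Accepts PEM directly or DER (.cer/.der).
to_pem() {
  if openssl x509 -in "$1" -noout >/dev/null 2>&1; then
    cat "$1"
  else
    openssl x509 -inform DER -in "$1"
  fi
}

# dc_cert_check "dc01.your.domain;dc02.your.domain" /path/to/cert.pem
# Prints one line per controller and returns 0 only if every name matches.
dc_cert_check() {
  dcs=$1
  cert=$2
  rc=0
  pem=$(to_pem "$cert") || return 2
  old_ifs=$IFS
  IFS=';'
  for dc in $dcs; do
    dc=$(printf '%s' "$dc" | tr -d ' ')   # tolerate "dc01; dc02"
    [ -z "$dc" ] && continue
    # openssl reports "... does match certificate" or "... does NOT match ..."
    if printf '%s\n' "$pem" | openssl x509 -noout -checkhost "$dc" \
        | grep -q 'does match'; then
      echo "OK       $dc"
    else
      echo "MISMATCH $dc"
      rc=1
    fi
  done
  IFS=$old_ifs
  return $rc
}

# Stand-alone use: dc_cert_check.sh "dc01.your.domain;dc02.your.domain" cert.cer
[ "$#" -ge 2 ] && dc_cert_check "$1" "$2"
```

A MISMATCH line for a controller means the UMS connection to that controller will fail with the imported certificate; when several controllers are listed, this is the case where the domain's root certificate rather than a single controller certificate has to be configured.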
Enter valid user data under User name and Password.
For the user, the read permission is sufficient since no changes will be made to the AD data.
Specify aliases under UPN Suffix if they have been configured (semicolon separated list). Example:
domain.local;test.local
Click Test connection to check the connection.
Several Active Directories can be linked. Therefore, you should ensure that you provide the correct domain when logging in (e.g. to the UMS Console).
In this document, the terms "Active Directory" and "LDAP" are, to an extent, used interchangeably:
Administrative users / UMS administrators can be imported both from an AD and from LDAP.
Shared Workplace users can only authenticate against an Active Directory. An LDAP service cannot be used for this purpose.
Click Ok to save the changes.