Connecting LDAP login

Connect teamspace/projectfacts to an LDAP/Active Directory server: determine the DNs, adjust the web.xml, understand the LDAP parameters and assign users.

Prerequisites

  • A running teamspace installation
  • Access to the LDAP/Active Directory server
  • For LDAP over SSL: the LDAP certificate in the Java truststore (see Additional server configurations)

You can handle the login to teamspace/projectfacts through an LDAP server (e.g. Active Directory). This guide shows how to determine the necessary DNs, adjust the web.xml and set the parameters.

LDAP over SSL: If you use an encrypted LDAP connection, the LDAP certificate must first be imported into the Java truststore. This is described in the section “Importing an SSL certificate into the Java truststore” in Additional server configurations.

Determining the DNs and host names

Connect to the LDAP server and determine the values at the Windows command prompt (cmd):

  • User Base DN: dsquery user -name <username used>
  • Group Base DN: dsquery group -name <group name>
  • LDAP host name: set L (lists the environment variables beginning with L, among them LOGONSERVER)

Adjust web.xml

In the web.xml, the LDAP connection is commented out. Uncomment the block and adjust the marked areas. If the block is not present, add it.

Figure: the LDAP block in the web.xml with the parameters to be adjusted (ldap.host, ldap.userBaseDN, ldap.groupDN and the others highlighted).
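The screenshot is the only place the page shows the block, so here is a complete LDAP block as an added example; it is not the product's own web.xml. The <context-param> layout is an assumption, the parameter names are those from the parameter reference, and every value (host, DNs, group, service account, tenant ID) is a placeholder to replace with the DNs determined above. Note that the `&` of an LDAP AND filter must be written as `&amp;` inside XML, otherwise the file no longer parses.

```xml
<!-- Added example of the LDAP block for web.xml (placeholders, not the shipped file).
     Layout assumed: one <context-param> per setting. -->
<context-param>
  <param-name>app.authBackend</param-name>
  <param-value>ldap</param-value>
</context-param>
<context-param>
  <param-name>app.defaultMandant</param-name>
  <param-value>1</param-value>                      <!-- your tenant ID -->
</context-param>
<context-param>
  <param-name>ldap.host</param-name>
  <param-value>ldaps://dc01.example.internal:636</param-value>  <!-- ldaps needs the cert in the truststore -->
</context-param>
<context-param>
  <param-name>ldap.authMethod</param-name>
  <param-value>simple</param-value>
</context-param>
<context-param>
  <param-name>ldap.allowOfflineLogin</param-name>
  <param-value>24</param-value>                     <!-- hours -->
</context-param>
<context-param>
  <param-name>ldap.userBaseDN</param-name>
  <param-value>OU=Users,DC=example,DC=internal</param-value>
</context-param>
<context-param>
  <param-name>ldap.groupDN</param-name>
  <param-value>CN=teamspace-users,OU=Groups,DC=example,DC=internal</param-value>
</context-param>
<context-param>
  <param-name>ldap.principalPattern</param-name>
  <param-value>{0}@example.internal</param-value>
</context-param>
<context-param>
  <param-name>ldap.userUID</param-name>
  <param-value>sAMAccountName</param-value>
</context-param>
<context-param>
  <param-name>ldap.userGUID</param-name>
  <param-value>objectGUID</param-value>
</context-param>
<context-param>
  <param-name>ldap.userSearch</param-name>
  <!-- {0} is replaced by the login name; "&" must be escaped as "&amp;" -->
  <param-value>(&amp;(objectClass=user)(sAMAccountName={0}))</param-value>
</context-param>
<context-param>
  <param-name>ldap.searchUserDN</param-name>
  <param-value>CN=svc-teamspace-ldap,OU=Service Accounts,DC=example,DC=internal</param-value>
</context-param>
<context-param>
  <param-name>ldap.searchUserPw</param-name>
  <param-value>CHANGE-ME</param-value>              <!-- dedicated read-only search account -->
</context-param>
```

Use a dedicated service account with read access only for ldap.searchUserDN; its password sits in cleartext in the web.xml, so restrict file permissions on the server accordingly.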

Parameter reference for LDAP

  • app.authMethod: Can be set to “basic” if you want to use Basic Authentication instead of a form for the login.
  • app.authBackend: For the LDAP connection, “ldap” must be entered here.
  • app.defaultMandant: The ID of the tenant.
  • ldap.host: The full URL to the LDAP server (e.g. ldap://127.0.0.1:389).
  • ldap.authMethod: “none”, “simple” or a sasl_mech list (see the Oracle JNDI documentation).
  • ldap.allowOfflineLogin: How long you may still log in after the last successful LDAP login if the LDAP is unreachable (value in hours).
  • ldap.userBaseDN: The DN in which users are searched for.
  • ldap.groupDN: The DN of the group a user must belong to in order to be allowed to log in.
  • ldap.principalPattern: Determines whether and how the “raw” login name is reformatted into a principal (e.g. {0}@5p).
  • ldap.userUID: The attribute that uniquely identifies the user (the login name). With AD, usually sAMAccountName.
  • ldap.userGUID: The attribute that globally and uniquely identifies the user and stays the same even when renaming/moving. With AD, the objectGUID.
  • ldap.userSearch: The search filter used to find a user. The placeholder for the username is {0}.
  • ldap.searchUserDN: The DN of a user who is allowed to search for users in the LDAP.
  • ldap.searchUserPw: The password for the search user.
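Most LDAP login failures come from a value in this table that is malformed rather than from the directory itself. The following pre-flight check is an added example, not part of teamspace/projectfacts: it reads the <context-param> entries of a web.xml (that layout is an assumption), validates the parameters listed above, and flags the settings that would break the login or weaken it (cleartext ldap:// with a simple bind, a ldap.userSearch without the {0} placeholder, a non-numeric ldap.allowOfflineLogin, a placeholder search-user password). The hostnames, DNs and group names in the two sample configurations are constructed.

```python
"""Pre-flight check of the LDAP block in web.xml (added example, not product code).
The <context-param> layout is an assumption; the parameter names are those of the
parameter reference."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

REQUIRED = ("app.authBackend", "ldap.host", "ldap.authMethod", "ldap.userBaseDN",
            "ldap.userUID", "ldap.userSearch", "ldap.searchUserDN", "ldap.searchUserPw")
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")   # loose RDN=value,... shape
PLACEHOLDER_PASSWORDS = {"CHANGE-ME", "PASSWORD", "SECRET"}


def render_context_params(params: dict) -> str:
    """Render a dict as <context-param> entries inside a minimal web.xml.
    escape() turns the '&' of an LDAP AND filter into '&amp;', which the file
    needs in order to stay well-formed XML."""
    body = "".join(
        f"  <context-param><param-name>{escape(k)}</param-name>"
        f"<param-value>{escape(v)}</param-value></context-param>\n"
        for k, v in params.items())
    return ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">\n'
            f"{body}</web-app>\n")


def read_params(web_xml: str) -> dict:
    """Collect param-name -> param-value from every <context-param>; the XML
    namespace prefix that web.xml tags carry is stripped before comparing."""
    params = {}
    for elem in ET.fromstring(web_xml).iter():
        if elem.tag.split("}")[-1] != "context-param":
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in elem}
        if fields.get("param-name"):
            params[fields["param-name"]] = fields.get("param-value", "")
    return params


def check_ldap_params(params: dict) -> list:
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    for key in REQUIRED:
        if not params.get(key):
            findings.append(("error", f"{key} is missing or empty"))
    if params.get("app.authBackend") != "ldap":
        findings.append(("error", "app.authBackend must be 'ldap' for LDAP login"))
    url = urlsplit(params.get("ldap.host", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        findings.append(("error", "ldap.host must be a full URL such as ldap://127.0.0.1:389"))
    elif url.scheme == "ldap" and params.get("ldap.authMethod") == "simple":
        findings.append(("warning", "simple bind over ldap:// sends the search user's "
                         "password in cleartext; use ldaps:// instead"))
    elif url.scheme == "ldaps":
        findings.append(("info", "ldaps:// in use: the LDAP certificate must be in the Java truststore"))
    offline = params.get("ldap.allowOfflineLogin")
    if offline is not None and not offline.isdigit():
        findings.append(("error", "ldap.allowOfflineLogin must be a whole number of hours"))
    for key in ("ldap.userBaseDN", "ldap.groupDN", "ldap.searchUserDN"):
        if params.get(key) and not DN_RE.match(params[key]):
            findings.append(("error", f"{key} does not look like a DN: {params[key]!r}"))
    search = params.get("ldap.userSearch", "")
    if search and "{0}" not in search:
        findings.append(("error", "ldap.userSearch lacks the {0} placeholder, so the login name is ignored"))
    if search.count("(") != search.count(")"):
        findings.append(("error", "ldap.userSearch has unbalanced parentheses"))
    if params.get("ldap.searchUserPw", "").upper() in PLACEHOLDER_PASSWORDS:
        findings.append(("warning", "ldap.searchUserPw still holds a placeholder value"))
    return findings


# Constructed sample settings: hosts, DNs, group and account names are invented.
WEAK = {
    "app.authBackend": "ldap",
    "ldap.host": "ldap://127.0.0.1:389",          # cleartext connection
    "ldap.authMethod": "simple",
    "ldap.allowOfflineLogin": "forever",           # not a number of hours
    "ldap.userBaseDN": "OU=Users,DC=example,DC=internal",
    "ldap.userUID": "sAMAccountName",
    "ldap.userSearch": "(&(objectClass=user)(sAMAccountName=jdoe))",   # no {0}
    "ldap.searchUserDN": "CN=svc-ldap,OU=Service Accounts,DC=example,DC=internal",
    "ldap.searchUserPw": "CHANGE-ME",
}
HARDENED = {**WEAK,
            "ldap.host": "ldaps://dc01.example.internal:636",
            "ldap.allowOfflineLogin": "24",
            "ldap.groupDN": "CN=teamspace-users,OU=Groups,DC=example,DC=internal",
            "ldap.userSearch": "(&(objectClass=user)(sAMAccountName={0}))",
            "ldap.searchUserPw": "s3cret-example"}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for severity, message in check_ldap_params(read_params(render_context_params(cfg))):
            print(f"{severity:8} {message}")
```

To check a real installation, replace `render_context_params(cfg)` with the contents of the deployed web.xml; the weak sample yields two errors and two warnings, the hardened one only the truststore reminder for ldaps://.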

Assigning LDAP users

In the teamspace tenant, map the LDAP users to the teamspace users:

Figure: dialog for assigning LDAP users to the teamspace users.

Common questions & needs

  • Replace the form login with Basic Auth: set app.authMethod to “basic”.
  • Login should still work briefly if LDAP fails: set ldap.allowOfflineLogin (in hours).
  • Allow only members of a specific group: define the group through ldap.groupDN.
  • Connect LDAP over SSL: import the certificate into the Java truststore first (see Additional server configurations).