Adding Users From LDAP

EPX can import users from an LDAP service, and subsequently provide authentication against this service. Once the users are imported from the LDAP service, the user data maintained in the EPX relational database schema is automatically kept in sync with the LDAP user population. If an organization already has centralized user management through LDAP, EPX should be able to utilize this already existing user information.

EPX runs in one of two modes: 1) normal mode, where all information is administered via the EPX administrator application, or 2) LDAP mode, where all user information is maintained using an LDAP server. EPX also supports the ability to query LDAP for specific user records, as well as to selectively import user data from LDAP.

When EPX is in LDAP mode, any change to the LDAP data will not require a separate change to the data by the administrator. No explicit action will be needed for the new information to become available to EPX servers that are running with that LDAP source. Also, any changes to the LDAP repository will go into effect just as they would when changing the EPX repository while running in normal mode.

Note: When EPX is running in LDAP mode, a system administrator cannot directly modify user information in the data repository.

To add users from LDAP:

  1. In the Navigator pane, right-click the name of the server that the users will be added to, and then click Open in the shortcut menu.
  2. In the Server editor, click the LDAP tab.
  3. Select the Enabled checkbox to enable LDAP, and then type the necessary server, port and search base information.
  4. Click OK to close the Server editor and save the changes.
  5. In the Navigator pane, right-click the Users folder, and then click New... in the shortcut menu.
  6. In the LDAP Search dialog, type in a search parameter if needed, click the Search button, and then click Enter to return a list of users. See the “Attributes Supported by LDAP Implementation” table in the following section; it lists the attributes that can be used as search parameters.
  7. To create EPX user accounts for any or all of the LDAP users returned, highlight those users’ LDAP names, and then click Create. The new user names are entered into the Users folder.

Note: Other than the system account, any EPX user accounts defined prior to enabling LDAP will not be accessible.

Attributes Supported by LDAP Implementation

Attributes   | LDAP implementation
------------ | -----------------------------------------------------
UserID       | EPX gets it from the UID attribute
First Name   | EPX gets it from the GIVENNAME attribute
Last Name    | EPX gets it from the SN attribute
Description  | EPX gets it from the DESCRIPTION attribute
Title        | EPX gets it from the TITLE attribute
Department   | EPX gets it from the OU attribute
E-mail       | EPX gets it from the EMAIL attribute
Phone        | EPX gets it from the TELEPHONENUMBER attribute
Fax          | EPX gets it from the FACSIMILETELEPHONENUMBER attribute

UserID, First Name, and Last Name are included in the General tab. The Advanced tab contains the Description, Title, Department, E-mail, Phone and Fax fields. Two attributes, Description and Fax, are not included as attributes in your LDAP search criteria; you can add them using the Custom tab, which is discussed in the following section. If you have other attributes that you want to include in your LDAP search criteria, you must also add them in the Custom tab.

Custom Attributes

The Custom tab allows you to enter additional search attributes, which you can edit or delete afterwards. To add a custom attribute, right-click the Custom tab table and select Add. Type in the attribute name and criteria, and then click OK. The attribute name you type must match an attribute that exists in your LDAP directory.

Click Search, and all matches will be displayed.
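The following is an added example, not EPX code or part of this documentation. It shows the two pieces of work behind the search and import described above: turning the attribute criteria from the General, Advanced and Custom tabs into an LDAP search filter, and mapping a returned directory entry onto the EPX fields using the attribute names from the table on this page. How EPX actually assembles its filter is not documented here; the example assumes the criteria are ANDed together and applies the RFC 4515 escaping rules (also not mentioned on the page) so that search text containing `*`, `(`, `)` or `\` cannot change the shape of the filter. The attribute-name check, the sample entry and the function names are the example's own.

```python
"""LDAP search-filter construction and attribute mapping for a user import.

Constructed example, not EPX code. EPX_LDAP_ATTRIBUTES follows the
"Attributes Supported by LDAP Implementation" table; the escaping follows
RFC 4515 (an assumption about how the dialog should build its filter).
"""
from __future__ import annotations

import re

# EPX field -> LDAP attribute, exactly as listed in the table on this page.
EPX_LDAP_ATTRIBUTES: dict[str, str] = {
    "UserID": "UID",
    "First Name": "GIVENNAME",
    "Last Name": "SN",
    "Description": "DESCRIPTION",
    "Title": "TITLE",
    "Department": "OU",
    "E-mail": "EMAIL",
    "Phone": "TELEPHONENUMBER",
    "Fax": "FACSIMILETELEPHONENUMBER",
}

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute descriptions are letters, digits and hyphens (RFC 4512 keystring).
_ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape one search value so it is matched literally, never parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(criteria: dict[str, str]) -> str:
    """AND together attribute=value assertions taken from the search tabs.

    Attribute names come from the administrator (Custom tab), so they are
    validated; values are escaped because they may be arbitrary search text.
    """
    if not criteria:
        return "(objectClass=*)"
    parts = []
    for attr, value in criteria.items():
        if not _ATTRIBUTE_NAME.match(attr):
            raise ValueError(f"invalid LDAP attribute name: {attr!r}")
        parts.append(f"({attr}={escape_filter_value(value)})")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def map_entry_to_epx_user(entry: dict[str, list[str]]) -> dict[str, str]:
    """Build an EPX user record from a directory entry.

    LDAP attribute names are case-insensitive, so the lookup lowercases both
    sides. Multi-valued attributes contribute their first value; an absent
    attribute yields an empty field. A missing UID cannot become an account.
    """
    lowered = {name.lower(): values for name, values in entry.items()}
    user: dict[str, str] = {}
    for field, attr in EPX_LDAP_ATTRIBUTES.items():
        values = lowered.get(attr.lower(), [])
        user[field] = values[0] if values else ""
    if not user["UserID"]:
        raise ValueError("entry has no UID attribute; cannot create an EPX account")
    return user


# Constructed sample entry, shaped like a decoded LDAP search result.
SAMPLE_ENTRY: dict[str, list[str]] = {
    "uid": ["jdoe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "ou": ["Engineering"],
    "title": ["Analyst"],
    "email": ["jdoe@example.com"],
    "telephoneNumber": ["+1 555 0100"],
}

if __name__ == "__main__":
    print(build_search_filter({"SN": "Doe", "OU": "Eng*"}))
    print(map_entry_to_epx_user(SAMPLE_ENTRY))
```

The point of the escaping is that the Custom tab accepts free text: a value such as `Eng*` is sent to the directory as the literal `Eng\2a`, so the search returns only users whose attribute really contains that string rather than everyone matching a wildcard.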

Synchronizing with LDAP

EPX can automatically or periodically synchronize its information with the LDAP server when LDAP is initially enabled. EPX also updates the repository with users defined in LDAP, replacing existing records with the LDAP versions.

To synchronize with the LDAP database, click the Sync Now button, which initiates a sync process. The button is enabled only when LDAP is enabled and configured. The sync process can be initiated irrespective of the synchronization setup (automatic, periodic or none), and it updates all user properties whether they have changed or not.

The Last Scheduled Synchronization field displays the date and time the last full synchronization was performed. It displays Never if no full synchronization has been performed. A full synchronization date and time is registered in the server when a manual or periodic synchronization is performed.

The Next Scheduled Synchronization field will display the date and time of the next scheduled full synchronization. This field will display a date and time only if the Periodic Synchronization option is selected. It will display Never if synchronization is disabled or the Automatic Synchronization option is selected.

Clicking the Reset button clears the last scheduled date and time field, which then displays Never.

After clicking on the Sync Now button, a dialog box will prompt the user when the sync process is complete.

If the synchronization process detects users who are in EPX but not in the LDAP server, the dialog lists these users; they must be created in the LDAP server before they can log in to EPX. You have the option to print the list out. The print-out includes the login ID, first name and last name of each user, and the date and time the synchronization occurred.
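The following is an added example, not EPX code, of the reconciliation a sync pass performs according to this section: every EPX record that LDAP also holds is replaced by the LDAP version whether or not it changed, and every EPX user that LDAP does not hold is reported with the login ID, first name, last name and sync time for the print-out. The page does not say that a sync creates accounts for LDAP users that EPX has not yet imported (that is done through the LDAP Search dialog), so the example leaves such users alone. The record shape, the `system` login ID standing in for the exempt system account, and the sample data are assumptions of the example.

```python
"""One LDAP synchronization pass over an EPX user repository.

Constructed example, not EPX code. Records are dicts keyed by EPX field
name; the repository is keyed by login ID (UserID).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Placeholder login ID for the system account the page exempts from LDAP.
SYSTEM_ACCOUNT = "system"


@dataclass
class SyncReport:
    performed_at: datetime
    repository: dict[str, dict[str, str]]
    updated: list[str] = field(default_factory=list)
    missing_from_ldap: list[dict[str, str]] = field(default_factory=list)

    def printout(self) -> str:
        """Text of the print-out offered by the completion dialog."""
        lines = [
            f"Synchronization performed: {self.performed_at.isoformat(timespec='seconds')}",
            "Users in EPX but not in LDAP (must be created in LDAP to log in):",
        ]
        for user in self.missing_from_ldap:
            lines.append(f"  {user['UserID']}  {user['First Name']}  {user['Last Name']}")
        return "\n".join(lines)


def synchronize(
    epx_users: dict[str, dict[str, str]],
    ldap_users: dict[str, dict[str, str]],
    system_account: str = SYSTEM_ACCOUNT,
    now: datetime | None = None,
) -> SyncReport:
    """Replace EPX records with their LDAP versions and report users LDAP lacks.

    The input repository is not modified; the new state is returned in the
    report so a caller can inspect or commit it. The system account is never
    compared against LDAP.
    """
    report = SyncReport(performed_at=now or datetime.now(timezone.utc), repository={})
    for login_id in sorted(epx_users):
        current = epx_users[login_id]
        if login_id == system_account:
            report.repository[login_id] = dict(current)
            continue
        ldap_record = ldap_users.get(login_id)
        if ldap_record is None:
            # Still an EPX account, but it cannot authenticate until LDAP has it.
            report.repository[login_id] = dict(current)
            report.missing_from_ldap.append({
                "UserID": login_id,
                "First Name": current.get("First Name", ""),
                "Last Name": current.get("Last Name", ""),
            })
            continue
        # Unconditional replacement: every property is taken from LDAP.
        report.repository[login_id] = dict(ldap_record)
        report.updated.append(login_id)
    return report


# Constructed sample data: one user in both, one only in EPX, one only in LDAP.
EPX_USERS = {
    "system": {"UserID": "system", "First Name": "System", "Last Name": "Account"},
    "jdoe": {"UserID": "jdoe", "First Name": "Jane", "Last Name": "Doe", "Title": "Analyst"},
    "asmith": {"UserID": "asmith", "First Name": "Al", "Last Name": "Smith", "Title": "Contractor"},
}
LDAP_USERS = {
    "jdoe": {"UserID": "jdoe", "First Name": "Jane", "Last Name": "Doe", "Title": "Senior Analyst"},
    "bwong": {"UserID": "bwong", "First Name": "Bo", "Last Name": "Wong", "Title": "Engineer"},
}
SAMPLE_SYNC_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(synchronize(EPX_USERS, LDAP_USERS, now=SAMPLE_SYNC_TIME).printout())
```

Returning the new repository instead of mutating the old one keeps the pass idempotent and easy to test; running it twice with the same LDAP result produces the same state and the same list of users that LDAP lacks.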