Retrieve Users from LDAP Directory to Axon
Axon can connect to the LDAP directory in your organization, retrieve users, assign them user profiles, and display them in the Axon interface. You do not need to manually create users. Axon automatically creates the users after it connects to the LDAP server.
You can configure Axon to retrieve users from a specific domain in the LDAP directory. You can also search for users that match certain criteria within the domain that you specify, and assign them specific user profiles. After the users from the LDAP directory are created, users can log in to Axon using their email addresses and passwords that are configured in the LDAP directory.
Example
You want to retrieve users from the LDAP directory and assign them user profiles according to the following search criteria:
- You want to assign the WebUser profile to all users that match the following search criteria:
  `(&(ou=allUserGroup)(sAMAccountName=*)(objectclass=user))`
  To assign the WebUser profile to LDAP users, enter the search criteria in the WebUser Search Filter field in the LDAP Server configuration page of the Admin Panel.
- You want to assign the Admin profile to all users that match the following search criteria:
  `(&(ou=adminUserGroup)(sAMAccountName=*)(objectclass=user))`
  To assign the Admin profile to LDAP users, enter the search criteria in the Admin Search Filter field in the LDAP Server configuration page of the Admin Panel.
- You want to assign the SuperAdmin profile to all users that match the following search criteria:
  `(&(ou=superAdminUserGroup)(sAMAccountName=*)(objectclass=user))`
  To assign the SuperAdmin profile to LDAP users, enter the search criteria in the SuperAdmin Search Filter field in the LDAP Server configuration page of the Admin Panel.
To specify the search criteria for LDAP users, refer to Configure Access to the LDAP Server.
LDAP Users and Axon Objects
Axon creates new users or modifies the existing users when it retrieves users from the LDAP directory.
Axon creates or modifies users based on the following criteria:
- If new users are retrieved from the LDAP directory, Axon creates People objects and assigns to them the user profile that you configure in the Admin Panel.
- If users belong to organizational units in the LDAP directory, Axon assigns them to the matching Org Unit objects.
- If users are deleted from the LDAP directory, the Axon Status field of those users is marked as Deleted in the Axon interface.
- If the Axon Status value of a user is Deleted, and the user is retrieved from the LDAP directory, the Axon Status value of the user changes from Deleted to Active in the Axon interface.
- To retrieve users and create People objects in Axon, the users in the LDAP directory must have valid entries for the following fields:
  - First Name
  - Last Name
  - Distinguished Name
  - Email
  If the entry for any of these fields is invalid or blank, Axon does not create the users.
- If users in the LDAP directory are modified, these users are updated in Axon. Axon updates the following fields:
  - User First Name
  - User Last Name
  - Function Name
  - Function Description
  - Org Unit Name
  - Office Location
  - Internal Mail Code
  - Office Telephone
  - Mobile Phone
- The following fields in Axon are read-only for users retrieved from the LDAP directory:
  - Email
  - Password
  - LAN ID
- If the search retrieves LDAP users that match the filters for multiple user profiles, the profile with the greater privileges applies to the user. For example, if the search in the LDAP directory retrieves a user that must be assigned the WebUser and Admin profiles, Axon assigns the Admin profile to the user.
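The following is an added example, not Axon's own code: a small evaluator for LDAP search filters of the kind shown above (RFC 4515 syntax, limited to `&`, `|`, `!`, equality, presence and simple `*` substrings; escaped characters are not handled). It is run over constructed directory entries to show which profile each user would receive under the "greater privileges win" rule, and which entries would be skipped because a required field is blank. The attribute names `givenName`, `sn`, `distinguishedName` and `mail` are an assumed mapping for the four required Axon fields, and the sample entries are constructed, not real directory data.

```python
import re

# Profile precedence, lowest to highest privilege.
PROFILE_RANK = {"WebUser": 0, "Admin": 1, "SuperAdmin": 2}

# The three search filters from the example above, keyed by the profile they grant.
PROFILE_FILTERS = {
    "WebUser": "(&(ou=allUserGroup)(sAMAccountName=*)(objectclass=user))",
    "Admin": "(&(ou=adminUserGroup)(sAMAccountName=*)(objectclass=user))",
    "SuperAdmin": "(&(ou=superAdminUserGroup)(sAMAccountName=*)(objectclass=user))",
}

# Attributes that must be non-blank before a People object is created
# (first name, last name, distinguished name, email). Assumed attribute mapping.
REQUIRED_ATTRS = ("givenname", "sn", "distinguishedname", "mail")


def parse_filter(text):
    """Parse a filter string into a nested tuple tree; raise ValueError on bad syntax."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data at offset {end}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        return (op, kids), i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated filter item")
    attr, eq, value = s[i:j].partition("=")
    if not attr or eq != "=":
        raise ValueError(f"unsupported filter item {s[i:j]!r}")
    return ("=", attr.strip().lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry shaped {lower-case attr: [values]}."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence test
        return bool(values)
    # Equality or substring: '*' is a wildcard; matching is case-insensitive, as in AD.
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in values)


def normalize(raw):
    """Lower-case attribute names and force every value into a list."""
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in raw.items()}


def assign_profile(entry):
    """Highest-privilege profile whose filter the entry matches, or None."""
    granted = [p for p, f in PROFILE_FILTERS.items() if matches(parse_filter(f), entry)]
    return max(granted, key=PROFILE_RANK.__getitem__) if granted else None


def missing_required(entry):
    return [a for a in REQUIRED_ATTRS if not any(v.strip() for v in entry.get(a, []))]


def plan_sync(directory):
    """Return {dn: ("create", profile) or ("skip", reason)} for each raw entry."""
    plan = {}
    for raw in directory:
        entry = normalize(raw)
        dn = entry.get("distinguishedname", ["<no dn>"])[0]
        missing = missing_required(entry)
        if missing:
            plan[dn] = ("skip", "blank required attributes: " + ", ".join(missing))
            continue
        profile = assign_profile(entry)
        plan[dn] = ("create", profile) if profile else ("skip", "matches no profile filter")
    return plan


def _entry(cn, ous, mail=None, classes=("top", "person", "user")):
    """Build a constructed sample entry (not real directory data)."""
    return {"distinguishedName": f"CN={cn},DC=example,DC=com", "givenName": cn.title(),
            "sn": "Sample", "mail": f"{cn}@example.com" if mail is None else mail,
            "sAMAccountName": cn, "objectClass": list(classes), "ou": list(ous)}


SAMPLE_DIRECTORY = [
    _entry("alice", ["allUserGroup"]),                               # WebUser only
    _entry("bob", ["allUserGroup", "adminUserGroup"]),               # Admin outranks WebUser
    _entry("carol", ["superAdminUserGroup"]),                        # SuperAdmin
    _entry("dave", ["allUserGroup"], mail=""),                       # blank email: skipped
    _entry("srv01", ["allUserGroup"], classes=("top", "computer")),  # not a user object
]

if __name__ == "__main__":
    for dn, outcome in plan_sync(SAMPLE_DIRECTORY).items():
        print(f"{dn}: {outcome}")
```

Running the block prints one line per entry; `bob` comes out as `("create", "Admin")` because the Admin filter outranks the WebUser filter he also matches, and `dave` is skipped with the blank attribute named. Running the three configured filters through a check like this before the first synchronization is a cheap way to see how many accounts would land in Admin or SuperAdmin.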
Configure the Linux System to Connect to an SSL-Enabled LDAP Server
If the LDAP server in your organization requires SSL authentication, you must create a keystore on your Linux system, which serves as the truststore, and import the SSL certificate into it before you configure the LDAP server. Axon uses the SSL certificate from the keystore to access the LDAP server.
1. Run the following command to create a keystore in the Linux system:
   ```shell
   <INSTALLATION_DIR>/axonhome/java/jre/bin/keytool -keystore clientkeystore -genkey -alias ldapClient
   ```
2. Enter the password to access the keystore. Enter the password again to confirm.
3. Enter the following details about your user profile to create the keystore:
   - First and last name
   - Organizational unit
   - Organization name
   - City or locality
   - State or province
   - 2-letter country code
   When the console prompts you to confirm your user profile details, type Yes.
4. Enter the password to access the LDAP client. Type the password that you entered in Step 2.
5. Run the following command to import the SSL certificate of the LDAP server into the keystore:
   ```shell
   <INSTALLATION_DIR>/axonhome/java/jre/bin/keytool -importkeystore -srckeystore /<full_path_to_SSL_certificate_file> -srcstoretype pkcs12 -destkeystore /<location_of_SSL_certificate>/clientkeystore -deststoretype JKS
   ```
   Note: The SSL certificate file must be in the PFX format.
6. Enter the password of the destination keystore. This is the keystore that you created in Step 1. Type the password that you entered in Step 2.
7. Enter the password of the source keystore. This is the password of the SSL certificate.
The console displays the status of the SSL file import.
Configure Access to the LDAP Server
Configure Axon to connect to the LDAP server in your organization and retrieve users based on the criteria that you specify.
You must have the SuperAdmin profile to perform the task. You must enter the following types of parameters:
- Details of the LDAP server.
- Fields in the LDAP directory that represent fields in Axon for the People objects.
1. From the Axon toolbar, click the Admin Panel menu item under your user name.
2. In the menu on the left, under the Customize & Configure category, click System Settings.
3. In the Group list, select LDAP Server.
4. Click Edit, and configure the following properties:
Property | Description
---|---
Host | Required. LDAP host name or IP address. If LDAP is configured with SSL authentication, enter the LDAP host name. |
Port | Required. Port number of the LDAP server. |
Principal Username | Required. Distinguished Name of the LDAP administrator. For example, enter the Distinguished Name (dn) value as cn=Administrator, cn=users. |
Password | Required. Password to log in to the LDAP server. |
SSL Enabled | Optional. Select this option if the LDAP server requires SSL authentication. |
Search Base | Required. Point in the hierarchy of root objects from where Axon starts the user search. For example, enter the search base as cn=users, dc=PAADS, dc=com. |
User Search Filter | Optional. Search criteria to retrieve users. Axon retrieves the users and assigns the profile that you specify in the Profile field. For example, enter the search filter (&(sAMAccountName=*)(objectclass=user)) to search for all entries that match the object class user. |
User First Name | Required. Attribute of an LDAP user that represents the first name of the Axon user. |
User Last Name | Required. Attribute of an LDAP user that represents the last name of the Axon user. |
Distinguished Name (dn) | Required. Attribute that represents the Distinguished Name (dn) of an LDAP user. |
User Email | Required. Attribute of an LDAP user that represents the email address of the Axon user. |
Function Name | Optional. Attribute of an LDAP user that represents the function of the Axon user. |
Function Description | Optional. Attribute of an LDAP user that represents the function description of the Axon user. |
Office Location | Optional. Attribute of an LDAP user that represents the office location of the Axon user. |
Internal Mail Code | Optional. Attribute of an LDAP user that represents the internal mail code of the Axon user. |
Office Telephone | Optional. Attribute of an LDAP user that represents the office telephone number of the Axon user. |
Mobile Phone | Optional. Attribute of an LDAP user that represents the mobile phone number of the Axon user. |
Org Unit Name | Optional. Attribute of an LDAP user that represents the organizational unit name of the Axon user. |
Default Org Unit Ref | Optional. Reference number of the default organization unit that Axon assigns to all users. |
Org Unit Status | Required. Default status that Axon assigns to all the organization units retrieved from the LDAP directory. |
Profile | Optional. Default user profile that Axon assigns to all the users retrieved from the search criteria that you specify in the User Search Filter field. |
Employment Type | Required. Default employment type that Axon assigns to all the users retrieved from the LDAP directory. |
Lifecycle | Required. Default lifecycle that Axon assigns to all the users retrieved from the LDAP directory. |
Axon Super Admin Email | Required. Email address of the Axon SuperAdmin that administers the users retrieved from the LDAP directory. Note: You must change the default admin@informatica.com value and enter a relevant SuperAdmin email address. |
LDAP SSL Certificate File | Path to the SSL certificate in Linux that authenticates the LDAP server. Enter this value if the LDAP server requires SSL authentication. Note: The SSL certificate file must be in the PEM format. |
Trust Store for LDAP Synchronization | Path to the truststore in Linux that contains the SSL certificate. Enter this value if the LDAP server requires SSL authentication. |
Trust Store Password for LDAP Synchronization | Password of the truststore in Linux that contains the SSL certificate. Enter this value if the LDAP server requires SSL authentication. |
WebUser Search Filter | Search criteria to retrieve users that need to have the WebUser profile in Axon. For example, enter the search filter (&(sAMAccountName=*)(objectclass=user)) to search for all entries that match the object class user. |
Admin Search Filter | Optional. Search criteria to retrieve users that need to have the Admin profile in Axon. |
SuperAdmin Search Filter | Optional. Search criteria to retrieve users that need to have the SuperAdmin profile in Axon. |
Update Axon User Profiles with LDAP | Optional. Select this option if you want to automatically update the existing user profiles in Axon to match the user privileges in the LDAP directory. The update happens when you manually run a synchronization job from the Admin Panel to retrieve users or when Axon uses a scheduled job to synchronize the users. |
5. Click Save.
6. In the Linux environment, run the following command to clear the Axon cache and restart the necessary services:
   ```shell
   sh <INSTALLATION_DIR>/axonhome/third-party-app/scripts/paramsync
   ```
When you run the paramsync script, Axon restarts the HTTPD, Memcached, and email notification services.
Note: When you clear the cache and restart the Axon services, the Axon web interface might be disrupted for some users that are logged into Axon. Informatica recommends that you update the cache after you save your changes in all the System Settings pages. Additionally, perform this action during a maintenance period when very few users are using Axon.
Retrieve Users from the LDAP Directory
After you configure Axon to connect to the LDAP server, you must initiate the process to retrieve the users from the LDAP directory and create People objects in Axon.
You can manually retrieve the users from the LDAP directory, or you can create a job that automatically retrieves the users based on the schedule that you specify.
Manually retrieve users from the LDAP directory
You can run a synchronization job from the Admin Panel to retrieve users from the LDAP directory.
1. From the Axon toolbar, click the Admin Panel menu item under your user name.
2. In the menu on the left of the page, under the Operational Management category, click Administrator's Panel.
3. Select Synchronize With LDAP Server on the left panel, and then click the Run button.
The page displays the status of the synchronization job.
Schedule a job to retrieve users from the LDAP directory
You can create a time-based job scheduler to retrieve users from the LDAP directory. To retrieve users according to schedule, Axon uses the following files:
- The script file sync_ldap.sh in the <INSTALLATION_DIR>/axonhome/axon_ldap_synchronizer/scripts directory executes the job to retrieve users according to the schedule you define.
- The axon.jobs file in the <INSTALLATION_DIR>/axonhome/axon_scheduler directory specifies the schedule to run the sync_ldap.sh script file.
At the time scheduled in the axon.jobs file, Axon runs the sync_ldap.sh script and retrieves the users from the LDAP directory.
Perform the following tasks to define the job schedule:
1. Go to the <INSTALLATION_DIR>/axonhome/axon_scheduler directory and open the axon.jobs file.
2. Configure the following properties to schedule the job:
   Property | Description
   ---|---
   name | Job name |
   cmd | Enter the following path to the script file: <INSTALLATION_DIR>/axonhome/axon_ldap_synchronizer/scripts/sync_ldap.sh |
   time | Specify the daily, weekly, or monthly job schedule. The six asterisks * * * * * * represent <second> <minute> <hour> <date> <month> <day_of_the_week>. For example, to run the job at 2:00 p.m. every day, enter the following value: 0 0 14 * * * |
   onError | Enter Stop. |
3. Save your changes.
4. If you make changes to the axon.jobs file, you must reload the Jobber schedule settings. Run the following command to reload the settings:
   ```shell
   <INSTALLATION_DIR>/axonhome/third-party-app/scripts/jobber reload
   ```
Note: You must have the write permission in the <INSTALLATION_DIR> directory for the Jobber utility to run the script file.
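The following is an added example, not Axon's or Jobber's code: a checker for the six-field `time` value of an axon.jobs entry, to run before reloading the scheduler. It parses the fields in the order the table above gives, `<second> <minute> <hour> <date> <month> <day_of_the_week>`, rejects the classic five-field cron form (the usual mistake), and lists the wall-clock times on a given date at which the job would fire. The value ranges and the numbering of `day_of_the_week` (0 = Sunday) are assumptions, not something the page states.

```python
import datetime as dt

# Field order from the axon.jobs table; the ranges and Sunday=0 numbering are assumed.
FIELDS = (("second", 0, 59), ("minute", 0, 59), ("hour", 0, 23),
          ("date", 1, 31), ("month", 1, 12), ("day_of_the_week", 0, 6))


def parse_field(name, spec, lo, hi):
    """Expand one field ('*', N, A-B, or a comma list of those) into a set of ints."""
    allowed = set()
    for part in spec.split(","):
        if part == "*":
            allowed.update(range(lo, hi + 1))
            continue
        a, _, b = part.partition("-")
        try:
            start, end = int(a), int(b or a)
        except ValueError:
            raise ValueError(f"{name}: {part!r} is not a number or range") from None
        if not lo <= start <= end <= hi:
            raise ValueError(f"{name}: {part!r} is outside {lo}-{hi}")
        allowed.update(range(start, end + 1))
    return allowed


def parse_time_spec(spec):
    """Parse a whole `time` value into a tuple of six allowed-value sets."""
    parts = spec.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {spec!r}")
    return tuple(parse_field(name, part, lo, hi)
                 for part, (name, lo, hi) in zip(parts, FIELDS))


def _weekday(d):
    """Convert Python's Monday=0 weekday to the assumed Sunday=0 numbering."""
    return (d.weekday() + 1) % 7


def fires_at(parsed, iso_timestamp):
    """True if a job with this schedule fires at the 'YYYY-MM-DDTHH:MM:SS' instant."""
    t = dt.datetime.fromisoformat(iso_timestamp)
    actual = (t.second, t.minute, t.hour, t.day, t.month, _weekday(t))
    return all(v in allowed for v, allowed in zip(actual, parsed))


def runs_on(parsed, iso_date):
    """All firing times on one 'YYYY-MM-DD' date, as ISO strings in order."""
    d = dt.date.fromisoformat(iso_date)
    seconds, minutes, hours, days, months, weekdays = parsed
    if d.day not in days or d.month not in months or _weekday(d) not in weekdays:
        return []
    return [dt.datetime(d.year, d.month, d.day, h, m, s).isoformat()
            for h in sorted(hours) for m in sorted(minutes) for s in sorted(seconds)]


if __name__ == "__main__":
    # The value from the table above: 2:00 p.m. every day.
    daily = parse_time_spec("0 0 14 * * *")
    print(runs_on(daily, "2024-03-05"))  # ['2024-03-05T14:00:00']
    # A five-field cron value is the usual mistake; it is rejected before any reload.
    try:
        parse_time_spec("0 14 * * *")
    except ValueError as exc:
        print("rejected:", exc)
```

A schedule that is accidentally written with five fields shifts every value one position to the left, so a job meant for 14:00 would be read as minute 14 of every hour; checking the value this way before `jobber reload` avoids that class of error.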
Check Status of Users Retrieved
Axon uses the bulk upload service to create or update the user profiles that it retrieves from the LDAP directory.
To see the status of the users that Axon creates or modifies, click the My Account menu item under your user name, and select My Jobs. If you are the SuperAdmin recorded in the Axon Super Admin Email field of the Admin Panel, you can view the status in the My Jobs section.