This page describes the administration of the LDAP Connector.
When using the LDAP Connector, users are usually automatically synchronized with OpenCms when they log in. So you do not usually need to manually synchronize them, unless you want to set up permissions for these users or groups in advance.
The LDAP Connector extends the account management app in the launchpad with new functionality, which is recognizable by the letters "EE" (enterprise extensions) overlaid over its icon:
When you click on it, you will see the account management app:
Note that the users and groups synchronized from LDAP are always shown separately from the "normal" OpenCms users and groups; they are never mixed together. For each organizational unit, the tree on the left has the additional entries "Groups (LDAP)" and "Users (LDAP)", which allows you to show the groups or users for that organizational unit.
Synchronized LDAP users and groups can be managed like other users and groups, but with some restrictions. For example, LDAP users' attributes are not editable, unless they are specifically configured as editable in the ocee-ldap.xml configuration. Also, LDAP users' membership in LDAP groups can not be changed through the OpenCms workplace, since the group membership is supposed to be automatically updated each time the user is synchronized. LDAP users may be manually assigned to non-LDAP ("standard" OpenCms) groups.
The LDAP Connector adds an artificial group of which all synchronized LDAP users are members. This group is called "LDAP Group" by default.
In some cases, you may want to manually synchronize users or groups from LDAP. To do this, use the magnifying glass button in the toolbar (make sure you have selected the correct organizational unit (OU)):
This will open the LDAP search dialog:
Choose whether you want to search users or for groups using the select box on the left, enter you search text, and then click the search button. You will be shown a list of search results (Note that the search uses the queries configured in the
group-filters/search settings in the configuration, and thus the exact way the search string is interpreted depends on the installation. If you don't get the search results you think you should be getting, double-check your configuration).
You can use the context menu in the resulting list to synchronize the user or group.
Cleaning up invalid LDAP users
Sometimes, users will be deleted from the LDAP directory. If these users have been previously synchronized using the OCEE LDAP connector, they will normally remain in the OpenCms database. To prevent this, a scheduled job exists that can be configured in the OpenCms Administration under "Scheduled Jobs”.
The class name of the scheduled job is “org.opencms.ocee.ldap.CmsLdapUserCleanup”. This job will check for each LDAP enabled user whether that user can still be found in the LDAP directory. If not, the user is deleted from the database.
This job logs status information to the INFO channel of the logger “org.opencms.ocee.ldap”. If the job parameter “checkOnly” is set to "true" on the job, the users not found in the LDAP will not really be deleted, but all the log messages will still be printed.