Configure LDAP sync

Perform an LDAP Sync to update TeamForge with the user data available in the LDAP server. You can use an extended LDAP profile as the source for LDAP Sync.

LDAP Sync searches the LDAP server for the user data configured in a login module, fetches that data into TeamForge, and performs the synchronization. You can selectively include login modules in LDAP Sync. For example, if you have two LDAP accounts and only one of them should be considered for LDAP Sync, turn off the LDAP account that you do not want to include.

The extended LDAP profile needs Bind DN, Bind Credentials, Base Filter, and Base DN values for the synchronization. The Base DN, which is not available in the other simple LDAP authentication profiles, is what makes synchronization possible with the ExtendedLDAP profile.

Important: Provide the site admin user name and the obfuscated site admin password explicitly in /opt/collabnet/teamforge/var/etc/soap-provider.properties; do not provide the ADMIN account credentials.
  1. Log on to the TeamForge as a site administrator and go to the look project.
  2. From the project navigation bar, click AUTH MANAGER.
  3. From the Main Menu pane on the left, click Manage Existing Profiles.
  4. Select the profile for which LDAP Sync needs to be enabled.
  5. Click Edit.
  6. Select true from the Use As LDAP Sync Source drop-down list to consider the selected profile for the synchronization.
  7. From the Main Menu pane on the left, click LDAP Sync.
  8. Click Global Settings and enable LDAP sync by selecting true from the drop-down list.
  9. Click Group Sync Settings and do the following to synchronize groups:
    1. Select true from the Enable Group Sync drop-down list to enable the LDAP/AD group synchronization.
    2. Enter an appropriate value in Group Job Cron Interval to set the time interval for running the group synchronization.
    3. Enter the attribute in Group Search Filter Expression to specify the LDAP/AD expression for testing.
    4. Enter the search text with '*' at the end in Group Search Filter Arguments to synchronize the groups within the search results that have a particular prefix, for example 'CTF*', 'TF*' or '*'.
      Tip: To include all the groups in the synchronization, just enter '*'.
  10. Click User and User Data Sync Settings and do the following to synchronize user status and attributes:
    1. Select true from the Enable User Data Sync drop-down list to enable synchronization of user data.
    2. Enter an appropriate value in User Data Sync Cron Interval to set the time interval for running the user data synchronization.
    3. Enter the search text with '*' at the end in User Search Filter Arguments to synchronize the users within the search results that have a particular prefix, for example 'CTF*', 'TF*' or '*'.
      Tip: To include all the users in the synchronization, just enter '*'.
    4. Select true from the Enable LDAP Status Sync drop-down list to enable LDAP Sync for the user status. If a user account is disabled in LDAP/AD, the account is flagged and then disabled in TeamForge.
    5. Enter the number of days in User Grace Period beyond which the user account is disabled in TeamForge if the user no longer exists in LDAP.
    6. Select false from the Enable User Disable Action drop-down list. This setting specifies whether a user who has not logged into TeamForge for the specified period needs to be disabled in TeamForge.
    7. Enter the number of days in User Disable Interval (Days) beyond which a user account is disabled in TeamForge if the user has not logged into TeamForge for that period.
    8. Select true from the Enable User Delete Action drop-down list to enable the deletion of a disabled user account based on the delete interval.
    9. Enter the number of days in the User Delete Interval (Days) drop-down list beyond which the user account is deleted from TeamForge. Either Enable LDAP Status Sync or Enable User Disable Action must be enabled.
      • When Enable LDAP Status Sync is true, users that do not exist in Active Directory are deleted after the 'grace' and 'delete' intervals, counted from the flagged date. Users that still exist in Active Directory cannot be disabled or deleted.
      • When Enable User Disable Action is true, users are deleted after the 'disable' and 'delete' intervals, counted from the last login date, irrespective of whether they exist in Active Directory.
      • When both Enable LDAP Status Sync and Enable User Disable Action are set to true, users that do not exist in Active Directory are deleted after the 'grace' and 'delete' intervals from the flagged date, and users that still exist in Active Directory are deleted after the 'disable' and 'delete' intervals from the last login date.
    10. Select true from the Enable User Membership Action drop-down list to include the user's LDAP/AD group membership in the synchronization. This must be enabled when Enable Group Sync is set to true.
    11. Select true from the Allow User Re-enabling drop-down list to re-enable LDAP active users that have pending or disabled status in TeamForge.
    12. Enter the user names in Excluded Usernames to skip the respective user accounts during synchronization.
    13. Enter the email address in Default Email Address that needs to be associated with the TeamForge user account. It is used as the default email address when the email field is found null or empty.
    14. Enter the number of user batches in Split Users for LDAP Sync to use for the synchronization.
      Note: The number entered splits the existing users into that many batches, which are then synchronized one batch per run. Entering '0' or '1' considers all the existing users in a single run, whereas entering '7' splits the existing users into seven batches and completes the synchronization on the seventh run.
  11. Click to expand Mail and Reporting Settings and do the following:
    1. Select true in Enable User Email Reports drop-down list to enable the email notification and reporting.
    2. Enter the SMTP host to send mail through in Mail Transport Host. If you are using the TeamForge James mail server, enter localhost.
    3. Enter the email address of the recipient in Mail To that is usually a TeamForge Discussion Forum or a Tracker.
    4. Enter the email address of the sender in Mail From that is usually a TeamForge Discussion Forum or Tracker. The sender should be a valid TeamForge user.
    5. Enter any optional email address in Mail CC that needs a carbon copy of the email.
    6. Enter the subject line for the email in Mail Subject.
    7. Enter the user name in Mail Username that authenticates the connection to the SMTP server, if required. This field is optional.
    8. Enter the password in Mail Password that is required to connect to the SMTP server, if required. This field is optional.
  12. To save and apply all the changes you made to the profile, click Save.
  13. To run the LDAP Sync once (on an ad hoc basis), click Run Once.
  14. Click the Stop and Start buttons to restart the synchronization service.
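As an added worked example (not part of the TeamForge documentation or product code), the following Python models the flag/disable/delete decision described under User and User Data Sync Settings, so you can check what a given combination of Enable LDAP Status Sync, Enable User Disable Action, grace, disable and delete intervals would do to an account before enabling it. The SyncSettings, TfUser and decide names and the strict day-boundary comparison are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

@dataclass
class SyncSettings:
    status_sync: bool       # Enable LDAP Status Sync
    disable_action: bool    # Enable User Disable Action
    delete_action: bool     # Enable User Delete Action
    grace_days: int         # User Grace Period
    disable_days: int       # User Disable Interval (Days)
    delete_days: int        # User Delete Interval (Days)
    excluded: FrozenSet[str] = frozenset()  # Excluded Usernames

@dataclass
class TfUser:
    name: str
    in_directory: bool              # exists and is enabled in LDAP/AD
    last_login: date
    flagged: Optional[date] = None  # date first found missing/disabled in LDAP/AD

def decide(user: TfUser, today: date, s: SyncSettings) -> str:
    """Return 'keep', 'flag', 'disable' or 'delete' for one user.
    'Beyond which' is modelled as strictly greater than the interval;
    the exact boundary TeamForge applies is an assumption."""
    if user.name in s.excluded:
        return "keep"                       # Excluded Usernames are skipped
    if s.status_sync and not user.in_directory:
        # Missing from LDAP/AD: the clock starts at the flagged date.
        if user.flagged is None:
            return "flag"
        age = (today - user.flagged).days
        if s.delete_action and age > s.grace_days + s.delete_days:
            return "delete"
        if age > s.grace_days:
            return "disable"
        return "keep"
    # Present in LDAP/AD (or status sync off): only the disable action
    # applies, and its clock starts at the last login date.
    if s.disable_action:
        idle = (today - user.last_login).days
        if s.delete_action and idle > s.disable_days + s.delete_days:
            return "delete"
        if idle > s.disable_days:
            return "disable"
    return "keep"
```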