LDAP Account Management
While LiveForms has a built-in account management system, we also allow integration with Active Directory through the LDAP protocol for managing accounts.
Configuring an LDAP Connection
LDAP configurations are specific to each domain. In order to access these settings, you must also be logged in as the LiveForms root user.
To find these settings, go to the Domain management section and either create or edit a domain, then change the security dropdown to “LDAP Account Manager”. To configure the LDAP connection, click “Manage” on the domain and go into “Domain Settings”. You will be met with the following options:
This page gives a preview of the LDAP configuration, and allows for adding custom LDAP properties.
Custom LDAP Properties
At the bottom of the LDAP configuration page, you will see the Custom Properties table. This allows you to use attributes from LDAP user objects as variables for form rules. Click Add Property to make a new variable mapping. On the left side, enter the name you want the variable to have in the form rule. On the right side, enter the name of the LDAP attribute.
All names in the left column must be unique.
If there are no naming issues, the variables table will auto save. In the form rules, the full variable name will be
_user.ldap.[Your Variable Name Here].
Once saved, the LDAP variables will be added to the user session. Users currently logged in will not see changes until their next login.
You may remove variables by clicking on the red trashcan icon on the left of the listing.
In the Domain Settings for a domain with LDAP account management, the user can click on Configure to modify the LDAP configuration. The interface pictured below shows the LDAP configuration menu.
The Active Directory layout is represented as a tree of folders and objects. Clicking the white arrow next to a file folder or double clicking on the item will expand its contents.
When you have finished making changes to the LDAP configuration, click on Save at the top right.
If this is the first time configuring LDAP or if there is no connection to the server, this window will appear. You may also access these settings by clicking on Connection Options at the top right of the LDAP management interface.
The first three fields assist in creating the LDAP connection URL. The username and password fields must be for a privileged account in the LDAP server. With the URL and account information filled in, clicking on confirm will allow LiveForms to begin connecting to the server. If no connection is established, LiveForms will show a message explaining the issue. Clicking cancel will return to the Domain Settings interface. If a connection is already established, the user may click cancel to close the connection options interface without making any changes.
The Advanced Options can be accessed from the top toolbar of the LDAP management interface. This list is used for mapping LiveForms account settings to the various objects and attributes from Active Directory. A standard Active Directory connection will usually only need to configure the Designer and Admin roles. To do so, change the text values in the respective Designer Role or Admin Role field to the desired group name.
The groups used for Admin and Designer roles must be in the selected group directory.
The full list of attribute descriptions can be seen below.
LDAP Domain: This displays the currently selected Active Directory domain.
Group Directory: This shows the currently selected organizational unit containing the groups. Group objects under this directory will be used as roles in LiveForms.
User Directory: This displays the currently selected organizational unit containing the users. User objects under this directory will be turned into LiveForms users.
LDAP User Filter: This filter defines what a user object is in Active Directory.
LDAP Group Filter: This filter defines what a group object is in Active Directory.
User Name Attribute: For user objects, the attribute in this field will be used as the LiveForms username.
User ID Attribute: For user objects, the attribute in this field will be made into the user’s unique identifier.
LDAP Primary Group Attribute: Maps to the primary group LDAP attribute, this group may not be included in the
LDAP MemberOf Attribute: This attribute in the LDAP object lists all the groups the user is a member of. For LiveForms, both this and the Primary Group Attribute are used to assign users to roles.
First Name Attribute: This attribute will be used to auto fill the user’s first name.
Last Name Attribute: This attribute will be used to auto fill the user’s last name.
Email Attribute: This attribute will be used to get a user’s email address.
Designer Role: Members of the group named here will get designer privileges in LiveForms.
Admin Role: Members of the group named here will get admin privileges in LiveForms.
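The following is an added illustration, not LiveForms code: a small Python model of how the directory and role settings described in this list combine, useful for reasoning about who ends up with admin or designer privileges. All DNs, group names and entries are constructed; matching the primary group through Active Directory's primaryGroupID and primaryGroupToken attributes, and treating the group directory as a subtree, are assumptions.

```python
# Illustrative model, not LiveForms code. All DNs, names and entries are constructed.
GROUP_DIR = "ou=groups,dc=example,dc=com"   # Group Directory setting
USER_DIR = "ou=users,dc=example,dc=com"     # User Directory setting
DESIGNER_ROLE, ADMIN_ROLE = "FormDesigners", "FormAdmins"  # hypothetical group names

# Group DN -> attributes. primaryGroupToken is the group's RID in Active Directory.
GROUPS = {
    "cn=FormAdmins,ou=groups,dc=example,dc=com": {"cn": "FormAdmins", "primaryGroupToken": "1201"},
    "cn=FormDesigners,ou=groups,dc=example,dc=com": {"cn": "FormDesigners", "primaryGroupToken": "1202"},
    "cn=HR,ou=groups,dc=example,dc=com": {"cn": "HR", "primaryGroupToken": "1203"},
    # Same name as the admin group, but outside the Group Directory.
    "cn=FormAdmins,ou=legacy,dc=example,dc=com": {"cn": "FormAdmins", "primaryGroupToken": "1300"},
}

USERS = {
    "cn=alice,ou=users,dc=example,dc=com": {
        "memberOf": ["cn=HR,ou=groups,dc=example,dc=com"], "primaryGroupID": "1201"},
    "cn=bob,ou=staff,ou=users,dc=example,dc=com": {
        "memberOf": ["cn=FormAdmins,ou=legacy,dc=example,dc=com"], "primaryGroupID": "1203"},
    "cn=carol,ou=contractors,dc=example,dc=com": {
        "memberOf": ["cn=FormAdmins,ou=groups,dc=example,dc=com"], "primaryGroupID": "1203"},
}

def is_under(dn, base):
    """True if dn sits below base (simplified case-insensitive suffix match)."""
    return dn.lower().endswith("," + base.lower())

def resolve_roles(user_dn, attrs):
    """Return (recognized, roles, privileges) for one user entry."""
    if not is_under(user_dn, USER_DIR):
        return False, set(), set()          # outside the User Directory: not a user
    group_dns = list(attrs.get("memberOf", []))
    # AD does not list the primary group in memberOf, so look it up by RID.
    rid = attrs.get("primaryGroupID")
    group_dns += [dn for dn, g in GROUPS.items() if g["primaryGroupToken"] == rid]
    # Only groups inside the Group Directory count as roles.
    roles = {GROUPS[dn]["cn"] for dn in group_dns
             if dn in GROUPS and is_under(dn, GROUP_DIR)}
    privileges = set()
    if DESIGNER_ROLE in roles:
        privileges.add("designer")
    if ADMIN_ROLE in roles:
        privileges.add("admin")
    return True, roles, privileges

if __name__ == "__main__":
    for dn, attrs in USERS.items():
        print(dn, resolve_roles(dn, attrs))
```

In this model, a user whose only admin membership comes through the primary group still resolves to admin, while a same-named group outside the group directory grants nothing.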
Selecting the Domain Directory
The domain directory is the top level of the Active Directory tree where the user and group information is stored. Top level domains will be listed under the root folder in the LDAP Management tree. The currently selected domain will be highlighted in yellow and its full name will be listed in the bottom right table. To select a domain, click on an item in a table and then click Select as Domain.
Selecting a Group Directory
The Group Directory is the folder of all groups you would like LiveForms to recognize. Below is an example groups folder in Active Directory.
Groups that are found will be displayed in the Manage Roles page for the domain.
LiveForms cannot create or modify groups via LDAP; this must be done in the Active Directory server.
While the designer and admin groups may have special permissions, the other group objects in the directory can be used for form and flow permissions. This is similar to putting users in roles when using the DBS account manager. All available groups will be listed in the Role Management section under Domain Management. The currently selected group directory will be highlighted green and its full name will appear in the bottom right table. To select a group directory, click on an item in a table and then click Select as Group Directory.
The green icons seen below signify a group object.
Selecting a User Directory
The final selectable directory is the user directory. Only users under that path and in subdirectories will be recognized as users for the LiveForms domain. The list of users that LiveForms finds will be shown in the User Management section under Domain Management. Below is the Users directory we specified in the Domain Settings.
The users found in the directory will be shown in the domain’s Manage User page.
LiveForms is not able to edit AD properties, so any changes to user information, such as first name, last name, email, and password, must be made through AD.
The currently selected User directory will be highlighted blue and its full name can be seen in the table at the bottom right. To select a user directory, choose an item in the LDAP Management tree then click on Select as User Directory.
The blue icons below represent user objects in Active Directory.
The tree also allows you to view what attributes an Active Directory object has, as well as the data stored in that attribute. To do this, select an object in the tree, then click Show selected object’s attributes. The interface below will appear, showing a table of the object’s data.
Some data may be binary, which may not be readable as text.
This table is useful for finding attributes to use for custom rule variables.