LDAP Server Job setting

Add a new Server Job setting by clicking Configuration > Settings > Account management > LDAP Connections > Edit in list >

LDAP Server Job

Fields and buttons in the form are:

   Search Filter: Select the search value used to filter users of the Active Directory. Based on the value selected in this field, the users are filtered and synced with NSP. Two values are provided in the list: User and Organizational Unit. If User is selected, only users from the Active Directory are synced, whereas if Organizational Unit is selected, all the OUs are fetched and synced with NSP.

   Ou-Filtering: Filters by organizational unit. Add the organizational units you want to fetch data from, separated by semicolons. Example: ou = Sales; ou = Marketing. Read more here.

   Sync data selection: Select which data you want to fetch: new, existing, or both. If New is selected, the synchronization will collect only new users of the Active Directory, in other words, those which are not in NSP. If Existing is selected, the synchronization will collect only users which already exist in NSP. If both options are selected, the synchronization will collect all users. All users will also be collected when nothing is selected.

   Auto delete jobs history: Set how many LDAP logs you want to keep. Choose in the dropdown menu between: Keep all, Last one sync, Last three syncs, Last week, Last month, Last three months, Last six months, Last one year. By default, the selected option is Keep all.

   Auto approved sync: If not selected, a record made by this job has to be approved later on the Sync log page.

   Overwrite user groups: If this is checked, the sync will update NSP group membership to the current data set in Active Directory. Example: If a user has been removed from a group in AD, the user will also be removed from the corresponding mapped group in NSP after the sync. If this is not checked, you only update existing data. P.S. A user must be a member of a group (valid when synchronizing from AD / LDAP). This means that when you start the sync, it starts to delete all group members in NSP. For all groups in NSP that are not connected with an AD group, all members in these groups will be deleted and not added again.

Note: If a person is first added as an Agent (via AD or manually) and you then update the same person in AD to be an End User, the User Type will NOT be updated in NSP. It is possible to change User Type from End User to Agent, but not the opposite. Group membership will be updated, but not User Type. If you need to change an Agent to an End User, this can only be done manually.

   Enable Google Maps location service: If enabled, the system uses Google Maps for locations. Longitude and latitude are fetched from AD and converted to an address by the Google Maps service. This service can be switched off because the function uses Google Maps queries. Google Maps services are free of charge for 2500 queries per day. Read more about Google Maps API Key.

View of user location with and without Google Maps location service:

    

 

   Skip sync from AD if empty value: Only overwrite user profile value from AD if it is not empty.

   Import departments into CMDB if not exist: If user data in AD contains a new department, this department is created in CMDB.

   Organization: Select the name of the organization to which the users will belong after being synced with NSP.

   NSP fields that not shall be overwritten by AD attributes in sync: Select NSP attributes that shall never be overwritten (existing values in NSP are kept when syncing from AD). Click in the field to open a dropdown containing the available attributes. Several attributes can be selected. Remove an attribute by clicking x.

   Customer Account AD Attribute: Entering a value in this field enables mapping of users to customer account objects in NSP. Within the Customer account object there is an Ad-Identity field, in which it is necessary to enter the value of this attribute on AD. If the synchronized user has an attribute value within AD, the system will try to find a Customer account with the same value. If at least one record is found, the system will automatically assign the user as a member of that customer account. If there is no default customer account, it will become the default for the user.

   Organisation AD attribute: You can now create an organization from the LDAP. In the LDAP settings job, we use the AD attribute for the organization name. If the organization exists, it will be assigned to the user; if not, it will be created and then assigned to the user.

   Group Mappings: This button will appear only when you Edit an LDAP Server Job. When you create a new Job, you have to Save it once first and then Edit it to be able to map groups. Click here to open a popup, where you map groups in Active Directory to corresponding groups in NSP. You have to map at least one group.

Note: If you specify an NSP group, but no corresponding AD group, all users in AD will be imported to the NSP group.

For more info on Group mapping, see example.
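
A pre-sync dry run of the Overwrite user groups and Group Mappings rules described above, as an added example (not NSP code and not part of the original documentation). It lists which members would be removed and which NSP groups would receive every AD user. The function name, the data layout and all group and user names are hypothetical, and the behaviour with the option unchecked (members are only added) is an assumption.

```python
# Dry-run model of the group rules on this page. Added example, not NSP code.
# Assumption: with the option unchecked, members are only added, never removed.

def plan_group_sync(ad_groups, nsp_groups, mappings, overwrite_user_groups):
    """Preview NSP group membership after a sync without changing anything.

    ad_groups / nsp_groups: dict of group name -> set of user names
    mappings: (ad_group or None, nsp_group) pairs as entered in Group Mappings
    Returns (resulting membership, removals per group, sorted warnings).
    """
    all_ad_users = set().union(*ad_groups.values())
    warnings, incoming = [], {}
    for ad_group, nsp_group in mappings:
        if not ad_group:
            # Page note: an NSP group with no AD group receives all AD users.
            warnings.append(f"{nsp_group}: no AD group mapped, all AD users imported")
            members = all_ad_users
        else:
            members = ad_groups.get(ad_group, set())
        incoming.setdefault(nsp_group, set()).update(members)

    result, removals = {}, {}
    for group in sorted(set(nsp_groups) | set(incoming)):
        current = nsp_groups.get(group, set())
        if overwrite_user_groups:
            # Membership is replaced by the AD data; unmapped groups end up empty.
            new = set(incoming.get(group, set()))
            if group not in incoming and current:
                warnings.append(f"{group}: not mapped to AD, members deleted")
        else:
            new = current | incoming.get(group, set())
        result[group] = new
        if current - new:
            removals[group] = current - new
    return result, removals, sorted(warnings)

# Constructed sample data; every group and user name is hypothetical.
AD_GROUPS = {"AD-ServiceDesk": {"anna", "bo"}, "AD-Sales": {"carl"}}
NSP_GROUPS = {"Service Desk": {"anna", "dave"}, "Local Admins": {"erin"}}
MAPPINGS = [("AD-ServiceDesk", "Service Desk"), (None, "Everyone")]

if __name__ == "__main__":
    for overwrite in (False, True):
        _, removed, warns = plan_group_sync(AD_GROUPS, NSP_GROUPS, MAPPINGS, overwrite)
        print(f"Overwrite user groups = {overwrite}")
        for group, users in removed.items():
            print(f"  would remove from {group}: {sorted(users)}")
        for line in warns:
            print(f"  warning: {line}")
```

Running the plan before enabling Overwrite user groups shows manually maintained NSP groups, such as the hypothetical Local Admins above, that would be emptied by the first sync.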

   Attribute mapping: The system comes with a standard mapping set up. If you want to make mappings other than the default, or to map AD properties that are not mapped by default, click here.

   Select default language for new created users: When a new user is created in NSP (from AD synchronization), the default language for the user will be set to this language.

Web Services Federation identity settings:

   Enable automatic mapping with external login: With this setting enabled, NSP will make an automatic mapping from the logged-in user to an NSP user. Mapping is done by the subject defined in the Identity mapping subject dropdown. If the setting is not enabled, users have to do the mapping to an NSP user manually.

   Web Services Federation external login: Here you select which external login method shall use the automatic mapping. In the dropdown you can select all defined login methods of type WsFederationIdentityProvider. Read more about external login methods here.

   Identity mapping subject: Select here which Active Directory subject shall be used to do the automatic mapping. Default is UserPrincipalName. It is recommended to change from the default only for special reasons and when the administrator has full control of the effects.

SAML identity settings:

   Enable automatic mapping with SAML identity provider: With this setting enabled, NSP will make an automatic mapping from the logged-in user to an NSP user. Mapping is done by the subject defined in the SAML Identity mapping subject dropdown. If the setting is not enabled, users have to do the mapping to an NSP user manually.

   SAML external identity login provider: Here you select which external login method shall use the automatic mapping. In the dropdown you can select all defined login methods of type SAML2. Read more about external login methods here.

   SAML Identity mapping subject: Select here which Active Directory subject shall be used to do the automatic mapping. Default is UserPrincipalName. It is recommended to change from the default only for special reasons and when the administrator has full control of the effects.

 

Note: If you use an SSL connection to AD, you must have a digital certificate installed on the IIS server for the specific AD domain.