ELO Docs
 Configuration and administration

# LDAP import

With LDAP import, you can import users and groups from an Active Directory (AD) into the ELO system.

Overview of the 'LDAP import' area of the ELO Administration Console

  • Select server: The ELO Administration Console attempts to find possible LDAP servers automatically. If this field is blank, no server will be found in the domain. This may be the case with a VPN connection, for instance.

  • Server: Enter the server for the LDAP connection here. You can also enter the IP address, port, or protocol here.

    BNF: server ::=[ldap|ldaps]://[servername|IP address]:port

Please note

Use an encrypted connection, in this case LDAP via SSL (LDAPS).

  • Domain user and password: The authentication data consists of a name and password.

  • Ignore certificate validation: The certificate validation can be ignored if needed.

  • Base DN and LDAP organizational unit: These entries are used to select the correct branch of the LDAP directory.

  • Filter templates and filter text: Some LDAP filter expressions are already provided in the list and applied to the filter text so that they can be edited.

  • Mapping script: This setting allows you to edit the data as JavaScript code.

    For more information, see the next section The mapping script.

  • Reset mapping: Deletes the text from the mapping script field.

  • Update existing users or groups: If the name can be resolved to an existing entry, this entry is only processed again if this setting is enabled.

    Please note

    LDAP groups are only read and used when users log on.

  • Create groups in ELO that exist in LDAP: Creates groups that do not yet exist in ELO.

  • Start search: Performs a search and shows the results.

  • Results list: Shows the list of the entries that will be imported. All valid entries are also selected. If invalid data is detected during the check, they will not be selected, and a note about the problem is shown in a tooltip.

# The mapping script

Default LDAP attributes are automatically mapped to ELO attributes. To allow more flexible customization, JavaScript code can be entered in the input field. It is embedded in a code frame and is executed for every data set in the LDAP search.

The ELO Indexserver has a data structure for the users and groups: the UserInfo object. This is described in detail in the ELO Indexserver technical documentation. It can be accessed in the mapping script using the variable name elo.

# Default mapping

  • elo.type
    • Based on the LDAP ObjectClass=person
    • If the class exists, a user is created; otherwise a group is created.
  • elo.name
    • Based on the LDAP attributes displayName, cn, sAMAccountName, and distinguishedName.
    • The first LDAP attribute found is used as the name.
  • elo.userProps[UserInfoC.PROP_NAME_OS]
    • The value of the sAMAccountName LDAP attribute is applied.
  • elo.userProps[UserInfoC.PROP_NAME_EMAIL]
    • The value of the LDAP attribute mail is applied.
  • elo.superiorId
    • The LDAP attribute manager is evaluated.
  • If the manager attribute refers to an existing ELO user, the ID of this user is applied as the supervisor.
  • elo.id
    • If the name refers to a valid ELO user, this ID is applied as the user ID. Otherwise -1 creates a new user.

# JavaScript code frame

At the debug log level, the generated script is output to the log file.

// rhino compatible modus on java 8 (nashorn)
load('nashorn:mozilla_compat.js')
// editable basic javascript mapping function Version 1.0
importPackage(Packages.de.elo.ix.client)
importClass(Packages.de.elo.ldap.LdapImportException)
function extractDN(v){
try{
var vv=v.substring(3,v.indexOf('=', 3))
return vv.substring(0,vv.lastIndexOf(','))
}
catch(e){}
}
function map(ixc, elo, ldap, userNames){
%% The text from the interface for the mapping script field is output here. %%
}

If the ELO Administration Console is started using Java 8, the Rhino compatibility mode is included.

public interface LdapImportMapping {
  public void map( de.elo.ix.client.IXConnection ixc, de.elo.ix.client.UserInfo userInfo, javax.naming.directory.Attributes attributes, Map<String, de.elo.ix.client.UserName> userNames );
}

The JavaScript frame is accessed via the LdapImportMapping Java interface. In the map, the ELO name in lowercase is used as the key to the UserName object.

# Examples

  • A data set can be excluded by setting elo.id=0.
if (elo.name.startsWith("_")) {
  elo.id = 0
}
  • Since JavaScript code can be used, it is also possible to view outputs for testing using the error reporting mechanism.
throw ldap.get("mail").getClass()

or also

throw userNames["administrator"].id
  • A short example shows how to exclude items while checking the mail attribute and set the display name for the remaining users.
var emailRegex = /^[\w._-]+[+]?[\w._-]+@[\w.-]+\.[a-zA-Z]{2,6}$/
var lMail = ldap.get('mail')
if (lMail){
    lMail = lMail.get()
    if(emailRegex.test(lMail)){
        elo.name += ' ('+lMail.split('@').pop()+')'
        // valid e-mail -> customize the display name.
  }
} else {
  elo.id = 0
  // invalid e-mail -> exclude
}
Edit this page (opens new window)
Last updated: March 6, 2024 at 3:14 PM

Enable LDAP authentication →