Adding a server
Passwork supports LDAP and AD integration, allowing users to log in to Passwork using their corporate credentials. With LDAP you will be able to:
- Import users directly from your database and automatically create them in Passwork
- Configure login restrictions for specific user groups
- Associate AD groups with Passwork roles and their access rights
- Set up automatic synchronization of users with Passwork
Start LDAP integration by adding a server:
1. Server name and host
2. Server code
3. Service account
4. Authorization
5. User attribute mapping
First, type in the Server name. It will be displayed in Passwork.
Then specify your LDAP server's IP or hostname in the Primary host field. It should include the protocol and port. For example:
You can also add a reserve LDAP server. Passwork will use it if the primary server fails.
If you are using the LDAPS protocol, specify the CN (common name) of the Active Directory certificate instead of the IP address. For example:
ldaps://dc01.passwork.local:636
You can read more about setting up and using LDAPS on the LDAPS setup page.
Server code is a unique alphanumeric code that is added to a user's login. Passwork reads this code and performs authorization through the LDAP server whose code was specified.
You can leave this field blank if you only have one LDAP server; users who log in without a code will use this server for authorization. If you want to use several LDAP servers, you need to specify a server code for each of them.
For example, if the server code is dc1, then the user's login in Passwork will be user@dc1. If the user specifies the user@dc1 login during authorization, Passwork will detect the dc1 server code, find it in the database and connect to this LDAP server.
If the user specifies a login without a server code, then Passwork will look for an LDAP server that doesn't have one and will try to connect to it.
Specify the login and password of the Service account that has access to users in Active Directory.
Choose the Attribute name for LDAP login from the list:
- If your LDAP server uses Windows, choose samaccountname
- If your LDAP server runs on a Linux-based OS, choose uid
If user logins are not stored in the default attribute on your LDAP server, specify the name of the required attribute manually. Passwork stores the service account credentials in encrypted form: the saved password can be changed, but cannot be viewed.
To check that the entered data is correct, use the Test button.
In Passwork you can authorize users through a service account or by mask.
First, authorization goes through the service account, then Passwork performs a user search by login and attempts to authorize using the login and password.
This type of authorization can be divided into the following stages:
- On the authorization page, the user enters their username and password.
- The Passwork server uses the service account to find the user with a matching login in LDAP and gets their DN.
- The Passwork server sends a bind request to the LDAP server with the DN (distinguished name) of the user and their password.
- The LDAP server checks if the entered credentials match the data stored in its database.
- If everything is correct, then the LDAP server confirms authentication to the Passwork server.
- The Passwork server receives the confirmation from the LDAP server and allows the user to access the system.
The service account is the most reliable and preferred authorization method.
The mask turns a Passwork user's login into a DN string, which is used for authorization in LDAP and AD. DN strings look like this:
- login user + mask <login> → DN user
- login user + mask MyDomain\<login> → DN MyDomain\user
- login user + mask uid=<login>,ou=Users,dc=example,dc=com → DN uid=user,ou=Users,dc=example,dc=com
Types of DN masks depend on the operating system and server settings.
For example, for Active Directory on Windows, one of these masks usually applies:
- <login>
- Your-domain-name/<login>
- <login>@your-domain-name
- <login>@your-domain-name.local
For LDAP on Linux:
- uid=<login>,ou=Users,dc=example,dc=com
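The two pieces of login handling described above (the server code suffix that routes a login to one of several servers, and the mask that turns the login into a bind identity) as one added example. This is illustrative code, not Passwork's own implementation; the server table, hosts, codes and the whitelist of allowed login characters are constructed assumptions.

```python
import re

# Constructed server table with hypothetical hosts and masks. The entry with an
# empty code is the one used for a login that carries no "@code" suffix.
SERVERS = [
    {"code": "dc1", "host": "ldaps://dc01.passwork.local:636",
     "mask": "<login>@passwork.local"},
    {"code": "nix", "host": "ldap://ldap.example.com:389",
     "mask": "uid=<login>,ou=Users,dc=example,dc=com"},
    {"code": "", "host": "ldap://dc02.passwork.local:389",
     "mask": "MyDomain\\<login>"},
]

# Assumption: logins are restricted to this set so that an entered value can
# never inject extra RDN components (e.g. ",ou=Admins") into a DN-style mask.
SAFE_LOGIN = re.compile(r"^[A-Za-z0-9._-]+$")


def split_login(login: str):
    """'user@dc1' -> ('user', 'dc1'); a login without '@' has an empty code."""
    user, sep, code = login.rpartition("@")
    return (user, code) if sep else (login, "")


def select_server(code: str, servers=SERVERS):
    """Return the server whose code matches; '' selects the code-less server."""
    for server in servers:
        if server["code"] == code:
            return server
    raise LookupError(f"no LDAP server configured for code {code!r}")


def apply_mask(mask: str, user: str) -> str:
    """Substitute <login> in the mask after validating the user part."""
    if not SAFE_LOGIN.match(user):
        raise ValueError(f"login {user!r} contains disallowed characters")
    return mask.replace("<login>", user)


def bind_identity(login: str, servers=SERVERS):
    """Full routing: login -> (host to contact, identity to bind with)."""
    user, code = split_login(login)
    server = select_server(code, servers)
    return server["host"], apply_mask(server["mask"], user)


if __name__ == "__main__":
    for login in ("alice@dc1", "bob@nix", "carol"):
        print(login, "->", bind_identity(login))
```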
To use such LDAP attributes as user email and full name in Passwork, specify the names of these attributes.
Usually the user's full name is stored in one of the following attributes:
- displayname
- nm
- cn
- commonname
- name
The user's email is stored in the mail attribute by default.