
LDAP synchronization


Synchronization is available only with the advanced Passwork license

Synchronization allows you to match Active Directory and LDAP security groups with Passwork roles. You can use Windows-based domains (Active Directory) and Linux-based domains (OpenLDAP, FreeIPA, ALD Pro, etc.) to manage access and roles in Passwork.

The synchronization is performed in the following stages:

  1. An LDAP request is executed according to the data entered on the Users tab. Passwork receives a user list, which contains a memberOf data array for each user.
  2. An LDAP request is executed according to the data entered on the Groups tab. Passwork receives a list of groups.
  3. Passwork creates a list of groups that have been matched with roles, based on the received group list.
  4. Passwork compares the list of groups matched with roles against the memberOf array of each user.
  5. If the data matches, Passwork assigns the corresponding roles to the user.
  6. If the "Automatically register new users from LDAP groups" setting is enabled, Passwork checks whether each user for whom matches were found is registered in Passwork.
  7. If the "Automatically deactivate users if they are not part of LDAP groups mapped to roles" setting is enabled, Passwork checks whether each user belongs to the groups with matched roles. A user who is not a member of any such group is automatically deactivated.
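
The stages above, modelled as an added Python example for reviewing what a given mapping will do before it is enabled. This is not Passwork's own code: the function `sync`, its parameters, and all DNs, logins and role names are constructed, and it assumes that DNs compare case-insensitively and that only already-registered users are candidates for deactivation.

```python
# Added illustration: a simplified model of the sync stages, not Passwork's code.
# All DNs, logins and role names below are constructed sample data.

def sync(ldap_users, ldap_groups, group_roles, registered,
         auto_register=True, auto_deactivate=True):
    """Return (roles, to_register, to_deactivate) for one sync run.

    ldap_users:  {login: [memberOf DNs]}   (stage 1)
    ldap_groups: [group DNs]               (stage 2)
    group_roles: {group DN: {role names}}  (admin-defined mapping)
    registered:  set of logins that already exist locally
    """
    norm = lambda dn: dn.strip().lower()  # assumption: DNs compare case-insensitively
    # Stage 3: keep only mapped groups that the group query actually returned.
    found = {norm(g) for g in ldap_groups}
    mapped = {norm(g): set(r) for g, r in group_roles.items() if norm(g) in found}

    roles, to_register, to_deactivate = {}, set(), set()
    for login, member_of in ldap_users.items():
        # Stages 4-5: match the user's memberOf values against mapped groups.
        hits = {norm(g) for g in member_of} & set(mapped)
        if hits:
            roles[login] = set().union(*(mapped[g] for g in hits))
            # Stage 6: a matched user who is not registered yet.
            if auto_register and login not in registered:
                to_register.add(login)
        # Stage 7 (assumption: only registered users can be deactivated).
        elif auto_deactivate and login in registered:
            to_deactivate.add(login)
    return roles, to_register, to_deactivate

GROUPS = ["cn=pw-admins,ou=groups,dc=example,dc=org",
          "cn=pw-users,ou=groups,dc=example,dc=org"]
MAPPING = {GROUPS[0]: {"Administrators"}, GROUPS[1]: {"Employees"}}
USERS = {
    "alice": ["CN=pw-admins,OU=groups,DC=example,DC=org", GROUPS[1]],
    "bob": [GROUPS[1]],                                   # new, not yet registered
    "carol": ["cn=finance,ou=groups,dc=example,dc=org"],  # left all mapped groups
}

if __name__ == "__main__":
    print(sync(USERS, GROUPS, MAPPING, registered={"alice", "carol"}))
```

In this model, narrowing the Groups tab query so that a mapped group is no longer returned removes that group's roles on the next run, and with automatic deactivation enabled it can deactivate users whose only mapped membership was that group.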

You can use DN filters to create nested groups or users. Nested objects will be displayed, but group restrictions and role mapping will not apply to nested groups.

To map roles to security groups, select a security group from the list and click on the plus button on the right. Then select the roles and save the result:

  1. Select a group
  2. Choose roles to map
  3. Save the changes

For synchronization to work, you will need to set up Background tasks.



Synchronization settings

You can configure Synchronization settings to:

  • Automatically deactivate users if they are not part of LDAP groups matched with roles
  • Automatically register new users from LDAP groups
  • Choose the type of authorization that will be assigned to users from LDAP
  • Set the interval for LDAP synchronization



Synchronization log

Passwork stores synchronization logs as part of the background task history.

To view the synchronization log, click the Go to all logs button at the bottom of the Synchronization tab, or select the LDAP synchronization filter on the History tab of the Background tasks section.






Updated 10 Oct 2024