
Synchronization


Synchronization is only available in the Passwork Advanced license

Passwork supports synchronization of security groups from external directories, such as Active Directory and OpenLDAP, with groups in Passwork. This enables centralized access management through the existing directory infrastructure.

The following types of domains are supported in Passwork for access management:

  • Windows domains (based on Active Directory);
  • Linux domains (OpenLDAP, FreeIPA, and others).

The synchronization process consists of the following steps:

  1. An LDAP request is executed based on the data specified in the Users tab. Passwork retrieves a list of users, each including a memberOf array with group membership information.
  2. Another LDAP request is executed based on the data specified in the Groups tab. Passwork retrieves a list of LDAP groups.
  3. Passwork generates a list of LDAP groups that are mapped to Passwork groups.
  4. The mapped Passwork groups are compared against the combined memberOf arrays of all users.
  5. If matches are found, Passwork assigns the corresponding groups to the users.
  6. If the Automatically create new users from mapped LDAP groups option is enabled, Passwork checks whether each matched user is already registered. If not, the user is registered automatically.
  7. If the Automatically deactivate users not included into any mapped LDAP group option is enabled, Passwork verifies whether each user still belongs to the mapped LDAP groups. Users not belonging to those groups are automatically deactivated.
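The seven steps above can be modelled as a dry-run planner that shows which accounts a synchronization pass would assign, register, or deactivate. This is an added illustration, not Passwork's code; the function and variable names, the case-insensitive DN comparison, the restriction to LDAP-sourced accounts, and the sample directory are all assumptions.

```python
from dataclasses import dataclass, field

def norm(dn):
    # Assumption: DNs are matched case-insensitively (not stated on the page).
    return dn.strip().lower()

@dataclass
class SyncPlan:
    assign: dict = field(default_factory=dict)      # login -> Passwork groups
    register: list = field(default_factory=list)    # accounts to create
    deactivate: list = field(default_factory=list)  # accounts to disable

def plan_sync(users, groups, mapping, registered,
              auto_create=False, auto_deactivate=False):
    """users: login -> memberOf list (step 1); groups: group DNs (step 2);
    mapping: LDAP group DN -> Passwork group; registered: existing
    LDAP-sourced Passwork logins (assumption: local accounts are out of scope)."""
    present = {norm(dn) for dn in groups}
    # Step 3: only mappings whose LDAP group the Groups query returned.
    mapped = {norm(dn): pw for dn, pw in mapping.items() if norm(dn) in present}
    plan, matched = SyncPlan(), set()
    for login, member_of in users.items():
        # Steps 4-5: direct memberOf entries only; nested parents are not expanded.
        hits = {mapped[norm(dn)] for dn in member_of if norm(dn) in mapped}
        if not hits:
            continue
        matched.add(login)
        plan.assign[login] = hits
        if auto_create and login not in registered:       # step 6
            plan.register.append(login)
    if auto_deactivate:                                   # step 7
        plan.deactivate = sorted(set(registered) - matched)
    plan.register.sort()
    return plan

# Constructed sample directory (example.com is a placeholder domain).
BASE = "OU=Groups,DC=example,DC=com"
GROUPS = [f"CN={n},{BASE}" for n in ("PW-Admins", "PW-Ops", "PW-Ops-Child", "Staff")]
MAPPING = {GROUPS[0]: "Administrators", GROUPS[1]: "Operations"}
USERS = {
    "alice": [GROUPS[0]],
    "bob":   [GROUPS[1].lower(), GROUPS[3]],
    "carol": [GROUPS[2]],   # member only of a group nested under PW-Ops
    "dave":  [GROUPS[3]],
}
REGISTERED = {"alice", "carol", "dave"}

if __name__ == "__main__":
    print(plan_sync(USERS, GROUPS, MAPPING, REGISTERED, True, True))
```

In this model, carol is planned for deactivation because her only membership is in an unmapped child group, which is the kind of result worth reviewing before enabling automatic deactivation.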

DN filters can be used to retrieve nested groups or users. Nested objects will be displayed; however, group restrictions and mappings do not apply to nested groups.

To map Passwork groups to security groups, select a security group from the list and click the button located on the right side. In the dialog that appears, select the desired groups and save the configuration.

For synchronization to function correctly, background tasks must be configured.



Synchronization settings

The Synchronization settings allow the following:

  • Automatically deactivate users who are not members of LDAP groups mapped to groups in Passwork.
  • Automatically register new users from LDAP groups.
  • Define the default authentication method to be assigned to users from LDAP.
  • Set the interval for LDAP synchronization.


Synchronization log

Passwork stores synchronization logs as part of the background task execution history. To view the synchronization log, click the Go to all logs button at the bottom of the Synchronization tab, or apply the LDAP synchronization filter on the Tasks tab in the Background tasks section.