LDAP settings

Adding a server


Server name and Primary host


In the Server Name field, enter the name under which the LDAP server will be displayed in Passwork.

In the Primary host section, enter the address of the LDAP server. It is necessary to specify the full address, including protocol and port.

Example:

ldap://192.168.0.1:389

If a backup LDAP server exists, its address can also be specified in Passwork settings. In case the primary LDAP server fails, Passwork will automatically switch the backup server to primary and will redirect all DN requests to it until the issues with the main LDAP server are resolved.

If the secure LDAPS protocol is used, specify the host name that appears as the CN (Common Name) of the issued certificate instead of the IP address.

Example:

ldaps://dc01.passwork.local:636


Server Code

If you need to specify multiple LDAP servers, you must provide a server code for each of them.

The server code is a unique alphanumeric identifier that becomes part of the user's login. Passwork reads the server code from the user's login and performs authorization using the LDAP server associated with that code.

You can leave this field empty if only one LDAP server is used — users without a code will be authenticated using this default server.

For example, if the server code is dc1, the user's login in Passwork will be user@dc1. When logging in, the user will enter user@dc1, and Passwork will extract the code dc1, find it in the database, and connect to the corresponding LDAP server.

If the user logs in without using @, for example, just user, Passwork will search for an LDAP server without a code and attempt to connect to it.

Example:

Login   Server code      Passwork login
user    null             user
user    passwork.local   user@passwork.local
user    passwork         user@passwork

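The login-to-server mapping described above, as an added Python example that is not part of Passwork or this documentation; the server list, host addresses and the helper names are assumptions:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LdapServer:
    """One LDAP server entry as configured in Passwork (hypothetical model)."""
    name: str            # Server Name shown in Passwork
    primary_host: str    # full address, including protocol and port
    code: Optional[str]  # Server Code; None when the field is left empty
    backup_host: Optional[str] = None


# Constructed sample configuration; names and hosts are assumptions.
SERVERS = [
    LdapServer("Main DC", "ldap://192.168.0.1:389", None),
    LdapServer("Passwork DC", "ldaps://dc01.passwork.local:636", "passwork"),
    LdapServer("Branch DC", "ldap://192.168.0.2:389", "dc1",
               backup_host="ldap://192.168.0.3:389"),
]


def split_login(passwork_login: str):
    """Split 'user@code' into (ldap_login, code); a plain 'user' gives code None."""
    login, sep, code = passwork_login.rpartition("@")
    if not sep:
        return passwork_login, None
    if not login or not code:
        raise ValueError(f"malformed login: {passwork_login!r}")
    return login, code


def resolve_server(passwork_login: str, servers):
    """Return (server, ldap_login): the server whose code matches, or the default one."""
    ldap_login, code = split_login(passwork_login)
    for server in servers:
        if server.code == code:
            return server, ldap_login
    what = "default server (empty code)" if code is None else f"server code {code!r}"
    raise LookupError(f"no LDAP server configured for {what}")


def check_server_codes(servers):
    """Configuration check: codes must be unique and at most one server may have none."""
    problems, seen = [], set()
    for server in servers:
        key = server.code if server.code is not None else ""
        if key in seen:
            problems.append("duplicate default server" if key == "" else f"duplicate code {key!r}")
        seen.add(key)
    return problems
```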


Service account

Enter the login and password of the Service Account that has permission to work with users.

Passwork stores this data in encrypted form: the saved password can be changed, but cannot be viewed.

Select the Attribute Name for login from the list:

  • If the LDAP server uses Windows, select samaccountname
  • If the LDAP server runs on a Linux-based OS, select uid

If the LDAP server is configured so that user logins are not stored in the default attribute, you need to manually enter the attribute name.

You can check the correctness of the entered data by clicking Test.



Authorization

Passwork first authenticates to the LDAP server using the service account, then searches for the user by login and attempts to authenticate with the user's login and password.

Authorization through the service account

First, authorization goes through the service account, then Passwork performs a user search by login and attempts to authorize using the login and password.

This type of authorization can be divided into the following stages:

  1. On the authorization page, the user enters their username and password.
  2. The Passwork server uses the service account to find the user with a matching login in LDAP and retrieves that user's DN.
  3. The Passwork server sends a bind request to the LDAP server with the DN (distinguished name) of the user and their password.
  4. The LDAP server checks whether the entered credentials match the data stored in its database.
  5. If everything is correct, the LDAP server confirms authentication to the Passwork server.
  6. The Passwork server receives the confirmation from the LDAP server and allows the user to access the system.


User Attribute Mapping

To use LDAP attributes as the user's email and full name in Passwork, specify the names of those attributes.

User Email

The default LDAP attribute is mail.

Example: mail: <the user's email address>

If a different attribute is used for email in LDAP (for example, userPrincipalName), it must be specified.

User Full Name

The full name can be stored in various attributes depending on the LDAP server configuration:

  • displayname
  • nm
  • cn
  • commonname
  • name

Example: displayName: Robert Smith

If LDAP doesn't use displayName, another suitable attribute from the list or a custom one can be specified.

User Groups

The memberOf attribute contains a list of groups the user belongs to. This is a key element for:

  • Group-based access control;
  • Assigning Groups during mapping;
  • Restricting access to Passwork by group.

Example:

memberOf: CN=Admins,OU=Groups,DC=example,DC=com
memberOf: CN=IT,OU=Departments,DC=example,DC=com

In most configurations, the memberOf attribute works by default. Changing this value is only required if the LDAP schema uses a different attribute. Before making any changes, it's recommended to ensure the attribute exists and works correctly.