# LDAP settings

## Adding a server
### Server name and primary host

In the **Server name** field, enter the name under which the LDAP server will be displayed in Passwork.

In the **Primary host** section, enter the address of the LDAP server. It is necessary to specify the full address, including protocol and port.

If a backup LDAP server exists, its address can also be specified in Passwork settings. In case the primary LDAP server fails, Passwork will automatically switch the backup server to primary and will redirect all DN requests to it until the issues with the main LDAP server are resolved.

If the secure LDAPS protocol is used, you should specify the CN (common name) of the issued certificate instead of the IP address.

Learn more: LDAPS setup.

### Server code

If you need to specify multiple LDAP servers, you must provide a server code for each of them.

Server code is a unique alphanumeric identifier that becomes part of the user's login. Passwork reads the server code from the user's login and performs authorization using the LDAP server associated with that code.

You can leave this field empty if only one LDAP server is used: users without a code will be authenticated using this default server.

For example, if the server code is `dc1`, the user's login in Passwork will be `user@dc1`. When logging in, the user will enter `user@dc1`, and Passwork will extract the code `dc1`, find it in the database, and connect to the corresponding LDAP server.

If the user logs in without using `@`, for example just `user`, Passwork will search for an LDAP server without a code and attempt to connect to it.

Example:

| Login | Server code | Passwork login |
|-------|-------------|----------------|
| user | null | user |
| user | passwork.local | user@passwork.local |
| user | passwork | user@passwork |

### Service account

Enter the login and password of the service account that has permission to work with users. Passwork stores this data in encrypted form. The saved password can be changed, but cannot be viewed.

Select the attribute name for login from the list. If the LDAP server uses Windows, select `sAMAccountName`. If the LDAP server runs on a Linux-based OS, select `uid`. If the LDAP server is configured so that user logins are not stored in the default attribute, you need to manually enter the attribute name.

You can check the correctness of the entered data by clicking **Test authorization**. Passwork is authenticated using the service account, then searches for the user by login and attempts to authenticate using the login and password.

### Authorization through the service account

First, authorization goes through the service account, then Passwork performs a user search by login and attempts to authorize using the login and password. This type of authorization can be divided into the following stages:

1. On the authorization page, the user enters their username and password.
2. The Passwork server uses the service account to find a user with a matching login in LDAP and gets their DN.
3. The Passwork server sends a bind request to the LDAP server with the DN (distinguished name) of the user and their password.
4. The LDAP server checks whether the entered credentials match the data stored in its database.
5. If everything is correct, the LDAP server confirms authentication to the Passwork server.
6. The Passwork server receives the confirmation from the LDAP server and allows the user to access the system.

### User attribute mapping

To use LDAP attributes as the user's email and full name in Passwork, specify the names of those attributes.

**User email.** The default LDAP attribute is `mail`. If a different attribute is used for email in LDAP (for example, `userPrincipalName`), it must be specified.

**User full name.** The full name can be stored in various attributes depending on the LDAP server configuration: `displayName`, `nm`, `cn`, `commonName`, `name`. If LDAP doesn't use `displayName`, another suitable attribute from the list or a custom one can be specified.

**User groups.** The `memberOf` attribute contains a list of groups the user belongs to. This is a key element for group-based access control: assigning groups during mapping and restricting access to Passwork by group. In most configurations, the `memberOf` attribute works by default. Changing this value is only required if the LDAP schema uses a different attribute. Before making any changes, it's recommended to ensure the attribute exists and works correctly.
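The server-code login parsing and the service-account authorization stages described above, as an added example that is not Passwork's own code: it assumes a constructed in-memory directory exposing only bind and search in place of a real LDAP client, plus hypothetical server names, DNs, logins and passwords.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class LdapServer:
    name: str         # name under which the server is shown in Passwork
    code: str | None  # server code; None marks the default server used for logins without "@"
    login_attr: str   # login attribute: "sAMAccountName" (Windows) or "uid" (Linux)

class FakeDirectory:
    """Constructed in-memory stand-in for one LDAP server; only bind() and search() exist."""
    def __init__(self, entries: dict[str, dict]):
        self.entries = entries  # DN -> {"password": ..., <attribute>: <value>, ...}
    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password
    def search(self, attr: str, value: str) -> str | None:
        return next((dn for dn, e in self.entries.items() if e.get(attr) == value), None)

def split_login(login: str) -> tuple[str, str | None]:
    """'user@dc1' -> ('user', 'dc1'); a bare 'user' -> ('user', None)."""
    head, sep, tail = login.rpartition("@")
    return (head, tail or None) if sep else (login, None)

def select_server(login: str, servers: list[LdapServer]) -> tuple[str, LdapServer]:
    """Pick the server whose code matches the login; code None selects the default server."""
    user, code = split_login(login)
    for server in servers:
        if server.code == code:
            return user, server
    raise LookupError(f"no LDAP server registered for code {code!r}")

def authenticate(login, password, servers, directories, service_dn, service_pw) -> bool:
    """Stages from the page: service-account bind, DN lookup by login, then bind as the user."""
    user, server = select_server(login, servers)
    directory = directories[server.name]
    if not directory.bind(service_dn, service_pw):       # stage 1: service account binds
        return False
    user_dn = directory.search(server.login_attr, user)  # stage 2: find the user's DN
    return user_dn is not None and directory.bind(user_dn, password)  # stage 3: user bind

# Constructed sample data (hypothetical DNs, names and passwords), not real servers or accounts.
SERVICE_DN, SERVICE_PW = "cn=svc-passwork,dc=example,dc=org", "svc-secret"
SERVERS = [LdapServer("Default", None, "uid"), LdapServer("DC1", "dc1", "sAMAccountName")]
DIRECTORIES = {
    "Default": FakeDirectory({SERVICE_DN: {"password": SERVICE_PW},
                              "uid=bob,ou=people,dc=example,dc=org": {"password": "bob-pw", "uid": "bob"}}),
    "DC1": FakeDirectory({SERVICE_DN: {"password": SERVICE_PW},
                          "cn=alice,ou=users,dc=corp,dc=local": {"password": "alice-pw", "sAMAccountName": "alice"}}),
}
```

A login with an unknown code raises `LookupError`, and a login without `@` is routed to the code-less default server, so a user who exists only on `dc1` cannot authenticate by omitting the code.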