LDAP User Automatic Provisioning
This article describes how to configure Definition Center to use LDAP to automatically provision users.
Written by Jamie Gutierrez
Updated over a week ago

Your LDAP authentication system can be used to create users in iRise Definition Center automatically: when someone who does not yet have a Definition Center account logs in with a username and password that LDAP accepts, the account is created for them.
 
To enable LDAP automatic user provisioning, open the LDAP configuration screen (Administration > LDAP Authentication) and, in the Automatic user provisioning area, check “Enable automatic user provisioning.”
 
To create a new user in Definition Center, the Username, First name, Last name, and Password must be obtained for that user. The LDAP Field mapping group on the same screen defines which LDAP attributes contain each of these values.
 
Every user is created with exactly one role. You can specify a default role that is assigned to all newly created users, and you can assign roles based on a user's LDAP groups by adding role overrides to the ldap.xml file in the x:\iRise\DefCenter\Tomcat\conf folder. If no override applies to a user, the default role applies. Because the default role is granted to anyone who can authenticate through LDAP, choose the least-privileged role as the default and grant higher-privileged roles through overrides tied to specific LDAP groups.
 
To keep user information current as it changes in LDAP, check the “Update fields every time the user logs in” checkbox. With this option enabled, First name, Last name, Email address, and Role overrides are reapplied at each login if the corresponding LDAP values have changed. Username and Default Role apply only when a user is first created and are never updated for existing users; in particular, an existing user's role is changed only by a matching role override, never by the default role.
 
Users can exist in Definition Center in a disabled (deleted) state. Use the pull-down selector at the bottom of the Automatic user provisioning box to choose what happens when a disabled user logs in and their username and password have been authenticated through LDAP. The two options are to keep the user disabled and refuse the login, or to re-enable the user and allow the login.
 
LDAP automatic provisioning can also map Definition Center groups to LDAP groups. This functionality is only available by editing the ldap.xml file directly. When it is enabled, each user's group membership is reconciled at login against the rules in ldap.xml, and the user may be added to or removed from Definition Center groups accordingly. Definition Center groups that are not mapped in ldap.xml are never touched, so memberships you manage by hand in unmapped groups are preserved.
 
When a new user is created, the number of users holding the selected role is checked against the licensed allocation for that role. If creating the user would exceed the allocation, the user is created in a disabled state and a notification email is sent to all user managers. Such users remain subject to the pull-down selector described above: at their next login they either stay disabled or, if the selector allows it and licenses have since become available, are enabled.
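The following is an added example that models the provisioning decisions described in this article (role override versus default role, fields reapplied at login, the disabled-user option, license seats, and group reconciliation limited to mapped groups). It is not iRise code, and the `Settings` structure, the `provision()` function, and the LDAP attribute names (`uid`, `givenName`, `sn`, `mail`, `memberOf`) are assumptions for illustration; the page does not show the ldap.xml schema, so the overrides and group map are represented as plain Python values rather than XML. All sample users and groups are constructed.

```python
"""Model of LDAP auto-provisioning behaviour (added example, not product code).

Assumptions: role overrides are an ordered list of (ldap_group, role) pairs, first
match wins; the group map is {ldap_group: definition_center_group}; license seats
are counted per role over enabled users only.
"""
from dataclasses import dataclass, field

# Constructed LDAP group DNs used by the sample data below.
AUTHORS = "cn=authors,ou=groups,dc=example,dc=com"
PROJ_X = "cn=proj-x,ou=groups,dc=example,dc=com"


@dataclass
class DCUser:
    username: str
    first: str
    last: str
    email: str
    role: str
    enabled: bool = True
    groups: set = field(default_factory=set)


@dataclass
class Settings:
    default_role: str          # applied only when a user is first created
    update_on_login: bool      # "Update fields every time the user logs in"
    reenable_disabled: bool    # pull-down: True = re-enable and allow login
    role_overrides: list       # [(ldap_group, role)], first match wins (assumption)
    group_map: dict            # {ldap_group: dc_group}; only these groups are reconciled
    licenses: dict             # {role: seats}; roles with no entry have zero seats


def seats_in_use(users, role):
    """Enabled users currently holding a role."""
    return sum(1 for u in users.values() if u.role == role and u.enabled)


def matching_override(ldap_groups, settings):
    """Role from the first override whose LDAP group the user belongs to, else None."""
    for grp, role in settings.role_overrides:
        if grp in ldap_groups:
            return role
    return None


def provision(users, entry, settings, notifications):
    """Apply the documented rules for a user LDAP has already authenticated.

    `entry` is the user's LDAP attributes. Returns the DCUser; the caller
    allows the login only if the returned user is enabled.
    """
    uname = entry["uid"]
    ldap_groups = set(entry.get("memberOf", []))
    user = users.get(uname)

    if user is None:
        # New user: override role if one matches, otherwise the default role.
        role = matching_override(ldap_groups, settings) or settings.default_role
        user = DCUser(uname, entry["givenName"], entry["sn"], entry["mail"], role)
        if seats_in_use(users, role) >= settings.licenses.get(role, 0):
            # Allocation exhausted: create disabled and notify user managers.
            user.enabled = False
            notifications.append(f"{uname}: no free license for role {role}, created disabled")
        users[uname] = user
    else:
        if settings.update_on_login:
            # Name, email and role overrides are reapplied; username and default role are not.
            user.first, user.last, user.email = entry["givenName"], entry["sn"], entry["mail"]
            role = matching_override(ldap_groups, settings)
            if role is not None:
                user.role = role
        if not user.enabled and settings.reenable_disabled:
            # Re-enable only when the selector allows it and a seat is free.
            if seats_in_use(users, user.role) < settings.licenses.get(user.role, 0):
                user.enabled = True

    # Group reconciliation touches only Definition Center groups present in the map.
    for ldap_grp, dc_grp in settings.group_map.items():
        if ldap_grp in ldap_groups:
            user.groups.add(dc_grp)
        else:
            user.groups.discard(dc_grp)
    return user


def demo():
    """Constructed scenario: two Author logins against a single Author seat."""
    s = Settings("Reviewer", True, False, [(AUTHORS, "Author")],
                 {PROJ_X: "Project X"}, {"Author": 1, "Reviewer": 5})
    users, notes = {}, []
    provision(users, {"uid": "alice", "givenName": "Alice", "sn": "Ng",
                      "mail": "alice@example.com", "memberOf": [AUTHORS]}, s, notes)
    provision(users, {"uid": "bob", "givenName": "Bob", "sn": "Li",
                      "mail": "bob@example.com", "memberOf": [AUTHORS, PROJ_X]}, s, notes)
    return {u.username: (u.role, u.enabled, sorted(u.groups)) for u in users.values()}, notes


if __name__ == "__main__":
    result, notes = demo()
    for name, state in result.items():
        print(name, state)
    print(notes)
```

In the constructed scenario, alice takes the only Author seat, so bob is created disabled with a notification, yet his mapped group membership is still recorded; once a second seat is licensed and the selector is set to re-enable, his next login enables him. The model also shows why the default role is not reapplied: a user who later leaves the `authors` group keeps the Author role unless another override matches, so privilege removal has to be handled through overrides or by disabling the account.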
