LDAP and X3 User creation


LDAP can do more than manage the passwords of X3 Users: it can also be used to create X3 Users, together with their associated Classic Users at Folder level.

"How can this be?", you ask.

Let's start with what information we have in the LDAP Repository - for this Blog, we have a worked example which illustrates the process.

For the purposes of this exercise, we are using ApacheDS as our Repository - other LDAP Repositories may differ...

In our example LDAP Repository, we have:

  1. User code which uniquely identifies a User - this is the field "uid"
  2. User first and last names - fields "givenName" and "displayName"
  3. User Password - field "userPassword"
  4. User email address - field "cn"
  5. User Business Role ("Administrators", "Finance" and "Distribution") - field "businessCategory"

For example, here are the details for three accounts in LDAP:

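The account screenshot from the original post is not reproduced here. As an added illustration (constructed for this page, not taken from the author's directory), the LDIF below creates three accounts carrying the attributes listed above, plus the ou=groups entries that the "LDAP group" field on an X3 Group later points at. It assumes the ApacheDS default partition dc=example,dc=com and default admin bind uid=admin,ou=system on port 10389. sn and mail are included because inetOrgPerson requires sn and most tooling expects the address in mail, even though this post maps the last name from displayName and the email address from cn. The userPassword values are placeholders: load a salted hash, never cleartext, and remember that whoever can read userPassword in the directory owns every X3 login it provisions.

```ldif
# Constructed example data for this page (not the author's directory).
# Import into ApacheDS with:
#   ldapmodify -a -H ldap://localhost:10389 -D uid=admin,ou=system -W -f users.ldif

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# Accounts: uid = X3 User Code, givenName/displayName = names,
# cn = email address (this post's mapping), businessCategory = Business Role.
dn: uid=aadmin,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: aadmin
givenName: Alice
sn: Admin
displayName: Admin
cn: alice.admin@example.com
mail: alice.admin@example.com
businessCategory: Administrators
userPassword: {SSHA}REPLACE_WITH_SALTED_HASH

dn: uid=fbean,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: fbean
givenName: Fred
sn: Bean
displayName: Bean
cn: fred.bean@example.com
mail: fred.bean@example.com
businessCategory: Finance
userPassword: {SSHA}REPLACE_WITH_SALTED_HASH

dn: uid=dpick,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: dpick
givenName: Dora
sn: Pick
displayName: Pick
cn: dora.pick@example.com
mail: dora.pick@example.com
businessCategory: Distribution
userPassword: {SSHA}REPLACE_WITH_SALTED_HASH

# Groups: one per Business Role; these DNs are what the X3 Group's "LDAP group" field references.
dn: cn=Administrators,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Administrators
member: uid=aadmin,ou=users,dc=example,dc=com

dn: cn=Finance,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Finance
member: uid=fbean,ou=users,dc=example,dc=com

dn: cn=Distribution,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Distribution
member: uid=dpick,ou=users,dc=example,dc=com
```

Keeping the Business Role both as a businessCategory attribute on the account and as group membership gives you a choice of what to point "Mapping for Group membership" at; whichever you pick, make sure only directory administrators can write it, since it decides which X3 menus a user gets.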

Now, we need to create a User at both Administration and Parameters levels in a folder - what information do we need?

At Administration > Users > Users level:

  1. A User Code, first and last names, Email address
  2. What Groups a User is in
  3. What Endpoints a User is in

At Parameter > Users > Users level:

  1. A User Code and its associated Login (Administration) User Code, a Name
  2. A User Menu profile and User function profile pair or a Trade code - this will define what Menu Items a User can access

Administration > Administration > Settings > Authentication > LDAP Servers

Well, when you configure LDAP, there is a group of fields in the "User mapping LDAP attributes" section - these determine how data held in the LDAP Repository are mapped to X3 User fields.

Of course, it's normal for the User Codes to be the same at the Administration and Parameter levels, so that part of the data is sorted.

Most of these fields are self-explanatory, but the field called "Mapping for Group membership" is a bit more cryptic. It maps a field in the LDAP repository to an X3 Group. That Group can then be mapped to a Profession Code, which in turn maps to a folder-level Trade Code associated with a User Menu Profile / User Function Profile pair.

In our setup, each Account in LDAP carries a field called businessCategory; our business rules allow it three possible values: "Administrators", "Finance" and "Distribution".

Roles can then be set up to reflect the Groups, Badges, Security profile, Navigation and Home Pages for a set of Business Roles:

Administration > Administration > Users > Roles

and X3 Groups can be created with associated X3 Roles and Endpoints to reflect the different Business Roles that Users may undertake.

Administration > Administration > Users > Groups

The most important piece of data in a Group as far as LDAP is concerned is the "LDAP group" - this will link the individual LDAP Accounts with X3 Users via the "Mapping for group membership" field in LDAP Servers.

So, having configured the LDAP Repository and X3 LDAP Server to bring data across to populate fields in X3, we still need to associate the LDAP Users with User menu profiles and User function profiles - this is done using the Profession Code (Trade Code in Classic Users option).

Administration > Endpoints > Endpoints

This is done via the "Roles to profession codes mapping" section in the relevant folder Endpoints in Administration > Endpoints > Endpoints:

So, now our LDAP Server is set up and looks like:

Note that X3 has now pulled through all the "search filters" from the LDAP Groups, so that the Accounts in the LDAP Database can be assigned the relevant X3 Groups, which in turn define the Professional Profile for the Classic User at folder level.

Now, to set up the User Menu Profiles so the Users can access the required menu items associated with the Business Roles undertaken by the Users.

Parameters > Users > User menu profile

After defining which Menus and Menu Items are to be included on the User menu profile, generate the User function profile by clicking on the appropriate Action button.

Administration > Administration > Settings > Authentication > LDAP Servers

The final part of the process is to synchronise the LDAP Repository with X3 - this is done in the LDAP Servers option - it can be done on an ad-hoc basis using "Update users from LDAP", or it can be scheduled to run regularly using the "Schedule users update" action.

When running the "Update users from LDAP" Action in LDAP Servers, you may hit the following problem where the log says "xxxx : Record does not exist":

You may scratch your head about this and say "I've set up the Role, Group and Menu Profile and generated/updated the User Menu Profile - what else is there to do?". Well, I did a SQL Profiler trace (you could also do an Extended Events trace) and spotted that AMETUTI was being read on "FIN". This is the Professional Profile (also known as the Trade Profile). So, I checked, and I'd not created any of the new Professional Profiles I cited in Endpoints. This is done in Parameters > Users > Professional profile option:

Parameters > Users > Professional profile

Having created the Professional Profiles, the "Update users from LDAP" worked - it recognised the FIN Professional Profile for any LDAP Accounts with "cn=Finance,ou=groups,dc=example,dc=com".

It created the X3 Users and also created the folder-level Classic Users with the appropriate User Menu and User function Profiles based on the Professional Profiles.
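The chain that "Update users from LDAP" walks (LDAP group membership, then the X3 Group whose "LDAP group" field names that group, then the Group's Role, then the Endpoint's "Roles to profession codes mapping", then the folder's Professional profile) has several links that can be missing, and the "Record does not exist" message only tells you about one of them after the fact. The following Python is an added example for this page, not Sage X3 code or anything the author published: it models that chain over constructed data (the same invented account names as above, plus one account in no group) and gives you a pre-flight check that lists profession codes referenced by the Endpoint mapping but not created in Parameters > Users > Professional profile, and accounts that no X3 Group claims. It assumes group membership is held as member DNs on groupOfNames entries, matching the "cn=Finance,ou=groups,dc=example,dc=com" reference above; the role and profession codes are invented.

```python
"""Dry run of the LDAP -> X3 provisioning chain described in this post.

Added example, not Sage X3 code. It models the mapping the post walks through
(LDAP group -> X3 Group -> Role -> profession code -> folder Professional
profile) over constructed data, so the gaps that stop "Update users from LDAP"
can be found before the job runs. Every name and code below is invented.
"""

USERS_BASE = "ou=users,dc=example,dc=com"

# Constructed LDAP accounts with the attributes the post maps (passwords omitted).
LDAP_ACCOUNTS = {
    "aadmin": {"givenName": "Alice", "displayName": "Admin", "cn": "alice.admin@example.com"},
    "fbean":  {"givenName": "Fred",  "displayName": "Bean",  "cn": "fred.bean@example.com"},
    "dpick":  {"givenName": "Dora",  "displayName": "Pick",  "cn": "dora.pick@example.com"},
    "nobody": {"givenName": "No",    "displayName": "Group", "cn": "no.group@example.com"},
}

# Constructed directory groups (groupOfNames), keyed by DN, listing member DNs.
LDAP_GROUPS = {
    "cn=Administrators,ou=groups,dc=example,dc=com": [f"uid=aadmin,{USERS_BASE}"],
    "cn=Finance,ou=groups,dc=example,dc=com": [f"uid=fbean,{USERS_BASE}"],
    "cn=Distribution,ou=groups,dc=example,dc=com": [f"uid=dpick,{USERS_BASE}"],
}

# X3 Groups: the "LDAP group" field ties each to a directory group; each carries a Role.
X3_GROUPS = {
    "ADMINISTRATORS": {"ldap_group": "cn=Administrators,ou=groups,dc=example,dc=com", "role": "ADMIN"},
    "FINANCE": {"ldap_group": "cn=Finance,ou=groups,dc=example,dc=com", "role": "FINANCE"},
    "DISTRIBUTION": {"ldap_group": "cn=Distribution,ou=groups,dc=example,dc=com", "role": "DISTRIB"},
}

# The folder Endpoint's "Roles to profession codes mapping" (invented codes).
ROLE_TO_PROFESSION = {"ADMIN": "ADM", "FINANCE": "FIN", "DISTRIB": "DIS"}

# Professional profiles that exist in the folder (what the AMETUTI read checks).
# FIN is deliberately absent to reproduce the "Record does not exist" case.
FOLDER_PROFESSION_PROFILES = {"ADM", "DIS"}


def ldap_groups_of(uid):
    """DNs of the directory groups whose member list contains this uid."""
    dn = f"uid={uid},{USERS_BASE}"
    return [group for group, members in LDAP_GROUPS.items() if dn in members]


def resolve_profession(uid):
    """Walk LDAP group -> X3 Group -> Role -> profession code; None if a link is missing."""
    groups = ldap_groups_of(uid)
    for cfg in X3_GROUPS.values():
        if cfg["ldap_group"] in groups:
            return ROLE_TO_PROFESSION.get(cfg["role"])
    return None


def preflight(folder_profiles=FOLDER_PROFESSION_PROFILES):
    """What would make the update fail: profession codes the Endpoint mapping references
    but the folder does not have, and accounts that no X3 Group claims."""
    referenced = set(ROLE_TO_PROFESSION.values())
    return {
        "missing_profession_profiles": sorted(referenced - set(folder_profiles)),
        "unmapped_accounts": sorted(u for u in LDAP_ACCOUNTS if resolve_profession(u) is None),
    }


def provision(folder_profiles=FOLDER_PROFESSION_PROFILES):
    """Simulate "Update users from LDAP": one outcome per account, either a created
    user or the error the post reports when the Professional profile is absent."""
    outcomes = {}
    for uid, attrs in LDAP_ACCOUNTS.items():
        code = resolve_profession(uid)
        if code is None:
            outcomes[uid] = "skipped: no X3 Group matches this account"
        elif code not in folder_profiles:
            outcomes[uid] = f"{code} : Record does not exist"
        else:
            outcomes[uid] = (f"created {uid.upper()} ({attrs['givenName']} {attrs['displayName']}, "
                             f"{attrs['cn']}) with profession profile {code}")
    return outcomes


if __name__ == "__main__":
    print("pre-flight:", preflight())
    for uid, outcome in provision().items():
        print(f"{uid}: {outcome}")
    # After creating FIN in Parameters > Users > Professional profile, the Finance account goes through.
    print(provision(FOLDER_PROFESSION_PROFILES | {"FIN"})["fbean"])
```

Running it as-is reports FIN as a missing Professional profile and "nobody" as an account that would be silently skipped, which is the second thing worth knowing before a scheduled "Schedule users update" runs: an account that drops out of its directory group stops being provisioned, but this dry run (like the X3 job as described here) does not say what happens to the Classic User that already exists, so check that separately in the folder.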

Just to round things off, you can see what Users have been imported from LDAP by looking at the last section of the LDAP Servers option:

I hope this has helped you to appreciate the X3 features and processes related to LDAP, and perhaps to inspire you to use them!