New LDAP Domain Group

Scenario: Existing IT infrastructure that includes domain groups can be used for user administration in Desigo CC. After selecting the domain, domain groups can be assigned to Desigo CC user groups.


Reference: For general information on domain groups (LDAP), see the reference section and click on the User Group Administration chapter Domain Groups LDAP.


Workflow diagram: [figure not included in this text]

Prerequisites:

  • System Manager is in Engineering mode.
  • System Browser is in Management View.


Steps:

1 – Configuring Domain

Scenario: The domain configuration must be set up once to get access to the domain groups. It supports one domain server only.

  1. Select Project > System Settings > Security.
  2. Select the LDAP tab and open the Server Communication expander.
  3. Enter the domain name in the Domain field, for example, xy001.company.net, or click Browse to find the desired domain name.
  4. From the Port drop-down list, select:
  • 389 for an unsecured connection
  • 636 for a secure connection
  5. In the Account name field, enter the account name, for example, xy001\MyName, or click Browse to find the desired user name.
    Domain Account and User NOTES:
    The user must:
    - have restricted rights with read access on groups, group membership and users in the directory server.
    - have a password without an expiration date. If this is not possible, enter a user account with a password that will not expire soon; otherwise the account stops working once the password has expired.
    - be a Domain Account user specified as a Specific account in the System Account in SMC.
    This account performs the Active Directory synchronization that imports users from Active Directory (LDAP) into Desigo CC. Setting a local user account or service account may cause the connection to fail, because such an account may not have access to Active Directory (LDAP).
  6. In the Password field, enter the password. If the project was restored, this field may show the password of the domain account user as specified in the project on the source machine. Make sure that the password entered is the current one for the domain account user.
  7. In the Confirm password field, confirm the password.
  8. In the Query timeout field, enter the number of minutes (1 to 60) of inactivity after which an information message displays (default: 1 minute). In case of a timeout, click OK to continue.
  9. Click Save.
  10. Click Check connection.
    If the connection fails and, as a result, the data decryption fails as well, see Data Decryption fails after a project is copied from one machine to another or after restoring the project in Troubleshooting Projects in SMC Troubleshooting.
  • A message displays.
    - If the connection is successful, proceed to adding domain groups to the Group Mapping expander.
    - If the connection is unsuccessful, check the settings for the domain name, port number and account name.
  11. Click OK.


2 – Creating User Groups for Domain Groups
  • A connection to the domain server is established.
  1. Select Project > System Settings > Security.
  2. (Optional) Manual assignment procedure:
    a. Select the LDAP tab and open the Group Mapping expander.
    b. In the Name filter field, enter a group name. You can use an asterisk (*) as a wildcard at the end of the filter name, for example, CH DEV1*. In a large system, avoid using an asterisk at the beginning of the search phrase because it can result in excessive search times.
    c. Click Find.
    The groups display in the Non-mapped Directory Server Groups list.
    d. Note down the name of the domain group that you want to assign. You will have to enter it in step 6.
  3. Select the Security tab.
  4. Click New.
  5. In the New Group dialog box:
    a. In the Group type field, select User.
    b. Enter the Group name for the domain group:
    - when the assignment is performed manually, the name must be identical to that of the domain group.
    - when the assignment is performed via drag-and-drop, you can choose any unique name.
    c. Click OK.
  6. Click Save.


3 – Assigning Domain Groups to User Groups
  • A user group exists and is configured.
    NOTE: For each used domain group, a Desigo CC user group must exist.
  • A connection to the domain server is established.
  1. Select Project > System Settings > Security.
  2. Select the LDAP tab and open the Group Mapping expander.
  3. Enter a group name in the Name filter field. You can use an asterisk (*) as a wildcard at the end of the filter name, for example, CH DEV1*. In a large system, avoid using an asterisk at the beginning of the search phrase because it can result in excessive search times.
  4. Click Find.
  • The groups display in the Non-mapped Directory Server Groups list.
  5. Do one of the following:
  • To select via drag-and-drop, do the following:
    a. Select a group from the Non-mapped Directory Server Groups list.
    b. Drag it onto the Mapped Directory Server Groups list.
    NOTE: If a group is already assigned, you can assign a new group by replacing the existing group, or cancel the assignment.
    c. Using the drop-down menu for each, modify the Languages, Client Profile, and Flex Client Profile as needed. NOTE: Any changes made in the LDAP tab overwrite any selections for an existing user in the Users tab. If an individual is a member of two server groups, the information for the last server group added applies to that user.
    d. Select the Synchronization check box. The Status changes to Pending.
    e. Click Save.
  • To select manually, do the following:
    a. Select the name in the Desigo CC User Groups column which matches the Mapped Directory Server Groups.
    b. Select the name in the Mapped Directory Server Groups list.
    c. Using the drop-down menu for each, modify the Languages, Client Profile, and Flex Client Profile as needed. NOTE: Any changes made in the LDAP tab overwrite any selections for an existing user in the Users tab. If an individual is a member of two server groups, the information for the last server group added applies to that user.
    d. Select the Synchronization check box. The Status changes to Pending.
    e. Click Save.
  6. (Optional) Remove an assigned server group mapping by selecting a row and then clicking Remove Mapping.
  7. Click Synchronize.
  • The Status changes to Succeeded.
  • All users of that group are assigned to and enabled in the Group Configuration expander of the Security tab. For new users, the Full name and Comment fields are populated with those attributes from the Active Directory.
  8. Repeat steps 4 to 7 for the other required domain groups.


4 – Assigning Domain Groups to User Groups in a Distributed System
  • A global user group exists and is configured.
    NOTE: For each used domain group, a Desigo CC global user group must exist.
  • A connection to the domain server is established.
  1. In the master project, select Project > System Settings > Security.
  2. Select the LDAP tab and open the Group Mapping expander.
  3. Enter a group name in the Name filter field. You can use an asterisk (*) as a wildcard at the end of the filter name, for example, CH DEV1*. In a large system, avoid using an asterisk at the beginning of the search phrase because it can result in excessive search times.
  4. Click Find.
  • The groups display in the Non-mapped Directory Server Groups list.
  5. Do one of the following:
  • To select via drag-and-drop, do the following:
    a. Select a group from the Non-mapped Directory Server Groups list.
    b. Drag it onto the Mapped Directory Server Groups list.
    NOTE: If a group is already assigned, you can assign a new group by replacing the existing group, or cancel the assignment.
    c. Using the drop-down menu for each, modify the Languages, Client Profile, and Flex Client Profile as needed. NOTE: Any changes made in the LDAP tab overwrite any selections for an existing user in the Users tab. If an individual is a member of two server groups, the information for the last server group added applies to that user.
    d. Select the Synchronization check box. The Status changes to Pending.
    e. Click Save.
  • To select manually, do the following:
    a. Select the name in the Desigo CC User Groups column which matches the Mapped Directory Server Groups.
    b. Select the name in the Mapped Directory Server Groups list.
    c. Using the drop-down menu for each, modify the Languages, Client Profile, and Flex Client Profile as needed. NOTE: Any changes made in the LDAP tab overwrite any selections for an existing user in the Users tab. If an individual is a member of two server groups, the information for the last server group added applies to that user.
    d. Select the Synchronization check box. The Status changes to Pending.
    e. Click Save.
  6. (Optional) Remove an assigned server group mapping by selecting a row and then clicking Remove Mapping.
  7. Click Synchronize.
  • The Status changes to Succeeded.
  • All users of that group are assigned to and enabled in the Group Configuration expander of the Security tab. For new users, the Full name and Comment fields are imported with those attributes from the Active Directory.
  8. Repeat steps 4 to 7 for the other required domain groups.

NOTE:
If a local account is a member of a global group that gets synchronized, this account is promoted to global. As a result, this account's memberships in all local groups expire, so that it can only be assigned to global groups.
When synchronizing a local group which has an existing global account as a member, this membership is ignored, and the global account is not added to the local group.


5 – Configuring Users from Domain Groups
  • Users of a domain group are enabled by default.
  1. Select Project > System Settings > Users.
  2. Click the Users tab.
  3. In the Users list, select a user.
  4. Make the desired changes to the settings for the user.
    NOTE: The domain group synchronization does not automatically enable users whose Enabled check box was cleared.
  5. Click Save.
  • The user is modified.
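The synchronization rules stated in sections 3 to 5 (for a user in two server groups the last mapping added wins, a cleared Enabled box stays cleared, a local account is promoted when a global group is synchronized, a global account in a local group is ignored) combined in one small model. This is an added example, not Desigo CC code; the User record, the mapping rows, the group scopes and the directory contents are constructed assumptions used only to show how the documented rules interact.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    """Assumed model of a Desigo CC user record (constructed, not the product's data model)."""
    name: str
    scope: str = "local"     # "local" or "global" account
    enabled: bool = True
    full_name: str = ""
    comment: str = ""
    profile: tuple = ()      # (Languages, Client Profile, Flex Client Profile) from the mapping row
    groups: set = field(default_factory=set)

def synchronize(mappings, directory, group_scope, users):
    """mappings: (directory group, CC user group, profile tuple) rows in the order they were added;
    directory: {directory group: [(account, full name, comment), ...]} as read from the server;
    group_scope: {CC user group: "local" | "global"}; users: {name: User}, updated in place."""
    for dir_group, cc_group, profile in mappings:
        scope = group_scope[cc_group]
        for account, full_name, comment in directory[dir_group]:
            user = users.get(account)
            if user is None:
                # New users are created enabled, with Full name and Comment taken from the directory.
                user = users[account] = User(account, scope, True, full_name, comment)
            elif scope == "local" and user.scope == "global":
                continue   # a global account in a synchronized local group is ignored
            elif scope == "global" and user.scope == "local":
                # A local account in a synchronized global group is promoted; local memberships expire.
                user.scope = "global"
                user.groups = {g for g in user.groups if group_scope[g] == "global"}
            # An existing user's Enabled flag is left untouched: a cleared box stays cleared.
            user.groups.add(cc_group)
            # LDAP tab settings overwrite the user's own; the last mapping processed wins.
            user.profile = profile
    return users

def sample_run():
    """Constructed scenario: two mapped groups sharing one member, one disabled existing user,
    one local account with a local membership that appears in a global group, one global account in a local group."""
    mappings = [("CH DEV1", "CH DEV1", ("en-US", "Default", "Flex-A")),
                ("CH OPS", "Operators", ("de-DE", "Ops", "Flex-B"))]
    directory = {"CH DEV1": [("xy001\\alice", "Alice A.", "dev"), ("xy001\\bob", "Bob B.", "dev"),
                             ("xy001\\dave", "Dave D.", "dev")],
                 "CH OPS": [("xy001\\alice", "Alice A.", "ops"), ("xy001\\carol", "Carol C.", "ops")]}
    group_scope = {"CH DEV1": "local", "Operators": "global", "Legacy": "local"}
    users = {"xy001\\bob": User("xy001\\bob", enabled=False),
             "xy001\\carol": User("xy001\\carol", groups={"Legacy"}),
             "xy001\\dave": User("xy001\\dave", scope="global")}
    return synchronize(mappings, directory, group_scope, users)
```

Running `sample_run()` shows alice ending up global with only the Operators membership and the Operators profile, bob staying disabled, and dave untouched by the local CH DEV1 mapping.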


6 – Enable Synchronization of Domain Groups
  1. Select Project > System Settings > Security.
  2. In the Extended Operation tab, select the LDAP Synchronization property.
  3. Click Enable.
  4. (Optional) Click Synchronize.
    NOTE: This feature can only be carried out when the domain groups are defined.


7 – Automatic Synchronization of Domain Groups

Scenario: A synchronization has to be triggered whenever a user has been added to or removed from a domain group. Depending on the frequency of organizational changes, an automatic synchronization has to be triggered on a daily (weekly or monthly) basis. If a user needs to be added before the automatic synchronization takes place, you need to trigger a manual synchronization.

  • Synchronization is enabled.
  1. Select Applications > Logics > Reactions.
  • The Reaction Editor tab displays.
  2. Open the General Settings expander.
  3. In the Notes field, enter Automatic synchronization of LDAP every night at 10 PM.
  4. In the Triggers expander, select the condition AND from the drop-down list.
  5. In the Time and Organization Mode expander, set its fields as follows:
    a. In the Time column, clear the Begin of day check box and, in the Set start time field, enter 10:00:00 PM.
    b. Clear the Set end time check box.
    c. In the Effective Days column, open the drop-down list and, for example, set Recurrence: Weekly, select the frequency Every: 1 week, and select an option.
  6. In the Output expander, open the Action expander.
    a. In System Browser, select Management View.
    b. Select Project > System Settings > Security.
    c. Drag Security into the empty area of the Scope/Target column in the Action expander.
    d. In the Property column, select LDAP Status.
    e. In the Command column, select Synchronize.
    f. In the remaining four fields, leave the default setting (All).
  7. (Optional) In the Triggers expander, open the Values and States expander.
    NOTE: This setting avoids an additional run if the synchronization is already running.
    a. Select Project > System Settings > Security.
    b. Drag Security into the empty area of the Target column in the Values and States expander.
    c. In the Property column, select LDAP Status.
    d. In the Value Range column, select <> and Running.
    e. Select the At least one row must be true option.
  8. Click Save As.
  9. In the Save Object As dialog box, select the main Reactions folder or any subfolder under it as the saving destination:
    a. Enter a name and description, for example, Automatic Daily LDAP Synchronization.
    b. Click OK.
  • The new reaction object is available in System Browser and is enabled by default.
  • The execution of the LDAP synchronization is logged. In case of a synchronization error, a status alarm is triggered.