Helix TeamHub LDAP Sync Application
Integrating the corporate LDAP directory with Helix TeamHub is straightforward. Follow the steps below to set up synchronization. On-premises installations of Helix TeamHub can also be configured to use LDAP Authentication. In that case the LDAP Sync application can still be used to keep existing Helix TeamHub accounts up to date.
Requirements
- Java runtime (1.6+)
- Read access to the source
- The source must provide at least the following user attributes: first_name, last_name, username, email
Create Company Admin Bot
Log in to the Helix TeamHub App with a Company Admin account (On-premises users: log in to your instance). Click the company name on the top navigation and select Bots from the left menu. Create a new Company Admin bot and note the API keys; they will be used later when configuring synchronization.
Setup and Configure LDAP Sync
Download the Helix TeamHub LDAP Sync application from the LDAP Sync app download page and extract it. The application is configured using a YAML file. Copy one of the example config files and use it as a base for configuration. Use example_ad.yml if the source is Active Directory, or example_ldap.yml if the source is some other OpenLDAP compliant server.
Configure General and Helix TeamHub API Settings
Uncomment and set a unique name for the source. The source is used to identify which users in Helix TeamHub are synchronized from this LDAP source. Make sure to use the same value for the source that was used in Helix TeamHub Admin authentication preferences if using LDAP Authentication. For synchronization strategy, choose either to sync all the users from LDAP to Helix TeamHub, or only keep existing Helix TeamHub users in sync. In both cases deactivated or deleted LDAP users will also be deleted from Helix TeamHub. The keep_in_sync strategy is recommended for LDAP Authentication.
Please note: Using the sync_all strategy will sync all the users found from LDAP to Helix TeamHub and new users will receive a registration/welcome email.
Set the values for company_key and account_key previously noted. If using Helix TeamHub On-premises, set the api_url to point to the Helix TeamHub instance API. You may enable certificate verification for Helix TeamHub API requests by setting the api_server_certificate attribute to the path of the root certificate of the certificate used in Helix TeamHub. The path can be either relative to where hth-ldapsync.jar is executed or an absolute path.
Configure your LDAP settings
Set the LDAP host, port, auth_username and auth_password for a user with read access to the source, and choose the encryption method for the LDAP connection. Then set the LDAP base tree from which to sync the users. Users can be excluded from synchronization by adding the short_name to the ignored_users list.
Starting from Helix TeamHub version 2018.1 and LDAP Sync version 2.1.0, it is now possible to enable nested group support for Active Directory by enabling the request_user_groups setting and by using member:1.2.840.113556.1.4.1941: as a value for the ldap_groups attribute.
Finally, configure the attribute mappings between the LDAP schema and Helix TeamHub.
Configure Groups (optional)
Starting from Helix TeamHub version 2.7.1 and LDAP Sync version 1.3.0, it is now possible to synchronize groups from the base directory to Helix TeamHub. Define which groups are created by using group_base and group_query_filters.
Attribute mappings between the directory and Helix TeamHub can be configured using ldap_group_attributes. The default mapping will work for most users, but revise the value of the source attribute. The source defines whether the LDAP groups are linked to Helix TeamHub groups by common name (cn) or distinguished name (dn).
Group synchronization can be enabled by using the --group-sync switch:
java -jar hth-ldapsync.jar --config myconfig.yml --group-sync
Test Configurations
Try out the configuration by running the LDAP Sync application and giving it the configuration file as a parameter. By default no modifications are made; instead, the application shows details of what the synchronization would do. For example:
java -jar hth-ldapsync.jar --config myconfig.yml
If there are already users in Helix TeamHub that need to be synchronized from the source, use the --force-sync switch with the first run. It will map the existing Helix TeamHub users to the source and update them instead of creating new users.
Run the LDAP Sync
Once the configuration is ready, run the actual synchronization by adding the --apply switch. This will synchronize users to Helix TeamHub.
java -jar hth-ldapsync.jar --config config.yml --apply
The LDAP Sync application can also be set up to run at intervals, such as once per hour, by using a scheduler.
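Because the configuration file holds auth_password and the bot API keys and a scheduler will read it unattended, a pre-flight check can run ahead of --apply. The script below is an added example, not part of the LDAP Sync distribution; the function names preflight and cfg_value are hypothetical. It assumes settings appear as uncommented "key: value" lines at any indentation, and it treats api_server_certificate as mandatory whenever api_url is set, which is stricter than the optional setting described above.

```shell
#!/bin/sh
# Added example: pre-flight check of an LDAP Sync config before --apply.
# Assumption: settings are uncommented "key: value" lines at any indentation.

# Print the value of the first uncommented "key:" line, without quotes.
cfg_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
        sed -e 's/^#.*$//' -e 's/[[:space:]]\{1,\}#.*$//' \
            -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//" |
        head -n 1
}

preflight() {
    cfg=$1
    problems=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }

    # The file holds auth_password and the bot API keys: owner-only access.
    if [ "$(ls -ld "$cfg" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $cfg is accessible to group/other (chmod 600)"
        problems=$((problems + 1))
    fi

    # Settings the setup steps ask for; commented example lines count as unset.
    for key in source company_key account_key host port \
               auth_username auth_password base; do
        if [ -z "$(cfg_value "$cfg" "$key")" ]; then
            echo "FAIL: $key is missing, commented out or empty"
            problems=$((problems + 1))
        fi
    done

    # With a custom api_url, api_server_certificate must name an existing file.
    url=$(cfg_value "$cfg" api_url)
    cert=$(cfg_value "$cfg" api_server_certificate)
    if [ -n "$url" ] && [ ! -f "$cert" ]; then
        echo "FAIL: api_url is set but api_server_certificate is unset or not a file"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh preflight.sh myconfig.yml
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Because the match ignores nesting, a source set only under ldap_group_attributes also satisfies the source check. A relative api_server_certificate path is resolved from the current directory, so run the check from the directory where hth-ldapsync.jar is executed.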