LDAP Synchronization

1. LDAP - Group and User Management

Important Notes

Azure Active Directory (Azure AD) provides two methods to access data: Azure AD Graph and Graph API. However, the Microsoft Azure AD Graph API will soon be deprecated and will no longer be usable. To continue accessing Azure AD LDAP resources, it's necessary to migrate from Azure AD Graph API to Graph API.
Please refer to Microsoft's documentation, for more information on how to migrate from Azure AD Graph API to Graph API.

Constellio supports, at the moment, both Azure AD Graph and Graph API. To distinguish between the two access methods, we use the following naming conventions:

• Azure AD Graph (which will soon be deprecated) is referred to as "Azure AD (Deprecated)" in Constellio.
• Graph API is referred to as "Azure AD (Graph API)" in Constellio.

1.1 LDAP Directory

To access the LDAP directory:

1. Click on " Administration " in the navigation menu;
2. Then click on " LDAP Directory ";
3. In the " LDAP Configuration " window, two options are available: user authentication without account synchronization or user authentication and synchronization. In both cases, the " admin " user remains accessible.

1.2 User authentication (without account synchronization)

Enabling authentication allows you to go through the LDAP directory instead of the system used by default in Constellio EIM. However, users must be created manually in the application and added to the appropriate collections. Before saving the changes, it is possible to test the configuration with the "Test Configuration" button. To do this, it is necessary to indicate in the "Synchronization" tab a username (in the "User used for synchronization" field) and a password associated with this user (in the "Password used for synchronization" field). Restarting the system is not required for authentication.

Active Directory or eDirectory

1. Choose the type of directory via the " Directory Service " drop-down menu;
2. Give the URLs of directories separated by line breaks (example URL: ldap://ad.constellio.com:389 );
3. Provide the domains separated by line breaks (example domain: test.constellio.com ) and click on " Save ".

Azure AD (both deprecated and Graph API)

1. Choose the desired Azure AD directory via the " Directory Service" drop-down menu;
   1. When the Azure AD Graph to access LDAP data, select Azure AD (Deprecated) in the drop-down menu. (Note that this API will soon be deprecated by Microsoft)
   2. When using the Graph API to access LDAP Data, select Azure AD (Graph API) in the drop-down menu.
2. Enter the customer's ID, the tenant ID, the test user, and his password;
3. Click on " Save ".

1.3 User synchronization

User synchronization allows you to import users and groups from the directory and filter them. The filters currently offered with Constellio EIM are filters based on regular expressions. Synchronization also allows you to update information periodically.

It is possible to test the configuration before the backup via the "Test Configuration" button. After the backup, however, it is no longer possible to add, update, or delete configurations for users or groups through the app if user synchronization is enabled.

1.3.1 Active Directory or eDirectory

1. Choose the type of directory via the " Directory Service " drop-down menu;
2. Specify the synchronization schedule. Three choices are possible: 
   1. Fixed times : Synchronization will be performed at each time added to the list.
   2. Duration between executions : Synchronization will take place at a specific frequency (combination of days, hours and minutes).
   3. Schedule disabled : When this option is selected, no automatic synchronization will be performed. However, it is still possible to perform manual synchronizations.
3. Select the collections for which synchronization must be done;
4. Specify the user and the user's password used for synchronization (required fields);
5. Specify the basic contexts for finding groups separated by line breaks (e.g., OU=Groups, DC=test, DC=Constellio, DC=com). This field is related to the two regular expression fields for groups. All non-empty groups in the provided contexts will be imported as well as all users in those groups. An exclusion is applied for users and groups that do not respect the filters defined by the regular expressions of groups and users;
6. Basic contexts for finding users separated by line breaks (e.g., CN=Users, DC=test, DC=Constellio, DC=com). This field is linked to the two regular expression fields for users. All users in this context will be imported along with their groups. An exclusion is applied for users and groups that do not respect the filters defined by the regular expressions of groups and users;
7. User Filtering Groups : This configuration allows you to limit the users obtained using the " User Search Master Contexts" configuration using groups to which these users belong and which are not covered by the " Group Search Master Contexts" configuration. Groups are separated by line breaks (e.g., OU=Groups, DC=test, DC=Constellio, DC=com);
8. Enable automatic derivation of users from accepted groups: If this configuration is enabled, users in accepted groups will be synchronized if they follow the regular inclusion expression. If this configuration is not accepted, only users matching the " User Search Basic Contexts " configuration will be considered;
9. Click on " Save ".

1.3.2 Azure AD (both Deprecated and Graph API)

1. Choose the type of directory via the "Directory Service " drop-down menu;
2. Specify the synchronization schedule. Three choices are possible;
   1. Fixed times : Synchronization will be performed at each time added to the list.
   2. Duration between executions : Synchronization will take place at a specific frequency (combination of days, hours and minutes).
   3. Schedule disabled : When this option is selected, no automatic synchronization will be performed. However, it is still possible to perform manual synchronizations.
3. Select the collections for which synchronization must be done;
4. Indicate the customer's identifier;
5. Indicate the key of the application;
6. Register regular expressions for users to accept and those for users to reject;
7. Register regular expressions for groups to be accepted and those for groups to be rejected;
8. A separate call to retrieve children from an LDAP subgroup (its subgroups and users). This configuration allows you to retrieve the subgroups and users of each subgroup of a retrieved LDAP group. That is, the synchronization will analyze an additional level of depth. Note that a separate call is required for each subgroup, which can increase the duration of a synchronization significantly. Use only if the tree to be retrieved has more than two hierarchical group levels;
9. Ignore regular expressions for LDAP subgroups if at least one parent group matches regular expressions. This configuration tells Constellio to accept a subgroup even if it does not respect the regular expression of inclusion if its parent group respects the regular expression of inclusion;
10. Synchronize users only if they are members of a group that matches regular expressions. If this configuration is enabled, users who respect the regular expression of inclusion will only be synchronized if they belong to a synchronized group. If this configuration is not enabled, all users matching the regular inclusion expression will be synchronized, regardless of the groups to which they belong;
11. Click on " Save ".

1.4 UPN and Azure AD email sync

During synchronization, it is possible to populate the Email metadata of the user file with the Mail metadata from Azure AD.

• If the user does not have an email (mail field) entered on Azure AD, it is the UPN field that will be synchronized. Thus, the Email metadata will be the same as the UPN
• If the user has an entry email on Azure AD, the entry will be duplicated in the email metadata of the user record. 

1.5 EXAMPLE - Regular expression for groups to accept

Regular expression for users to accept (e.g., * means that all users will be imported, except those who check the following field).

Regular expression for users to be rejected (e.g., testAuj will be rejected).

Regular expression for groups to be rejected (e.g., ALF_tous|. *_ext groups whose names end in "_ext" as well as the group "ALF_tous" will be rejected).

2. Impact on the user file

When a directory is synchronized, the possible modifications to a user's record are limited, unlike users entered manually. In this case, the desired modifications must be made in the directory and the changes will appear in Constellio following the next synchronization. 

Metadata that cannot be modified in Constellio are:

• User name
• First name
• Surname
• E-mail
• Function
• Phone number
• User job address
• Personal emails
• Status

3. Prevent the creation of local users

Preventing local users from being created in a system helps ensure that only user accounts created and managed through a centralized identity management system, such as Azure Active Directory or another identity provider, can access the system . 

3.1. LDAP Configuration Page

In the LDAP directory configuration page, a new option now allows you to disable the creation of local accounts. It's a checkbox labelled "Disable local user creation."

3.2. Security management page

In the security management page, the button to add new users will be disabled and therefore unavailable if the “Disable local user creation” option is enabled. This restriction is intended to prevent the creation of local accounts when this option is selected, ensuring that users can only be added through external identity management systems.

3.3. Configuration Management page via constellio.properties

In the constellio.properties file, it is possible to add a property to force the deactivation of the creation of local accounts. This property is named disableLocalUsersCreation and accepts two possible values: true or false. When the property is set to true, the creation of new local accounts will be systematically disabled, regardless of the settings configured in the user interface. For example, to enable this restriction, you would add the following line to the constellio.properties file:

In the LDAP directory configuration page, the check box titled “Disable creation of local users” will be inaccessible and therefore not displayed if the constellio.properties file contains the disableLocalUsersCreation property. When this property is set, its state (either true or false) will be used to determine whether or not the creation of new local accounts is allowed, overriding the settings defined in the LDAP UI. Therefore, setting this property in the constellio.properties file exclusively controls whether local account creation is enabled or disabled.