LDAP Synchronization

1. LDAP - Group and User Management

Important Notes

Azure Active Directory (Azure AD) provides two methods to access data: Azure AD Graph and Graph API. However, the Microsoft Azure AD Graph API will soon be deprecated and will no longer be usable. To continue accessing Azure AD LDAP resources, it's necessary to migrate from Azure AD Graph API to Graph API.
Please refer to Microsoft's documentation, for more information on how to migrate from Azure AD Graph API to Graph API.

Constellio supports, at the moment, both Azure AD Graph and Graph API. To distinguish between the two access methods, we use the following naming conventions:

• Azure AD Graph (which will soon be deprecated) is referred to as "Azure AD (Deprecated)" in Constellio.
• Graph API is referred to as "Azure AD (Graph API)" in Constellio.

1.1 LDAP Directory

To access the LDAP directory:

1. Click on " Administration " in the navigation menu;
2. Then click on " LDAP Directory ";
3. In the " LDAP Configuration " window, two options are available: user authentication without account synchronization or user authentication and synchronization. In both cases, the " admin " user remains accessible.

1.2 User authentication (without account synchronization)

Enabling authentication allows you to go through the LDAP directory instead of the system used by default in Constellio EIM. However, users must be created manually in the application and added to the appropriate collections. Before saving the changes, it is possible to test the configuration with the "Test Configuration" button. To do this, it is necessary to indicate in the "Synchronization" tab a username (in the "User used for synchronization" field) and a password associated with this user (in the "Password used for synchronization" field). Restarting the system is not required for authentication.

Active Directory or eDirectory

1. Choose the type of directory via the " Directory Service " drop-down menu;
2. Give the URLs of directories separated by line breaks (example URL: ldap://ad.constellio.com:389 );
3. Provide the domains separated by line breaks (example domain: test.constellio.com ) and click on " Save ".

Azure AD (both deprecated and Graph API)

1. Choose the desired Azure AD directory via the " Directory Service" drop-down menu;
   1. When the Azure AD Graph to access LDAP data, select Azure AD (Deprecated) in the drop-down menu. (Note that this API will soon be deprecated by Microsoft)
   2. When using the Graph API to access LDAP Data, select Azure AD (Graph API) in the drop-down menu.
2. Enter the customer's ID, the tenant ID, the test user, and his password;
3. Click on " Save ".

1.3 User synchronization

User synchronization allows you to import users and groups from the directory and filter them. The filters currently offered with Constellio EIM are filters based on regular expressions. Synchronization also allows you to update information periodically.

It is possible to test the configuration before the backup via the "Test Configuration" button. After the backup, however, it is no longer possible to add, update, or delete configurations for users or groups through the app if user synchronization is enabled.

Active Directory or eDirectory

1. Choose the type of directory via the " Directory Service " drop-down menu;
2. Specify the synchronization schedule. Three choices are possible: 
   1. Fixed times : Synchronization will be performed at each time added to the list.
   2. Duration between executions : Synchronization will take place at a specific frequency (combination of days, hours and minutes).
   3. Schedule disabled : When this option is selected, no automatic synchronization will be performed. However, it is still possible to perform manual synchronizations.
3. Select the collections for which synchronization must be done;
4. Specify the user and the user's password used for synchronization (required fields);
5. Specify the basic contexts for finding groups separated by line breaks (e.g., OU=Groups, DC=test, DC=Constellio, DC=com). This field is related to the two regular expression fields for groups. All non-empty groups in the provided contexts will be imported as well as all users in those groups. An exclusion is applied for users and groups that do not respect the filters defined by the regular expressions of groups and users;
6. Basic contexts for finding users separated by line breaks (e.g., CN=Users, DC=test, DC=Constellio, DC=com). This field is linked to the two regular expression fields for users. All users in this context will be imported along with their groups. An exclusion is applied for users and groups that do not respect the filters defined by the regular expressions of groups and users;
7. User Filtering Groups : This configuration allows you to limit the users obtained using the " User Search Master Contexts" configuration using groups to which these users belong and which are not covered by the " Group Search Master Contexts" configuration. Groups are separated by line breaks (e.g., OU=Groups, DC=test, DC=Constellio, DC=com);
8. Enable automatic derivation of users from accepted groups: If this configuration is enabled, users in accepted groups will be synchronized if they follow the regular inclusion expression. If this configuration is not accepted, only users matching the " User Search Basic Contexts " configuration will be considered;
9. Click on " Save ".

Azure AD (both Deprecated and Graph API)

1. Choose the type of directory via the "Directory Service " drop-down menu;
2. Specify the synchronization schedule. Three choices are possible;
   1. Fixed times : Synchronization will be performed at each time added to the list.
   2. Duration between executions : Synchronization will take place at a specific frequency (combination of days, hours and minutes).
   3. Schedule disabled : When this option is selected, no automatic synchronization will be performed. However, it is still possible to perform manual synchronizations.
3. Select the collections for which synchronization must be done;
4. Indicate the customer's identifier;
5. Indicate the key of the application;
6. Register regular expressions for users to accept and those for users to reject;
7. Register regular expressions for groups to be accepted and those for groups to be rejected;
8. A separate call to retrieve children from an LDAP subgroup (its subgroups and users). This configuration allows you to retrieve the subgroups and users of each subgroup of a retrieved LDAP group. That is, the synchronization will analyze an additional level of depth. Note that a separate call is required for each subgroup, which can increase the duration of a synchronization significantly. Use only if the tree to be retrieved has more than two hierarchical group levels;
9. Ignore regular expressions for LDAP subgroups if at least one parent group matches regular expressions. This configuration tells Constellio to accept a subgroup even if it does not respect the regular expression of inclusion if its parent group respects the regular expression of inclusion;
10. Synchronize users only if they are members of a group that matches regular expressions. If this configuration is enabled, users who respect the regular expression of inclusion will only be synchronized if they belong to a synchronized group. If this configuration is not enabled, all users matching the regular inclusion expression will be synchronized, regardless of the groups to which they belong;
11. Click on " Save ".

EXAMPLE - Regular expression for groups to accept

Regular expression for users to accept (e.g., * means that all users will be imported, except those who check the following field).

Regular expression for users to be rejected (e.g., testAuj will be rejected).

Regular expression for groups to be rejected (e.g., ALF_tous|. *_ext groups whose names end in "_ext" as well as the group "ALF_tous" will be rejected).