
Eptura Knowledge Center

Synchronize users through LDAP integration

Introduction

The LDAP integration automatically provisions users into Proxyclick directly from your internal user directory. It also lets users log in to the Proxyclick application with the e-mail address and password that the directory validates.

This has the following advantages:

  • Users can use their company password, so there is no need for a new password.

  • Security settings for passwords defined by the company will also apply to accessing the Proxyclick application.

  • When a user is disabled or removed from the directory, she/he will no longer be able to connect to the Proxyclick application.

[Image: How to synchronize users through LDAP integration]

Key features

  • One-way synchronization from your directory to the Proxyclick application.

  • No modification of the directory information.

  • The integration only reads user data from the directory.

We recommend one of our alternative methods whenever possible, as they are more flexible and reliable. Find out if any of our other options would work for you here.

Requirements

Proxyclick must be able to reach the directory server. If the connection is down when a user tries to log in, Proxyclick cannot verify the credentials and the login is refused with an error message. Likewise, user synchronization cannot update the accounts in the Proxyclick database while the connection to the directory server is failing.

A reasonably fast connection is also required to keep login and user synchronization response times acceptable.

Additionally, make sure this add-on has been activated on your subscription.

Technical implementation

Access to the directory server uses the LDAP protocol (Lightweight Directory Access Protocol). Proxyclick supports LDAP over TLS/SSL (LDAPS) for securing the connection and data exchange over the internet.

The firewall must accept incoming connections to the directory server. We suggest creating a rule limited to the IP address of the Proxyclick LDAP proxy server: 149.202.139.23.

We also suggest creating a separate account for accessing the directory. This account needs to be able to read data from the directory and search for users. Write access is not required, as Proxyclick will not modify directory information.

Supported Platforms

All directory servers that support the LDAP protocol can be used. This includes:

  • Microsoft Active Directory

  • Lotus Domino

  • OpenLDAP

  • Apache Directory

Login procedure at Proxyclick

If users need to be authenticated against the LDAP directory, they must log in through a dedicated URL:

https://app.proxyclick.com/login/[alias]

Here [alias] tells Proxyclick which directory server to query in order to validate the credentials. Please contact in order to get the alias (the alias is only available after we have set up the integration).

  1. The user enters an email address and password.

  2. A connection is opened to the directory server with the Proxyclick service account, and the directory is searched for the entry whose e-mail address matches. If no entry is found, the e-mail address is invalid and the login is refused (an error message is displayed). If an entry is found, its distinguished name (DN) is retrieved for the next step.

  3. Another connection is opened with the user DN and the password. If the directory server refuses the connection, the password is incorrect, and the login is refused (the user gets an error message). If the connection is accepted, the credentials are correct.

  4. The login process checks if an account exists. If not, the account is created using the user information extracted from the directory.

  5. Finally, if there are no errors, the user gets access to the application.

(The other authentication mechanisms are our standard login page, where the password is stored on Proxyclick servers, and SSO.)
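The search-then-bind flow of steps 2 and 3, as an added example that is not Proxyclick's code: it runs against a constructed in-memory directory (the `DIRECTORY` dict and the `mock_search`/`mock_bind` helpers stand in for the LDAP server, and `SEARCH_QUERY` is the page's example filter without its group clause), and it escapes the e-mail taken from the login form before placing it in the search filter, so a crafted value cannot change what the service account searches for.

```python
import re

# Search query as configured for the integration (the page's example without its group clause).
SEARCH_QUERY = "(&(mail=*)(sn=*)(givenName=*)(objectclass=user)(objectcategory=person))"

# Constructed in-memory directory standing in for the LDAP server: DN -> (attributes, password).
DIRECTORY = {
    "CN=Ada Lovelace,OU=Users,DC=example,DC=com": (
        {"mail": "ada@example.com", "givenName": "Ada", "sn": "Lovelace"}, "correct-horse"),
}

# RFC 4515 escapes, applied to every value taken from the login form before it enters a filter,
# so a crafted e-mail address cannot add or widen search clauses.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(email: str) -> str:
    """Step 2: AND the configured search query with an exact match on the submitted e-mail."""
    return f"(&{SEARCH_QUERY}(mail={escape_filter_value(email)}))"

def mock_search(ldap_filter: str) -> list:
    """Stand-in for the service-account search; it honours only the trailing (mail=...) clause."""
    m = re.search(r"\(mail=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)\)$", ldap_filter)
    if not m:
        return []
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [dn for dn, (attrs, _) in DIRECTORY.items() if attrs["mail"] == wanted]

def mock_bind(dn: str, password: str) -> bool:
    """Stand-in for step 3: a simple bind as the user's own DN with the supplied password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def login(email: str, password: str) -> str:
    """Steps 1-3 of the login procedure: returns 'ok', 'unknown_email' or 'bad_password'."""
    dns = mock_search(build_user_filter(email))
    if len(dns) != 1:          # no entry, or an ambiguous one: the e-mail is refused
        return "unknown_email"
    # An empty password must be rejected before binding: on a real server it would be an
    # anonymous bind, which many directories accept, and the login would wrongly succeed.
    if not password or not mock_bind(dns[0], password):
        return "bad_password"
    return "ok"
```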

User synchronization

Proxyclick regularly synchronizes the users in the directory with the Proxyclick accounts: every entry in the directory is checked against the Proxyclick database.

If an account for the user is found in Proxyclick, the data will be updated if it has changed. If no account is found, a new one is created.

Accounts that exist in the Proxyclick database but are missing from the user directory are flagged as deleted.

User information extracted from the directory

The data retrieved for each user from the directory is:

  • First name (mandatory)

  • Last name (mandatory)

  • E-mail address (mandatory)

  • Mobile phone number (optional), E.164 format

  • Fixed phone number (optional), less than 20 characters

  • Language (optional), ISO 639-1 format

Proxyclick needs to know which directory attribute to read for each of these fields.
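The synchronization run and the field list above, as an added example that is not Proxyclick's code: `synchronize` walks one directory search result and creates, updates or flags accounts, and `extract_user` applies the attribute mapping together with the E.164, 20-character and ISO 639-1 checks. The optional attribute names, the in-memory account store, the policy of dropping an invalid optional value while keeping the user, and the refusal to flag anything when the search returned nothing are assumptions made for this example.

```python
import re
# Attribute mapping of the kind sent to support: givenName/sn/mail are the page's example;
# the optional attribute names and the handling of bad optional values are assumptions.
ATTRIBUTE_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail",
                 "mobile": "mobile", "phone": "telephoneNumber", "language": "preferredLanguage"}
MANDATORY = ("first_name", "last_name", "email")
CHECKS = {"mobile": re.compile(r"^\+[1-9]\d{1,14}$").match, "phone": lambda v: len(v) < 20,
          "language": re.compile(r"^[a-z]{2}$").match}   # E.164, under 20 chars, ISO 639-1

def extract_user(entry):
    """None if a mandatory attribute is missing; an optional value failing its check is dropped."""
    user = {field: entry.get(attr) for field, attr in ATTRIBUTE_MAP.items()}
    if any(not user[f] for f in MANDATORY):
        return None
    for field, ok in CHECKS.items():
        if user[field] is not None and not ok(user[field]):
            user[field] = None
    user["email"] = user["email"].lower()   # the e-mail is the account key: compare case-insensitively
    return user

def synchronize(entries, accounts):
    """One sync run; accounts maps e-mail -> record with a 'deleted' flag and is updated in place."""
    stats, seen = {"created": 0, "updated": 0, "flagged_deleted": 0, "skipped": 0}, set()
    if not entries:   # a failed or empty search must never flag every account as deleted
        return stats
    for entry in entries:
        user = extract_user(entry)
        if user is None:
            stats["skipped"] += 1
            continue
        seen.add(user["email"])
        record, current = dict(user, deleted=False), accounts.get(user["email"])
        if current != record:   # new account, changed data, or a previously flagged account
            stats["created" if current is None else "updated"] += 1
            accounts[user["email"]] = record
    for email, current in accounts.items():
        if email not in seen and not current["deleted"]:
            current["deleted"] = True   # in Proxyclick but no longer in the directory
            stats["flagged_deleted"] += 1
    return stats
# Constructed sample: a changed user, a new user with a malformed mobile number, an entry
# without a last name, and an existing account that has disappeared from the directory.
SAMPLE_ENTRIES = [
    {"mail": "Ada@example.com", "givenName": "Ada", "sn": "Lovelace", "preferredLanguage": "fr"},
    {"mail": "bob@example.com", "givenName": "Bob", "sn": "Builder", "mobile": "0470 00 00 00"},
    {"mail": "nolast@example.com", "givenName": "No"}]
SAMPLE_ACCOUNTS = {e: dict(first_name=f, last_name=l, email=e, mobile=None, phone=None, language=None,
                           deleted=False) for e, f, l in [("ada@example.com", "Ada", "Byron"), ("gone@example.com", "Gone", "User")]}
def sample_run():
    return synchronize(SAMPLE_ENTRIES, SAMPLE_ACCOUNTS)
```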

Info needed for every location

In order to set up an integration with your AD, you need to send an email to support@proxyclick.com with the following info (for every location):

  • Person of contact: name and email of contact person (in case we have technical questions)

  • Server address: hostname or IP

  • Server port: typically 389 for LDAP (without encryption) or 636 for LDAPS (with encryption). In the case of LDAPS, if the certificate that the server will present does not match the server address (e.g., you provide address 192.168.1.1, but the certificate is for *.example.com), there will be an additional processing time for us to install the certificate in our trust store.

  • Credentials: username/password for searching the directory

  • Base DN: distinguished name of the entry from which the user search starts

  • Search Query: the query that selects the users to be synchronized with Proxyclick (e.g., a filter on an OU, membership of a group, …). This must be in LDAP filter syntax, for example:

(&(mail=*)(sn=*)(givenName=*)(objectclass=user)(objectcategory=person)(memberOf=CN=ProxyClick-Users,OU=Groups,OU=Sunfix,DC=sunfix,DC=com))

  • Attributes to use to get the first name, last name, and e-mail address of the users, e.g.:

mail = user email
givenName = user first name
sn = user last name