Microsoft Active Directory (LDAP)
-
How do I manage permissions when connected to LDAP Active Directory?
ONARKEN’s LDAP integration enables real-time user authentication when users scan their ID badges at the lockers. Unlike a traditional import or synchronisation process, this setup directly queries your Active Directory to verify credentials at the moment of badge scan.
Key Concepts
-
Real-Time Authentication:
- When a user scans their ID badge, ONARKEN queries your LDAP Active Directory to authenticate the user.
- This ensures that only authorised users with valid credentials can access lockers.
-
Role and Access Group Mappings:
- LDAP integration still relies on configured Role and Access Group mappings in ONARKEN.
- These mappings define the permissions and access rights for authenticated users.
Prerequisites
Before configuring the integration, ensure:
- Your ONARKEN instance is connected to Active Directory.
- You have administrative access to both ONARKEN and your LDAP Active Directory.
- The required attributes (e.g. card number) are available in your Active Directory schema.
For setup instructions, refer to the How to connect LDAP Active Directory? guide.
How LDAP Authentication Works
-
ID Badge Scanning:
- When a user scans their ID badge at the locker, ONARKEN extracts the badge ID and queries Active Directory.
- When a user scans their ID badge at the locker, ONARKEN extracts the badge ID and queries Active Directory.
-
LDAP Query:
- ONARKEN uses the configured Base DN and credentials to search for the user’s card number in Active Directory.
- If the card number is found and valid, ONARKEN authenticates the user.
- ONARKEN uses the configured Base DN and credentials to search for the user’s card number in Active Directory.
-
Role and Access Check:
- ONARKEN verifies the user’s Role and Access Group mappings to determine their permissions and access rights.
- ONARKEN verifies the user’s Role and Access Group mappings to determine their permissions and access rights.
-
Locker Access:
- If the user is authenticated and has appropriate permissions, they are granted access to the lockers or assets.
Configuring Role and Access Group Mappings for LDAP Authentication
-
Log in to the ONARKEN Management Platform:
Use your administrator credentials. -
Access the Integrations Section:
Navigate toIntegrationsin the main menu. -
Open LDAP Active Directory Configuration:
UnderLDAP Active Directory, clickConfigure Integration. -
Map Roles and Access Groups:
- For each Role or Access Group you want to map, click the Pencil icon.
- Use the search box to specify the Organisational Unit (OU) or security group name in Active Directory.
- Click
Add Mappingto save.
-
Save Settings:
Ensure all mappings are saved and reflect your organisational requirements.
-
-
How to connect LDAP Active Directory?
Integrating LDAP Active Directory with ONARKEN allows users to authenticate using their card scans, enabling seamless and secure access to lockers and assets. Follow these steps to set up the integration:
Steps to Connect LDAP Active Directory
-
Log in to the ONARKEN Management Platform:
Use your administrator credentials to access the system. -
Access the Integrations Section:
- Navigate to
Integrationsfrom the main menu.
- Navigate to
-
Select the LDAP Active Directory Integration:
- Under
LDAP Active Directory, clickConfigure Integration.
- Under
-
Complete the Setup Wizard:
Provide the required information:
-
-
- Host Address(es) / Name(s): The address or hostname of your AD server.
- Port Number: The port for LDAP communication (e.g., 389 for LDAP or 636 for LDAPS).
- Service Account Credentials: The username and password for the AD account with Full Read Access.
- Base DN: The starting point in the directory tree for user searches (e.g.,
OU=Users,DC=example,DC=com). - Card Number Attribute: The LDAP attribute stores user card numbers. If unavailable, ONARKEN can enable user self-registration.
- Optional Cost Code Attribute: An attribute for storing cost codes, if applicable.
-
-
Connect:
- Click
Connectto establish the integration.
- Click
Key Benefits of LDAP Integration
- Card-Based Authentication: Simplifies user access by linking card scans directly to Active Directory accounts.
- Centralised User Management: Leverages existing AD infrastructure for user authentication and permissions.
- Secure Communication: Supports LDAPS for encrypted and secure data transmission.
-
-
What information is required for the LDAP Active Directory integration?
Integrating ONARKEN lockers with your Active Directory (AD) allows for seamless user authentication and efficient management of access permissions. To set up the integration, specific information is required to ensure proper configuration and functionality.
Required Information
-
Host Address(es) / Name(s):
- The address or hostname of your Active Directory server(s).
- The address or hostname of your Active Directory server(s).
-
Port Number:
- The port used for communication with Active Directory (commonly 389 for LDAP or 636 for LDAPS).
- The port used for communication with Active Directory (commonly 389 for LDAP or 636 for LDAPS).
-
Active Directory Service Account:
- An account with Full Read Access to your Active Directory. This account is used to query and retrieve user information.
- An account with Full Read Access to your Active Directory. This account is used to query and retrieve user information.
-
Base DN (Distinguished Name):
- The root of the directory tree from which ONARKEN will search for user accounts. For example:
OU=Users,DC=example,DC=com.
- The root of the directory tree from which ONARKEN will search for user accounts. For example:
-
Card Number Attribute:
- The attribute in Active Directory that stores the user’s card number for authentication.
- Note: If card numbers are not stored in AD, ONARKEN can prompt users to self-register their cards during their first use.
-
Cost Code Attribute (Optional):
- If applicable, this attribute can store cost codes associated with users for tracking or billing purposes.
Best Practices for Setup-
Secure the Service Account:
Ensure that the service account used for the integration has the minimum required permissions (Full Read Access) to reduce potential security risks. -
Confirm Attribute Names:
Verify the exact attribute names for card numbers and cost codes in your Active Directory schema to avoid configuration errors. -
Test Connectivity:
Before finalising the setup, test the connectivity to your AD server using the provided host address, port number, and service account credentials. -
Use LDAPS for Security:
If possible, use LDAPS (LDAP over SSL) for encrypted communication between ONARKEN and Active Directory.
Next Steps
Once the required information is gathered, follow the ONARKEN integration setup wizard to configure and establish the connection. For further assistance, refer to your ONARKEN documentation or contact support.
-