To set up directory server integration, as a community manager, you need to gather information about your LDAP server configuration. This setup includes identifying the location of your key directory server and tree as well as mapping your users and groups so Jive can synchronize to them. Finally, you need to test your implementation to ensure it is successful.
This article provides an overview of the steps taken for integrating a directory server into Jive.
Directory server integration relies on preparation and testing to be successful. Using this list of overview steps to plan your integration (on a test implementation), you can avoid some frustrating mistakes associated with integrating these two complex products.
Gather Information About Server Configuration
To complete the integration setup, you need:
- The address of your directory server and how it will communicate with Jive.
If you are using Jive to host your community, you can contact Support for assistance with setting up the connection between these servers. Make sure you account for server referrals, especially if you use Active Directory.
- The Base DN associated with the users you want to sync with Jive.
You may (or may not) want to include all the users in your organization. Make sure your Base DN is associated with the part of the tree that provides for all the targeted users. Keep in mind that if you plan to map groups as well as users, your Base DN needs to be at a tree level that contains both users and groups. You can also narrow down your users by specifying a User DN relative to the Base DN during setup.
- The DN associated with an Administrator account that has read access to your directory server.
This account does not need to be linked to a Jive user.
- The field identifiers associated with any directory service fields you want to sync to Jive profile fields.
For example, the Username field is typically associated with the sAMAccountName field for Active Directory. A suitable method for obtaining this information for your directory server setup is Using LDIF to Inventory Your Directory.
- Any LDAP filter expressions that are required to limit the number of users returned when you sync Jive to your LDAP tree.
Without the filters, synchronizing to your directory server returns every user associated with the Base DN you supplied. This may cause your Jive community to be populated with unwanted users.
- The field identifiers for any groups you want to map to permissions groups in Jive.
You do not need to map any groups if you are going to manage permissions entirely in the Jive community. You will also need to specify an attribute such as memberOf that can be used to associate users and groups.
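The Base DN, user filter and field mappings gathered above can be checked offline against an LDIF export before they are entered in Jive. The following Python example is added here and is not Jive code; the sample LDIF, the DNs, the jive-users group and the preflight function are constructed for illustration, and the scope and filter logic only approximates what a directory server would return.

```python
# Constructed sample export; the DNs, accounts and jive-users group are illustrative.
SAMPLE_LDIF = """\
dn: CN=Alice Ng,OU=Staff,DC=example,DC=com
objectClass: user
sAMAccountName: ang
mail: ang@example.com
memberOf: CN=jive-users,OU=Groups,DC=example,DC=com

dn: CN=Bob Ray,OU=Staff,DC=example,DC=com
objectClass: user
sAMAccountName: bray
memberOf: CN=jive-users,OU=Groups,DC=example,DC=com

dn: CN=svc-backup,OU=Service Accounts,DC=example,DC=com
objectClass: user
sAMAccountName: svc-backup

dn: CN=jive-users,OU=Groups,DC=example,DC=com
objectClass: group
"""

def parse_ldif(text):
    """Return [{lowercased attr: [values]}]; folded lines are joined, base64 is not decoded."""
    records = []
    for block in text.replace("\r\n", "\n").replace("\n ", "").strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#"):
                attr, _, value = line.partition(":")
                rec.setdefault(attr.lower(), []).append(value.strip())
        records.append(rec)
    return records

def preflight(ldif, base_dn, required_group, mapped_attrs):
    """Approximate (&(objectClass=user)(memberOf=required_group)) under base_dn."""
    report = {"sync": [], "excluded": [], "missing": {}}
    for rec in parse_ldif(ldif):
        if "user" not in [c.lower() for c in rec.get("objectclass", [])]:
            continue  # groups and other non-user entries are not user candidates
        dn = rec["dn"][0]
        # Assumption: scope is a case-insensitive suffix test (no escaped commas).
        scoped = ("," + dn.lower()).endswith("," + base_dn.lower())
        member = required_group.lower() in [g.lower() for g in rec.get("memberof", [])]
        report["sync" if scoped and member else "excluded"].append(dn)
        gaps = [a for a in mapped_attrs if a.lower() not in rec]
        if scoped and member and gaps:
            report["missing"][dn] = gaps  # mapped attribute absent on a user who would sync
    return report
```

Calling preflight(SAMPLE_LDIF, "DC=example,DC=com", "CN=jive-users,OU=Groups,DC=example,DC=com", ["sAMAccountName", "mail"]) lists the two staff accounts as sync candidates, excludes the service account, and reports that one candidate has no mail attribute to map.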
Connect LDAP Server with Jive Instance
To connect LDAP Server with your Jive instance:
- Start the directory server integration setup by navigating to the Admin Console > People > Settings > Directory Server Settings.
The individual fields on this page have helpful tooltips that you can access by hovering on the question mark next to the field.
- Enter your connection settings and test the connection by clicking Test Settings at the bottom of the tab.
If you cannot connect, you may need to check your credentials. The account you are binding with must have read access to users and groups for the entire subtree rooted at the base DN.
- Click Save to save your connection settings and display the rest of the configuration settings in tabs.
Map LDAP Fields to Jive Profile Fields
To map LDAP fields to profile fields in Jive:
- In the User Mapping tab, map any Jive profile settings you want to populate from your directory server by supplying an LDAP string.
Fields for which you provide a mapping are updated from the directory server whenever a synchronization takes place. For more information, see Setting up Mapping of Users from a Directory Server.
- Click Test Settings to validate your mappings against the directory server.
If the attribute you specified cannot be found, you see an error message identifying the problem.
- Click Save to save the mapping settings.
Synchronize Permission Groups
In the Group Mapping tab, decide whether to use and synchronize the permissions groups you have set up in LDAP or use Jive to assign users to permissions groups. (Note that group permissions have nothing to do with social groups in Jive.) You can choose to maintain some Jive-created permission groups even if you use LDAP-managed groups; however, make sure they are distinctly named.
Important recommendations for synchronizing permission groups:
- When syncing LDAP groups to Jive, you should sync only the groups used by Jive. If you leave the Group Filter with the default setting, Jive will sync all groups a user is assigned to in LDAP.
- Maintaining fewer than 500 Jive user groups simplifies administration and minimizes any performance impact from having too many groups.
- After mapping groups from a directory server, you need a migration strategy to switch back to Jive for maintaining groups.
For more information, see Setting up Mapping of Groups from a Directory Server.
Set up Account Synchronization
Use the User Synchronization tab to determine when and how user information must be synchronized between LDAP and Jive.
An LDAP group is synced into Jive only when a user from that LDAP group logs into your community. So you may not see all your LDAP groups synced into the community once you create the groups, but they will be synced over some time. The sync runs in small batches after the user logs into Jive, to minimize the impact.
For more information, see Synchronizing LDAP Users.