LabKey Server can be configured to automatically synchronize with an external LDAP server, so that any user and groups found on the LDAP server are duplicated on LabKey Server.
There are several options to control the synchronization behavior, including:
- specifying a synchronization schedule
- whether or not LabKey Server creates a user account corresponding to an LDAP user
- whether or not LabKey Server creates groups corresponding to LDAP groups
- deactivating a LabKey account for users with inactive LDAP accounts
- synchronizing based on user and group filters
- field mapping between the LDAP and LabKey user information
- choosing to enforce or disallow the overwriting of user account information in LabKey
The synchronization is one way -- any changes made within LabKey will not be pushed back to the LDAP server.
Syncing nested groups is not supported. Groups that are members of other groups must be manually configured in LabKey.
Note that LDAP synchronization is independent of LDAP authentication and requires a separate connection resource added to the labkey.xml file, described below.
To set up an LDAP synchronization connection:
- Add a <Resource> to the Tomcat configuration file (labkey.xml).
- See the example configuration below for a starting template. Replace ADMIN, ADMIN_PASSWORD, and MYLDAP.MYDOMAIN.COM with values appropriate to your organization's LDAP server.
<Resource name="ldap/ConfigFactory" auth="Container"
For details see labkey.xml Configuration File
LDAP Sync Settings
Once the LDAP resource has been added, configure the synchronization behavior as follows:
- Go to > Site > Admin Console.
- Click Admin Console Links. Under Premium Features, click Ldap Sync Admin.
Available configuration options:
- Test Connection - To test a connection with an LDAP server, click the Test Connection button.
- Search Strings - Use this section to control which groups and users are queried on the LDAP server. These settings are optional. You can also control which groups to synchronize with using the graphical user interface described below; the string settings made here override any groups chosen in the graphical user interface.
[An example Group Search string]
- Field Mappings - Use this section to control how LabKey Server fields are populated with user data. The fields on the left refer to LabKey Server fields in the core.Users table. The fields on the right refer to fields in the LDAP server.
This section configures how LabKey Server responds to data retrieved from the synchronization.
- Read userAccountControl attribute to determine if active? If Yes, then LabKey Server will activate/deactivate users depending on the userAccountControl attribute found in the LDAP server.
- When a User is Deleted from LDAP? - LabKey Server can either deactivate the corresponding user, or delete the user.
- When a Group is Deleted from LDAP? - LabKey Server can either delete the corresponding group, or take no action.
- Group Membership Sync Method - Changes in the LDAP server can either overwrite account changes made in LabKey, or account changes in LabKey can be respected by the sync.
- Set the LabKey user's information based on LDAP? - If Yes, then overwrite any changes made in LabKey.
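To make these options concrete, here is an added, illustrative Python model of the decision rules above; it is not LabKey's own code. It takes a constructed LDAP snapshot and LabKey state and returns the actions a one-way sync would take, in the spirit of the Preview Sync button, and assumes the Active Directory meaning of userAccountControl, where bit 0x2 (ACCOUNTDISABLE) marks a disabled account.

```python
ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl bit: account disabled
DEFAULT_OPTIONS = {
    "read_user_account_control": True,  # activate/deactivate from userAccountControl
    "when_user_deleted": "deactivate",  # or "delete"
    "when_group_deleted": "delete",     # or "none"
    "overwrite_user_info": False,       # "Set the LabKey user's information based on LDAP"
}

def plan_sync(ldap_users, ldap_groups, labkey_users, labkey_groups, options=None):
    """Return the sorted (action, target) list a one-way LDAP -> LabKey sync would
    apply under the given options. Nothing is changed, like Preview Sync."""
    opts = {**DEFAULT_OPTIONS, **(options or {})}
    actions = []
    for email, attrs in ldap_users.items():
        local = labkey_users.get(email)
        if local is None:
            actions.append(("create_user", email))
            continue
        if opts["read_user_account_control"]:
            ldap_active = not (attrs.get("userAccountControl", 0) & ACCOUNTDISABLE)
            if ldap_active != local["active"]:
                actions.append(("activate_user" if ldap_active else "deactivate_user", email))
        if opts["overwrite_user_info"] and attrs.get("displayName") != local.get("displayName"):
            actions.append(("update_user_info", email))
    for email in labkey_users.keys() - ldap_users.keys():
        # User no longer in LDAP: deactivate (keeps the account's history) or delete
        actions.append((opts["when_user_deleted"] + "_user", email))
    for name in ldap_groups.keys() - labkey_groups.keys():
        actions.append(("create_group", name))
    if opts["when_group_deleted"] == "delete":
        for name in labkey_groups.keys() - ldap_groups.keys():
            actions.append(("delete_group", name))
    return sorted(actions)

# Constructed sample data, not taken from any real directory
LDAP_USERS = {
    "alice@example.org": {"displayName": "Alice A", "userAccountControl": 0x200},
    "bob@example.org": {"displayName": "Bob B", "userAccountControl": 0x200 | ACCOUNTDISABLE},
    "carol@example.org": {"displayName": "Carol C", "userAccountControl": 0x200},
}
LDAP_GROUPS = {"Lab Staff": ["alice@example.org", "bob@example.org"]}
LABKEY_USERS = {
    "alice@example.org": {"displayName": "Alice Admin", "active": True},  # edited in LabKey
    "bob@example.org": {"displayName": "Bob B", "active": True},
    "dave@example.org": {"displayName": "Dave D", "active": True},  # gone from LDAP
}
LABKEY_GROUPS = {"Old Project": ["dave@example.org"]}

if __name__ == "__main__":
    for action, target in plan_sync(LDAP_USERS, LDAP_GROUPS, LABKEY_USERS, LABKEY_GROUPS):
        print(action, target)
```

With the defaults, Alice's locally edited display name is left alone, Bob is deactivated because his LDAP account is disabled, and Dave is deactivated rather than deleted; switching the options changes those outcomes accordingly.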
Choose What to Sync
Choices made here are overwritten by any String Settings you make above.
- All Users - Sync all users found on the LDAP system.
- All Users and Groups - Sync all users and groups found on the LDAP system.
- Sync Only Specific Groups and Their Members - Available LDAP groups are listed on the left. To sync a specific group, copy the group to the right side. Click Reset Group List to clear the selected groups.
- Is Enabled? - If enabled, the schedule specified will run. If not enabled, you must sync manually using the Sync Now button below.
- Sync Frequency (Hours) - Specify the hourly cadence of sync refreshes.
Save and Sync
- Save All Settings on Page - Click this button to confirm any changes to the sync behavior.
- Preview Sync - Provides a popup window showing the results of synchronization. This is a preview only; it does not actually make changes on LabKey Server.
- Sync Now - Provides a manual, unscheduled sync.