Configuring LDAP

A Safe Share administrator can add Covata users to their Covata Platform instance from an LDAP server/user directory by configuring an LDAP connection through Safe Share Administration.

The Covata Platform permits the configuration of more than one LDAP connection, thereby allowing the addition of users from multiple LDAP servers/user directories.

Notes:

• The Covata Platform only supports the configuration of LDAP connections on a Covata Platform instance with a single organization.
• LDAP connections are only recommended for on-site deployments of the Covata Platform. Covata does not support LDAP connections on cloud-deployed instances of the Covata Platform.

LDAP users have the following characteristics which are distinct from Local and External users (typically managed through Safe Share Organization Administration):

• The authentication of an LDAP user on the Covata Platform is delegated to (and handled by) its respective LDAP server. Hence, changing or resetting the password of an LDAP user account is performed through the account's LDAP server/user directory.
• An LDAP user account can be disabled or re-enabled through its LDAP server/user directory. However, disabling an LDAP user in this manner removes them from the organization, which permanently deletes all of the user's Secure Object ^* data within that organization. To disable an LDAP user's account but retain their Secure Object data:
  1. First, request that the Organization administrator remove the Covata user's account through Safe Share Organization Administration and while doing so, chooses the option to transfer ownership of the user's items (i.e. Secure Object data/content) to another Covata user account.
  2. Only then, disable the LDAP user's account through its LDAP server/user directory.
  ^* For more information about Secure Objects, see Administering files within the Safe Share Organization Administration section of this guide.
• Modifications to the fields of an existing LDAP user on the Covata Platform are conducted through the account's respective LDAP server/user directory...
  • These modifications are propagated through from the account's LDAP server/user directory to the Covata Platform when the Covata Platform next synchronizes with the LDAP server. By default, the LDAP synchronization frequency is five minutes.
  • As such, other than the role-related fields of Covata users within an organization, it is not possible to edit any of the other fields of an LDAP user's account through the Covata Platform.
  • To ensure that field modifications to LDAP user accounts are propagated through to the Covata Platform, verify that these accounts' respective LDAP connections have been enabled.
• The roles of an LDAP user within an organization are modified by an Organization administrator directly through Safe Share Organization Administration. Note also, however, that the Safe Share administrator role may also be granted to and removed from an LDAP user.

Configuring an LDAP connection

The LDAP Connections page of Safe Share Organization Administration (above) allows:

• The addition of new LDAP users to the Covata Platform through new connections to LDAP servers/user directories.
• Existing LDAP connections to be edited, as well as disabled or re-enabled.

Adding a new LDAP connection

Important: Before continuing ...

• If you intend to administer more than one organization on your Covata Platform instance, then do not add an LDAP connection. If one or more LDAP connections are configured, then the ability to add more organizations to your Covata Platform instance becomes permanently disabled.
• It is not possible to delete an LDAP connection once it has been added because:
  • the authentication of Covata users (added to the Covata Platform through this LDAP connection) is handled by the LDAP server and therefore,
  • this connection must remain in place to allow these LDAP users to continue being able to sign in.
• If you add an organization (resulting in two or more organizations on your Covata Platform instance), then the LDAP feature becomes disabled - i.e. the presence of more than one organization disables this feature. However, the LDAP feature can be re-enabled by removing all except one organization.

To add a new connection to an LDAP server/user directory on the Covata Platform:

1. Sign in to Safe Share Administration.
2. Click the LDAP option on the left of the Safe Share Administration interface to open the LDAP Connections page.
3. Click the Add LDAP Connection button.
4. In the Add LDAP connection dialog box, complete the LDAP connection fields described in the table (below).
5. ( Optional ) Test the connection by clicking the Test connection button.
   Note: A message is displayed indicating whether or not the connection to the LDAP server was successful.
6. Click Save and the LDAP connection will appear as a new entry on the LDAP Connections page.
   Note:
   • All accounts in the LDAP user directory will appear as new user accounts on the Covata Platform when the Covata Platform next synchronizes with the LDAP server.
   • All new LDAP user accounts added to the Covata Platform from an LDAP server/user directory automatically have the Originator role and are assigned the default plan.
   • If the email address of an existing user account on the Covata Platform matches that of the Email field of a user in the LDAP user directory, then a new account will not be added to the Covata Platform for that account in LDAP (during synchronization).

The following table describes all LDAP-related fields which are required by the Covata Platform for a successful connection to an LDAP server/user directory. All of these fields are mandatory.

Note: The content of the following table appears on the Add/Edit LDAP Connection dialog boxes. It is reiterated below for the convenience of LDAP server/user directory administrators who themselves are not a Safe Share administrator or Organization administrator, but need to provide the values of these fields to their Safe Share administrator/Organization administrator.

Field	Description	Maximum Length (where applicable)
Server URL	The address of the server running LDAP. LDAP over TLS is also supported. Example: ldap://ldap.xy-company.com
Server Timeout	The amount of time (in milliseconds) that the Covata Platform will wait when attempting to connect to or read data from the LDAP server.
Manager DN	The Distinguished Name (DN) of the 'manager' user who has privileges to perform LDAP authentication and synchronization and browse the Base DN.	512
Manager password	The password for the 'manager' user who has privileges to perform LDAP authentication and synchronization and browse the Base DN.	128
Base DN	The root node in LDAP from which the Covata Platform finds users and groups. Example: ou=users,dc=xy-company,dc=com	512
Sync filter	The filter used to specify which Covata users will be synchronized based on their LDAP path and attributes. Examples: Syncrhonizing users from a group: (memberOf=CN=groupName,OU=users,DC=xy-company,DC=com) All users: (&(objectclass=user)(objectcategory=person)) Users whose email matches a domain: (&(&(objectclass=user)(objectcategory=person))(mail=*@xy-company.com))	512
Auth filter	The LDAP field against which the Covata Platform matches the email address of a Covata user when they authenticate. Example: userPrincipalName={0}	512
Domain	The domain for the LDAP user directory.	64
Account Name	The LDAP field used to specify an additional/other name for Covata users. Example: sAMAccountName Note: This field is required for internal Covata Platform functionality.	64
Email Field	The LDAP field used to specify the email address for Covata users in Safe Share Administration or for an organization. Example: mail Note: Each email address from this field defines a Covata user's identity and forms part of the Covata user's sign-in credentials.	64
User Principal Name	The LDAP field used to specify the external user identifier for Covata users. Example: userPrincipalName Note: This field is required for internal Covata Platform functionality.	64
Full name field	The LDAP field used to specify the first name for Covata users in Safe Share Administration or for an organization. Example: name	64
Status field	The LDAP field used by the Covata Platform to determine whether or not a user is disabled. Example: userAccountControl	64
Status disabled	The value of the Status field (in the LDAP directory) to indicate that a user is disabled.	64

Editing an existing LDAP connection

To edit an existing connection to an LDAP server/user directory on the Covata Platform:

1. Sign in to Safe Share Administration.
2. Click the LDAP option on the left of the Safe Share Administration interface to open the LDAP Connections page.
3. Scroll to the relevant LDAP connection and click its Edit link.
4. In the Edit LDAP connection dialog box, modify the LDAP connection fields described in the table (above).
5. ( Optional ) Test the connection by clicking the Test connection button.
   Note: A message is displayed indicating whether or not the connection to the LDAP server was successful.
6. Click Save and the LDAP connection will be updated.
   Notes:
   • To ensure that any modifications to user accounts in the LDAP user directory are propagated through to the Covata Platform, verify that this LDAP connection has been enabled.
   • Since the Email address field of all user accounts on the Covata Platform is unique (because each account's Email address defines a user's unique identity and is also used for auditing purposes), then:
     1. If an LDAP account's email address is modified through its LDAP server/user directory, a new Covata user account will be created for that user upon next synchronization (and their original Covata user account is no longer used). However, unlike disabling an LDAP account in the LDAP server/user directory, the original Covata user account (associated with that LDAP account) is not removed and its Secure Object data remains available for ownership transferral.
     2. If this LDAP account's email address is modified back to its original address, the user's original Covata user account will be used again upon next synchronization (and their former Covata user account is no longer used).

Disabling or re-enabling an LDAP connection

Disabling an LDAP connection stops the Covata Platform from synchronizing with that LDAP connection's server/user directory. Once an LDAP connection has been disabled, however, the LDAP users (which had previously been added through this LDAP connection) can still sign in to the Covata Platform via delegated authentication. This is on the assumption that these user accounts have not been disabled or deactivated in their LDAP user directory.

Disabling an LDAP connection is useful if synchronization events between the Covata Platform and LDAP server impair network traffic. However, disabling an LDAP connection also prevents any updates (which have been made to LDAP accounts in their user directory) from being propagated through to the Covata Platform.

To disable, enable or re-enable an LDAP connection on the Covata Platform:

1. Sign in to Safe Share Administration.
2. Click the LDAP option on the left of the Safe Share Administration interface to open the LDAP Connections page and scroll to the relevant LDAP connection.
3. To:
   • Disable the LDAP connection - click the (green) Enabled button of this LDAP connection (on the left of the page) until it reads Disabled.
   • Enable or re-enable the LDAP connection - click the (red) Disabled button of this LDAP connection (on the left of the page) until it reads Enabled.

---

Please provide your feedback here

comments powered by Disqus