Best practices for setting up an AD LDAP directory

Editions: VIMP Corporate
Versions: 2.5.0+

For setting up an LDAP directory with AD, we recommend the following procedure:

First, create a separate Organizational Unit (OU) for the VIMP groups within the LDAP directory, containing only the VIMP LDAP groups. Next, set the value of LDAP base group (ldap_base_group) to this OU. The form in the VIMP backend that assigns LDAP groups to VIMP roles will then show only those groups, e.g.:

ou=vimp,dc=subdomain,dc=domain,dc=tld

To prevent every user of the LDAP directory from being able to sign in to VIMP, it is recommended to create a new LDAP group and assign the permitted users to it. By setting the value of LDAP user filter (ldap_user_filter) accordingly, only members of this group will be found, e.g.:

(&(objectClass=user)(memberOf=cn=vimpusers,ou=vimp,dc=subdomain,dc=domain,dc=tld))

Of course you can also assign already existing groups of the OU to VIMP roles. This saves you one additional group, but the value of LDAP user filter (ldap_user_filter) then has to be adapted to include those groups, e.g.:

(&(objectClass=user)(|(memberOf=cn=vimpadmins,ou=vimp,dc=subdomain,dc=domain,dc=tld)(memberOf=cn=vimpmods,ou=vimp,dc=subdomain,dc=domain,dc=tld)(memberOf=cn=vimpusers,ou=vimp,dc=subdomain,dc=domain,dc=tld)))
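The two filter forms above differ only in whether one group or an OR-list of groups is accepted. As an added example (not part of the VIMP documentation), the following Python helper builds the ldap_user_filter value from the group names and the base OU, applying RFC 4515 escaping so that an unusual group name cannot break or widen the filter; the OU and group names are the page's own sample values, and the function names are my own.

```python
# Added example, not VIMP's code: build an ldap_user_filter value as
# described on this page. Group CNs are assumed to already be valid
# RDN values (RFC 4514); this helper only applies filter-level escaping.

BASE_GROUP = "ou=vimp,dc=subdomain,dc=domain,dc=tld"  # page's sample OU


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    '(' ')' '*' '\\' and NUL are replaced by a backslash and two hex
    digits, so a crafted value cannot inject extra filter clauses.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_dn(cn: str, base_group: str = BASE_GROUP) -> str:
    """Full DN of a VIMP group located directly under the base OU."""
    return f"cn={cn},{base_group}"


def build_user_filter(group_cns, base_group: str = BASE_GROUP,
                      object_class: str = "user") -> str:
    """Return the ldap_user_filter that admits only members of the given groups.

    One group yields the simple form; several groups are OR-ed with (|...)
    exactly as in the examples above. An empty list is rejected, because a
    filter with no memberOf clause would let every directory user sign in.
    """
    if not group_cns:
        raise ValueError("at least one group is required")
    clauses = [
        f"(memberOf={escape_filter_value(group_dn(cn, base_group))})"
        for cn in group_cns
    ]
    member = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass={object_class}){member})"
```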


Last update on 2017/07/06 by Admin.
