ID: 1173

Configuring Active Directory / LDAP on Zoom Server

Configuring Active Directory

For many organizations, LDAP or Active Directory is the key way to let their users log into multiple systems. Evolphin Zoom has native support for integrating with your LDAP or Active Directory server; common directory systems include Microsoft Active Directory, Novell Directory Service, and others. The following instructions describe how to set up Active Directory in Zoom Web Admin.

Requirements
  • Admin access to the Zoom Web Admin
  • The Active Directory management username and password
  • URL to Active Directory
  • Security Group for Zoom users
  • LDAP configured and installed on server
  • If enabling SSL, ensure that LDAP with SSL is enabled and configured

Configuring Active Directory Groups

Below is a sample LDAP/AD container hierarchy that is referenced throughout the documentation below.

In order to pull users and groups from AD/LDAP into Zoom, a filter group must first be created in the AD/LDAP repository. For example, CN=ZOOM_DAM_USERS, OU=Enterprise Apps, DC=corp,DC=acme,DC=com in the diagram below:

[Diagram: sample LDAP/AD container hierarchy]

In addition, it is recommended to create Security Groups in AD/LDAP for the permissions that Zoom supports. These permissions must be applied to the groups imported from AD/LDAP after the AD/LDAP groups have been pulled into Zoom:

  Permission   Effect
  None         Has no access to any resource
  Distribute   Can read only published project items
  Review       Inherits Distribute permission and can also read project items that have been marked for review
  Read         Inherits Review permission and can read/view any resource
  Contribute   Inherits Read permission and can add new items
  Edit         Inherits Contribute permission and can delete their own items
  Edit_All     Inherits Edit permission and can delete all items
  Administer   Inherits Edit_All permission and can change project configuration

Any user or group in AD/LDAP must be a member of the Zoom filter group in order to be pulled into Zoom. This means you need to add users both to the Zoom filter group and to the groups you will be pulling. If you do not add users to the groups you wish to pull, those groups will be empty in Zoom after import.

Also, the “mail” attribute needs to be set for each user you wish to pull into Zoom. If the “mail” attribute is missing, the user will not be pulled into Zoom.

Setting Up LDAP (without SSL)

In your preferred web browser, go to the Web Administration Console.

  1. Log in using your admin credentials.
  2. In the left sidebar, click on Server Control Panel under the Server section.
  3. Click on LDAP Server Settings.
  4. Fill in the following values to meet your organization's needs:

     Host
       The machine IP/hostname where the LDAP server is running.
     Port
       Port number on which the LDAP server is listening. Default: 389.
     Use SSL
       See section "Setting Up LDAP (with SSL)".
     Base DN
       The distinguished name of the base context in the LDAP repository within which the users and groups are defined; this acts as the base container from which any lookup/search will execute. If you have thousands of users in LDAP, create an appropriate container to limit the search scope. Note: if your users are spread across multiple OUs (organizational units), your base DN needs to encapsulate those OUs. Ex. CN=Users,DC=ZOOM,DC=local
     Username Attribute
       The attribute that marks the username. Ex. sAMAccountName
     Groupname Attribute
       The name of the attribute that marks the name of the group; typically cn for any group entry. Ex. CN
     LDAP Searching Username
       The DN of the user entity that will be used to bind to the LDAP server. This user must be a member of a group with enough privileges to search the LDAP database. Ex. ZOOM\Administrator or CN=Administrator,CN=Users,DC=ZOOM,DC=local
     LDAP Searching Password
       The password associated with the searching username.
     Exclude Users
       Comma-separated list of user DNs to ignore.
     Exclude Groups
       Comma-separated list of group DNs to ignore.
     Filter Groups
       The DN of a group that contains all users who will operate with Zoom, and also all the groups those users are organized into. Ex. CN=ZOOM_DAM_USERS, OU=Enterprise Apps, DC=corp,DC=acme,DC=com in the diagram above.
  5. Click Save. Settings should look similar to the sample settings below:

     [Screenshot: LDAP Settings]

  6. You will be prompted to restart the server. Click Yes.
  7. Refresh your web browser.
  8. Log in using your admin credentials.
  9. In the left sidebar, click Server Control Panel, then click Security Settings and verify that the security realm is set to ExtLdapRealm; if not, change it to ExtLdapRealm. This switches the authentication provider from the local Zoom user database to LDAP.
     This is an irreversible switch; please make sure you really want to do this before switching.
  10. In the left sidebar, click Manage accounts under User Accounts.
  11. Click Pull Users and Roles From LDAP Server.

If successful, you should see the names in your Security Group listed under Manage accounts, together with a confirmation dialog.
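
As an added example (not part of the Evolphin documentation and not Zoom's own code), the following Python script models the rules above before a pull is attempted. It parses a small constructed LDIF export, normalizes DNs the way Active Directory compares them (case-insensitive, with the whitespace after commas ignored), checks that the LDAP Searching Username and the Filter Groups DN fall inside the Base DN search scope, and then reports which users would be imported and why the rest would be skipped (not a member of the filter group, listed in Exclude Users, or missing the mail attribute). The directory contents, DNs and settings values are constructed for the example; it assumes sAMAccountName as the username attribute and cn as the group name attribute, as in the table above, and counts only direct membership of the filter group, matching the note that users must be added to both the filter group and the groups being pulled.

```python
import re

# Constructed sample export of the Base DN subtree (not a real domain). Users
# carry sAMAccountName and mail, groups carry cn and member, as in the settings.
SAMPLE_LDIF = """\
dn: CN=ZOOM_DAM_USERS, OU=Enterprise Apps, DC=ZOOM,DC=local
cn: ZOOM_DAM_USERS
member: CN=alice,OU=Staff,DC=ZOOM,DC=local
member: CN=bob,OU=Staff,DC=ZOOM,DC=local
member: CN=svc_backup,OU=Service,DC=ZOOM,DC=local
member: CN=DAM_Editors,OU=Enterprise Apps,DC=ZOOM,DC=local

dn: CN=DAM_Editors,OU=Enterprise Apps,DC=ZOOM,DC=local
cn: DAM_Editors
member: CN=alice,OU=Staff,DC=ZOOM,DC=local
member: CN=carol,OU=Staff,DC=ZOOM,DC=local

dn: CN=alice,OU=Staff,DC=ZOOM,DC=local
sAMAccountName: alice
mail: alice@zoom.local

dn: CN=bob,OU=Staff,DC=ZOOM,DC=local
sAMAccountName: bob

dn: CN=carol,OU=Staff,DC=ZOOM,DC=local
sAMAccountName: carol
mail: carol@zoom.local

dn: CN=svc_backup,OU=Service,DC=ZOOM,DC=local
sAMAccountName: svc_backup
mail: backup@zoom.local
"""

# Constructed values for the LDAP Server Settings fields (assumption, not a real site).
SETTINGS = {
    "base_dn": "DC=ZOOM,DC=local",
    "username_attribute": "sAMAccountName",
    "groupname_attribute": "cn",
    "search_user": "CN=Administrator,CN=Users,DC=ZOOM,DC=local",
    "filter_group": "CN=ZOOM_DAM_USERS,OU=Enterprise Apps,DC=ZOOM,DC=local",
    "exclude_users": ["CN=svc_backup,OU=Service,DC=ZOOM,DC=local"],
    "exclude_groups": [],
}

def normalize_dn(dn):
    """RDN tuple, lower-cased, whitespace after commas dropped (AD compares DNs
    case-insensitively); an escaped comma (\\,) stays inside its value."""
    return tuple(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def dn_within(dn, base_dn):
    """True when dn is base_dn itself or lies beneath it in the tree."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, entries separated by blank
    lines, no folding or base64 values. Keyed by normalized DN."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries

def plan_pull(entries, settings):
    """Report what a pull would do: scope errors, users that would be imported
    (with mail), skipped users with the reason, and groups with their members."""
    report = {"errors": [], "users": {}, "skipped": {}, "groups": {}}
    base = settings["base_dn"]
    for field in ("search_user", "filter_group"):  # both must be inside the search scope
        if not dn_within(settings[field], base):
            report["errors"].append(f"{field} is outside Base DN {base}")
    filter_entry = entries.get(normalize_dn(settings["filter_group"]), {})
    if not filter_entry:
        report["errors"].append("filter group not found in directory")
    members = {normalize_dn(m) for m in filter_entry.get("member", [])}
    excl_users = {normalize_dn(d) for d in settings["exclude_users"]}
    excl_groups = {normalize_dn(d) for d in settings["exclude_groups"]}
    uattr = settings["username_attribute"].lower()
    gattr = settings["groupname_attribute"].lower()
    imported = {}  # normalized DN -> username, used to resolve group members
    for dn, attrs in entries.items():
        if uattr not in attrs:  # constructed export: only user entries carry it
            continue
        name = attrs[uattr][0]
        if dn not in members:
            report["skipped"][name] = "not a member of the filter group"
        elif dn in excl_users:
            report["skipped"][name] = "listed in Exclude Users"
        elif not attrs.get("mail"):
            report["skipped"][name] = "missing mail attribute"
        else:
            report["users"][name] = attrs["mail"][0]
            imported[dn] = name
    for dn, attrs in entries.items():
        if "member" in attrs and dn in members and dn not in excl_groups:
            # Members that were not pulled themselves leave the group short or empty.
            report["groups"][attrs[gattr][0]] = sorted(
                imported[normalize_dn(m)] for m in attrs["member"] if normalize_dn(m) in imported)
    return report

ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    print(plan_pull(ENTRIES, SETTINGS))
```

With the constructed data only alice is imported: bob is in the filter group but has no mail attribute, carol is only in DAM_Editors and not in the filter group, and svc_backup is excluded; DAM_Editors is imported with alice as its sole member. Changing base_dn to CN=Users,DC=ZOOM,DC=local reproduces the scope mistake called out in the Base DN note: the filter group under OU=Enterprise Apps then lies outside the search scope and the report flags it before any pull is run.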

Setting Up LDAP with SSL

The following sections describe how to configure the specific items that allow LDAP to authenticate over SSL using Microsoft Active Directory. These instructions assume that the base configuration was applied in section Setting Up LDAP (without SSL).

Exporting Certificate from Active Directory

Windows 2012

  1. Log into your Active Directory server using Administrator credentials.
  2. Search for certsrv.msc and press Enter.
  3. Select Certification Authority in the left sidebar, right-click and select Properties.
  4. Select the Details tab.
  5. Click the Copy to file… button.
  6. Click Next.
  7. Select Base-64 encoded X.509 (.CER) and click Next.
  8. Click Browse… and select the location to export the certificate file to. Then click Next.
  9. Click Finish.

Importing Certificate from Active Directory

In order for Zoom to properly connect to Active Directory using SSL, it will need to import the certificate into its keystore. The following instructions describe how to import the Active Directory certificate into the Java JRE.

NOTE: You need the Java keytool.exe on the machine. If it is not included with your Evolphin JRE, install a separate JRE on the computer. You may need to use the absolute path to keytool.exe in order to run the command.

  1. Click the Start menu.
  2. Search for cmd.
  3. Right-click on Command Prompt.
  4. Select Run as Administrator.
  5. Type into the Command Prompt:
     cd "C:\Program Files (x86)\Evolphin\DAM\jre\lib\security"
  6. Press Enter.
  7. Type into the Command Prompt:
     keytool -import -alias adcert -file "<INSERT PATH TO CERTIFICATE>" -keystore cacerts

     Make sure that your path is in quotation marks to escape any spaces in the path.

     The cacerts path is relative to your current directory on the command line, so if you are not in the security folder, use an absolute path here.

     The keytool application is not packaged along with the Zoom server. You can find it in any regular JRE installation.

  8. You will be prompted to enter the keystore password.
     By default, this is changeit.
  9. Press Enter.
  10. You will be prompted whether you want to trust this certificate. Type yes.
  11. Press Enter.

Your certificate should now have been installed correctly.

Configuring LDAP in Web Admin

These instructions cover only the SSL-specific settings. For the other settings, please refer to Setting Up LDAP (without SSL).

  1. In your preferred web browser, go to the Web Administration Console.
     ex. http://localhost:8443 or http://<zoomserver>:8443
  2. Log in using your admin credentials.
  3. In the left sidebar, click on Server Control Panel under the Server section.
  4. Click on LDAP Server Settings.
  5. Under LDAP Port, type 636.
     (636 is the default port for LDAP over SSL.)
  6. Check the box Use SSL.
  7. Click Save.
  8. You will be prompted to restart the server. Click Yes.
  9. Refresh your web browser.
  10. Log in using your admin credentials.
  11. In the left sidebar, click Manage accounts under User Accounts.
  12. Click Pull Users and Roles From LDAP Server.

If successful, you should see the names in your Security Group listed under Manage accounts, together with the following confirmation dialog:

[Screenshot: LDAP confirmation dialog]