The Active Directory connector synchronizes user accounts between your corporate directory service and the Edjet LMS using the LDAP protocol.
Supported AD editions:
Cloud-based Azure AD is not supported, as LDAP does not work in the cloud.
When an AD sync is triggered, the data are gathered from the Active Directory server and synchronized into the Edjet LMS database. Communication with the AD server is always read-only.
Any changes made to user accounts on the LMS side are not propagated to the AD server and are overwritten on the next synchronization.
When a user tries to sign in to the Edjet LMS, the application authenticates the user against the configured AD server. Nothing is visible to the end user when AD authentication is active.
For signing in, the "userPrincipalName" (preferred) or "sAMAccountName" property is used.
If the AD server is not accessible, or the response is invalid, the sign-in process fails.
A new user is created automatically if not already in the Edjet LMS database.
Action is triggered when:
A user is updated automatically if the user exists in both AD and the Edjet LMS database.
The match is made on the "login" (user name) property, which is unique.
Action is triggered when:
A user is deleted automatically from the Edjet LMS database if the user is no longer available in AD (depending on the sync settings), with the exception of the "Superadmin" account, which cannot be deleted.
Action is triggered when:
To keep the Edjet LMS database free of stale accounts, the AD server and the sync settings must be set up so that all changes on the AD side are propagated into the Edjet LMS database.
Edjet LMS supports syncing both user types (admin, user).
All roles are supported (Learner, Admin, Trainer), with the exception of the Superadmin role, which cannot be synchronized for security reasons.
All settings and options of the AD connector are managed in the admin panel.
To set up AD authentication and synchronization, configure the following settings:
Setting | Options and description |
---|---|
ldap_auth | Enable or disable AD for authentication and sync. Data type: integer |
ldap_base_dn | Active Directory Base DN (Distinguished Name). If more than one, separate with colons. Example: dc=example,dc=com. Data type: string |
ldap_domains | Domain controller(s). If more than one, separate with semicolons. Example: corp.example.com;dc.example.com. Data type: string |
ldap_port | Port on which the AD server listens. Default: 389. Data type: integer |
ldap_use_ssl | Secure the connection between the project and the AD server using SSL. If you enable this option, set the port number as well. Default: false. Data type: boolean |
ldap_use_tls | Secure the connection between the project and the AD server using TLS. If you enable this option, set the port number as well. Default: false. Data type: boolean |
ldap_username | Username of an AD account with at least read permissions for the users and groups in the AD. Example: Administrator. Default: empty. Data type: string |
ldap_password | Password of the AD account entered in "ldap_username". Do not leave empty. Default: empty. Data type: string |
ldap_acc_prefix | Prefix prepended to all usernames in the AD authentication process. Example: `NETBIOSDomain\`. Default: empty. Data type: string |
ldap_acc_suffix | Suffix appended to all usernames in the AD authentication process. Example: @corp.example.com. Default: empty. Data type: string |
ldap_sync_roles | List of AD groups that correspond to Edjet LMS user roles. When a user is created for the first time, their role is set according to this list. The user is created based on the first match, from left to right, so put the more powerful groups first (e.g. the Admin role). If no Edjet LMS role matches, Role ID=3 (learner) is used. Role ID=1 (superadmin) cannot be set for security reasons. Active Directory group names are case-sensitive. Separate multiple roles with semicolons. Format: `<AdGroup>=<EdjetLMSRoleId>`. Example: Administrators=21;Trainers=4. Default: Administrators=21;Trainers=4;Students=3. Data type: string |
ldap_sync_groups | Users are authorized and synced only when they are members of specific AD group(s). Leave empty to get all users from AD regardless of the groups they are in. Separate multiple groups with semicolons. Active Directory group names are case-sensitive. Example: Sales;Office;Admins. Default: Administrators;Trainers;Students. Data type: string |
ldap_cmn_fields | Fixed values written to Edjet LMS fields on sync. Useful for fields that are not present in AD; if a field is present in AD as well, its AD value is overwritten by the value set here. Format: `<EdjetLMSField>=<value>`. Separate multiple fields with semicolons. Example: lang=cs-CZ. Default: empty. Data type: string |
ldap_sync_fields | List of Edjet LMS fields (database columns) of the user account to be overwritten by data from AD on sync. This setting also maps each LMS field to the corresponding AD field. Format: `<EdjetLMSField>=<AdField>`. Separate multiple fields with semicolons. Login must be unique in the Edjet LMS system, so choose a corresponding unique AD field. Example: login=userprincipalname;email=mail;surname=sn;name=givenname. Default: login=userprincipalname;email=mail;prefix=personaltitle;surname=sn;name=givenname;company=company;job_title=title;street=streetaddress;city=city;zip=postalcode;region=state;state=country;tel1=mobile;tel2=telephonenumber;tel3=facsimiletelephonenumber;content=description. Data type: string |
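A worked application of the ldap_sync_groups, ldap_sync_roles, ldap_sync_fields, ldap_cmn_fields and ldap_acc_prefix/suffix formats above, added here as an illustration and not taken from Edjet LMS. It assumes that group names are the plain CN values from the user's memberOf attribute and that an ldap_sync_roles entry mapping to role 1 is skipped; the sample entry is constructed.

```python
# Added illustration (not Edjet LMS code) of how the ldap_sync_groups, ldap_sync_roles,
# ldap_sync_fields, ldap_cmn_fields and ldap_acc_prefix/suffix formats documented above
# apply to one AD entry. Assumptions: group names are the plain CN values taken from the
# user's memberOf attribute, and an ldap_sync_roles entry mapping to role 1 is skipped
# (the page only says it cannot be set). The sample entry below is constructed.
SUPERADMIN_ROLE_ID = 1
LEARNER_ROLE_ID = 3

def parse_pairs(setting):
    """Parse '<key>=<value>;<key>=<value>' into an ordered list of (key, value)."""
    pairs = []
    for item in setting.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def is_authorized(groups, sync_groups):
    """Empty ldap_sync_groups admits every AD user; otherwise the user must be in
    at least one listed group. The comparison is case-sensitive, as documented."""
    wanted = [g.strip() for g in sync_groups.split(";") if g.strip()]
    return not wanted or any(g in groups for g in wanted)

def resolve_role(groups, sync_roles):
    """First match from left to right wins; unmatched users become learners (3)."""
    for group, role_id in parse_pairs(sync_roles):
        if group in groups and int(role_id) != SUPERADMIN_ROLE_ID:
            return int(role_id)
    return LEARNER_ROLE_ID

def build_record(entry, sync_fields, cmn_fields=""):
    """Copy AD attributes into LMS fields, then let ldap_cmn_fields override them."""
    attrs = {k.lower(): v for k, v in entry.items()}  # LDAP attribute names are case-insensitive
    record = {lms: attrs[ad.lower()]
              for lms, ad in parse_pairs(sync_fields) if ad.lower() in attrs}
    record.update(parse_pairs(cmn_fields))
    return record

def bind_login(login, prefix="", suffix=""):
    """Name presented to AD at sign-in; a non-empty suffix must begin with '@'."""
    if suffix and not suffix.startswith("@"):
        raise ValueError("ldap_acc_suffix must begin with '@'")
    return f"{prefix}{login}{suffix}"

# Constructed sample: a trainer who is also in a group listed later in ldap_sync_roles.
SAMPLE_ENTRY = {"userPrincipalName": "jdoe@corp.example.com", "mail": "jdoe@corp.example.com",
                "sn": "Doe", "givenName": "Jane", "title": "Trainer"}
SAMPLE_GROUPS = {"Trainers", "Students"}
SAMPLE_ROLE = resolve_role(SAMPLE_GROUPS, "Administrators=21;Trainers=4;Students=3")  # 4
```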
It is recommended to trigger the sync of all user accounts from the CLI using your job scheduler.
Example:
```shell
php /var/www/html/components/ldap_sync.php cli
```
You can run this task daily using crontab (Linux) or Task Scheduler (Windows Server).
To debug the script, pass the "errout" parameter as well to see the error output:
```shell
php /var/www/html/components/ldap_sync.php cli errout
```
Instead of the CLI, you can also use the HTTP mode.
It sends an HTTP request to the domain name specified as a parameter, e.g. "localhost" or "corp.example.com".
```shell
php /var/www/html/components/ldap_sync.php corp.example.com
```
To debug the script, pass the "errout" parameter as well to see the error output:
```shell
php /var/www/html/components/ldap_sync.php corp.example.com errout
```
If authentication fails, check the domain in the "ldap_username" setting and try moving it to "ldap_acc_suffix". Also make sure that "ldap_acc_suffix" begins with the "@" character.