Integrate Adobe Connect with LDAP directory service

Learn how you can create Adobe Connect user accounts automatically or authenticate Adobe Connect users via LDAP directory service.

Directory service integration overview

You can integrate Adobe Connect with a directory service to authenticate users against the LDAP directory and to avoid manually adding individual users and groups. User accounts are created automatically in Adobe Connect through manual or scheduled synchronizations with the directory of your organization.

To integrate with Adobe Connect, your directory server must use Lightweight Directory Access Protocol (LDAP) or secure Lightweight Directory Access Protocol (LDAPS). LDAP is an Internet client-server protocol for lookup of user contact information from an LDAP-compliant directory server.

Adobe Connect connects as an LDAP client to an LDAP directory. Adobe Connect imports users and groups, and synchronizes information about these users and groups with the LDAP directory. You can also configure Adobe Connect to authenticate users against the LDAP directory.

Any LDAP-compliant directory service may integrate with Adobe Connect. For a list of certified LDAP directories, see www.adobe.com/go/learn_cnn_sysreqs_en.

About LDAP directory structure

LDAP directories organize information according to the X.500 standard.

A user or group in an LDAP directory is called an entry. An entry is a collection of attributes. An attribute consists of a type and one or more values. Types use mnemonic strings, such as ou for organizational unit or cn for common name. Attribute values consist of information such as phone number, email address, and photo. To determine your organization’s LDAP directory structure, contact your LDAP administrator.

Each entry has a distinguished name (DN) that describes a path to the entry through a tree structure from the entry to the root. The DN for an entry in the LDAP directory is a concatenation of the name of the entry (called a relative distinguished name, RDN) and the names of its ancestor entries in the tree structure.

A tree structure may reflect geographical locations or departmental boundaries within a company. For example, if Alicia Solis is a user in the QA department of Acme, Inc. in France, the DN for this user might be as follows:

cn=Alicia Solis, ou=QA, c=France, dc=Acme, dc=com

Importing directory branches

When importing users and groups from an LDAP directory into Adobe Connect, you specify a path to a section of the LDAP tree by using the DN of the section. This DN sets the scope of the search. For example, you can import only the users of a particular group within your organization. To do this, you must know where the entries for that group are located in the directory tree structure.

A common technique is to use the organization’s Internet domain as the root for the tree structure. For example, Acme, Inc. might use dc=com to specify the root element in the tree. A DN that specifies the Singapore sales office for Acme, Inc. might be ou=Singapore, ou=Marketing, ou=Employees, dc=Acme, dc=com. (In this example, ou is an abbreviation for organizational unit, and dc is an abbreviation for domain component.)

Note:

Not all LDAP directories have a single root. In this situation, you can import separate branches.

Importing users and groups

There are two ways of structuring user and group entries in an LDAP directory: under the same node of a branch or under different branches.

If users and groups are under the same node in an LDAP branch, user and group settings for importing entries contain the same branch DN. This means that when you import users, you must use a filter to select only users, and when you import groups, you must use a filter to select only groups.

If users and groups are under different branches in the tree, use a branch DN that selects the user branch when you import the users and the group branch when you import the groups.

You can also import subbranches to import users from all branches below a certain level. For example, if you want to import all the employees in the sales department, you might use the following branch DN:

ou=Sales, dc=Acme, dc=com

However, salespeople might be stored in subbranches. In that case, on the User Profile Mapping screen, set the Subtree Search parameter to True to ensure that users are imported from the subbranches below that level in the tree.

Filtering selected entries

A filter specifies a condition that an entry must satisfy to be selected. This restricts the selection of entries within a part of the tree. For example, if the filter specifies (objectClass=organizationalPerson), only entries that have the attribute organizationalPerson are selected for import.

Note:

The attribute objectClass must be present in every entry in an LDAP directory.
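To make the branch DN, Subtree Search and filter rules above concrete, here is an added example (not part of Adobe's documentation or of Adobe Connect) that applies them to a small constructed directory. The entries in DIRECTORY, the simplified DN handling (no escaping rules) and the filter subset it accepts are assumptions of the example.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # attribute type -> values

DIRECTORY: Dict[str, Entry] = {  # constructed sample entries, not a real directory
    "cn=Alicia Solis,ou=QA,ou=Sales,dc=Acme,dc=com":
        {"objectClass": ["organizationalPerson"], "cn": ["Alicia Solis"]},
    "cn=Bob Lee,ou=Sales,dc=Acme,dc=com":
        {"objectClass": ["organizationalPerson"], "cn": ["Bob Lee"]},
    "cn=Sales Team,ou=Sales,dc=Acme,dc=com":
        {"objectClass": ["group"], "cn": ["Sales Team"]},
    "cn=Carol Ng,ou=Marketing,dc=Acme,dc=com":
        {"objectClass": ["organizationalPerson"], "cn": ["Carol Ng"]},
}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=Alicia Solis, ou=QA, dc=Acme, dc=com' into RDN pairs; types and
    values are lower-cased so ou=QA and OU=qa compare equal (escaping ignored)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def in_branch(entry_dn: str, branch_dn: str, subtree: bool) -> bool:
    """Subtree Search False: only entries directly under the branch node.
    Subtree Search True: every entry anywhere below the branch node."""
    entry, branch = parse_dn(entry_dn), parse_dn(branch_dn)
    if len(entry) <= len(branch) or entry[-len(branch):] != branch:
        return False
    return subtree or len(entry) == len(branch) + 1

def matches_filter(entry: Entry, flt: str) -> bool:
    """Evaluate (attr=value) filters like the page's (objectClass=group), plus
    the (&(...)(...)) and (|(...)(...)) combinations; comparisons ignore case."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {flt!r}")
    body = flt[1:-1]
    if body[:1] in ("&", "|"):
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if ch == ")" and depth == 0:
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches_filter(entry, p) for p in parts]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return value.lower() in values

def select_entries(directory: Dict[str, Entry], branch_dn: str,
                   flt: str, subtree: bool) -> List[str]:
    """DNs of the entries an import with these settings would pick up."""
    return sorted(dn for dn, e in directory.items()
                  if in_branch(dn, branch_dn, subtree) and matches_filter(e, flt))
```

With Subtree Search False the QA subbranch under Sales is skipped, which is the situation the text above warns about; with True it is included.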

Internal and external users and groups

Users and groups that you create directly in Adobe Connect rather than importing them from an LDAP directory are called internal users and groups. Users and groups imported into the Adobe Connect database from an LDAP directory are called external users and groups.

To ensure that imported groups are kept synchronized with the external LDAP directory, you cannot add internal users and groups to external groups. However, you can add external users and groups to internal groups.

If the value of the login or name of an imported user or group entry matches the login for an existing internal user or group, synchronizing the directories changes the imported user or group from internal to external and places a warning in the synchronization log.

Integrate Adobe Connect with an LDAP directory

Directory service integration takes place in the Directory Service Settings tab of the Application Management Console. Use an Administrator account.

You can configure one directory server for user authentication and LDAP synchronization. The configuration can point to one or several branches of the directory service.

Open the Application Management Console.

Choose Start > Programs > Adobe Connect Server > Configure Adobe Connect Server.

Enter LDAP server connection settings.

Select the Directory Service Settings tab. Enter values on the LDAP Settings > Connection Settings screen and click Save.

When you click Save, Adobe Connect tests the LDAP connection. If the test fails, you see the following message:

Your settings were successfully saved but LDAP connectivity could not be verified. Please check your LDAP URL and port.


Fields (default value in parentheses):

LDAP Server URL (no default): Usual form is ldap://[servername:portnumber]. If your organization uses a secure LDAP server, use ldaps://. If you do not specify a port, Adobe Connect uses the standard LDAP port (389) or LDAPS port (636). LDAPS requires SSL certificates. If you configure Adobe Connect to work in a Microsoft Active Directory forest where the Global Catalog is enabled, use the Global Catalog (standard port: 3268).

LDAP Connection Authentication Method (no default): The mechanism for authenticating the credentials (LDAP user name, LDAP password) of the LDAP service account that Adobe Connect uses (admin rights). Simple (standard authentication; recommended). Anonymous (no password; your LDAP server must be configured to allow anonymous login). Digest MD5 (configure your LDAP server to allow digest authentication).

LDAP Connection Username (no default): Administrative login on the LDAP server.

LDAP Connection Password (no default): Administrative password on the LDAP server.

LDAP Query Timeout (no default): Time that can elapse before the query is canceled, in seconds. If you leave the field empty, there is no timeout. Set this value to 120.

LDAP Entry Query Page Size Limit (no default): The page size of the results returned from the LDAP server. If this box is blank or 0, a page size is not used. Use this field for LDAP servers that have a maximum results size configured. Set the page size to less than the maximum results size so that all the results are retrieved from the server in multiple pages. For example, if you try to integrate a large LDAP directory that can only display 1000 users and there are 2000 users to import, the integration fails. If you set the Query Page Size to 100, the results are returned in 20 pages and all users are imported.

The following is an example of LDAP syntax for connection settings:

URL:ldap://ldapserver.mycompany.com:389 
UserName:MYCOMPANY\jdoe 
Password:password123 
Query timeout:120 
Authentication mechanism:Simple 
Query page size:100
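An added check (example code, not Adobe Connect's own) that reviews Connection Settings values like the ones above before they are saved: it applies the page's default ports and flags the combinations a reviewer would question, such as Simple authentication over plain ldap://, an empty timeout, or no page size. The PAGE_EXAMPLE dict and the warning texts are constructed.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # defaults stated on this page

# Constructed sample: the page's own connection-settings example as a dict.
PAGE_EXAMPLE = {
    "URL": "ldap://ldapserver.mycompany.com:389",
    "UserName": "MYCOMPANY\\jdoe",
    "Query timeout": "120",
    "Authentication mechanism": "Simple",
    "Query page size": "100",
}

def effective_endpoint(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with the page's default ports applied."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported LDAP URL: {url!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]

def check_connection_settings(settings: Dict[str, str]) -> List[str]:
    """Warnings a reviewer would raise before saving these settings."""
    warnings: List[str] = []
    scheme, host, port = effective_endpoint(settings["URL"])
    method = settings.get("Authentication mechanism", "").strip().lower()
    if scheme == "ldap" and method == "simple":
        # Simple bind carries the service-account password in clear text unless
        # the connection itself is protected, so plain ldap:// exposes it.
        warnings.append(f"Simple bind over ldap://{host}:{port} sends the service "
                        "account password unencrypted; use ldaps:// (default port 636)")
    if method == "anonymous":
        warnings.append("Anonymous bind: the directory must permit it, and the "
                        "import sees only what it exposes to anonymous clients")
    timeout = settings.get("Query timeout", "").strip()
    if not timeout:
        warnings.append("Empty Query timeout means no timeout; the page says to set 120")
    elif not timeout.isdigit():
        warnings.append(f"Query timeout must be a number of seconds, got {timeout!r}")
    page_size = settings.get("Query page size", "").strip()
    if page_size in ("", "0"):
        warnings.append("No page size: an import larger than the server's result "
                        "limit fails instead of being fetched in pages")
    return warnings
```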

Map Adobe Connect and LDAP directory user profiles.

Choose the User Profile Mapping tab, enter values, and click Save.

Fields (default value in parentheses):

Login (no default): The directory service login attribute.

First Name (no default): The directory service first name attribute.

Last Name (no default): The directory service last name attribute.

Email (no default): The directory service email attribute.

If you have defined custom fields, they are added to the User Profile Mapping screen. This example maps an Adobe Connect user profile to an Active Directory LDAP user profile; Network Login is a custom field.

Login:mail 
FirstName:givenName 
LastName:sn 
Email:userPrincipalName 
NetworkLogin:mail

(Optional) Add a user branch.

Click Add to add user information from a particular branch of your company. Enter values in the Branch and Filter fields and click Save.

If you want to import users from subbranches, select True from the Subtree Search menu; otherwise, select False.

For more information, see About LDAP directory structure.

Fields (default value in parentheses; LDAP attribute/notes):

Branch DN (no default): DN (distinguished name) of the branch root node. A link to the selected branch is displayed.

Filter (no default): The query filter string.

Subtree Search (default True): True or False. A value of True initiates a recursive search of all subtrees in the branch.

Map Adobe Connect and LDAP directory group profiles.

Select the Group Profile Mapping tab, enter values, and click Save.

Note: Adobe Connect group profiles do not support custom fields.

Fields (default value in parentheses; LDAP attribute/notes):

Group Name (no default): The directory service group name attribute.

Group Member (no default): The directory service group member attribute.

The following is a mapping between LDAP group entry attributes and an Adobe Connect group profile:

Name:cn 
Membership:member

(Optional) Add a group branch.

Click Add to add user information from a branch of your organization. Enter values in the Branch and Filter fields and click Save.

If you want to import groups from subbranches, select True from the Subtree Search menu; otherwise, select False.

For more information, see About LDAP directory structure.

Fields (default value in parentheses; LDAP attribute/notes):

Branch DN (no default): DN (distinguished name) of the branch root node. Each branch in the organization has its own LDAP DN attribute. A link to the selected branch is displayed.

Filter (no default): The query filter string.

Subtree Search (default True): A Boolean value of true or false. A value of true initiates a recursive search of all subtrees in the branch.

The following example shows one LDAP syntax for adding a branch of the organization and defining its groups:

DN:cn=USERS,DC=myteam,DC=mycompany,DC=com 
Filter:(objectClass=group) 
Subtree search:True

Enter authentication settings.

Select the Authentication Settings tab. If you want to authenticate Adobe Connect users against the directory service of your organization, select “Enable LDAP Directory authentication”. If you do not select this option, Adobe Connect uses native authentication (user credentials stored in the Adobe Connect database).

If you check “Enable Connect fall-back on unsuccessful LDAP Directory authentication”, Adobe Connect falls back to native authentication when LDAP authentication fails.

Note:

This option can be useful if there is a temporary LDAP connectivity failure on your network. However, LDAP credentials can differ from the credentials stored in the Adobe Connect database.

Check “Create Connect user account upon successful LDAP Directory authentication” to provision first-time users on the Adobe Connect server if LDAP authentication is successful. If any user in your directory service is allowed to use Adobe Connect, leave this option checked and select “Internal” as user account type. For more information, see Internal and external users and groups.

Check “Enable group enrollment on first login only” to create a login ID in Adobe Connect and place users into specified groups when users log in to Adobe Connect for the first time. Enter the groups in the Group names box.

Schedule synchronization.

Select the Synchronization Settings tab. On the Schedule Settings screen, select the Enable scheduled synchronization check box to schedule regular synchronizations either once daily, weekly, or monthly at a certain time. For more information, see Recommended practices for synchronization.

You can also perform a manual synchronization on the Synchronization Actions screen.

Set a password policy and a deletion policy.

Select the Policy Settings tab, choose a Password Setup Policy and a Deletion Policy, and click Save. For more information about password policy, see Managing passwords.

Note:

If you select the Delete users and groups... option, then during a synchronization all external users that have been deleted from the LDAP server are also deleted from the Adobe Connect server.

Preview the synchronization.

Select the Synchronize Actions tab. In the Preview Directory Synchronization section, click Preview. For more information, see Recommended practices for synchronization.

Managing passwords

If you do not enable LDAP authentication, you must choose how Adobe Connect authenticates users.

When Adobe Connect imports user information from an external directory, it does not import network passwords. Therefore, implement another method for managing passwords for users imported into the Adobe Connect directory.

Notifying users to set a password

On the Policy Settings screen of the Synchronization Settings tab, you can choose to send an email to imported users with a link that lets them set a password.

Set the password to an LDAP attribute

You can choose to set the initial password of an imported user to the value of an attribute in the directory entry of that user. For example, if the LDAP directory contains the employee ID number as a field, you could set the initial password for users to their employee ID number. After users log in using this password, they can change their passwords.

Recommended practices for synchronization

As an administrator, you can synchronize Adobe Connect with the external LDAP directory in two ways:

  • You can schedule synchronization so that it takes place at regular intervals.

  • You can perform a manual synchronization that immediately synchronizes the Adobe Connect directory with the organization’s LDAP directory.

Before you import users and groups in an initial synchronization, it’s a good idea to use an LDAP browser to verify the connection parameters. The following browsers are available online: LDAP Browser/Editor and LDAP Administrator.

Note:

Do not restart your LDAP server or run parallel jobs during synchronization. Doing so can cause users or groups to be deleted from Adobe Connect.

Scheduled synchronizations

Scheduled synchronizations are recommended because they ensure that Adobe Connect has an up-to-date picture of the users and groups imported from the organization’s LDAP directory.

If you are importing many users and groups, the initial synchronization might consume significant resources. If so, schedule this initial synchronization at an off-peak time, such as late at night. Alternatively, you can do the initial synchronization manually.

To set up a scheduled synchronization, use the Synchronization Settings > Schedule Settings screen in the Application Management Console.

When a synchronization takes place, Adobe Connect compares LDAP directory entries to Adobe Connect directory entries and imports only those entries that contain at least one changed field.

Previewing the synchronization

Before you import users and groups in an initial synchronization, Adobe recommends that you test your mappings by previewing the synchronization. In a preview, users and groups are not imported, but errors are logged; you can examine these errors to diagnose problems in the synchronization.

To access the synchronization logs, use the Synchronization Logs screen. Each line of the log shows a synchronization event; the synchronization produces at least one event for each principal (user or group) processed. If any warnings or errors are generated during the preview, they are listed in a second warning log.

Log file values

The synchronization logs store values in a comma-separated format. In the following tables, principal refers to user and group entries. The following values are included in the log entries:

Date: The formatted date-time value, with time to the millisecond. The format is yyyyMMdd’T’HHmmss.SSS.

Principal ID: The login or group name.

Principal type: A single character: U for user, G for group.

Event: The action taken or condition encountered.

Detail: Detailed information about the event.

The following table describes the different kinds of events that can appear in the synchronization log files:

Each entry gives the event name, its description and, where the log records one, the contents of the Detail column.

add: The principal was added to Adobe Connect. Detail: an abbreviated XML packet that describes the updated fields using a series of tag pairs in the format <fieldname>value</fieldname> (for example, <first-name>Joe</first-name>). The parent node and non-updated fields are omitted.

update: The principal is an external user and some fields were updated.

update-members: The principal is an external group, and principals were added to or removed from membership in the group. Detail: an abbreviated XML packet that describes the added and removed members. The parent node is omitted: <add>ID list</add><remove>ID list</remove>. The ID list is a series of <id>principal ID</id> packets, where principal ID is an ID that would be listed in the Principal ID column, such as a user login or group name. If an ID list has no members, the parent node is output as <add/> or <remove/>.

delete: The principal was deleted from Adobe Connect.

up-to-date: The principal is an external principal in Adobe Connect and is already synchronized with the external directory. No changes were made. Detail: a user or group created in Adobe Connect is considered an internal principal. A user or group created by the synchronization process is considered an external principal.

make-external: The principal is an internal principal in Adobe Connect and was converted to an external principal. Detail: this event permits the synchronization to modify or delete the principal and is followed by another event that does one or the other. This event is logged in the warning log.

warning: A warning-level event occurred. Detail: a warning message.

error: An error occurred. Detail: the Java exception message.
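An added example (not Adobe's code) that parses the comma-separated synchronization log format described above and lists the events an administrator should look at: make-external conversions, deletions, membership removals, warnings and errors. The log lines in SAMPLE_LOG are constructed, the Detail text for make-external is an assumption (the page does not specify it), and the parser is assumed to apply to the warning log as well because the columns are the same.

```python
import csv
import re
from datetime import datetime
from io import StringIO
from typing import Dict, List, Tuple

FIELDS = ("date", "principal_id", "principal_type", "event", "detail")
DATE_FORMAT = "%Y%m%dT%H%M%S.%f"  # the page's yyyyMMdd'T'HHmmss.SSS
ID_RE = re.compile(r"<id>(.*?)</id>")
REVIEW_EVENTS = {  # events worth a human's attention, with the reason
    "make-external": "internal principal now under sync control (may be updated or deleted)",
    "delete": "principal removed under the deletion policy",
    "warning": "warning-level event",
    "error": "synchronization error (Java exception message in Detail)",
}

# Constructed sample log lines in the page's five-column format.
SAMPLE_LOG = """\
20240115T020000.123,jdoe,U,add,<first-name>John</first-name><last-name>Doe</last-name>
20240115T020000.456,asolis,U,make-external,login matched an internal user (assumed detail)
20240115T020000.789,asolis,U,update,<email>asolis@acme.example</email>
20240115T020001.001,Sales Team,G,update-members,"<add><id>jdoe</id><id>asolis</id></add><remove><id>bmoore</id></remove>"
20240115T020001.250,bmoore,U,delete,
20240115T020002.000,qa-team,G,error,LDAP query timed out (constructed message)
"""

def parse_sync_log(text: str) -> List[Dict[str, object]]:
    """One dict per log line; lines without exactly five columns are skipped."""
    records: List[Dict[str, object]] = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, (v.strip() for v in row)))
        rec["date"] = datetime.strptime(rec["date"], DATE_FORMAT)
        records.append(rec)
    return records

def member_changes(detail: str) -> Tuple[List[str], List[str]]:
    """(added, removed) IDs from an update-members packet; the page's empty
    forms <add/> and <remove/> yield empty lists."""
    def ids(tag: str) -> List[str]:
        m = re.search(rf"<{tag}>(.*?)</{tag}>", detail, re.S)
        return ID_RE.findall(m.group(1)) if m else []
    return ids("add"), ids("remove")

def review_sync_log(text: str) -> Dict[str, object]:
    """Event counts plus (event, principal, reason) tuples to review."""
    counts: Dict[str, int] = {}
    flagged: List[Tuple[str, str, str]] = []
    for rec in parse_sync_log(text):
        event, pid = str(rec["event"]), str(rec["principal_id"])
        counts[event] = counts.get(event, 0) + 1
        if event in REVIEW_EVENTS:
            flagged.append((event, pid, REVIEW_EVENTS[event]))
        elif event == "update-members":
            added, removed = member_changes(str(rec["detail"]))
            if removed:  # membership losses silently revoke access; worth a look
                flagged.append((event, pid, f"{len(removed)} removed, {len(added)} added"))
    return {"counts": counts, "flagged": flagged}
```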

About LDAPS

Adobe Connect supports the secure LDAP protocol, LDAPS, natively. The LDAP directory server must provide SSL connectivity. To connect securely to an LDAP directory server, use the LDAPS protocol in the connection URL, as follows: ldaps://exampleDirectoryServer:portNumber.
