How to synchronize users through LDAP integration

Set up an integration between Proxyclick and your directory server to automatically synchronize company users and create accounts

Written by Pearl McGuire

Introduction

The LDAP integration automatically provisions users into Proxyclick from your internal user directory. It also lets a user log into the Proxyclick application with the e-mail address and password held in that directory; Proxyclick validates those credentials against the directory at login time.

This has the following advantages:

  • Users can use their company password, so there is no need for a new password.

  • The password security settings defined by your company also apply to accessing the Proxyclick application.

  • When a user is disabled or removed from the directory, that user can no longer log into the Proxyclick application.

Key features

  • One-way synchronization from your directory to the Proxyclick application

  • No modification of the directory information

  • Integration only reads the user data from the directory

Whenever possible we recommend one of our alternative methods, as they are more flexible and reliable. Find out if any of our other options would work for you here.

Requirements

The connection from Proxyclick to the directory server must be available. If the connection is down at the moment a user wants to log in, Proxyclick cannot verify the credentials and the login is refused with an error message. Likewise, during user synchronization Proxyclick cannot update the accounts in its database if the connection to the directory server is failing.

Adequate connection speed is also required to keep response times acceptable for login and for user synchronization.

Additionally, you will need to ensure that you have activated this add-on on your subscription.

Technical implementation

Access to the directory server uses the LDAP protocol (Lightweight Directory Access Protocol). Proxyclick supports LDAP over TLS/SSL (LDAPS) for securing the connection and data exchange over the internet.

Your firewall needs to accept incoming connections from Proxyclick to the directory server. We suggest creating a rule limited to the IP address of the Proxyclick LDAP proxy server: 149.202.139.23

We also suggest creating a separate account for accessing the directory. This account needs to be able to read data from the directory and to search for users. Write access is not required, as Proxyclick will not modify directory information.

Supported Platforms

All directory servers that support the LDAP protocol can be used. This includes:

  • Microsoft Active Directory

  • Lotus Domino

  • OpenLDAP

  • Apache Directory

Login procedure at Proxyclick

If you need the users to be authenticated against the LDAP directory, they need to use a login page using a special URL:

where [alias] is used to know which directory server to access in order to validate the credentials. Please contact in order to get the alias (the alias is only available after we have set up the integration).

  1. The user enters an email address and password.

  2. A connection is opened to the directory server with the Proxyclick account and a lookup is done to retrieve the user by e-mail address. If no result is found, the e-mail address is invalid and the login is refused (an error message is displayed). If an entry is found, the distinguished name (DN) of the user is retrieved for the next step.

  3. Another connection is opened with the user DN and the password. If the directory server refuses the connection, then the password is not correct and the login is refused (the user gets an error message). If the connection is accepted, the credentials are correct.

  4. The login process checks if an account exists. If not, the account is created using the user information extracted from the directory.

  5. Finally, if there are no errors, the user gets access to the application.

(Other authentication mechanisms are our standard login page (password stored on Proxyclick servers) or SSO).
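The five steps above, as an added example that is not Proxyclick's code. It runs the service-account lookup and the second bind against an in-memory stand-in for the directory server so it works offline; the base DN, service account, entries and the account store are constructed, and the `mail`/`givenName`/`sn` attribute names follow the mapping this article uses. Two details matter for anyone implementing the same flow: the e-mail typed on the login page is escaped per RFC 4515 before it is placed in the search filter, and an empty password is refused before any bind, because RFC 4513 defines a DN with an empty password as an unauthenticated bind that many servers report as successful.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed values for the example (not from the article).
BASE_DN = "OU=Sunfix,DC=sunfix,DC=com"
SERVICE_DN = "CN=proxyclick-svc,OU=Service,DC=sunfix,DC=com"
SERVICE_PASSWORD = "service-account-secret"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter, so the
    e-mail typed on the login page cannot alter the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_lookup_filter(email: str) -> str:
    """Filter used in step 2; 'mail' is the attribute the article maps to e-mail."""
    return f"(&(objectClass=user)(mail={escape_filter_value(email)}))"


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _assertion_matches(raw_value: str, actual: str) -> bool:
    # A raw '*' is a wildcard; an escaped '\2a' is a literal asterisk.
    pattern = ".*".join(re.escape(_unescape(part)) for part in raw_value.split("*"))
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None


class FakeDirectory:
    """In-memory stand-in for the directory server (constructed). It evaluates
    AND-filters of equality assertions, which is all this flow needs."""

    def __init__(self):
        self.entries = {}  # dn -> (password, {attribute (lower-case): value})

    def add(self, dn: str, password: str, **attributes):
        self.entries[dn] = (password, {k.lower(): v for k, v in attributes.items()})

    def bind(self, dn: str, password: str) -> bool:
        if dn in self.entries and password == "":
            # Mirrors RFC 4513 section 5.1.2: DN plus empty password is an
            # *unauthenticated* bind, which many servers report as success.
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry[0] == password

    def search(self, base_dn: str, ldap_filter: str, attributes):
        assertions = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
        hits = []
        for dn, (_, attrs) in self.entries.items():
            if not dn.lower().endswith(base_dn.lower()):
                continue
            if all(_assertion_matches(v, str(attrs.get(a.lower(), ""))) for a, v in assertions):
                hits.append((dn, {a: attrs.get(a.lower()) for a in attributes}))
        return hits


@dataclass
class LoginResult:
    ok: bool
    message: str
    account: Optional[dict] = None


def login(directory, accounts: dict, email: str, password: str) -> LoginResult:
    """Steps 1-5 of the login procedure; 'accounts' stands in for the Proxyclick
    account database (e-mail -> account)."""
    refused = LoginResult(False, "Invalid e-mail address or password")
    # Step 1: both values must be present. An empty password is refused before
    # any bind, because the directory would treat it as an unauthenticated bind.
    if not email or not password:
        return refused
    # Step 2: bind with the Proxyclick service account and look the user up.
    if not directory.bind(SERVICE_DN, SERVICE_PASSWORD):
        return LoginResult(False, "Directory server unavailable")
    hits = directory.search(BASE_DN, user_lookup_filter(email), ["mail", "givenName", "sn"])
    if len(hits) != 1:  # no entry, or an ambiguous result, is a failed lookup
        return refused
    user_dn, attrs = hits[0]
    # Step 3: second bind with the user's own DN and the password they typed.
    if not directory.bind(user_dn, password):
        return refused
    # Step 4: create the account on first login from the directory data.
    key = attrs["mail"].lower()
    if key not in accounts:
        accounts[key] = {"email": attrs["mail"], "first_name": attrs["givenName"],
                         "last_name": attrs["sn"]}
    # Step 5: credentials verified and account present, so grant access.
    return LoginResult(True, "OK", accounts[key])


def sample_directory() -> FakeDirectory:
    """Constructed directory with the service account and two users."""
    d = FakeDirectory()
    d.add(SERVICE_DN, SERVICE_PASSWORD, objectClass="user", mail="svc@sunfix.com")
    d.add("CN=Alice Smith,OU=Users,OU=Sunfix,DC=sunfix,DC=com", "alice-pw",
          objectClass="user", mail="alice@sunfix.com", givenName="Alice", sn="Smith")
    d.add("CN=Bob Jones,OU=Users,OU=Sunfix,DC=sunfix,DC=com", "bob-pw",
          objectClass="user", mail="bob@sunfix.com", givenName="Bob", sn="Jones")
    return d
```

Every refusal in steps 2 and 3 returns the same message, so a caller cannot tell from the response whether the e-mail address or the password was wrong; the wildcard case (an e-mail of `*@sunfix.com`) is refused because the escaped filter matches no entry rather than matching every user.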

User synchronization

Proxyclick regularly synchronizes the users in the directory with the Proxyclick accounts. For every entry in the directory, a check is done against the Proxyclick database.

If an account for the user is found in Proxyclick, its data is updated if it has changed. If no account is found, a new one is created.

Accounts that exist in the Proxyclick database but are missing from the user directory are flagged as deleted.

User information extracted from the directory

The data to be retrieved for users in the user directory are:

  • First name (mandatory)

  • Last name (mandatory)

  • E-mail address (mandatory)

  • Mobile phone number (optional), E.164 format

  • Fixed phone number (optional), less than 20 characters

  • Language (optional), ISO 639-1 format

For every field, Proxyclick needs to know the attribute to use to get the value.
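One synchronization pass as described in the two sections above, written as an added example that is not Proxyclick's code. It applies an attribute mapping of the kind Proxyclick asks for (the `mail`, `givenName` and `sn` names are the article's; `mobile`, `telephoneNumber` and `preferredLanguage` are assumed attribute names), enforces the mandatory/optional field rules and formats listed above, updates changed accounts, creates missing ones and flags accounts with no matching directory entry as deleted. The directory entries and the account store are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Which directory attribute feeds each Proxyclick field. The first three are the
# article's mapping; the other three are assumed attribute names for the example.
ATTRIBUTE_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
    "mobile": "mobile",
    "phone": "telephoneNumber",
    "language": "preferredLanguage",
}
MANDATORY = ("first_name", "last_name", "email")
E164 = re.compile(r"^\+[1-9]\d{1,14}$")   # e.g. +32470123456
ISO_639_1 = re.compile(r"^[a-z]{2}$")      # e.g. fr, nl, en


class InvalidEntry(ValueError):
    """Raised when a directory entry cannot become a Proxyclick user."""


def map_entry(attrs: dict) -> dict:
    """Turn one directory entry into a Proxyclick user record, applying the
    mandatory/optional rules and formats listed in the article."""
    user = {}
    for field_name, attr in ATTRIBUTE_MAP.items():
        value = attrs.get(attr)
        user[field_name] = (value.strip() or None) if isinstance(value, str) else None
    for name in MANDATORY:
        if not user[name]:
            raise InvalidEntry(f"missing mandatory field {name}")
    if user["mobile"] and not E164.match(user["mobile"]):
        raise InvalidEntry("mobile phone number is not in E.164 format")
    if user["phone"] and len(user["phone"]) >= 20:
        raise InvalidEntry("fixed phone number must be less than 20 characters")
    if user["language"] and not ISO_639_1.match(user["language"]):
        raise InvalidEntry("language is not an ISO 639-1 code")
    user["email"] = user["email"].lower()  # the e-mail address is the matching key
    return user


@dataclass
class SyncReport:
    created: list = field(default_factory=list)
    updated: list = field(default_factory=list)
    unchanged: list = field(default_factory=list)
    flagged_deleted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (dn, reason)


def synchronize(directory_entries, accounts: dict) -> SyncReport:
    """One pass. 'directory_entries' is a list of (dn, attributes) as returned by
    the search query; 'accounts' stands in for the Proxyclick database
    (e-mail -> account) and is updated in place."""
    report = SyncReport()
    seen = set()
    for dn, attrs in directory_entries:
        try:
            user = map_entry(attrs)
        except InvalidEntry as exc:
            report.rejected.append((dn, str(exc)))
            # A malformed entry is reported, not silently dropped: if its e-mail is
            # readable, the existing account is kept rather than flagged as deleted.
            raw_mail = attrs.get(ATTRIBUTE_MAP["email"])
            if isinstance(raw_mail, str) and raw_mail.strip():
                seen.add(raw_mail.strip().lower())
            continue
        key = user["email"]
        seen.add(key)
        existing = accounts.get(key)
        if existing is None:
            accounts[key] = dict(user, deleted=False)
            report.created.append(key)
        elif existing.get("deleted") or any(existing.get(k) != v for k, v in user.items()):
            accounts[key] = dict(user, deleted=False)  # also re-activates a flagged account
            report.updated.append(key)
        else:
            report.unchanged.append(key)
    # Accounts with no matching directory entry are flagged, not removed.
    for key, account in accounts.items():
        if key not in seen and not account.get("deleted"):
            account["deleted"] = True
            report.flagged_deleted.append(key)
    return report


def sample_directory_entries():
    """Constructed entries, shaped like the results of the search query."""
    return [
        ("CN=Alice Smith,OU=Users,DC=sunfix,DC=com",
         {"givenName": "Alice", "sn": "Smith", "mail": "Alice@sunfix.com",
          "mobile": "+32470123456", "preferredLanguage": "fr"}),
        ("CN=Bob Jones,OU=Users,DC=sunfix,DC=com",
         {"givenName": "Bob", "sn": "Jones", "mail": "bob@sunfix.com",
          "telephoneNumber": "+32 2 123 45 67"}),
        ("CN=Carol Lee,OU=Users,DC=sunfix,DC=com",  # no 'sn' attribute: rejected
         {"givenName": "Carol", "mail": "carol@sunfix.com"}),
    ]


def sample_accounts() -> dict:
    """Constructed state of the Proxyclick database before the pass."""
    def account(first, last, email, phone=None):
        return {"first_name": first, "last_name": last, "email": email,
                "mobile": None, "phone": phone, "language": None, "deleted": False}
    return {
        "bob@sunfix.com": account("Bob", "Jones", "bob@sunfix.com", "+32 2 000 00 00"),
        "carol@sunfix.com": account("Carol", "Lee", "carol@sunfix.com"),
        "dave@sunfix.com": account("Dave", "Left", "dave@sunfix.com"),
    }
```

Running `synchronize(sample_directory_entries(), sample_accounts())` creates Alice, updates Bob's phone number, flags Dave (absent from the directory) as deleted, and reports Carol's entry as rejected for the missing last name while leaving her existing account active. Flagging instead of deleting keeps the operation reversible if a directory outage or a mistaken search query returns fewer entries than expected.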

Info needed for every location

In order to set up an integration with your directory (Active Directory or another LDAP server), you need to send an email to support@proxyclick.com with the following information (for every location):

  • Person of contact: name and email of contact person (in case we have technical questions)

  • Server address: hostname or IP

  • Server port: typically 389 for LDAP (without encryption) or 636 for LDAPS (with encryption). In case of LDAPS, if the certificate that will be presented by the server does not match the server address (e.g. you provide address 192.168.1.1 but the certificate is for *.example.com), there will be an additional processing time for us to install the certificate in our trust store.

  • Credentials: username/password for searching the directory

  • Base DN: the distinguished name of the entry from which the search for users starts

  • Search Query: the query to find the users to be synchronized with Proxyclick (e.g. filter on OU, member of group, …). This must be in LDAP query format, for example:

    (&(mail=*)(sn=*)(givenName=*)(objectclass=user)(objectcategory=person)(memberOf=CN=ProxyClick-Users,OU=Groups,OU=Sunfix,DC=sunfix,DC=com))

  • Attributes to use to get the first name, last name and e-mail address of the users, e.g.

    mail = user email
    givenName = user first name
    sn = user last name

You can also contact us if you have any additional questions at support@proxyclick.com or via chat.
