Overview of LDAP Integration

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.  LDAP user authentication validates a username/password combination against a directory server such as Active Directory or OpenLDAP.

With the Metric Insights LDAP integration, you can automatically create Metric Insights users based upon the existing user and group information in your LDAP server. Although this requires a bit of upfront configuration, it greatly simplifies installations with hundreds or thousands of users.

Metric Insights LDAP integration currently supports the following features:

  • Authenticate users against LDAP (If users change their passwords for their other applications, the new password will also work to access Metric Insights)
  • Automatically create Metric Insights users with user profile information (e.g., first name, last name, email, etc.) from LDAP (for more details, refer to Script to synchronize/create users with LDAP)
  • Automatically add Metric Insights users to specific Metric Insights groups based upon LDAP group membership
  • Automatically sync user profile info on successful login
  • Auto-creation of LDAP users can be selectively turned on or off
  • Optionally, auto-remove users from MI groups based upon LDAP group membership

To read more about configuring this integration, see Configuring LDAP Authentication

1. Basic use-case

The process is as follows:

  1. User enters credentials on the Metric Insights login page
  2. Metric Insights passes credentials to the associated customer's LDAP/Active Directory
  3. LDAP verifies that the user is authorized. If this user profile has not previously been created in Metric Insights, it is automatically created based on the LDAP user data (first name, last name, group membership, etc.). If any user information has changed on the LDAP server since the previous login, it is automatically updated in Metric Insights.
  4. User is logged into Metric Insights

2. Use-case for new Users

  1. An Administrator creates Group(s) in Metric Insights and maps them to LDAP "organizational units"; i.e., groups
  2. New user enters credentials into Metric Insights
  3. Metric Insights passes credentials to the associated customer's LDAP/Active Directory
  4. LDAP verifies that user is authorized
  5. User is logged into Metric Insights
  6. Metric Insights issues an API call to obtain other information about the new user, including name, email, and LDAP group assignments
  7. Metric Insights assigns the new user to all Groups that can be matched to LDAP organizational units

Example: The Metric Insights "Finance" Group is mapped to the LDAP organizational unit "finance_group". A new user is a member of the LDAP organizational unit "finance_group", so Metric Insights assigns the user to the Metric Insights "Finance" Group. If appropriate, Metric Insights will assign the user to multiple Groups.

NOTE: The Metric Insights API can be used to do this work.  It is not necessary to do it manually in the Metric Insights User and Group Editors.

3. Use-case for Users that change Groups

  1. An Administrator can establish optional configuration parameters to auto-remove users from MI groups based upon LDAP group membership
  2. When appropriately set, Metric Insights issues an API call each time a user logs into Metric Insights
     • The API call returns the user's LDAP/Active Directory organizational unit assignment(s)
     • Metric Insights updates the user's Group assignments based on the information returned from the API call

To read more about configuring this, see Configuring LDAP Authentication

4. Optional settings for new Users

An Admin can set an optional configuration parameter that will prevent new user accounts from being created automatically. This permits LDAP/Active Directory integration while giving Administrators direct control over the creation of new user accounts.

To read more about configuring this, see Configuring LDAP Authentication
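The login-time decisions described in sections 1 through 4, modelled as an added example (not Metric Insights code and not its API). The function, parameter and class names are hypothetical, the "sales_group" mapping is constructed, and the rule that auto-remove only touches mapped Groups is an assumption of this sketch.

```python
from dataclasses import dataclass, field

# Hypothetical mapping: LDAP group name -> Metric Insights Group.
# "finance_group" -> "Finance" is the page's example; "sales_group" is constructed.
GROUP_MAP = {"finance_group": "Finance", "sales_group": "Sales"}


@dataclass
class SyncPlan:
    allow_login: bool
    create_user: bool = False
    add: set = field(default_factory=set)
    remove: set = field(default_factory=set)


def plan_login_sync(ldap_auth_ok, ldap_groups, existing_groups,
                    auto_create=True, auto_remove=False, group_map=GROUP_MAP):
    """Decide what one login changes; existing_groups is None if no local profile exists."""
    if not ldap_auth_ok:
        return SyncPlan(allow_login=False)
    is_new = existing_groups is None
    if is_new and not auto_create:
        # Auto-creation turned off: valid directory credentials alone create no account.
        return SyncPlan(allow_login=False)
    current = set() if is_new else set(existing_groups)
    # Assumption: group names are matched case-insensitively; unmapped LDAP groups are ignored.
    names = {g.lower() for g in ldap_groups}
    entitled = {mi for ldap, mi in group_map.items() if ldap.lower() in names}
    plan = SyncPlan(allow_login=True, create_user=is_new, add=entitled - current)
    if auto_remove:
        # Assumption: only mapped Groups are revoked; manually assigned Groups stay.
        plan.remove = (current & set(group_map.values())) - entitled
    return plan


if __name__ == "__main__":
    # Constructed case: a user moved from finance to sales in the directory.
    print(plan_login_sync(True, ["sales_group"], {"Finance", "Admins"}, auto_remove=True))
```

With auto-remove left off, a user who leaves an LDAP group keeps the mapped Metric Insights Group until an administrator removes it, which is worth checking when reviewing access after role changes.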
