Configuring a Vocera LDAP Adapter

The Vocera LDAP Adapter settings enable direct communication between the adapter and the Vocera Platform.

Select an empty field and begin typing, or select an existing value and type over it. To keep an existing value, do not edit that field.
  1. Access the Vocera Platform Web Console and navigate to the adapters.
  2. Select New Adapter in the Action menu, or select an adapter you wish to configure and then select Edit, to display the configuration fields. The configuration fields are the same for new and existing adapters.
  3. Navigate to the New Adapter option, or navigate to an existing adapter to edit. See Creating a New Adapter and Editing an Adapter for instruction as needed.
  4. Complete the configuration fields as described in the table.
    Configuration Field Description
    Component Name

    Click the Component Name field to display a list of the systems and devices that the Vocera Platform currently supports. Select the name of the adapter to create.

    Reference Name

    Enter a short descriptive name in the Reference Name field to uniquely identify an adapter instance. It may describe the adapter's function or other information; for example, "Production adapter" may differentiate a live adapter from a development or "sandbox" adapter.

    Enabled

    Select the Enabled checkbox to allow the Vocera Platform to use the new adapter. The Vocera Platform ignores the adapter if this option is disabled.

    Required Datasets

    If more than one dataset exists that meets the adapter's requirements, select the appropriate datasets for the new adapter to function correctly. The system searches for the datasets that meet the adapter's requirements. If the datasets already exist, the system will use them. If the datasets do not exist, the system will create them automatically. Select Create in the drop-down menu to create a new dataset to meet the organization's requirements.
  5. Complete the LDAP Settings configuration fields as described in the table.

    Set up a connection to an LDAP or Active Directory server to allow users to authenticate using the same credentials they use elsewhere in the organization. Each configuration allows one LDAP server per organization. The LDAP Settings section displays example settings for server connections, which must be changed to the appropriate settings for the organization's LDAP server.

    Note: Once you have entered the LDAP Settings information in this section, click the Save button at the bottom of the page. In order to retrieve the attributes and groups from the LDAP server, the adapter must first be active and running in the system.

    LDAP Settings Field Description
    Use Automatic Discovery

    Check the Use Automatic Discovery box to automatically discover the LDAP server(s) for the given base Distinguished Name (DN). Select this option instead of using the LDAP Server and Port settings described below.

    LDAP Server

    Enter the host name or IP address of the LDAP server hosting the facility's directory service. Vocera Platform supports one LDAP server connection per organization.

    LDAP Port

    Enter the port, usually 389/tcp, that Vocera Platform will use to communicate with the facility's LDAP server. The LDAP port setting must match the port set in the LDAP server.

    Use SSL

    Check the SSL box to set the port to 636/tcp. Toggle this checkbox on and off to view the default port settings for the LDAP Port and Use SSL fields. Select the Use SSL checkbox to enforce Secure Sockets Layer (SSL) security for communication over the Internet when retrieving data from the directory service.

    Base DN

    Enter the Distinguished Name (DN) for the top level entry in the LDAP directory. The base DN describes where to load users and groups.

    Some example entry names include CN=Users for the common name attribute, or DC=example.com for a domain component attribute. This must be a domain partition root; other partitions, such as an OU (organizational unit), will not synchronize properly.

    DN of Schema

    Enter the Distinguished Name (DN) of the facility's LDAP schema to obtain the set of rules governing what can be stored as entries in the LDAP directory. This allows Vocera Platform to retrieve attributes from LDAP to match to the Users dataset.

    DN of Service Account

    Enter the DN of the LDAP Service Account for Vocera Platform to use to authenticate with the organization's server. Leave this field blank for anonymous access.

    Service Account Password

    Enter the password for the LDAP Service Account for Vocera Platform to use to authenticate with the organization's server. Leave this field blank for anonymous access.

    Site

    Select a Vocera Platform site name from the dropdown list. This site will be linked to all new users and groups.

    Note: During synchronization, existing users will not be linked to the selected site if they are already linked to a different site. See Synchronizing Users and Groups.
  6. Complete the Read Attributes configuration fields as described in the table.

    Read Attributes Field Description
    Retrieve Attributes and Groups

    Once connected to the LDAP server, you can read the attributes and groups in the organization's directory service.

    Click Save at the bottom of the adapter page, if LDAP settings were just added or changed. The Vocera LDAP Adapter must be running, and the configuration must be saved if new settings were applied, in order to access the service.

    Select the Retrieve Attributes and Groups button in the Read Attributes and Groups section to collect all configured attributes and groups from the LDAP server. The retrieval will take several minutes, depending on the quantity of data to transfer.

  7. Complete the Attribute Mappings configuration fields as described in the table.

    If a mapping has already been set up, the existing mapping will be validated against the new LDAP Attributes and the new USERS Dataset Attributes. If the mapping is still valid (both the USERS Attribute and the LDAP Attribute exist), the user will be able to save the form. If any mapping is invalid (either a USERS Attribute or an LDAP Attribute does not exist), the user will not be able to save the form.

    Refer to Storing LDAP Images and Binary Data in User Attributes for information about mapping binary data, such as photos.

    The following default attributes are paired when there are no pre-existing mappings for the systems:

    Vocera maps to LDAP
    USERS.login maps to LDAP.sAMAccountName
    USERS.ldap_dn maps to LDAP.distinguishedName
    USERS.first_name maps to LDAP.givenName
    USERS.last_name maps to LDAP.sn
    USERS.middle_initials maps to LDAP.initials
    USERS.email maps to LDAP.mail

    After the data is retrieved from the LDAP server, map Vocera Platform attributes to the retrieved LDAP attributes. The attributes login and ldap_dn are required.

    Attribute Mappings Field Description
    Vocera Attribute

    Select a mapping for a Vocera Platform attribute.

    LDAP Attribute

    Select a mapping for an LDAP attribute.
  8. Complete the Contact Detail Mappings configuration fields as described in the table.

    Contact Detail Mappings Field Description
    Contact Detail Type

    Select a mapping for a Vocera Platform attribute.

    LDAP Attribute

    Select a mapping for an LDAP attribute.
  9. Complete the Group Mappings configuration fields as described in the table.

    At most one mapping should exist in each section for any particular LDAP group, although this is not enforced.

    Group Mappings Field Description
    Vocera Group Name

    Select a mapping for a Vocera Platform Group. Enter the Vocera Platform group name to which an LDAP group will be mapped.

    Group names provide auto completion from the retrieved Vocera Platform groups based on the configured site, but they can be any value (if a Vocera Platform group does not exist for the group name, a new group will be created and a warning will be shown).

    LDAP Group

    Select a mapping for an LDAP Group. Choose from the LDAP groups found during synchronization.

    LDAP group names provide auto completion, which searches the configured AD server for groups matching the keyword. An LDAP group that does not exist in the AD server results in an error message that prevents the configuration from being updated until a valid LDAP group is specified.

  10. Complete the User Principal Mapping configuration fields as described in the table.

    LDAP matches externally authenticated users to LDAP directory entries using the user's principal values. LDAP allows 0 or more mappings from a principal value type to an LDAP attribute which will be matched to identify the LDAP entry. The user principal mapping is required for SSO Kerberos use in authentication and generating a keytab file. See Establishing Security in the Vocera Platform Administration Guide.

    In addition to the given configuration, every instance is an implicit mapping from the user's username to the login attribute configured in the attribute mapping (using the unmodified username).

    Each user is looked up in LDAP based on the requested or authenticated identity and their Vocera Platform data is updated to match their LDAP data. Users are considered authorized only if they are a member of at least one of the mapped LDAP groups. Authentication adds a step to check their password against LDAP.

    User Principal Mapping Field Description
    Principal Type

    Select the type of principal this mapping supports from the dropdown list. A principal represents a unique identity. Options provided are NT Principal, X.509 Certificate Subject, Email Address, Kerberos Principal, or Other Principal.

    Active

    Check the Active box to enable the configuration in the Vocera Platform system.

    LDAP Attribute

    Select the LDAP attribute from the dropdown list to which the principal value will be matched.

    Regular Expression

    Enter the regular expression that a value of the given principal type must match before it is matched to LDAP.

    LDAP Value Mapping

    Enter a regular expression mapping for the value to use in searching for the principal in LDAP. A mapping of '$0' will leave the value unchanged.

  11. Select one of the available options to exit the adapter configuration page. See Saving an Adapter for details.
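The attribute-mapping rules in step 7 (default pairings when no mappings exist, validation that both the USERS attribute and the LDAP attribute exist, and the required login and ldap_dn attributes), as an added Python example that is not part of this guide or of the Vocera product. The USERS and LDAP attribute sets are constructed, and validating the default pairings against the retrieved attributes is an assumption.

```python
# Default pairings listed in step 7, applied when no mappings exist yet.
DEFAULT_MAPPINGS = {
    "login": "sAMAccountName",
    "ldap_dn": "distinguishedName",
    "first_name": "givenName",
    "last_name": "sn",
    "middle_initials": "initials",
    "email": "mail",
}
# Step 7: these two Vocera attributes must always be mapped.
REQUIRED_ATTRIBUTES = ("login", "ldap_dn")


def resolve_attribute_mappings(existing, users_attributes, ldap_attributes):
    """Return (mappings, errors) for the Attribute Mappings form.

    existing:         {vocera_attr: ldap_attr} already saved, or empty.
    users_attributes: attribute names of the USERS dataset.
    ldap_attributes:  attribute names returned by Retrieve Attributes and Groups.
    The form may be saved only when the returned error list is empty.
    """
    # Assumption: defaults are validated the same way as saved mappings.
    mappings = dict(existing) if existing else dict(DEFAULT_MAPPINGS)
    errors = []
    for vocera_attr, ldap_attr in mappings.items():
        if vocera_attr not in users_attributes:
            errors.append(f"USERS attribute {vocera_attr!r} does not exist")
        if ldap_attr not in ldap_attributes:
            errors.append(f"LDAP attribute {ldap_attr!r} does not exist")
    for required in REQUIRED_ATTRIBUTES:
        if required not in mappings:
            errors.append(f"required attribute {required!r} is not mapped")
    return mappings, errors


# Constructed sample inputs standing in for the USERS dataset and one retrieval run.
USERS_ATTRIBUTES = {"login", "ldap_dn", "first_name", "last_name",
                    "middle_initials", "email", "title"}
LDAP_ATTRIBUTES = {"sAMAccountName", "distinguishedName", "givenName", "sn",
                   "initials", "mail", "title", "memberOf"}
```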
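The user principal matching described in step 10, as an added Python example that is not Vocera's code: it applies the active mappings of a principal type (Regular Expression, then $N substitution from the LDAP Value Mapping), always adds the implicit clause from the unmodified username to the login attribute, escapes every value before it enters an LDAP search filter (RFC 4515) so a crafted principal cannot change the query, and applies the rule that only members of at least one mapped LDAP group are authorized. The mappings, attribute names and whole-value regex matching are assumptions.

```python
import re

# Constructed user-principal mappings in the shape of step 10's table
# (Principal Type, Active, LDAP Attribute, Regular Expression, LDAP Value Mapping).
PRINCIPAL_MAPPINGS = [
    {"type": "Kerberos Principal", "active": True, "ldap_attribute": "userPrincipalName",
     "regex": r"^([^@]+)@EXAMPLE\.COM$", "value_mapping": "$1@example.com"},
    {"type": "Email Address", "active": True, "ldap_attribute": "mail",
     "regex": r"^[^@]+@example\.com$", "value_mapping": "$0"},
    {"type": "NT Principal", "active": False, "ldap_attribute": "sAMAccountName",
     "regex": r"^EXAMPLE\\(.+)$", "value_mapping": "$1"},
]


def escape_filter_value(value):
    """RFC 4515 escaping so an externally supplied principal cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def apply_value_mapping(template, match):
    """Expand $0, $1, ... in the LDAP Value Mapping from the regex match groups."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)


def build_search_filter(principal_type, principal_value, username, mappings,
                        login_attribute="sAMAccountName"):
    """Return the LDAP search filter that identifies the user's directory entry.

    Every active mapping of the requested principal type whose regular expression
    matches the principal value contributes one clause; the implicit mapping from
    the unmodified username to the configured login attribute is always added.
    Assumption: the regular expression must match the whole principal value.
    """
    clauses = []
    for m in mappings:
        if not m["active"] or m["type"] != principal_type:
            continue
        match = re.fullmatch(m["regex"], principal_value)
        if match is None:
            continue
        value = apply_value_mapping(m["value_mapping"], match)
        clauses.append(f"({m['ldap_attribute']}={escape_filter_value(value)})")
    clauses.append(f"({login_attribute}={escape_filter_value(username)})")
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def is_authorized(member_of, group_mappings):
    """Authorized only if the entry belongs to at least one mapped LDAP group (DNs compared case-insensitively)."""
    mapped = {g["ldap_group"].casefold() for g in group_mappings}
    return any(dn.casefold() in mapped for dn in member_of)
```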