The Vocera LDAP Adapter settings enable direct communication between the adapter and the Vocera Platform.
Configuration Field | Description |
---|---|
Component Name | Click the Component Name field to display a list of the systems and devices that the Vocera Platform currently supports. Select the name of the adapter to create. |
Reference Name | Enter a short descriptive name in the Reference Name field to uniquely identify an adapter instance. It may demonstrate the adapter function or other information; for example, Production adapter may differentiate a live adapter from a development or "sandbox" adapter. |
Enabled | Select the Enabled checkbox to allow the Vocera Platform to use the new adapter. The Vocera Platform ignores the adapter if this option is disabled. |
Required Datasets | If more than one dataset exists that meets the adapter's requirements, select the appropriate datasets for the new adapter to function correctly. The system searches for the datasets that meet the adapter's requirements. If the datasets already exist, the system uses them. If the datasets do not exist, the system creates them automatically. Select Create in the drop-down menu to create a new dataset that meets the organization's requirements. |
Set up a connection to an LDAP or Active Directory server to allow users to authenticate using the same credentials they use elsewhere in the organization. Each configuration allows one LDAP server per organization. The LDAP Settings section displays example settings for server connections, which must be changed to the appropriate settings for the organization's LDAP server.
LDAP Settings Field | Description |
---|---|
Use Automatic Discovery | Check the Use Automatic Discovery box to automatically discover the LDAP server(s) for the given base Distinguished Name (DN). Select this option instead of using the LDAP Server and Port settings described below. |
LDAP Server | Enter the host name or IP address of the LDAP server hosting the facility's directory service. Vocera Platform supports one LDAP server connection per organization. |
LDAP Port | Enter the port, usually 389/tcp, that Vocera Platform will use to communicate with the facility's LDAP server. The LDAP port setting must match the port configured on the LDAP server. |
Use SSL | Check the SSL box to set the port to 636/tcp. Toggle this checkbox on and off to view the default port settings for the LDAP Port and Use SSL fields. Select the Use SSL checkbox to enforce Secure Sockets Layer (SSL) security for communication over the Internet when retrieving data from the directory service. |
Base DN | Enter the Distinguished Name (DN) for the top-level entry in the LDAP directory. The base DN describes where to load users and groups from. Some example entry names include CN=Users for the common name attribute, or DC=example.com for a domain component attribute. This must be a domain partition root; other partitions, such as an OU (Organizational Unit), will not synchronize properly. |
DN of Schema | Enter the Distinguished Name (DN) of the facility's LDAP schema to obtain the set of rules governing what can be stored as entries in the LDAP directory. This allows Vocera Platform to retrieve attributes from LDAP to match to the Users dataset. |
DN of Service Account | Enter the DN of the LDAP Service Account that Vocera Platform uses to authenticate with the organization's server. Leave this field blank for anonymous access. |
Service Account Password | Enter the password for the LDAP Service Account that Vocera Platform uses to authenticate with the organization's server. Leave this field blank for anonymous access. |
Site | Select a Vocera Platform site name from the dropdown list. This site will be linked to all new users and groups. Note: During synchronization, existing users will not be linked to the selected site if they are already linked to a different site. See Synchronizing Users and Groups. |
Read Attributes Field | Description |
---|---|
Retrieve Attributes and Groups | Once connected to the LDAP server, you can read the attributes and groups in the organization's directory service. Click Save at the bottom of the adapter page if LDAP settings were just added or changed. The Vocera LDAP Adapter must be running, and the configuration must be saved if new settings were applied, in order to access the service. Select the Retrieve Attributes and Groups button in the Read Attributes and Groups section to collect all configured attributes and groups from the LDAP server. The retrieval can take several minutes, depending on the quantity of data to transfer. |
If a mapping has already been set up, the existing mapping is validated against the newly retrieved LDAP attributes and USERS dataset attributes. If the mapping is still valid (both the USERS attribute and the LDAP attribute exist), the user can save the form. If any mapping is invalid (either a USERS attribute or an LDAP attribute does not exist), the user will not be able to save the form.
Refer to Storing LDAP Images and Binary Data in User Attributes for information about mapping binary data, such as photos.
The following default attributes are paired when there are no pre-existing mappings for the systems:
Vocera | maps to | LDAP |
---|---|---|
USERS.login | maps to | LDAP.sAMAccountName |
USERS.ldap_dn | maps to | LDAP.distinguishedName |
USERS.first_name | maps to | LDAP.givenName |
USERS.last_name | maps to | LDAP.sn |
USERS.middle_initials | maps to | LDAP.initials |
USERS.email | maps to | LDAP.mail |
After the data is retrieved from the LDAP server, map Vocera Platform attributes to the retrieved LDAP attributes. The attributes login and ldap_dn are required.
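The following is an added example, not Vocera's own code or API: it applies the default attribute pairs listed above when no mapping exists yet, then performs the validation the form applies (every mapped USERS attribute and LDAP attribute must exist, and login and ldap_dn must be mapped). The attribute lists passed in are constructed sample inputs.

```python
# Default Vocera -> LDAP attribute pairs, used only when no mapping has been saved yet.
DEFAULT_MAPPINGS = {
    "login": "sAMAccountName",
    "ldap_dn": "distinguishedName",
    "first_name": "givenName",
    "last_name": "sn",
    "middle_initials": "initials",
    "email": "mail",
}
REQUIRED_VOCERA_ATTRS = ("login", "ldap_dn")


def resolve_mappings(existing, users_attrs, ldap_attrs):
    """Return (mapping, problems).

    existing    -- the saved Vocera->LDAP attribute mapping, or None/{} if none exists
    users_attrs -- attribute names of the USERS dataset
    ldap_attrs  -- attribute names retrieved from the LDAP server
    The form can be saved only when `problems` is empty.
    """
    mapping = dict(existing) if existing else dict(DEFAULT_MAPPINGS)
    users = set(users_attrs)
    # LDAP attribute type names are case-insensitive, so compare them in lower case.
    ldap = {name.lower() for name in ldap_attrs}
    problems = []
    for vocera_attr, ldap_attr in mapping.items():
        if vocera_attr not in users:
            problems.append(f"USERS attribute '{vocera_attr}' does not exist")
        if ldap_attr.lower() not in ldap:
            problems.append(f"LDAP attribute '{ldap_attr}' does not exist")
    for required in REQUIRED_VOCERA_ATTRS:
        if required not in mapping:
            problems.append(f"required attribute '{required}' is not mapped")
    return mapping, problems


if __name__ == "__main__":
    # Constructed sample inputs standing in for the retrieved attribute lists.
    users = ["login", "ldap_dn", "first_name", "last_name", "middle_initials", "email"]
    ldap = ["sAMAccountName", "distinguishedName", "givenName", "sn", "initials", "mail"]
    print(resolve_mappings(None, users, ldap))
    print(resolve_mappings({"login": "uid", "ldap_dn": "distinguishedName"}, users, ldap))
```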
Attribute Mappings Field | Description |
---|---|
Vocera Attribute | Select a mapping for a Vocera Platform attribute. |
LDAP Attribute | Select a mapping for an LDAP attribute. |
Contact Detail Mappings | Description |
---|---|
Contact Detail Type | Select a mapping for a Vocera Platform attribute. |
LDAP Attribute | Select a mapping for an LDAP attribute. |
At most one mapping should exist in each section for any particular LDAP group, although this is not enforced.
Group Mappings Field | Description |
---|---|
Vocera Group Name | Select a mapping for a Vocera Platform Group. Enter the Vocera Platform group name to which an LDAP group will be mapped. Group names provide auto-completion from the retrieved Vocera Platform groups based on the configured site, but they can be any value (if a Vocera Platform group does not exist for the group name, a new group will be created and a warning will be shown). |
LDAP Group | Select a mapping for an LDAP Group. Choose from the LDAP groups found during synchronization. LDAP group names provide auto-completion, which searches the configured AD server for groups matching the keyword. LDAP groups that do not exist in the AD server result in an error message that prevents updating the configuration until a valid LDAP group is specified. |
LDAP matches externally authenticated users to LDAP directory entries using the user's principal values. LDAP allows zero or more mappings from a principal value type to an LDAP attribute, which will be matched to identify the LDAP entry. The user principal mapping is required for SSO Kerberos use in authentication and generating a keytab file. See Establishing Security in the Vocera Platform Administration Guide.
In addition to the given configuration, every adapter instance includes an implicit mapping from the user's username to the login attribute configured in the attribute mapping (using the unmodified username).
Each user is looked up in LDAP based on the requested or authenticated identity and their Vocera Platform data is updated to match their LDAP data. Users are considered authorized only if they are a member of at least one of the mapped LDAP groups. Authentication adds a step to check their password against LDAP.
User Principal Mapping Field | Description |
---|---|
Principal Type | Select the type of principal this mapping supports from the dropdown list. A principal represents a unique identity. Options provided are NT Principal, X.509 Certificate Subject, Email Address, Kerberos Principal, or Other Principal. |
Active | Check the Active box to enable the configuration in the Vocera Platform system. |
LDAP Attribute | Select the LDAP attribute from the dropdown list to which the principal value will be matched. |
Regular Expression | Enter the regular expression that the value of the given principal type must match before it is matched to LDAP. |
LDAP Value Mapping | Enter a regular expression mapping for the value to use when searching for the principal in LDAP. A mapping of '$0' leaves the value unchanged. |