LDAP Settings
These settings determine the authentication for users on your system.
| Field Name | Description |
|---|---|
| Authentication Mode | The authentication mode is the process used to verify a user's credentials. Choose one of the following three modes. Built-in - The server keeps its old logic. LDAP users, who may have been added while the server was running in another mode, are still shown in the list of users, but authentication for these users fails with the authenticate_ldap_auth_disabled error code. LDAP - Authentication is fully delegated to LDAP, except for the Anonymous and Admin users. Users added in Built-in mode remain visible in the user list, but authentication for these users fails with the authenticate_built_in_auth_disabled error code. When this mode is applied: upon a successful login, the user record is automatically created in the CoreIdentity table, and the first name, last name and email address are copied from the LDAP server; no other checks, such as maximum login counts or password policy, are performed for LDAP users; LDAP users receive a special identityType: identity_ldap_user = identity_user \| identity_ldap; if a naming conflict occurs between LDAP and Built-in users (for example, "Foo" and "foo"), the authenticate_ldap_naming_conflict error is returned, and you can use the Transfer Identities to LDAP feature to resolve such conflicts; permission checks are performed using the regular service shell logic; LDAP connections are pooled; to improve performance, the security API caches the LDAP user password and calls the LDAP server again only after the timeout defined by the property (the default is 60 seconds; 0 means no timeout, so LDAP calls are executed on every server request), and the same logic is used for policy checks. Mixed - Authentication depends on the current identity type: Built-in users (created by the Trapeze administrator) are authenticated by Trapeze built-in security, LDAP users by the LDAP server. |
| Case Sensitive User Names | If selected, correct case is required for LDAP user names. |
| Members of Mapped Groups Only | If selected, only members of mapped groups (using the Security Group Mapping feature) are included. |
| Auto Synchronize Groups Mode | Choose one of the following three options. Disabled - Users become members of the corresponding mapped groups only when they are initially created in the LDAP server, imported from the LDAP server during initial setup, or added due to changes in the LDAP user search filter(s). No further synchronization is performed. User group membership can be altered manually in the Users and Security screen. Full - LDAP users become members of Trapeze Security groups if a group is mapped to one of the LDAP server user groups they belong to. Changes in LDAP group membership are reflected in Trapeze Security membership. Changing group membership from the security user interface has no effect in this case, because group membership is always kept in synchronization with the LDAP server according to the current group mapping. Mapped Groups Only - Only mapped Trapeze Security group memberships are automatically synchronized with the LDAP server. If a Trapeze security group is not mapped to any LDAP server group, users can become members of that group by manual assignment. |
| Use Auto-delete Timeout | Enter the time in minutes after which users that have been deleted from the LDAP server are automatically deleted from the Trapeze database. |
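The Authentication Mode row above describes how a login is routed (or rejected) per mode, and how the LDAP password cache limits LDAP server calls. The following Python model of that logic is an added example, not Trapeze code; the numeric values of the identity flags, the function names and the choice to cache a salted digest rather than the password itself are assumptions of this example.

```python
import hashlib, hmac, os, time

# Identity type bit flags. The page states identity_ldap_user = identity_user | identity_ldap;
# the numeric values below are assumptions of this example.
IDENTITY_USER = 0x1
IDENTITY_LDAP = 0x2
IDENTITY_LDAP_USER = IDENTITY_USER | IDENTITY_LDAP

# Error codes named in the settings table.
LDAP_AUTH_DISABLED = "authenticate_ldap_auth_disabled"
BUILT_IN_AUTH_DISABLED = "authenticate_built_in_auth_disabled"
NAMING_CONFLICT = "authenticate_ldap_naming_conflict"


def select_backend(mode, identity_type, username, built_in_names):
    """Return ("built-in" | "ldap", None) for a routable login, or (None, error_code)."""
    is_ldap = bool(identity_type & IDENTITY_LDAP)
    if mode == "Built-in":
        # Old logic: LDAP records stay listed but can never authenticate.
        return (None, LDAP_AUTH_DISABLED) if is_ldap else ("built-in", None)
    if mode == "LDAP":
        if username in ("Anonymous", "Admin"):   # the two exceptions the page names
            return ("built-in", None)
        if not is_ldap:
            return (None, BUILT_IN_AUTH_DISABLED)
        # "Foo" vs "foo": an LDAP name colliding with a built-in name is rejected.
        if any(n.casefold() == username.casefold() for n in built_in_names):
            return (None, NAMING_CONFLICT)
        return ("ldap", None)
    if mode == "Mixed":
        return ("ldap", None) if is_ldap else ("built-in", None)
    raise ValueError(f"unknown authentication mode: {mode}")


class LdapPasswordCache:
    """Answers from cache for `timeout` seconds after a bind; timeout 0 means bind every time."""

    def __init__(self, timeout=60, now=time.monotonic):
        self.timeout, self.now, self._entries = timeout, now, {}

    def verify(self, username, password, ldap_bind):
        entry = self._entries.get(username)
        if self.timeout and entry and self.now() - entry[2] < self.timeout:
            salt, digest, _ = entry      # within the timeout the LDAP server is not contacted
            return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())
        ok = ldap_bind(username, password)   # the only path that reaches the LDAP server
        if ok:                               # store a salted digest, not the password itself
            salt = os.urandom(16)
            self._entries[username] = (salt, hashlib.sha256(salt + password.encode()).digest(), self.now())
        return ok
```

Injecting a fake clock via `now=` lets you check that a cache with the default 60-second timeout makes exactly one bind call per user until the timeout elapses, while timeout 0 binds on every request.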