Support for Domain User Synchronization

Old Content - visit altium.com/documentation

To simplify the process of connecting to and accessing company networks, Altium Vault 2.1 introduces directory services support through the vault’s browser interface.

This offers domain user synchronization based on the Lightweight Directory Access Protocol (LDAP), which queries the network’s central LDAP server to retrieve domain user group and role membership information. Authenticating domain users through established directory services in this way offers the potential of a single login for access to all company systems, including the Altium Vault.

The vault LDAP synchronization queries the network services on a user Role basis, where role membership information is gathered for vault user access authorization. Polling the domain membership through the LDAP service (synchronizing) allows the system to respond to a domain user configuration change within a synchronization cycle.

For more information on the LDAP principles, capabilities and implementation syntax, see https://tools.ietf.org/html/rfc4510 and its constituent documentation pages.

Vault LDAP configuration

To access and configure LDAP user synchronization for the Vault, connect to the vault services through the browser interface and select the LDAP Sync tab on the USERS page. Create a new LDAP query entry by selecting the Add sync task link.


Use the LDAP Sync tab to add a new LDAP synchronization task in the Edit/Add LDAP sync task dialog.

LDAP queries you create attempt to establish synchronization with the network directory services based on established roles. In the example above, the configured role ‘Documentation’ shown in the Roles tab listing is selected as the Target Role for the LDAP sync task.

Here also, the entered LDAP Url represents the service where the LDAP operation is processed. The URL string follows the LDAP protocol standards which allow for additional attributes such as filter, scope and domain-specific constructs. In the shown example, the LDAP service is specified with the Domain Components (DC) references ‘altium’ and ‘biz’, and the Organizational Unit Name (OU) references of ‘Kiev’, ‘Users’ and ‘EMEA’.

Complete the LDAP server Authentication details with the credentials required to connect to the server. Note that you may need to check for the correct LDAP URL query syntax and login credentials with your company network administrator. For a full account of the LDAP syntax reference information, refer to the Lightweight Directory Access Protocol technical documentation.

There is a wide range of software available for communicating with (and hosting) Directory Services via LDAP. This includes freeware and open source client solutions such as the Ldap admin browser/editor, which, amongst other capabilities, provides a simple approach to creating LDAP Sync queries.

The LDAP synchronization task is completed by configuring the user Attribute mapping to match the type of LDAP server providing the directory services (Active Directory, OpenLDAP, etc.).

Each type of LDAP service responds with user information in its own format, and this is mapped to the vault's user fields through the various user attribute settings in the dialog's Attribute Mapping section. For example, givenName represents a user's First Name in an Active Directory service, while gn is used in OpenLDAP. The default settings are for a Windows Active Directory LDAP service.
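The two pieces of the sync task described above, the LDAP URL with its DC/OU components and the per-server attribute mapping, as an added example that is not Altium's own code: it splits an RFC 4516 LDAP URL into host, base DN, attributes, scope and filter, and applies an Active Directory or OpenLDAP mapping to a raw directory entry. The hostname, DNs and user entries are constructed sample values, and the mapping beyond givenName/gn (sAMAccountName, uid, mail) is an assumed one.

```python
from urllib.parse import urlsplit, unquote

def parse_ldap_url(url):
    """Split ldap[s]://host[:port]/dn[?attrs[?scope[?filter]]] (RFC 4516)
    into its parts; absent trailing parts get the RFC defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # urlsplit keeps the DN as the path and everything after the first '?' as the query
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in unquote(fields[0]).split(",") if a],
        "scope": unquote(fields[1]) or "base",
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }

def dn_components(dn):
    """Break a DN into (type, value) pairs, e.g. the OU and DC references of the
    base DN. Simplification: escaped commas inside values are not handled."""
    pairs = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        pairs.append((attr_type.strip(), value.strip()))
    return pairs

# Servers name user attributes differently: givenName (Active Directory) vs gn
# (OpenLDAP) as on the page; the remaining fields are an assumed mapping.
ATTRIBUTE_MAPS = {
    "active_directory": {"first_name": "givenName", "last_name": "sn",
                         "login": "sAMAccountName", "email": "mail"},
    "openldap": {"first_name": "gn", "last_name": "sn", "login": "uid", "email": "mail"},
}

def map_user(entry, server_type):
    """Apply the mapping for server_type to a raw entry (attribute -> list of
    values); an attribute missing from the entry yields None for that field."""
    mapping = ATTRIBUTE_MAPS[server_type]
    return {field: (entry.get(attr) or [None])[0] for field, attr in mapping.items()}

# Constructed sample entries, as each server type would return them.
AD_ENTRY = {"givenName": ["Anna"], "sn": ["Kovalenko"], "sAMAccountName": ["akovalenko"],
            "mail": ["anna@example.biz"]}
OPENLDAP_ENTRY = {"gn": ["Anna"], "sn": ["Kovalenko"], "uid": ["akovalenko"],
                  "mail": ["anna@example.biz"]}
```

Running map_user with the wrong server type on an entry is a quick way to see why a mismatched Attribute Mapping leaves user fields empty after a sync.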

When the Windows authentication type applies, the dialog's final User authentication type section allows you to define the correct domain for users of the service. When the LDAP rather than the Windows authentication type is selected, the Domain entry field does not apply.

In the Edit/Add LDAP sync task dialog, the correct LDAP synchronization query entries for your circumstances will depend on the type and configuration of the target network and server.

For hints and information about entry fields in the sync task dialog, hover the mouse pointer over each field's help icon.

The LDAP Sync feature in the Vault browser interface allows you to add multiple synchronization tasks for each of your target Roles. Existing tasks can be edited or deleted, or forced to run using the Run all tasks button – see the Last start date: entry above the task listings to check for LDAP synchronization activity.
