We will walk you through the process of creating and connecting user directories using an example. For this guide, we are using a Microsoft Active Directory.
Creating a user directory
Log in to COYO as an administrator and open the administration section. Click on the item "User directories". There you will see (as shown in the picture) the user directory "Application Database", which contains all local users created in COYO.
Click on "Create Directory" to add a new user directory.
Then enter a name, select the type "Active Directory" and activate the directory by setting the checkmark in the checkbox.
The next step is to fill in the details in the individual tabs. We start with the connection: Hostname, Port, Base DN, Username, and Password are mandatory fields that must be filled in.
As hostname, you enter the server that manages your user directory.
The default LDAP port is 389. The default port for encrypted SSL communication is port 636. If you enable SSL, your AD server needs a certificate signed by a publicly trusted certificate authority. The encryption then works "out of the box".
It is not possible to use a self-signed certificate in our COYO Cloud. For COYO Enterprise installations it is possible to import a self-signed certificate into the JVM of the backend container.
An entry for AD domain is only necessary if you manage multiple domains in your AD. If this is the case for you, but you only want to include one domain, enter it here.
Due to the limitations of the LDAP protocol, wildcards cannot be used for DN attributes.
In the field "Filter for group objects" we specify an LDAP filter to synchronize only certain groups. For each group, COYO compares the value of the "User attribute for group memberships" with the "Group ID". If both values are equal, the user is assigned to this group. In our example, only groups whose name starts with "COYO-GROUPS-" are synchronized.
Nested groups are not considered.
The remaining attributes are optional. We recommend you use the default values. If you are using OpenLDAP, "User attribute for group memberships" must be specified.
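The group assignment described above, as an added illustration that is not COYO's own code: a constructed sample directory, a simple LDAP filter of the assumed form (cn=COYO-GROUPS-*), and the comparison of each user's memberOf values against the group DN used as Group ID. It also shows the consequence of nested groups not being considered.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample directory (not real data). Group ID is assumed to be the
# group DN and the user's membership attribute is assumed to be memberOf.
GROUPS = {
    "CN=COYO-GROUPS-Sales,OU=Groups,DC=example,DC=com": {"cn": "COYO-GROUPS-Sales", "member": []},
    # "All" contains "Sales" as a nested group.
    "CN=COYO-GROUPS-All,OU=Groups,DC=example,DC=com": {
        "cn": "COYO-GROUPS-All",
        "member": ["CN=COYO-GROUPS-Sales,OU=Groups,DC=example,DC=com"]},
    "CN=Domain Users,CN=Users,DC=example,DC=com": {"cn": "Domain Users", "member": []},
}
USERS = {
    # alice is a direct member of Sales only; her nested membership in All is not listed.
    "alice": {"memberOf": ["CN=COYO-GROUPS-Sales,OU=Groups,DC=example,DC=com",
                           "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    "bob": {"memberOf": ["CN=COYO-GROUPS-All,OU=Groups,DC=example,DC=com"]},
    "carol": {"memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
}

_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")


def group_matches_filter(attrs: dict, ldap_filter: str) -> bool:
    """Evaluate a single-clause LDAP equality filter such as (cn=COYO-GROUPS-*).
    Only this simple form is supported here; '*' is the LDAP substring wildcard
    and attribute values are compared case-insensitively, as AD does for cn."""
    m = _SIMPLE_FILTER.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, pattern = m.groups()
    return fnmatchcase(attrs.get(attr, "").lower(), pattern.lower())


def assign_groups(users: dict, groups: dict, ldap_filter: str,
                  membership_attr: str = "memberOf") -> dict:
    """Return {user: [group DNs]}: a group is synced only if it passes the filter,
    and a user joins it only if the group's ID (its DN) appears directly in the
    user's membership attribute. Nested membership is deliberately ignored."""
    synced = {dn for dn, attrs in groups.items() if group_matches_filter(attrs, ldap_filter)}
    return {uid: sorted(dn for dn in u.get(membership_attr, []) if dn in synced)
            for uid, u in users.items()}


if __name__ == "__main__":
    for uid, dns in assign_groups(USERS, GROUPS, "(cn=COYO-GROUPS-*)").items():
        print(uid, dns)
```

Note that alice ends up only in COYO-GROUPS-Sales even though Sales is nested in COYO-GROUPS-All, and "Domain Users" is never synchronized because it does not pass the filter.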
Users can be stored in the directory as a link to another domain or directory. With the setting "Follow links" enabled, such links are followed during synchronization.
If your sync terminates with a timeout error, it may be due to an attempt to follow a link that is not reachable, or to insufficient permissions.
With "Just-in-time synchronization", users are only created and their user data synchronized when they log in. This setting makes sense if you only want to import users who actually log in. For this purpose, automatic synchronization should be deactivated so that not all users are created in COYO in advance.
"Orphaned Users" are users who currently exist as active users in COYO but are no longer present in the LDAP directory. It is possible to ignore, deactivate or delete these users.
The item "Restore Users" allows you to reactivate deactivated or deleted users if they are present in the user directory again.
It is not possible to restore anonymized users. A previously anonymized user can only be created again as a new user. Anonymization is deactivated by default and can be activated in the "General Settings" of the administration.
- 0 0 0 * * * = Every day at midnight.
- */10 * * * * * = Every 10 seconds.
- 0 0 8-10 * * * = 8, 9 and 10 o'clock every day.
- 0 0 6,19 * * * = 6am and 7pm every day.
- 0 30 3 * * * = 3:30 in the morning every day.
- 0 0/30 8-10 * * * = Every 30 minutes from 8 am to 10:30 am every day.
- 0 0 9-17 * * MON-FRI = Every hour from 9 am to 5 pm from Monday to Friday.
- 0 0 0 25 12 ? = Midnight on Christmas Eve.
From version 24 we are limiting the options for sync execution to once per day (at night), several times a day (every four hours) and once per hour.