Create and connect user directories in COYO – COYO Campus

In COYO, different user directories can be connected through LDAP. You can choose between Active Directory and LDAP, both use the LDAP protocol. The difference lies in the values that are suggested for the attributes and the field "AD domain".

We will walk you through the process of creating and connecting user directories using an example. For this guide, we are using a Microsoft Active Directory.

Creating a user directory

Log in to COYO as an administrator and open the administration section. Click on the item "User directories". There you will see, as you can see in the picture, the user directory "Application Database". This directory contains all local users that are created in COYO.

Click on "Create Directory" to add a new user directory.

Then select a name, the type "Active Directory" and activate the directory in which you set a checkmark in the checkbox.

Connection

The next step is to fill in the details in the individual tabs. We start with the connection: Hostname, Port, Base DN, Username, and Password are mandatory fields that must be filled in.

As hostname, you enter the server that manages your user directory.

The default LDAP port is 389. The default port for encrypted SSL communication is port 636. If you enable SSL, your AD server needs an officially signed certificate. The encryption works "out of the box".

Note:
It is not possible to use a self-signed certificate in our COYO Cloud. For COYO Enterprise installations it is possible to enter a self-signed certificate in the JVM of the backend container.

An entry for AD domain is only necessary if you manage multiple domains in your AD. If this is the case for you, but you only want to include one domain, enter it here.

For each connection, the Base Distinguished Name ("Base DN") must be entered. Optionally, additional DNs can be entered to define more precisely where to search for user accounts.

As user name LDAP needs a user who has sufficient read permission for the objects that are synchronized. COYO will not change anything in your user directory and therefore does not need to write permission. The password of this user is required.

With a click on "Test connection", your directory will be checked if your directory is accessible with these settings.

User

This tab defines which users will be synchronized. Without any further configuration, everything will be read, so we need at least an user object class. By default, every user of an active directory should be a person.

For a more precise selection of users, you define "additional user DN" ("additional user dn").

In addition to this selection, you can work with LDAP filter syntax via "User object filter". This allows only users to be considered for COYO, which are e.g. members of the group "COYO-GROUPS-ALL". Furthermore, users who are no longer members of this group are treated as orphaned users. You can read more about this in the article below. More complex filters are also possible.

We recommend that you only use "objectGUID" as your user ID, as this attribute is unique and does not change. The remaining attributes and profile fields are optional. We recommend that you use the default attributes to avoid issues.

Groups

To synchronize groups from the user directory, you first have to activate the checkbox "Synchronize groups". In this example, we use the suggested values and an additional group DN, which defines the location of the groups.

In the field "Filter for group objects" we specify an LDAP filter syntax to synchronize only certain groups. COYO checks "User attribute for group memberships" and "Group ID". If both values are equal, the user will be assigned to this group. In our example, all groups starting with "COYO-GROUPS-" are filtered.

Note:
Nested groups are not considered.

The remaining attributes are optional. We recommend you use the default values. If you are using OpenLDAP, "User attribute for group memberships" must be specified.

Synchronization

In this tab, you can make settings for synchronization. Since the LDAP protocol works with page numbering, "Page Size" must be defined. A value of 100 means that COYO synchronizes 100 elements per query.

Users can be stored in the directory as a link to another domain or directory, with the setting "Follow links", the links will be considered.

Note:
If your sync terminates with a timeout error, it may be due to an attempt to follow a link that is not reachable or insufficient permissions.

The "Activation" checkbox allows new and restored users to be activated during synchronization. Otherwise, you would have to manually set the status of the users to "Active" in the user management. If you have activated terms of use in the administration, the new and restored users will remain on "Hidden" until they have accepted them.

With "Just-in-time synchronization" the users are only created and the user data synchronized when they log in.

"Orphaned Users" are users who currently exist as active users in COYO but are no longer present in the LDAP directory. It is possible to ignore, deactivate or delete these users.

The item "Restore Users" allows to reactivate deactivated or deleted users if they are present in the user directory again.

Note:
It is not possible to restore anonymous users. The previously anonymous user can then only be created as a new user. Anonymization is deactivated by default and can be activated in the "General Settings" of the administration.

Sync Execution

Here you can configure the regularity of the synchronization. The configuration is done by a so-called cron pattern.

Examples:

0 0 * * * * = Every day at midnight.
*/10 * * * * * = Every 10 seconds.
0 0 8-10 * * * = 8, 9 and 10 o'clock every day.
0 0 6,19 * * * = 6am and 7pm every day.
0 30 3 * * * = 3:30 in the morning every day.
0 0/30 8-10 * * * = Every 30 minutes from 8 am to 10:30 am every day.
0 0 9-17 * * MON-FRI = Every hour from 9 am to 5 pm from Monday to Friday.
0 0 0 25 12 ? = Midnight on Christmas Eve.