
User Directories

This view is used to add external user directories, such as Microsoft Active Directory, to the STAGE system so that they can be used to authenticate user access.

Overview

User Management - User Directories

The DETAILS section on the right can be expanded or collapsed by clicking the left or right arrow symbols.

Using the User Directory view

Adding a User Directory

  1. Click the add button. See section Connected User Directories.

  2. Select the directory interface type you want to add from the drop-down list.

  3. In the Setup tab, enter a Name for the User Directory and the general connection settings, such as Connection URL, Bind DN (user name) and Bind Credentials (user password).

  4. In the User Search tab, enter the user attributes required to retrieve the user data from the directory’s database.

  5. Optional: In the Group Sync tab, enable group synchronization if desired and enter the relevant configuration parameters.

  6. In the Extended tab, enable Import Users and Sync Registrations to create a local copy of the users in the directory and to keep them synchronized.

  7. Click the confirm button to save the settings.

  8. On the Setup tab, check the connection and authentication by clicking the Test Connection and Test Authentication buttons.

  9. Click the Status (Enable / Disable) button to activate the connection to the User Directory.

Connected User Directories

The table lists all the User Directories currently set up in STAGE.

By clicking on a User Directory, its Details are displayed in the right-hand side panel.

Filter

Set a filter to display only user directories whose name contains the search text.

Add

Click to add a new user directory. See section Adding a User Directory.

Status

Indicates whether the user directory is enabled or disabled in STAGE.

Name

Shows the name of the user directory.

Provider

Shows the protocol used by STAGE to connect to the external user directory.

Selected User Directory

The Details section on the right displays full information about the selected user directory.

  • Any changes in this section must be confirmed by clicking the confirm button.

  • Click the discard button to discard any changes.

  • The delete button removes the selected user directory after confirmation.

Setup Tab

Info

Name

Set the Name of this user directory.

Type

Shows the user directory type that was selected during the creation of this User Directory connection.
STAGE version 1.0 only supports Active Directory.

Status

Indicates whether the user directory is enabled or disabled in STAGE.

Click to enable or disable the connection to the User Directory.

Sync

Last Sync

Shows the date and time when STAGE was last synchronized with this user directory.

Click to immediately trigger a manual synchronization with the user directory.

Connection

Connection URL

Shows the URL of the user directory.

Connection URL

Set the URL of the user directory. For firewall access, see the chapter Default Ports, section STAGE Cluster <> Active Directory (both Internal & External Nodes).

Enable Start TLS

Set to upgrade the connection to encrypted communication using Transport Layer Security (Start TLS).

Use Truststore SPI

Set whether the truststore SPI is used for the connection (Always or Never).

Connection Timeout

Set the time period (in seconds) in which a response is expected for the connection.

Connection Pooling

Set to reuse an existing connection to the directory for requests instead of opening a new connection for each request.

Authentication Type

Set the authentication type: Simple (bind with Bind DN and Bind Credentials) or None (anonymous bind).

Bind DN

Set the distinguished name of the account (user name) that STAGE uses to bind to the directory.

Bind Credentials

Set the password of the bind account used to connect to the server.

Users DN

Set the Distinguished Name of the entry under which users are located in the user directory, for example ou=users,dc=example,dc=com.

Test Connection / Authentication

Test Connection

Click to test the connection to the user directory.

The test result is displayed to the left of the button.

Test Authentication

Click to test the authentication to the user directory.

The status result is displayed to the left of the button.

User Search Tab

Custom User Search Filter

Set an additional LDAP filter that restricts which directory entries are treated as users; leave it empty if no further filtering is needed.

User Name Attribute

Set the LDAP attribute that holds the user name used to log in.

UUID Attribute

Set the LDAP attribute whose value is the universally unique identifier (UUID) of an entry; it serves as the stable identifier of a user.

RDN Attribute

Set the attribute that forms the relative distinguished name (RDN) of a user entry, i.e. the entry's name relative to its parent.

User Object Classes

Set the LDAP object classes that identify user entries; an object class defines the mandatory and optional attributes an entry of that class can have.

Read Timeout

Set the time period (in seconds) in which a response to a read command is expected. 0 = unlimited / no timeout.

Edit Mode

Set the edit policy for the directory.

ReadOnly: Elements cannot be changed.

Writeable: Elements changed in STAGE are updated in the directory.

Unsynced (Default): Elements changed in STAGE are not updated in the directory.

SearchScope

Set the search depth.

One Level: Only the level set by the Bind DN parameter is searched.

Subtree: The full tree set by the Bind DN parameter and everything below it is searched.

Use Pagination

Set to retrieve query results in pages, so that a query is answered completely even when its result exceeds the server's standard page size.

Pagination should be activated when more than 1000 users are to be synchronized.
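As an added example (not part of the STAGE documentation or product), the following Python shows which entries a search reaches under the two Search Scope settings when it starts from a base DN. The DN parser, the function names and the sample DNs are constructed for this illustration; the parser handles backslash-escaped commas only, not hex escapes or quoted values.

```python
import re


def split_dn(dn: str) -> list:
    """Split a DN into its RDN components, most specific first.

    Minimal parser (assumption for this example): a comma preceded by a
    backslash is part of the value, not a separator."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def rdn(dn: str) -> str:
    """The entry's own name relative to its parent (what the RDN Attribute names)."""
    return split_dn(dn)[0]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if a search from base_dn with the given Search Scope returns entry_dn."""
    entry = [p.lower() for p in split_dn(entry_dn)]   # DN comparison is case-insensitive
    base = [p.lower() for p in split_dn(base_dn)]
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False                                   # the base itself, or not below it
    depth = len(entry) - len(base)
    if scope == "One Level":
        return depth == 1                              # direct children of the base only
    if scope == "Subtree":
        return True                                    # everything below the base
    raise ValueError(f"unknown scope {scope!r}")


def users_found(entry_dns: list, base_dn: str, scope: str) -> list:
    """Filter a list of entry DNs down to those a search would return."""
    return [dn for dn in entry_dns if in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    # Constructed sample directory: one user directly under ou=users, one in a
    # sub-OU, one with an escaped comma in its CN, and a group outside the base.
    SAMPLE = [
        "uid=alice,ou=users,dc=example,dc=com",
        "uid=bob,ou=sales,ou=users,dc=example,dc=com",
        "cn=Smith\\, John,ou=users,dc=example,dc=com",
        "cn=app-admins,ou=groups,dc=example,dc=com",
    ]
    for scope in ("One Level", "Subtree"):
        print(scope, "->", users_found(SAMPLE, "OU=Users,DC=example,DC=com", scope))
```

With One Level, bob in the sales sub-OU is not found; switching to Subtree returns him, which is why the scope and the base DN must be chosen together.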

Group Sync Tab

Sync Groups

Set to keep local groups synchronized with the user directory.

Groups DN

Set the Distinguished Name of the entry under which groups are located in the directory, for example ou=groups,dc=example,dc=com.

Group Name Attribute

Set the group name attribute for your directory. For example, for Active Directory, use sAMAccountName.

Group Object Classes

Set the LDAP object classes that identify group entries.

Ignore Missing

Set to ignore missing groups in the group hierarchy, so that the remaining groups are still found successfully.

Membership Attribute

Set the LDAP attribute of the group that lists its members. When Membership Attribute Type is UID, this is typically memberUid. In all other scenarios the value will be member.

Membership Attribute Type

Set the membership type.

DN: This LDAP group has its members declared in the form of their full DN.

UID: This LDAP group has its members declared in the form of plain user uids.

Membership User Attribute

Set the name of the LDAP attribute of the user that is used for membership mappings. It is used only if Membership Attribute Type is UID. For example, if the value of Membership User Attribute is uid and the LDAP group has 'memberUid: john', then that LDAP user is expected to have the attribute 'uid: john'.

Custom Group Filter

Set an additional LDAP filter that restricts which groups are retrieved. Each filter must be enclosed in (parentheses). To retrieve all groups, leave this field empty.

Mode

Set how the groups of a user are retrieved.

Load Groups by Member Attribute: The user's groups are retrieved by querying for all groups whose 'member' attribute contains our user.

Get Groups from User Memberof Attribute: The user's groups are read from the 'memberOf' attribute of our user, or from the attribute specified by Member Of Attribute.

Load Groups by Member Attribute Recursively: Applies to Active Directory only. The user's groups are retrieved recursively, including nested groups, using the LDAP_MATCHING_RULE_IN_CHAIN LDAP extension.

Member Of Attribute

When Mode is set to Get Groups from User Memberof Attribute, set the name of the LDAP attribute on the LDAP user that contains the groups the user is a member of. Usually this is memberOf, the default value.

Drop non-existing Groups

Set to delete groups in the Keycloak database that are no longer found during an LDAP synchronization.
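The following Python is an added example, not STAGE or Keycloak code: it builds the group query for each Mode described above, applies a Custom Group Filter and the Membership Attribute Type, and escapes the user's DN or uid as RFC 4515 requires before placing it in the filter, which is what keeps a directory value containing parentheses or wildcards from changing the meaning of the query. The function names, the short Mode identifiers ('member', 'memberof', 'recursive') and the sample values are assumptions made for this example.

```python
# Matching-rule OID behind Active Directory's LDAP_MATCHING_RULE_IN_CHAIN.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    # Backslash must be replaced first so the other escapes are not re-escaped.
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                     (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(raw, esc)
    return value


def with_custom_filter(base: str, custom: str = "") -> str:
    """AND a Custom Group Filter onto a generated filter; it must be in (parentheses)."""
    custom = custom.strip()
    if not custom:
        return base                                  # empty field: all groups
    if not (custom.startswith("(") and custom.endswith(")")):
        raise ValueError("custom filter must be enclosed in parentheses")
    return f"(&{base}{custom})"


def build_group_filter(mode, membership_attr, attr_type, user_dn, user_uid="", custom=""):
    """Filter sent to find one user's groups for the given Mode, or None for
    'memberof' (no group query: the user's Member Of Attribute is read instead)."""
    if mode == "memberof":
        return None
    # Membership Attribute Type decides which value the group stores per member.
    value = user_uid if attr_type == "UID" else user_dn
    if mode == "member":
        base = f"({membership_attr}={escape_filter_value(value)})"
    elif mode == "recursive":                        # Active Directory only, nested groups
        base = f"({membership_attr}:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return with_custom_filter(base, custom)


if __name__ == "__main__":
    # Constructed sample user; the parentheses in the CN show why escaping matters.
    dn = "CN=John Doe (Sales),OU=users,DC=example,DC=com"
    print(build_group_filter("member", "member", "DN", dn, custom="(cn=app-*)"))
    print(build_group_filter("recursive", "member", "DN", dn))
    print(build_group_filter("member", "memberUid", "UID", dn, user_uid="john"))
```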

Extended Tab

Import Users

Set to create a local copy of users in the user directory.

Sync Registrations

Set to keep local users synchronized with the user directory. Users that are no longer found are removed from the user directory.

Sync Batch Size

Describes how many users are fetched per chunk.
For up to 1000 users, all users are fetched in one go with the value -1.
For more users, a good value is 25.

Changed Sync Period

Defines whether periodic synchronization of changed or newly created LDAP users to Keycloak is enabled.
-1 means disabled; a value > 1 defines the time period in seconds in which STAGE resynchronizes all users.

This is only recommended if changed or added users are to be synchronized automatically and if this happens frequently.

Full Sync Period

Defines whether the periodic full synchronization of LDAP users to Keycloak is enabled.
-1 means disabled; a value > 1 defines the time period in seconds in which STAGE resynchronizes all users.

This is a significant load on the system and is not recommended.

Kerberos Integration

Allow Authentication with Kerberos: Set to allow authentication with Kerberos.

Use Kerberos for Password Authentication: Set to use Kerberos for password authentication.

Extended Configuration

LDAPv3 password modify extended operation: Set to hash the passwords when storing them in the LDAP server.

Certain LDAP servers hash passwords by default. Other LDAP servers store the passwords in plain text unless you set this option.

Validate Password Policy: Set to validate the strength of user passwords to further enforce security.

Trust Email: Set to send users a verification email to confirm their existence.
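As an added example (not part of STAGE), the following Python checks a set of Setup, User Search and Extended tab settings against the points this page makes before a directory is enabled: an ldap:// connection without Start TLS, an anonymous bind, a Simple bind with empty credentials, and pagination or batch size settings unsuited to more than 1000 users. The dictionary keys, the check function and the two sample configurations are constructed for this example; expected_users is an assumed input, not a STAGE setting.

```python
def check_directory_config(cfg: dict) -> list:
    """Return (severity, message) findings for one User Directory configuration."""
    findings = []
    url = cfg.get("connection_url", "").lower()
    start_tls = cfg.get("enable_start_tls", False)
    if url.startswith("ldap://") and not start_tls:
        findings.append(("high", "ldap:// without Start TLS: bind credentials and "
                                 "user data cross the network unencrypted"))
    if (url.startswith("ldaps://") or start_tls) and cfg.get("use_truststore_spi", "Never") == "Never":
        findings.append(("info", "TLS in use but Use Truststore SPI is Never: confirm the "
                                 "directory's certificate chain is trusted without the STAGE truststore"))
    if cfg.get("authentication_type", "Simple") == "None":
        findings.append(("medium", "Authentication Type None: anonymous bind, no service account"))
    elif not cfg.get("bind_dn") or not cfg.get("bind_credentials"):
        findings.append(("high", "Simple authentication but Bind DN or Bind Credentials is empty"))
    if cfg.get("edit_mode", "Unsynced") == "Writeable":
        findings.append(("info", "Writeable edit mode: changes made in STAGE are written to the directory"))
    users = cfg.get("expected_users", 0)            # assumed input for this example
    if users > 1000 and not cfg.get("use_pagination", False):
        findings.append(("medium", "more than 1000 users but Use Pagination is off: results may be "
                                   "cut off at the server's page size"))
    if users > 1000 and cfg.get("sync_batch_size", -1) == -1:
        findings.append(("low", "more than 1000 users with Sync Batch Size -1: 25 is the recommended value"))
    if cfg.get("full_sync_period", -1) > 1:
        findings.append(("low", "periodic Full Sync enabled: significant load on the system, not recommended"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a weak configuration and its corrected counterpart.
    WEAK = {"connection_url": "ldap://dc01.example.test:389", "enable_start_tls": False,
            "use_truststore_spi": "Never", "authentication_type": "None",
            "use_pagination": False, "expected_users": 2500, "sync_batch_size": -1}
    FIXED = {"connection_url": "ldaps://dc01.example.test:636", "use_truststore_spi": "Always",
             "authentication_type": "Simple", "bind_dn": "CN=svc-stage,OU=service,DC=example,DC=test",
             "bind_credentials": "<placeholder-password>", "use_pagination": True,
             "expected_users": 2500, "sync_batch_size": 25}
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, check_directory_config(cfg))
```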
