Configuring Active Directory Authentication
GlobalForms 10.1 supports Active Directory Integration for Authentication. To configure this, you will need the following information prior to getting started:
- The server name of a Domain Controller, or a network address that resolves to one or more domain controllers.
- Your Base Domain Name, which is the root FQDN of your domain. For example, for subdomain.root.local the base domain name is root.local.
- The Organizational Units containing the users you'll be enabling to access GlobalForms.
- The username and password of an account used to authenticate against Active Directory.
Once you've gathered this information, it needs to be entered into X:\GlobalForms\config\default.json. X:\GlobalForms represents the location you installed GlobalForms 10.
- Open your default.js file in a text editor such as Notepad or Notepad++.
- Locate the LDAP section, which is commented out by default.
- Note: if you have upgraded from GlobalForms 10.0, the LDAP section will not be in your configuration file and will need to be added manually.
- Remove the starting slashes "\\" to uncomment the LDAP lines until your configuration matches the one below.
The options you can set are:
- URL: The location of your Domain Controller. By default, LDAP uses port 389 to connect.
- BaseDN: The root FQDN of your server; for example, square9.local would be entered as dc=square9,dc=local.
- OU: You can limit GlobalForms 10 to pull objects from OUs specified here.
- Interval: How frequently users are synced from AD, in minutes. Note that specifying 0 will indicate that the system should never automatically sync.
- Filter: Restricts the sync to specific objects. If you leave this commented out, all objects will be pulled.
- Username: The username used to authenticate to your domain. This account must have sufficient rights and access to read users/groups on your domain.
- Password: The password for the aforementioned user.
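A pre-flight check for the values listed above, as an added example that is not part of the GlobalForms documentation or product: it derives the BaseDN from the base domain name and flags settings worth a second look before the service is restarted. The function and parameter names are hypothetical, and it assumes OUs are written as full distinguished names and that the URL takes an ldap:// or ldaps:// form.

```python
# Added example: review of the values gathered for the LDAP section.
# Parameter names are hypothetical; they mirror the option list above,
# not the product's actual configuration keys.
import re
from urllib.parse import urlparse

LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def base_dn(domain):
    """Turn a base domain name such as square9.local into dc=square9,dc=local."""
    parts = domain.strip().rstrip(".").split(".")
    if len(parts) < 2 or not all(LABEL.match(p) for p in parts):
        raise ValueError(f"not a usable base domain name: {domain!r}")
    return ",".join(f"dc={p.lower()}" for p in parts)


def review(url, domain, ous, interval, ldap_filter):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    dn = base_dn(domain)
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        findings.append(f"URL {url!r} is not an ldap:// or ldaps:// address")
    elif parsed.scheme == "ldap":
        # Assumption: the service does a simple bind, which over plain LDAP
        # sends the service account password unencrypted.
        findings.append("plain ldap:// URL: confirm the bind password is protected in transit")
    if not ous:
        findings.append("no OU given: objects are not limited to specific OUs")
    for ou in ous:
        # Compare case-insensitively and ignore spaces around commas.
        normalized = re.sub(r"\s*,\s*", ",", ou.strip()).lower()
        if not normalized.startswith("ou="):
            findings.append(f"OU {ou!r} does not start with ou=")
        if not normalized.endswith("," + dn):
            findings.append(f"OU {ou!r} is not under {dn}")
    if not isinstance(interval, int) or interval < 0:
        findings.append("Interval must be a whole number of minutes")
    elif interval == 0:
        findings.append("Interval 0: users are never synced automatically")
    if not ldap_filter:
        findings.append("no Filter: all objects will be pulled")
    return findings
```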
Once this is configured, restart your GlobalForms service in the Services area in Windows. The GlobalForms service should be running as Local System.
Synchronization can be done manually by clicking on the "Synchronize AD" button after logging into GlobalForms 10 as the administrator user. Automatic synchronization will not commence until the first interval period has elapsed after starting the service.
Once setup and sync are complete, usage is transparent. Any AD groups synchronized into the GlobalForms platform will be available from the access tab on a form. Note that permissions applied on the access tab are considered "in addition to" permissions that may be applied by GlobalCapture to a specific submission in a validate node.
Customers should target specific OUs to avoid cluttering the system with unneeded users and groups. The access tab of GlobalForms becomes important in scenarios where you don't want specific users to be able to submit forms into a process. By default, any user that has been synchronized will have access to create new submissions for any form. This default behavior is a direct result of the default permission set for a form being set to the "Authenticated" role.