
Overview of LDAP server synchronization

To synchronize an LDAP server to the NexJ CRM server, you must first create and configure the sync target for the LDAP server, then configure the user and user group links, which are automatically created but filled with default values.

The server is the main location for the information that is stored, while each link points to a location within the server where user or user group data is stored.

LDAP servers can only be involved in inbound synchronization, not in outbound synchronization, which means that the information in NexJ Customer Relationship Management will be updated according to the information on the LDAP server, but changing information in NexJ CRM will not affect the LDAP server.

Synchronization with the LDAP server occurs automatically at set intervals, though you can also perform a manual synchronization from this page. All updates to the LDAP server (creations, modifications, deletions) are synchronized to NexJ CRM. This synchronization only updates users that are synchronized with this LDAP server.

You can set up LDAP server synchronization in either a single-domain environment or a multi-domain environment. When setting up synchronization in a multi-domain environment, you should give your NexJ Customer Relationship Management server access to your LDAP Global Catalog.

User and email synchronization details

NexJ differentiates between users created in the application and those from synchronization with an LDAP server.

When new users are synchronized to the NexJ server from the LDAP server, each user's attributes that are accessed from the LDAP server, such as first and last names, are uneditable in NexJ CRM or NexJ Admin Console. However, the user details that were not taken from the server are still editable.

There is a conflict when a user in the LDAP server is created independently in NexJ Admin Console with the same login name. The conflict is resolved by merging the two users.

When an LDAP user has been deleted (or removed from a synchronized group), the corresponding NexJ user is soft-deleted (removed from the application, but not from the database). When this LDAP user is recreated (or added back to a synchronized group), the corresponding NexJ user is restored to the active status.

Email addresses for a user are also synchronized from LDAP to NexJ. If the NexJ user does not have a default email address, then it is set to the default LDAP email address. Also, deleting emails in the LDAP server only affects the emails which have been synchronized from LDAP. The emails created in NexJ CRM will not be removed.

All emails that are synchronized from the LDAP server will become read-only tasks in NexJ CRM, and will only be updated or deleted through the LDAP server.

The LDAP synchronization will work best if the users and user groups are kept in separate folders, and if the folders you search contain nothing but the objects that should be synchronized (users or user groups).

Adding and configuring LDAP sync targets

To configure NexJ CRM to synchronize with an LDAP server, you must first set up a sync target to the LDAP server.

To add and configure an LDAP sync target in NexJ Admin Console:

  1. Navigate to the Synchronization page.
  2. At the top of the Targets list, click the Add Server button and select LDAP. A new LDAP server appears in the list. In the target details area, the new server's details appear, with default values entered in every field. Note also that the server has two default links displayed at the bottom of the page: LDAP user group link and LDAP user link.
  3. In the target details area, click the Edit button. The Edit LDAP Server dialog opens.
  4. In the Name field, enter a name for the LDAP server.

    Each server must have a unique name.

  5. In the URL field, enter the URL that points to the LDAP server.

    In a multi-domain environment, the URL should point to an LDAP server that has the Global Catalog role enabled. If the URL begins with ldaps://, the network traffic is encrypted using SSL. If the LDAP server does not use SSL, the URL must begin with ldap://; in that case, Kerberos authentication can still be used to encrypt the network traffic. Configuring an LDAP target without SSL or Kerberos encryption is discouraged.

  6. In the Authentication protocol field, choose how your NexJ CRM server will authenticate with the LDAP server.
    • Kerberos v5
      Authenticates with the LDAP server using Kerberos tickets.
    • Simple password-based
      Authenticates with the LDAP server using a specified username and password.
  7. If you selected Simple password-based, in the Login and Password fields, enter the credentials that will be used to authenticate with the LDAP server.
  8. In the Timer period, minutes field, enter the time, in minutes, that you want the system to wait between synchronizations. The default value, 60, indicates that the NexJ CRM server will synchronize with the LDAP server once every hour.
  9. Select the Inbound checkbox to enable synchronization from the LDAP server to NexJ CRM. If you want to disable inbound synchronization from the LDAP server, clear this checkbox.

    Outbound synchronization to LDAP servers is not supported in NexJ CRM. Selecting the Outbound checkbox has no effect.

  10. The Number of entities read per page and Search time limit, ms. fields are related to how the information on the LDAP server is accessed, and can be left as their default values.
  11. Click OK to save the LDAP sync target.

    Once an LDAP sync target has been added, it cannot be removed or deleted. It can, however, be disabled so that no synchronization occurs.

    The Edit LDAP Server dialog closes.
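The checks a practitioner would run over the values entered in steps 4 to 9, written as an added example rather than code from NexJ: it flags an ldap:// URL that is not paired with Kerberos v5 (the discouraged unencrypted case), a simple bind without both credentials, and a non-positive timer period. The dictionary keys (url, protocol, login, password, timer_minutes, inbound) are assumed names for the dialog fields, and the host names are constructed.

```python
from urllib.parse import urlsplit

# Assumed field names mirroring the Edit LDAP Server dialog; NexJ stores these
# in its own model, so this dict shape is an assumption made for the example.
KERBEROS = "Kerberos v5"
SIMPLE = "Simple password-based"


def check_ldap_target(target: dict) -> list[str]:
    """Return a list of findings for one LDAP sync target configuration.

    An empty list means the target encrypts its directory traffic (ldaps://
    or Kerberos v5) and the remaining fields hold usable values.
    """
    findings = []
    url = urlsplit(target.get("url", ""))
    scheme = url.scheme.lower()
    protocol = target.get("protocol", "")

    if scheme not in ("ldap", "ldaps"):
        findings.append(f"URL scheme must be ldap:// or ldaps://, got {url.scheme!r}")
    elif scheme == "ldap" and protocol != KERBEROS:
        # Neither SSL nor Kerberos protects the session: the discouraged case.
        findings.append("ldap:// without Kerberos v5: directory traffic is unencrypted")
    if scheme in ("ldap", "ldaps") and not url.hostname:
        findings.append("URL has no host")

    if protocol == SIMPLE:
        if not target.get("login") or not target.get("password"):
            findings.append("Simple password-based authentication needs both Login and Password")
    elif protocol != KERBEROS:
        findings.append(f"unknown authentication protocol {protocol!r}")

    timer = target.get("timer_minutes", 60)
    if not isinstance(timer, int) or timer <= 0:
        findings.append("Timer period must be a positive number of minutes")
    if not target.get("inbound", True):
        findings.append("Inbound is cleared: this target will never synchronize")
    return findings


# Constructed sample targets (host names are placeholders).
GOOD_TARGET = {
    "name": "corp-gc",
    "url": "ldaps://gc.example.test:3269",  # 3269 is the Global Catalog SSL port
    "protocol": KERBEROS,
    "timer_minutes": 60,
    "inbound": True,
}
WEAK_TARGET = {
    "name": "corp-dc",
    "url": "ldap://dc.example.test",
    "protocol": SIMPLE,
    "login": "svc-nexj-sync",
    "password": "placeholder",
}

if __name__ == "__main__":
    for t in (GOOD_TARGET, WEAK_TARGET):
        print(t["name"], check_ldap_target(t) or ["ok"])
```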

You have set up a sync target for the LDAP server.

Before synchronization can take place, you must next configure the user link and user group link for the sync target.

Configuring links

Every LDAP server is given two links: LDAP user group link and LDAP user link. These two links point to where the information related to user groups and users is stored, respectively. To configure either link, follow these steps:

After you have finished configuring the LDAP server synchronization, you must synchronize with the server once to establish group mapping (see step 6) before being able to synchronize users.

  1. Navigate to the Synchronization page.
  2. In the Synchronization tab, click the link you want to configure in the Links list. The link's details will appear in the link details area.
  3. In the link details area, click the Edit button. The Edit LDAP Group Link dialog opens.
  4. Enter a name for the link in the name field or leave it as the default value.
  5. Like the LDAP server, each link has an Inbound checkbox and an Outbound checkbox. Select the Inbound checkbox to enable inbound synchronization for the information stored in that link.

    A link is synchronized only when both the link and the corresponding server synchronizations are enabled.

    You will now configure where in the server the link will point to and how data will be gathered.

    For steps 4 and 5 you will need direct access to the attributes of the objects (i.e. folders, users, and user groups) in your server. The Active Directory Users and Computers administrative tool does not show these attributes; you need an LDAP browser, several of which are available online as free downloads.

    The Distinguished name for the context field is used in conjunction with the Scope field to specify where in the LDAP server you will search. Each object in the LDAP server has a distinguishedName attribute that serves to identify it in the server's hierarchical structure. In the Distinguished name for the context field, enter the value of the distinguishedName attribute of the location (i.e., folder) in the LDAP server you want to search.

    The Scope field determines how far in the hierarchy you will search. There are three options:

    Search the context

    This will search the object that was specified by the distinguished name you entered above, and nothing else. If you specified a folder, the synchronization will not return any users or user groups, as NexJ will only look at the folder object.

    Search directly under the context

    This will search all of the objects that are children of (i.e. directly under) the object specified by the distinguished name you entered. If you specified a folder, the synchronization will return any users or user groups that are in that folder, but not any found within sub-folders.

    Search the subtree rooted at the context

    This is the same search as the previous one, except all users and user groups found in sub-folders of the folder you specified will be included as well.

  6. The ID attribute will be used to uniquely identify a user or user group. You should use the ObjectGUID attribute, if it exists on your server; if not, you may use the distinguishedName attribute instead. The transformation determines how the information accessed in the LDAP server is converted into information that is stored as objects in the NexJ database. Leave this value as the default value.
  7. While the previous attributes may be configured independently in the user groups link and users link, the membership attribute fields for the user groups and users links must be configured together. This field uses two attributes (one belonging to user groups and the other belonging to users) to map users to groups; that is, to determine which users belong to which groups.

    The values of the attributes specified in the membership attribute fields on the users link and user groups link must be the same for membership to be determined.

    For example, for Windows Active Directory, you can enter the memberOf attribute in the users link and the distinguishedName attribute in the user groups link for these fields. In Active Directory, when a user belongs to a group, the user acquires a memberOf value equal to the distinguishedName of that group, so equality of these two values establishes membership.
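The three Scope options described in step 5 (search the context, directly under it, or the subtree rooted at it), worked through as an added example that is not NexJ's code: a small DN splitter and an in_scope() check are run over a constructed Active Directory-style tree, filtered by objectClass the way the user link would. It shows the caveat from the text, that base scope on a folder returns no users, and it also handles a DN with an escaped comma. All entry names and the example.test domain are constructed.

```python
def dn_components(dn: str) -> list[str]:
    """Split a DN into its RDNs, most specific first, honouring '\\,' escapes.

    Components are lower-cased and stripped because DN matching is
    case-insensitive. Toy parser for this example: multi-valued RDNs and
    hex escapes are not handled.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escaped char with its backslash
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip().lower())
    return parts


def in_scope(entry_dn: str, context_dn: str, scope: str) -> bool:
    """Does entry_dn fall inside the search defined by the context DN and scope?"""
    entry, ctx = dn_components(entry_dn), dn_components(context_dn)
    if len(entry) < len(ctx) or entry[-len(ctx):] != ctx:
        return False                       # not under the context at all
    depth = len(entry) - len(ctx)          # 0 = the context object itself
    if scope == "base":                    # "Search the context"
        return depth == 0
    if scope == "onelevel":                # "Search directly under the context"
        return depth == 1
    if scope == "subtree":                 # "Search the subtree rooted at the context"
        return True
    raise ValueError(f"unknown scope {scope!r}")


def search(directory: dict, context_dn: str, scope: str, object_class: str) -> list[str]:
    """DNs in the directory that match the scope and carry the given objectClass."""
    return sorted(
        dn for dn, attrs in directory.items()
        if object_class in attrs["objectClass"] and in_scope(dn, context_dn, scope)
    )


# Constructed directory snapshot (not real data).
USER = ["top", "person", "organizationalPerson", "user"]
OU = ["top", "organizationalUnit"]
DIRECTORY = {
    "OU=Users,DC=example,DC=test": {"objectClass": OU},
    "CN=Alice Adams,OU=Users,DC=example,DC=test": {"objectClass": USER},
    "CN=Smith\\, Carol,OU=Users,DC=example,DC=test": {"objectClass": USER},
    "OU=Contractors,OU=Users,DC=example,DC=test": {"objectClass": OU},
    "CN=Bob Brown,OU=Contractors,OU=Users,DC=example,DC=test": {"objectClass": USER},
    "CN=Sales,OU=Groups,DC=example,DC=test": {"objectClass": ["top", "group"]},
}
CONTEXT = "OU=Users,DC=example,DC=test"

if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        print(scope, search(DIRECTORY, CONTEXT, scope, "user"))
```

With the user link pointed at OU=Users, "base" returns nothing (the folder itself is not a user), "onelevel" returns Alice and Carol, and "subtree" adds Bob from the Contractors sub-folder; the Sales group under OU=Groups is never returned because it is outside the context.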

Configuring LDAP group mappings

In the LDAP Group Mapping tab, you can configure the user groups that will be synchronized and how they will be synchronized.

The NexJ server must have been synchronized once to the LDAP server before you begin configuring the user groups.

If you have not yet synchronized once with the server, no groups will appear. Click the Get Snapshot From the External System button at the top of the LDAP Server list in the LDAP Group Mapping tab to sync the LDAP user group link. Note that you cannot use this button to sync the LDAP user link; to do this, you must use the button in the Synchronization tab.

Each row displays the current properties and settings of one group:

Name

The name of the group, as it is identified in the LDAP server.

Synchronize Users

This checkbox allows you to enable and disable the synchronization of this group of users. If checked, all users who belong to this group will be synchronized with the NexJ server.

A user may belong to different user groups. As long as one of the groups to which he or she belongs has synchronization enabled, the user will be synchronized. This includes group hierarchies: if a user belongs to a group that is synchronized, then the user will also be synchronized, even if the intermediate group's Synchronize Users checkbox is not checked.

Description

A brief text description of the group.

User Template

The user type that will be used when creating new users of this group.

Priority order for User Template choice

Because a user may belong to different groups, there may be a conflict between which user type to assign to the user because of different values in the User Template field. This is resolved by setting priority values to the different groups; a lower number indicates a higher priority for the group.
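The membership rule from the link configuration (a user's memberOf value equals the group's distinguishedName), the Synchronize Users rule above (one synchronized group anywhere up the group hierarchy is enough) and the User Template priority rule (lowest number wins) combined into one planning function, as an added example and not NexJ's implementation. Group and user entries, template names and priorities are constructed; treating every group in the nested-membership closure as a template candidate is an assumption of this example.

```python
from collections import deque


def norm(dn: str) -> str:
    # DNs compare case-insensitively; memberOf is matched against the group's
    # distinguishedName, so both sides are normalised the same way.
    return dn.strip().lower()


def group_closure(direct_groups: list[str], groups: dict) -> set[str]:
    """All groups reached from the user's memberOf values via nested groups."""
    seen, todo = set(), deque(norm(g) for g in direct_groups)
    while todo:
        g = todo.popleft()
        if g in seen or g not in groups:   # unknown DN: not a mapped group
            continue
        seen.add(g)
        todo.extend(norm(parent) for parent in groups[g].get("memberOf", []))
    return seen


def plan_sync(users: dict, groups: dict) -> dict:
    """Map each login to the User Template it would get, or None if not synced."""
    groups = {norm(dn): attrs for dn, attrs in groups.items()}
    plan = {}
    for login, attrs in users.items():
        member_of = group_closure(attrs.get("memberOf", []), groups)
        # Synchronized if any group in the closure has Synchronize Users set,
        # even when the user's direct group does not.
        if not any(groups[g]["syncUsers"] for g in member_of):
            plan[login] = None
            continue
        # Assumption for this example: all groups in the closure compete for
        # the template; the lowest priority number wins.
        best = min(member_of, key=lambda g: groups[g]["priority"])
        plan[login] = groups[best]["template"]
    return plan


# Constructed LDAP Group Mapping rows (group DN -> settings) and user entries.
G = "OU=Groups,DC=example,DC=test"
GROUPS = {
    f"CN=All Staff,{G}":      {"memberOf": [], "syncUsers": True,  "template": "Standard user", "priority": 20},
    f"CN=Sales,{G}":          {"memberOf": [f"CN=All Staff,{G}"], "syncUsers": False, "template": "Sales user", "priority": 10},
    f"CN=Sales Managers,{G}": {"memberOf": [f"CN=Sales,{G}"], "syncUsers": False, "template": "Manager", "priority": 5},
    f"CN=Contractors,{G}":    {"memberOf": [], "syncUsers": False, "template": "External", "priority": 30},
}
USERS = {
    "alice": {"memberOf": [f"cn=sales managers,{G}"]},     # case differs on purpose
    "bob":   {"memberOf": [f"CN=Contractors,{G}"]},
    "carol": {"memberOf": [f"CN=Sales,{G}"]},
    "dave":  {"memberOf": []},
    "erin":  {"memberOf": [f"CN=Contractors,{G}", f"CN=All Staff,{G}"]},
}

if __name__ == "__main__":
    for login, template in plan_sync(USERS, GROUPS).items():
        print(login, template or "(not synchronized)")
```

Alice is synchronized although neither Sales Managers nor Sales has Synchronize Users checked, because All Staff at the top of the chain does; her template is Manager (priority 5). Bob and Dave are not synchronized. Erin is synchronized through All Staff alone and gets Standard user because 20 beats Contractors' 30.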

Manually synchronizing LDAP servers or links

You can manually synchronize LDAP servers and links without affecting the periodic automatic synchronization.

To manually synchronize the LDAP server without affecting the periodic automatic synchronization:

  1. Navigate to the Synchronization page.
  2. In the Targets list, select the server and click the Get snapshot from the external system button.

    You can select a link and click the same button at the top right of the Links list to synchronize only that link.