Default/Sample configuration file
This is an example of a configuration file used to configure the LDAP integration settings. You can test these settings against a non-production P4 Plan test server before connecting to your live database, to make sure that everything is set up correctly.
You should also make sure that you are receiving administration emails before tweaking settings so you can see the changes that are made by the integration and the errors that are reported.
// Configure Hansoft Login
HansoftHost localhost // The IP address or DNS name of the Hansoft server to connect to.
HansoftPort 50256 // The port of the Hansoft server to connect to.
HansoftDatabase "Company Projects" // The Hansoft database to connect to.
HansoftUser AuthIntegrationSDK // The SDK account in the Hansoft database to connect to.
HansoftPassword secret // The password for the SDK account in the Hansoft database to connect to.
HansoftSDKSessionTimeout 0 // The number of seconds until the SDK session times out if it cannot communicate with the Hansoft server. If set to 0 the default value is used.
//////////////////////////////////////////////////////////////////////////////////////////
// Configure Certificate
EnableCertificates 0 // Enable usage of certificates
PublicCertificatePath "" // If found the file overrides PublicCertificateData
PublicCertificateData "" // Server public certificate
PrivateKeyPath "" // If found the file overrides PrivateKeyData
PrivateKeyData "" // Private key
// Use these settings to specify a certificate authority that is not in your OS trust store. The OS trust store will still be used
// to authenticate the Hansoft server in addition to these settings.
CertificateVerifyHostnameMatches 1
CertificateVerificationDepth 9 // You can reduce this if you have a known certificate depth
CACertificatePath "" // If set and found the file overrides CertificateCACertificateData
CACertificateData "" // Certificate Authority data
PathToCRLs "" // Certificate Revocation List store directory, disabled if empty
CRLPath "" // If found the file overrides CertificateCRLData
CRLData "" // Certification Revocation List data
//////////////////////////////////////////////////////////////////////////////////////////
// Misc configuration
ProvideAuthenticationServices 1 // Set to 0 to completely disable Windows/SSPI authentication. If set to 1 (the typical setting) the HansoftUser SDK user account must have the "Account can provide login authentication integration services" user property checked.
ProvideCredentialResolutionServices 0 // Set to 1 to provide credential resolution services to other Hansoft SDK Services. If set to 1, the HansoftUser SDK user account must have the "Account can provide credential resolution services" user property checked.
ErrorRetryTime 10 // The number of minutes to wait before retrying after an exception such as an LDAP server being down, or the license being exceeded.
LockResourcesWithNoMapping 1 // When set to 1 resources that are deleted in LDAP will be locked in Hansoft. The resources have to be manually unlocked or deleted in Hansoft if they are to be removed.
UpdateInterval 60 // The number of seconds to wait between polling the LDAP server.
Uninstall 0 // Set to 1 to remove any trace of the LDAP integration from the Hansoft server you connect to. This removes any pairing data and the LDAP tab from the resource edit dialog.
FuzzyMatchingStrength 0.0 // Fuzzy matching strength (0-1.0, default is 0). 0 means only a faster case-insensitive match is made. A suitable starting value for fuzzy matching is 0.25.
//////////////////////////////////////////////////////////////////////////////////////////
// *** IMPORTANT *** Configure Email Notification
EmailEnableLogging 0 // Logs email communication with the smtp server to the "LogEmail" folder to enable debugging email settings
EmailServer smtp.example.local // The SMTP server to send emails through.
EmailServerPort 25 // The port of the SMTP server to send emails through.
EmailsFromName "Hansoft Auth Integration" // The name appearing in the from field on sent emails.
EmailsFromEmail "hansoft@example.local" // The email appearing in the from field on sent emails.
EmailServerLoginName "" // The login name to use to login to the SMTP server. Leave blank to disable login.
EmailServerLoginPassword "" // The password to use to login to the SMTP server.
EmailSecurityProtocol "None" // The email security protocol to use, available options are: None, SSL or TLS
EmailSendAdminEmailsTo "admin@example.local" // The email address to send administrative emails to.
EmailSendAdminEmailsToName "Admin" // The name for the email address to send administrative emails to.
EmailSendAdminNotifications 1 // Set to 1 for the administrative email to receive notifications about all operations the integration performs. Recommended to have turned on at least while setting up the integration.
//////////////////////////////////////////////////////////////////////////////////////////
// Configure Windows Single-Sign On
AllowClientUserNameSave 1 // Set to 0 to prevent clients from remembering LDAP account names (note: clients never store LDAP account passwords)
//AuthenticationPackagesEnabled "Negotiate" // The authentication packages used to authenticate clients. Default is "Negotiate". Can be anything supported by both the client and server Windows installations, normally 'NTLM', 'Kerberos' or 'Negotiate'. You can specify several by delimiting them with ','. The first supported package will be used.
//AuthenticationServiceDescription "Central Hansoft LDAP integration" // Seen by the clients when errors occur when logging in. Can be useful if several LDAP integrations are used within a group of Hansoft servers connected through shares. The default is the domain of the computer running the Auth Integration.
//////////////////////////////////////////////////////////////////////////////////////////
// Configure LDAP servers
// You can specify several LDAPServer sections to connect to several servers at once
LDAPServer
{
Servers "example.local" // The LDAP server to connect to. If left blank the default LDAP server will be used. You can specify the domain name, the server DNS address, or several server addresses separated by spaces if the domain has redundant servers. If you need to specify different ports for each server, do so with server:port.
ServersPort "389" // The port of the server to connect to. Typically set to 636 if you enable SSL, 389 otherwise.
ServersUseSSL 0 // Enables SSL connection corresponding to the LDAP_OPT_SSL option.
ServersSigning 1 // Enables signing, corresponding to the LDAP_OPT_SIGN option. Cannot be used together with SSL.
ServersEncrypt 1 // Enables Kerberos encryption, corresponding to the LDAP_OPT_ENCRYPT option. Cannot be used together with SSL.
BindMethod "Negotiate" // Sets bind method. Can be: "Negotiate", "Simple", "Digest", "DPA", "NTLM", "Sicily"
BindDN "" // Leave this blank to use the credentials of the service to log in to the LDAP server. You will probably need to change the credentials that the service runs under for this to work. You can also specify the credentials to log in with, in the format "domain\\user:password". Example:
//BindDN "example.local\\HansoftAuthIntegration:secret"
// You can specify several AutocreateResources sections to use different settings for different queries. If a user is found in several sections, the settings of the first section that the user is encountered in will be used.
AutocreateResources
{
SearchBase "CN=Users,DC=example,DC=local" // The base DN where you want to search for users.
SearchScope "SubTree" // Can be Base, OneLevel and SubTree. Base searches only the base directory. OneLevel searches all directories under the base directory (not recursive), but not the base directory. SubTree searches the base directory and all subdirectories recursively.
SearchFilter "(objectClass=person)" // The search filter to apply to the users. Set to "" to return all users in search base. The syntax is the default LDAP filter syntax. Example:
// SearchFilter "(&(objectClass=person)(memberOf=CN=Hansoft Users,CN=Users,DC=example,DC=local))" // This search filter will limit the users returned to the users that are members of the 'Hansoft Users' Group.
ResolveGroupsRecursively 0 // Set to 1 to recursively resolve resources by following recursive group memberships
RecursiveGroupObjectClass "group" // The object class that specifies a group when resolving recursively
RecursiveResourceObjectClass "person" // The object class that specifies a resource when resolving recursively
RecursiveMemberAttribute "member" // The attribute to use to resolve groups recursively
LogSearchResults 0 // Set to 1 to return the result of the above query to the log file
LogSearchResultAttributes 0 // Set to 1 to return the result of querying the attributes below to the log file
ResourceNameAttribute "name" // The LDAP attribute to get the resource name from. Multiple attributes are separated by ";" and will be checked in order until a valid name is found. Required.
ResourceGUIDAttribute "objectGUID" // The LDAP attribute to get an identifier that uniquely identifies the LDAP user. Required.
EmailAttribute "mail" // The LDAP attribute to get the resource email address for the user from. Optional.
DisabledAttribute "userAccountControl" // The LDAP attribute to get the disabled state of the user from. Optional.
DisabledAttributeFlag "2" // The value to bitwise AND with the value of the DisabledAttribute. If the resulting value differs from 0 the resource is considered disabled. Optional.
SendPasswordEmailToResource 1 // Set to 1 to send a welcome email with password to the email of the resource. If no email is specified for the resource the email will be sent to the admin email address instead.
SendPasswordEmailToAdmin 1 // Set to 1 to send the welcome emails to the administrator email. If SendPasswordEmailToResource is set to 1 only a notification will be sent to the administrator.
SendAccountNameChangeEmailToResource 1 // Set to 1 to send a rename email to the email of the resource. If no email is specified for the resource the email will be sent to the admin email address instead.
SendAccountNameChangeEmailToAdmin 1 // Set to 1 to send the rename email to the administrator email. If SendAccountNameChangeEmailToResource is set to 1 only a notification will be sent to the administrator.
LogSearchResultAttributes 1 // Set to 0 to stop sending user attributes of LDAP search results in administrative e-mails
LogSearchResults 1 // Set to 0 to stop sending the results of LDAP user searches in administrative e-mails altogether
// LogMaxEmailLines 100 // Maximum number of search results to include in administrative e-mails.
AutoCreateResources 1 // Set to 0 to disable automatic creation of resources. Could be useful when initially binding resources manually.
AutoAssignAlreadyCreatedHansoftResources 1 // Resources will be paired with LDAP users based on partial fuzzy matching of the name. You can override the assigned LDAP users from within Helix Plan by editing the resource and selecting the LDAP tab.
AutoAssignAlreadyCreatedHansoftGhostResources 1 // Ghost resources will be paired with LDAP users based on partial fuzzy matching of the name. The resources will be converted based on AutoConvertResourcesToType. If AutoConvertResourcesToType is set to NoConvert the resources will be converted to normal resources. You can override the assigned LDAP users from within Hansoft by editing the resource and selecting the LDAP tab.
AutoConvertResourcesToType NoConvert // Sets the type that resources in this search should be upgraded to. Possible values: NoConvert, QAAccount, NormalResource.
AutoRenameResourcesWhenNameChanged 1 // Renames resources in Hansoft when users are renamed in LDAP. Caution, this also applies to auto paired resources, and the resources will be immediately renamed.
DefaultEnabledAuthenticationMethods 3 // Default enabled authentication methods for new users: 1 = Hansoft password only, 2 = Windows/LDAP only, 3 = both methods
WelcomeSubject "Welcome to Hansoft Project Manager" // The subject of welcome emails.
WelcomeText // The main body text of welcome emails. {0} = Database | {1} = Server and port | {2} = Account name | {3} = Account password | {4} = Hansoft URL for the server and database
"A new account has been created for you in the Hansoft database '{0}'.
To log in please download and install the client from http://www.hansoft.se/
When the client has started, connect to the following server:
{1}
And then log in to the following database with the following account and password:
Database: {0}
Account: {2}
Password: {3}
You can click the following link to connect to the correct server automatically (only works after install):
{4}"
WelcomeTextLDAPPassword // Text displayed instead of a Hansoft password for users that only have Windows login enabled
"Your Windows account password. You can log in without typing your password when 'Login via Windows' is displayed."
WelcomeTextEitherPassword // Text displayed immediately following the password for users that have both Helix Plan and Windows login enabled
"Preferably, use your Windows account password or log in without typing a password when 'Login via Windows' is displayed."
AccountRenameSubject "Your Project Manager account has been renamed" // The subject of rename emails.
AccountRenameText // The main body text of rename emails. {0} = Database | {1} = Server and port | {2} = Account name | {3} = Old account name | {4} = Hansoft URL for the server and database
"Your account in the Hansoft database '{0}' has been renamed.
The old account name was:
{3}
The new account name is:
{2}
You can click the following link to connect to the server where your account was renamed:
{4}
"
}
// You can specify several AutocreateResourceGroups sections to use different settings for different queries. If a group is found in several sections, the settings of the first section that the group is encountered in will be used.
AutocreateResourceGroups
{
SearchBase "CN=Users,DC=example,DC=local" // The base DN where you want to search for groups.
SearchScope "SubTree" // Can be Base, OneLevel and SubTree. Base searches only the base directory. OneLevel searches all directories under the base directory (not recursive), but not the base directory. SubTree searches the base directory and all subdirectories recursively.
SearchFilter "(objectClass=group)" // The search filter to apply to the groups. Set to "" to return all groups in search base. The syntax is the default LDAP filter syntax. Example:
// SearchFilter "(&(objectClass=group)(memberOf=CN=Hansoft Groups,CN=Users,DC=example,DC=local))" // This search filter will limit the groups returned to the groups that are members of the 'Hansoft Groups' group.
ResourceGroupNameAttribute "name" // The LDAP attribute to get the group name from. Multiple attributes are separated by ";" and will be checked in order until a valid name is found. Required.
ResourceGroupGUIDAttribute "objectGUID" // The LDAP attribute to get an identifier that uniquely identifies the LDAP group. Required.
ResourceAssignAttribute "member" // The LDAP attribute to get the fully qualified DN of members of this group. Required.
ResourceAssignGUIDAttribute "objectGUID" // The LDAP attribute to get the unique identifier for the member users from the fully qualified DN returned from ResourceAssignAttribute. Must correspond to the GUID returned for users in the AutocreateResources sections.
ResourceAssignRecursive 1 // Set to 1 to recursively resolve members of resource groups.
AutoAssignAlreadyCreatedHansoftResourceGroups 1 // Resource groups will be paired with LDAP groups based on partial fuzzy matching of the name.
AutoRenameResourceGroupssWhenNameChanged 1 // Renames resource groups when groups are renamed in LDAP. Caution, this also applies to auto paired resource groups, and the groups will be immediately renamed.
LogSearchResultAttributes 1 // Set to 0 to stop sending group attributes of LDAP search results in administrative e-mails
LogSearchResults 1 // Set to 0 to stop sending the results of LDAP group searches in administrative e-mails altogether
// LogMaxEmailLines 100 // Maximum number of search results to include in administrative e-mails
}
}
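As an added example (not part of the Hansoft/Helix Plan documentation or product), the following Python lint parses this file's "Key value // comment" syntax, including brace sections and the multi-line quoted WelcomeText, and flags the settings above that would carry credentials in clear text: a Simple bind with ServersUseSSL 0, a password embedded in BindDN, and welcome e-mails containing passwords sent with EmailSecurityProtocol "None". The excerpt it parses is constructed, and the service account name in it is a placeholder.

```python
# Constructed excerpt in the file's own "Key value // comment" syntax, not the page's full file.
SAMPLE_CONFIG = r"""
EmailSecurityProtocol "None" // None, SSL or TLS
LDAPServer
{
    ServersUseSSL 0
    BindMethod "Simple"
    BindDN "example.local\\svc-hansoft:secret" // placeholder, format domain\\user:password
    AutocreateResources
    {
        SendPasswordEmailToResource 1
        WelcomeText // the quoted body follows on its own lines
        "A new account has been created for you in '{0}'.
        Connect to {1} and log in as {2}."
    }
}"""

def parse_config(text):
    """Return {Section.Key: value} for the brace, comment and multi-line string syntax."""
    settings, path, pending, in_string = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_string:                                   # rest of a multi-line quoted value
            in_string = not line.endswith('"')
            continue
        line = (" " + line).split(" //", 1)[0].strip()  # drop // comments
        if line == "{":                                 # opens the section named just before
            path.append(pending)
        elif line == "}":
            path.pop()
        elif line.startswith('"'):                      # quoted value starting on its own line
            settings[".".join(path + [pending])] = line.strip('"')
            in_string = not (len(line) > 1 and line.endswith('"'))
        elif line:
            pending, _, value = line.partition(" ")
            if value:
                settings[".".join(path + [pending])] = value.strip().strip('"')
    return settings

def audit(settings):
    """List the clear-text credential exposures a reviewer would raise on these settings."""
    g, findings = settings.get, []
    if g("LDAPServer.ServersUseSSL", "0") == "0" and g("LDAPServer.BindMethod") == "Simple":
        findings.append("Simple bind without ServersUseSSL sends the BindDN password in clear text")
    if ":" in g("LDAPServer.BindDN", ""):
        findings.append("BindDN embeds a password; leave it blank to use the service account")
    if (g("EmailSecurityProtocol", "None") == "None"
            and g("LDAPServer.AutocreateResources.SendPasswordEmailToResource") == "1"):
        findings.append("welcome e-mails carry account passwords over unencrypted SMTP")
    return findings
```

Running `audit(parse_config(SAMPLE_CONFIG))` reports all three findings; setting ServersUseSSL 1, BindDN "" and EmailSecurityProtocol "TLS" clears them.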