Helix TeamHub LDAP interface

The Helix TeamHub LDAP interface lets external tools integrate with TeamHub users, bots, and groups, and lets them use TeamHub as an authentication provider.

Note

The TeamHub LDAP interface is available to On-premises customers with a license of at least 7 seats.

Upgrading from Helix TeamHub 3.10.0 and older versions

Helix TeamHub 3.11.0 added support for bot accounts and introduced an additional accounts branch. Configurations should be updated to use the new ou=users,ou=accounts branch instead of the old ou=users branch (see Directory Tree below). Binding and searching users through the old branch is still supported until the next major release.

Enable Helix TeamHub LDAP Interface

The following steps describe how to enable the LDAP interface in TeamHub. For advanced configuration parameters, see Section: backend.

You can also perform a full synchronization of external tools by enabling hashed passwords. However, hashed passwords are visible only to company administrators, and the hash of an existing TeamHub user becomes available only after that user changes their password.

Note

You cannot enable hashed passwords with pass-through LDAP authentication.

To enable the LDAP interface:

  1. Browse to your TeamHub instance at http(s)://[hostname]/admin.
  2. In the navigation pane on the left, click Preferences.
  3. In the Configure instance view, under Helix TeamHub LDAP interface, select the Enable Helix TeamHub LDAP interface check box.
  4. To perform a full synchronization of external tools, select the Enable SHA hashed user passwords check box.
  5. Click Save preferences.

Configure Helix TeamHub LDAP with External Tools

To access TeamHub LDAP, use either the unencrypted ldap://example.com:389 URL or the encrypted ldaps://example.com:636 (LDAPS) URL. Configure SSL to use LDAPS.

The following table lists commonly used settings for external tools. If the tool ships pre-configured settings, OpenLDAP can be used as the base configuration. The TeamHub LDAP interface supports read-only access.

| Setting | Description | Example |
|---|---|---|
| Base DN | The root node of the LDAP tree to search from. Use your company ID in place of example. | o=example |
| Additional account DN | Prepended to the base DN to search users and bots. The complete DN is ou=accounts,o=example. | ou=accounts |
| Additional user DN | Prepended to the base DN to search users. The complete DN is ou=users,ou=accounts,o=example. | ou=users,ou=accounts |
| Additional bot DN | Prepended to the base DN to search bots. The complete DN is ou=bots,ou=accounts,o=example. | ou=bots,ou=accounts |
| Additional group DN | Prepended to the base DN to search groups. The complete DN is ou=groups,o=example. | ou=groups |
| Username and password | Provide the full user DN of a company admin account and its password. These credentials are used when binding to LDAP. Anonymous binding is not supported. | uid=norris,ou=users,ou=accounts,o=example |
| Account search filter | Use inetOrgPerson to search for accounts by objectClass. Use the employeeType attribute to search for accounts by type (bot or user). Use the uid attribute to search for a specific account. | (objectClass=inetOrgPerson); (employeeType=user); (uid=norris) |
| Group search filter | Use groupOfNames to search for groups by objectClass. Use the cn attribute to search for a specific group. | (objectClass=groupOfNames); (cn=developers) |
| Member search filter | Use the member attribute to find the groups of a user. The value of the attribute is the full user DN. | (member=uid=norris,ou=users,ou=accounts,o=example) |
| MemberOf search filter | Use the memberOf attribute to find the users of a group. The value of the attribute is the full group DN. | (memberOf=cn=developers,ou=groups,o=example) |
| Account password attribute | When the SHA hashed password setting is enabled, the account password is visible to company admins in the userPassword attribute. | {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= |
| Unique identifier | A universally unique identifier is available in the entryUUID attribute. | cdfd2ece-c1db-4c76-ae45-2d75968afddd |
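As an added example (not TeamHub's own code), the following Python assembles the DNs and filters from the table for the assumed company ID example, escapes user-supplied values per RFC 4515 so a login name cannot alter the filter, rewrites a pre-3.11 user DN onto the ou=accounts branch described in the upgrade note, and checks a candidate password against the {SHA} userPassword format shown in the last rows. All function names are my own.

```python
import base64
import hashlib
import hmac
import re

COMPANY = "example"  # assumed company ID; the page uses "example" throughout

# RFC 4515 escaping for values placed inside a search filter, so that a
# username taken from a login form cannot change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_dn(uid: str, company: str = COMPANY) -> str:
    """Full DN on the ou=users,ou=accounts branch introduced in 3.11.0."""
    return f"uid={uid},ou=users,ou=accounts,o={company}"

def account_filter(uid: str, kind: str = "user") -> str:
    """Match exactly one account of the given employeeType (user or bot)."""
    if kind not in ("user", "bot"):
        raise ValueError("kind must be 'user' or 'bot'")
    return (f"(&(objectClass=inetOrgPerson)(employeeType={kind})"
            f"(uid={escape_filter_value(uid)}))")

def groups_of_user_filter(uid: str, company: str = COMPANY) -> str:
    """Run under ou=groups: groups whose member attribute names the user's DN."""
    member = escape_filter_value(user_dn(uid, company))
    return f"(&(objectClass=groupOfNames)(member={member}))"

_LEGACY_USER_DN = re.compile(r"^(uid=[^,]+),ou=users,(o=[^,]+)$")

def migrate_legacy_dn(dn: str) -> str:
    """Rewrite a pre-3.11 DN (ou=users directly under o=...) onto the
    ou=users,ou=accounts branch; DNs already on the new branch are unchanged."""
    m = _LEGACY_USER_DN.match(dn)
    return f"{m.group(1)},ou=users,ou=accounts,{m.group(2)}" if m else dn

def sha_userpassword(password: str) -> str:
    """RFC 2307 {SHA} form of userPassword: base64 of the unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def verify_userpassword(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a {SHA} value."""
    return stored.startswith("{SHA}") and hmac.compare_digest(
        sha_userpassword(password).encode(), stored.encode())
```

Because {SHA} is an unsalted SHA-1 digest, identical passwords produce identical userPassword values, which is one reason the attribute is exposed only to company admins.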

Helix TeamHub LDAP Structure and Example Entries

Directory Tree

  o=example
    ├── ou=accounts
    │   ├── ou=users
    │   │   └── uid=norris
    │   └── ou=bots
    │       └── uid=bot
    ├── ou=groups
    │   └── cn=developers
    └── ou=projects
        └── ou=sample

Example User Entry

# norris, users, accounts, example
dn: uid=norris,ou=users,ou=accounts,o=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: norris
cn: Chuck Norris
displayName: Chuck Norris
givenName: Chuck
sn: Norris
mail: norris@example.com
telephoneNumber: +123456
description: Not needed
title: Champion
entryUUID: cdfd2ece-c1db-4c76-ae45-2d75968afddd
memberOf: cn=developers,ou=groups,o=example
memberOf: cn=managers,ou=groups,o=example
employeeType: user

Example Bot Entry

# bot, bots, accounts, example
dn: uid=bot,ou=bots,ou=accounts,o=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: bot
cn: bot
displayName: bot
givenName: bot
sn: bot
entryUUID: 21f02b44-3832-4523-b7b4-c3602932535e
employeeType: bot
mail: bot@helixteamhub.invalid

Example Group Entry

# developers, groups, example
dn: cn=developers,ou=groups,o=example
objectClass: top
objectClass: groupOfNames
cn: developers
description: All our developers
entryUUID: 3c9ad9eb-6234-4cf2-b147-f2d945d77b67
member: uid=norris,ou=users,ou=accounts,o=example
member: uid=bruce,ou=users,ou=accounts,o=example

Example Project Entry

# sample, projects, example
dn: ou=sample,ou=projects,o=example
objectClass: top
objectClass: organizationalUnit
ou: sample
description: Sample project
entryUUID: a671a3bb-edb9-45f7-aa71-f3be44a075c2
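An added example, not from the page or the product: a minimal LDIF reader over the user and group entries above (copied inline as constructed sample data) that cross-checks each account's memberOf against the group's member attribute, the consistency an integration syncing groups from TeamHub would want before trusting either attribute alone.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed sample: the user and group entries above, trimmed to the
# attributes the membership check needs. Not fetched from a live instance.
SAMPLE_LDIF = """\
dn: uid=norris,ou=users,ou=accounts,o=example
objectClass: inetOrgPerson
uid: norris
employeeType: user
memberOf: cn=developers,ou=groups,o=example
memberOf: cn=managers,ou=groups,o=example

dn: cn=developers,ou=groups,o=example
objectClass: groupOfNames
cn: developers
member: uid=norris,ou=users,ou=accounts,o=example
member: uid=bruce,ou=users,ou=accounts,o=example
"""

def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader keyed by DN: entries end at a blank line, each line is
    'attr: value', repeated attributes become lists. No '::' or continuation lines."""
    entries: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] = defaultdict(list)
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current["dn"][0]] = dict(current)
                current = defaultdict(list)
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current[attr.strip()].append(value.strip())
    return entries

def membership_mismatches(entries: dict[str, dict[str, list[str]]]) -> list[tuple[str, str]]:
    """(account_dn, group_dn) pairs where memberOf on the account and member on
    the group disagree, or where the referenced entry is missing from the data."""
    problems = set()
    for dn, attrs in entries.items():
        for group_dn in attrs.get("memberOf", []):
            group = entries.get(group_dn)
            if group is None or dn not in group.get("member", []):
                problems.add((dn, group_dn))
        for member_dn in attrs.get("member", []):
            member = entries.get(member_dn)
            if member is None or dn not in member.get("memberOf", []):
                problems.add((member_dn, dn))
    return sorted(problems)
```

On the sample above the check reports the two references the page's entries leave dangling (cn=managers has no group entry, uid=bruce has no user entry) and accepts the norris/developers pair that both sides agree on.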