Server - LDAP Configuration
Implementing Workamajig’s LDAP User Authentication will allow you to validate your users on your LDAP server rather than using Workamajig’s security. The basic login process is as follows:
- The User enters their User ID and Password in the Workamajig login screen.
- Workamajig will send an authentication request to the LDAP server specified in the Task Manager (see LDAP Server settings below).
If the user exists in the LDAP Server:
- If the User ID and Password are authenticated, the system will then check to make sure they are a valid user in Workamajig.
- If they are a valid (active) user, their Workamajig security settings and preferences are loaded as normal and the user is directed to the Desktop.
If the user does NOT exist in the LDAP Server:
- By default, the login will fail and no access will be given.
- You can, however, create users in your Workamajig instance that do not rely on LDAP to authenticate. To do this, their User ID in Workamajig must not match any User ID in your LDAP directory.
The benefit of using LDAP User Authentication in Workamajig is that users will be able to use the same password to access all of the company’s systems.
EMPLOYEE SETUP NOTE: If you have implemented LDAP, note that the employee record has a Change Password on Next Login option. This setting is incompatible with LDAP and should NOT be used; enabling it will cause an error during the login process.
NOTES: We are unable to support the mapping of WebDAV folders to the workstation if using LDAP authentication. Also, CalDAV sync of calendars does not support LDAP Authentication. This authentication is only possible if you host your Workamajig Server on the same network as your LDAP Server.
LDAP Server Settings
Various LDAP Server settings need to be entered into the Workamajig Task Manager so that Workamajig can connect to the site’s LDAP server to authenticate users. These settings are entered in the WMJServiceConfig.exe tool, where all other web settings are entered. Click on the LDAP tab to set up the following. After the settings have been entered, you must apply them to the website.
Active Directory: Check this box if the LDAP Server uses Active Directory.
LDAP Server: Enter the IP address or Name of the LDAP Server.
Root Search DN: Enter the Root LDAP Distinguished Name (DN) that Workamajig will use when attempting a search for users on the LDAP server. (ex: cn=WMJUsers,ou=MainLocation,o=HQ)
Search Attribute: Enter an attribute to use when searching for users. If you leave it blank, it will search using either “cn” or “uid”.
Administrator DN / Admin User ID: What to enter depends on whether the Active Directory box is checked; see the three cases under Administrator DN / Admin User ID at the end of this page.
Password: Enter the LDAP Administrator user’s password that Workamajig will use when it performs the initial bind.
Note: if using Active Directory: when searching for Workamajig users, the LDAP component matches the userPrincipalName attribute to the User ID entered. If the User ID does not match the userPrincipalName attribute of the user, the Password validation will fail.
Timeout: Enter the timeout period (in seconds) that Workamajig will set on the LDAP component when connecting. If this is left blank, the default will be 10. This may need to be adjusted if it takes longer for Workamajig to connect to some LDAP servers.
Port: Enter the port that WMJ Task Manager will use when connecting to the LDAP Server. If this is left blank, Workamajig will use the default port 389.
Test User ID and Test Password: Use these to test a user login ID and password against the LDAP server and confirm that the settings are configured correctly.
Apply to Website: Click this button to commit your settings to Workamajig.
NOTE: There are areas/functions of Workamajig that are NOT able to use LDAP Authentication. These are:
- Sync tools that synchronize your calendar and contacts with Outlook and Mac.
- The iCal program on a Mac.
These programs use Digest Authentication. In digest authentication, you must be able to retrieve the known password from your records because it is never actually transmitted. Since the LDAP Server will not return a password, we are unable to authenticate in this manner. You may enter a User ID and Password for the person in Workamajig, and Workamajig will authenticate against these credentials for these programs. Workamajig will validate the user against its own internal user ID and password. This allows you to set up all your employees in the LDAP server and not have to use LDAP for client and vendor logins.
NOTE: Using CalDAV to sync to your calendars is not supported if using LDAP.
Administrator DN / Admin User ID
- If you have checked Active Directory above, enter the User ID of the LDAP Administrator that Workamajig will use to perform the initial bind to the LDAP server. If the Admin user is not under the same root DN as the Root Search DN, enter a / followed by the DN where the Admin user is located, like this: admin/cn=administrators,ou=MainLocation,o=HQ
- If the Admin user is in the same DN as the Root Search DN, just enter the Admin User ID to search for.
- If you have NOT checked Active Directory above, enter the LDAP Distinguished Name (DN) that CM will use to perform the initial bind to the LDAP server. This must be the full DN path to the Administrator user. Example: cn=Administrator,cn=CMUsers,ou=MainLocation,o=HQ
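As an added example (not Workamajig's own code), the Python below derives from the settings on this page where the admin account is looked up before the initial bind, which filter the user search will use, and the defaults that apply when Port or Timeout are blank; the User ID is escaped per RFC 4515 so that a value typed at the login screen cannot alter the search filter. The class and function names are my own, as is the assumption that with Active Directory checked the match is always on userPrincipalName regardless of Search Attribute.

```python
# Added example: models the LDAP settings described on this page so an
# administrator can sanity-check a configuration before applying it.
from dataclasses import dataclass
from typing import Optional

DEFAULT_PORT = 389       # used when the Port field is left blank
DEFAULT_TIMEOUT = 10     # seconds, used when the Timeout field is left blank


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a User ID containing ( ) * \\ or NUL cannot
    change the structure of the search filter it is placed into."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


@dataclass
class LdapSettings:
    active_directory: bool     # the Active Directory checkbox
    server: str                # LDAP Server (IP address or name)
    root_search_dn: str        # Root Search DN
    admin_dn_or_id: str        # Administrator DN / Admin User ID field
    search_attribute: str = "" # Search Attribute (blank -> cn or uid)
    port: Optional[int] = None
    timeout: Optional[int] = None


def effective_port(s: LdapSettings) -> int:
    return s.port if s.port else DEFAULT_PORT


def effective_timeout(s: LdapSettings) -> int:
    return s.timeout if s.timeout else DEFAULT_TIMEOUT


def admin_bind_plan(s: LdapSettings) -> dict:
    """Where the administrator account is resolved for the initial bind."""
    if not s.active_directory:
        # Non-AD: the field must already hold the full DN of the admin user.
        return {"bind_dn": s.admin_dn_or_id}
    # AD: "user" or "user/<dn>"; a DN after the slash replaces the root search DN.
    user_id, _, base = s.admin_dn_or_id.partition("/")
    return {"search_base": base or s.root_search_dn, "admin_user_id": user_id}


def user_search_filter(s: LdapSettings, user_id: str) -> str:
    """Filter used to locate the logging-in user under the Root Search DN."""
    v = escape_filter_value(user_id)
    if s.active_directory:
        return f"(userPrincipalName={v})"  # assumption: AD always uses UPN
    if s.search_attribute:
        return f"({s.search_attribute}={v})"
    return f"(|(cn={v})(uid={v}))"         # blank attribute: cn or uid
```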