Helix TeamHub LDAP Interface

The Helix TeamHub LDAP interface allows external tools to integrate with Helix TeamHub users, bots, and groups, and to use Helix TeamHub as an authentication provider. Note: the Helix TeamHub LDAP interface is available to On-premises customers with a license of at least 7 seats.

Upgrading from Helix TeamHub 3.10.0 and older versions

Helix TeamHub 3.11.0 added support for bot accounts and introduced an additional accounts branch. Configurations should be updated to use the new ou=users,ou=accounts branch instead of the old ou=users branch (see Directory Tree below). Binding and searching users by using the old branch is still supported until the next major release.

Enable Helix TeamHub LDAP Interface

Browse to Helix TeamHub Manage at http(s)://[hostname]/admin where Helix TeamHub is installed, and select Preferences from the left navigation. Check "Enable Helix TeamHub LDAP interface", and click "Save preferences".

To perform a full synchronization of external tools, enable SHA hashed user passwords through the LDAP interface. Hashed passwords are only visible to company administrators. Existing Helix TeamHub users must change their passwords before the hashed value becomes available. This feature cannot be enabled when pass-through LDAP authentication is used.
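How an external tool could check a login against a synchronized userPassword value, as an added example (not Helix TeamHub code). It assumes the value follows the RFC 2307 {SHA} convention, base64 of an unsalted SHA-1 digest, which the 20-byte example value in the settings table is consistent with, and that passwords are hashed as UTF-8.

```python
import base64
import hashlib
import hmac

PAGE_EXAMPLE = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="  # example value shown on this page


def parse_user_password(value: str) -> bytes:
    """Return the raw digest from a '{SHA}<base64>' userPassword value."""
    scheme, sep, b64 = value.partition("}")
    if not sep or scheme.upper() != "{SHA":
        raise ValueError("unsupported or missing password scheme")
    try:
        digest = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("digest is not valid base64") from exc
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("{SHA} digest must be 20 bytes (SHA-1, no salt)")
    return digest


def make_user_password(password: str) -> str:
    """Encode a password the same way (assumption: UTF-8 input)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time comparison of the stored digest with the candidate's."""
    expected = parse_user_password(stored)
    actual = hashlib.sha1(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    stored = make_user_password("constructed-sample-pw")  # constructed value
    print(verify_password(stored, "constructed-sample-pw"))  # True
    print(verify_password(stored, "wrong"))                  # False
    print(len(parse_user_password(PAGE_EXAMPLE)))            # 20
```

Because the digest carries no salt, two accounts with the same password have identical userPassword values, so a tool that stores synchronized entries should protect them as it would any other credential.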

Configure Helix TeamHub LDAP with External Tools

To access Helix TeamHub LDAP, use either the unencrypted ldap://example.com:389 URL or the encrypted ldaps://example.com:636 (LDAPS) URL. SSL must be configured in order to use LDAPS.

The following table lists settings commonly used with external tools. OpenLDAP may be used as a base configuration if the tool provides pre-configured settings. The Helix TeamHub LDAP interface supports read-only access.

Setting | Description | Examples
--- | --- | ---
Base DN | The root node of the LDAP to search from. Use company ID in place of example. | o=example
Additional account DN | Prepended to the base DN to search users and bots. The complete DN will be ou=accounts,o=example. | ou=accounts
Additional user DN | Prepended to the base DN to search users. The complete DN will be ou=users,ou=accounts,o=example. | ou=users,ou=accounts
Additional bot DN | Prepended to the base DN to search bots. The complete DN will be ou=bots,ou=accounts,o=example. | ou=bots,ou=accounts
Additional group DN | Prepended to the base DN to search groups. The complete DN will be ou=groups,o=example. | ou=groups
Username and password | Provide a full user DN of a company admin account and a password. These credentials are used when binding to LDAP. Anonymous binding is not supported. | uid=norris,ou=users,ou=accounts,o=example
Account search filter | Use inetOrgPerson to search for accounts by objectClass. Use employeeType attribute to search for accounts by type (bot or user). Use uid attribute to search for a specific account. | (objectClass=inetOrgPerson), (employeeType=user), (uid=norris)
Group search filter | Use groupOfNames to search for groups by objectClass. Use cn attribute to search for a specific group. | (objectClass=groupOfNames), (cn=developers)
Member search filter | Use member attribute to find groups for a user. The value of the attribute contains the full user DN. | (member=uid=norris,ou=users,ou=accounts,o=example)
MemberOf search filter | Use memberOf attribute to find users for a group. The value of the attribute contains the full group DN. | (memberOf=cn=developers,ou=groups,o=example)
Account password attribute | Account password will be visible to company admins in userPassword attribute when SHA hashed password setting is enabled. | {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
Unique identifier | A universally unique identifier is available in entryUUID attribute. | cdfd2ece-c1db-4c76-ae45-2d75968afddd
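When an external tool fills the account, member, and memberOf filters above from a login form or other untrusted input, the value has to be escaped so it cannot change the filter's structure. The following is an added example (not Helix TeamHub code); the function names are hypothetical, and it assumes the interface accepts standard combined (&...) filters, which the page does not state.

```python
# Added example, not Helix TeamHub code. DNs follow the page's o=example tree.
USERS_DN = "ou=users,ou=accounts,o=example"
GROUPS_DN = "ou=groups,o=example"


def escape_filter_value(value: str) -> str:
    """RFC 4515: hex-escape characters that are syntax inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_rdn_value(value: str) -> str:
    """RFC 4514: escape characters that are syntax inside a DN component."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in '"+,;<>\\' or (i == 0 and c in " #") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def account_filter(uid: str, account_type: str = "user") -> str:
    """Find one account by uid, restricted to users or bots."""
    if account_type not in ("user", "bot"):  # the two employeeType values on the page
        raise ValueError("employeeType must be 'user' or 'bot'")
    # Assumption: the interface accepts standard (&...) combined filters.
    return "(&(objectClass=inetOrgPerson)(employeeType=%s)(uid=%s))" % (
        account_type, escape_filter_value(uid))


def groups_of_user_filter(uid: str) -> str:
    """Member filter: the value is the full user DN, so escape twice."""
    user_dn = "uid=%s,%s" % (escape_rdn_value(uid), USERS_DN)
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


def users_of_group_filter(cn: str) -> str:
    """MemberOf filter: the value is the full group DN."""
    group_dn = "cn=%s,%s" % (escape_rdn_value(cn), GROUPS_DN)
    return "(&(objectClass=inetOrgPerson)(memberOf=%s))" % escape_filter_value(group_dn)


if __name__ == "__main__":
    for sample in ("norris", "*)(uid=*", "smith, j"):  # constructed inputs
        print(account_filter(sample))
        print(groups_of_user_filter(sample))
```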

Helix TeamHub LDAP Structure and Example Entries

Directory Tree:

  o=example
    ├── ou=accounts
    │   ├── ou=users
    │   │   └── uid=norris
    │   └── ou=bots
    │       └── uid=bot
    ├── ou=groups
    │   └── cn=developers
    └── ou=projects
        └── ou=sample

Example User Entry:

# norris, users, accounts, example
dn: uid=norris,ou=users,ou=accounts,o=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: norris
cn: Chuck Norris
displayName: Chuck Norris
givenName: Chuck
sn: Norris
mail: norris@example.com
telephoneNumber: +123456
description: Not needed
title: Champion
entryUUID: cdfd2ece-c1db-4c76-ae45-2d75968afddd
memberOf: cn=developers,ou=groups,o=example
memberOf: cn=managers,ou=groups,o=example
employeeType: user

Example Bot Entry:

# bot, bots, accounts, example
dn: uid=bot,ou=bots,ou=accounts,o=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: bot
cn: bot
displayName: bot
givenName: bot
sn: bot
entryUUID: 21f02b44-3832-4523-b7b4-c3602932535e
employeeType: bot
mail: bot@helixteamhub.invalid

Example Group Entry:

# developers, groups, example
dn: cn=developers,ou=groups,o=example
objectClass: top
objectClass: groupOfNames
cn: developers
description: All our developers
entryUUID: 3c9ad9eb-6234-4cf2-b147-f2d945d77b67
member: uid=norris,ou=users,ou=accounts,o=example
member: uid=bruce,ou=users,ou=accounts,o=example

Example Project Entry:

# sample, projects, example
dn: ou=sample,ou=projects,o=example
objectClass: top
objectClass: organizationalUnit
ou: sample
description: Sample project
entryUUID: a671a3bb-edb9-45f7-aa71-f3be44a075c2

Updated on: 5 October 2017