Deveo LDAP Interface

The Deveo LDAP interface lets external tools read Deveo users, bots, and groups over LDAP, and lets Deveo act as an authentication provider for those tools. Note: the Deveo LDAP interface is available to On-premises customers with a license of at least 7 seats.

Upgrading from Deveo 3.10.0 and older versions

Deveo 3.11.0 added support for bot accounts and introduced an additional accounts branch. Update existing configurations to use the new ou=users,ou=accounts branch instead of the old ou=users branch (see Directory Tree below). Binding and searching users through the old branch is still supported until the next major release.

Enable Deveo LDAP Interface

Browse to Deveo Manage at http(s)://[hostname]/admin on the host where Deveo is installed, and select Preferences from the left navigation. Check "Enable Deveo LDAP interface", and click "Save preferences".

To let external tools perform a full synchronization that includes credentials, enable "SHA hashed user passwords through LDAP interface". The hash is published in the userPassword attribute and is visible only to company administrators. It is generated when a user sets a password, so existing Deveo users must change their passwords before their hash becomes available. This feature cannot be enabled when pass-through LDAP authentication is used.

Note that the {SHA} scheme is an unsalted SHA-1 digest (the RFC 2307 form), so anyone who can bind as a company administrator, or who can observe an unencrypted ldap:// session, can test password guesses against every user's hash at the speed of plain SHA-1. Treat the hash with the same care as the password itself: use a dedicated administrator account for the integration bind, and expose the interface only over LDAPS when this setting is on.

Configure Deveo LDAP with External Tools

To access Deveo LDAP, use either the unencrypted ldap://example.com:389 or the encrypted ldaps://example.com:636 (LDAPS) URL. SSL must be configured on the Deveo host before LDAPS can be used. Over plain ldap:// the bind password and every attribute returned, including userPassword hashes when that setting is enabled, cross the network in cleartext, so prefer LDAPS for anything beyond a trusted test network.

The following table lists the settings commonly needed by external tools. If a tool offers pre-configured profiles, start from its OpenLDAP profile. The Deveo LDAP interface is read-only: tools can bind and search, but cannot add, modify, or delete entries.

Setting: Base DN
    The root node of the directory tree to search from. Use your company ID in place of "example".
    Example: o=example

Setting: Additional account DN
    Prepended to the base DN to search users and bots. The complete DN will be ou=accounts,o=example.
    Example: ou=accounts

Setting: Additional user DN
    Prepended to the base DN to search users only. The complete DN will be ou=users,ou=accounts,o=example.
    Example: ou=users,ou=accounts

Setting: Additional bot DN
    Prepended to the base DN to search bots only. The complete DN will be ou=bots,ou=accounts,o=example.
    Example: ou=bots,ou=accounts

Setting: Additional group DN
    Prepended to the base DN to search groups. The complete DN will be ou=groups,o=example.
    Example: ou=groups

Setting: Username and password
    Provide the full DN of a company admin account and its password. These credentials are used when binding to LDAP; anonymous binding is not supported. Because this account can read everything the interface exposes (including password hashes when that setting is enabled), use a dedicated admin account for the integration rather than a personal one.
    Example: uid=norris,ou=users,ou=accounts,o=example

Setting: Account search filter
    Use objectClass=inetOrgPerson to match all accounts, the employeeType attribute to select accounts by type (bot or user), and the uid attribute to select a specific account. Filters can be combined with the usual (&...) and (|...) operators.
    Examples: (objectClass=inetOrgPerson), (employeeType=user), (uid=norris)

Setting: Group search filter
    Use objectClass=groupOfNames to match all groups, and the cn attribute to select a specific group.
    Examples: (objectClass=groupOfNames), (cn=developers)

Setting: Member search filter
    Use the member attribute to find the groups a user belongs to. The value is the full user DN.
    Example: (member=uid=norris,ou=users,ou=accounts,o=example)

Setting: MemberOf search filter
    Use the memberOf attribute to find the users of a group. The value is the full group DN.
    Example: (memberOf=cn=developers,ou=groups,o=example)

Setting: Account password attribute
    When the SHA hashed password setting is enabled, the account password hash is visible to company admins in the userPassword attribute. The value is "{SHA}" followed by the base64 of the unsalted SHA-1 digest of the password.
    Example: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=

Setting: Unique identifier
    A universally unique identifier for every entry is available in the entryUUID attribute. Key external records on this rather than on uid or cn, which can be renamed.
    Example: cdfd2ece-c1db-4c76-ae45-2d75968afddd
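The following is an added example (not Deveo's own code or documentation) showing what an external tool that synchronizes credentials would do with the userPassword value from the table: generate the {SHA} form, verify a login attempt against it, and, as a warning, run a small dictionary attack to show that an unsalted SHA-1 hash protects only strong passwords. The wordlist is constructed for the demonstration; the hash value is the one quoted in the table above.

```python
"""Check Deveo {SHA} userPassword values offline.

Added example, not Deveo's own code. The {SHA} scheme exposed in userPassword
is the RFC 2307 form: "{SHA}" followed by the base64 of the raw SHA-1 digest
of the password, with no salt and no iteration count.
"""
import base64
import hashlib
import hmac

SCHEME = "{SHA}"


def sha_password(password):
    """Build the userPassword value that corresponds to a given password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SCHEME + base64.b64encode(digest).decode("ascii")


def verify_sha_password(stored, candidate):
    """Return True if candidate hashes to the stored {SHA} value.

    Refuses other schemes instead of silently comparing plaintext, checks the
    decoded digest length, and compares in constant time.
    """
    if not stored.startswith(SCHEME):
        raise ValueError("unsupported userPassword scheme")
    expected = base64.b64decode(stored[len(SCHEME):])
    if len(expected) != hashlib.sha1().digest_size:
        raise ValueError("malformed {SHA} value")
    actual = hashlib.sha1(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


def dictionary_attack(stored, wordlist):
    """Return the first word in wordlist matching stored, or None.

    Without a salt every user with the same password has the same hash, and
    each guess costs one SHA-1, so a hash obtained through a compromised admin
    bind or a sniffed ldap:// session is cheap to attack offline.
    """
    for word in wordlist:
        if verify_sha_password(stored, word):
            return word
    return None


if __name__ == "__main__":
    example = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="   # value from the table above
    guesses = ["password", "123456", "secret"]      # constructed wordlist
    print(dictionary_attack(example, guesses))
```

The table's example value is the hash of the word "secret", which the dictionary attack recovers on the third guess; that is the exposure the caveat under "Enable Deveo LDAP Interface" refers to.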

Deveo LDAP Structure and Example Entries

Directory Tree:

  o=example
    ├── ou=accounts
    │   ├── ou=users
    │   │   └── uid=norris
    │   └── ou=bots
    │        └── uid=bot
    ├── ou=groups
    │   └── cn=developers
    └── ou=projects
        └── ou=sample

Example User Entry:

# norris, users, accounts, example
dn: uid=norris,ou=users,ou=accounts,o=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: norris
cn: Chuck Norris
displayName: Chuck Norris
givenName: Chuck
sn: Norris
mail: norris@example.com
telephoneNumber: +123456
description: Not needed
title: Champion
entryUUID: cdfd2ece-c1db-4c76-ae45-2d75968afddd
memberOf: cn=developers,ou=groups,o=example
memberOf: cn=managers,ou=groups,o=example
employeeType: user

Example Bot Entry:

# bot, bots, accounts, example
dn: uid=bot,ou=bots,ou=accounts,o=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: bot
cn: bot
displayName: bot
givenName: bot
sn: bot
entryUUID: 21f02b44-3832-4523-b7b4-c3602932535e
employeeType: bot
mail: bot@deveo.invalid

Example Group Entry:

# developers, groups, example
dn: cn=developers,ou=groups,o=example
objectClass: top
objectClass: groupOfNames
cn: developers
description: All our developers
entryUUID: 3c9ad9eb-6234-4cf2-b147-f2d945d77b67
member: uid=norris,ou=users,ou=accounts,o=example
member: uid=bruce,ou=users,ou=accounts,o=example

Example Project Entry:

# sample, projects, example
dn: ou=sample,ou=projects,o=example
objectClass: top
objectClass: organizationalUnit
ou: sample
description: Sample project
entryUUID: a671a3bb-edb9-45f7-aa71-f3be44a075c2
Updated on: 28 April 2017