Helix TeamHub LDAP Sync Application

Integrating the corporate LDAP directory to Helix TeamHub is straightforward. Follow the steps below to setup synchronization. On-premises installations of Helix TeamHub can also be configured to use LDAP Authentication. In such case the LDAP Sync application can still be used to keep existing Helix TeamHub accounts up to date.

Requirements

Create Company Admin Bot

Login to Helix TeamHub App with a Company Admin account (On-premises users: login to your instance). Click the company name on the top navigation and select Bots from the left menu. Create a new Company Admin bot and take a note of the API keys, they'll be used later when configuring synchronization.

LDAP Sync app

Setup and Configure LDAP Sync

Download Helix TeamHub LDAP Sync application from the LDAP Sync app download page and extract it. The application is configured using YAML file. Copy one of the example config files and use it as a base for configuration. Use the example_ad.yml if the source is Active Directory or example_ldap.yml if the source is some other OpenLDAP compliant server.

Configure General and Helix TeamHub API Settings

Uncomment and set a unique name for the source. The source is used to identify which users in Helix TeamHub are synchronized from this LDAP source. Make sure to use the same value for the source that was used in Helix TeamHub Admin authentication preferences if using LDAP Authentication. For synchronization strategy, choose either to sync all the users from LDAP to Helix TeamHub, or only keep existing Helix TeamHub users in sync. In both cases deactivated or deleted LDAP users will also be deleted from Helix TeamHub. The keep_in_sync strategy is recommended for LDAP Authentication.

Please note: Using sync_all strategy will sync all the users found from LDAP to Helix TeamHub and new users will receive a registration/welcome email.

Set value for company_key and account_key previously noted. If using Helix TeamHub On-premises, set the api_url to point to the Helix TeamHub instance API. You may enable certificate verification with Helix TeamHub API requests by setting a path to the root certificate of the certificate used in Helix TeamHub for the api_server_certificate attribute. The path can be either relative to where hth-ldapsync.jar is executed or an absolute path.

Configure your LDAP settings

Set the LDAP host, port, auth_username and auth_password for a user with read access for the source, and choose the encryption method for LDAP connection. Then set the LDAP base tree where to sync the users from. Users can be ignored from synchronization by adding the short_name to the ignored_users list.

Finally configure the attribute mappings between the LDAP schema and Helix TeamHub.

Configure Groups (optional)

Starting from Helix TeamHub version 2.7.1 and LDAP Sync version 1.3.0, it is now possible to synchronize groups from the base directory to Helix TeamHub. Define which groups are created by using group_base and group_query_filters.

Attribute mappings between the directory and Helix TeamHub can be configured using ldap_group_attributes. The default mapping will work for most users, but revise the value of the source attribute. The source defines whether the LDAP groups are linked to Helix TeamHub groups by common name cn or distinguished name (dn).

Group synchronization can be enabled by using the group-sync switch:

java -jar hth-ldapsync.jar --config myconfig.yml --group-sync

Test Configurations

Try out the configurations by running the LDAP Sync application and giving it the configuration file as a parameter. By default no modifications are made, shown instead are details of what the synchronization would do. For example:

java -jar hth-ldapsync.jar --config myconfig.yml

If there are already users in Helix TeamHub that need to be synchronized from the source, use the --force-sync switch with the first run. It will map the existing Helix TeamHub users to the source and update them instead of creating new users.

LDAP Sync preview

Run the LDAP Sync

Once the configuration is ready, run the actual synchronization by adding the --apply switch. This will synchronize users to Helix TeamHub.

java -jar hth-ldapsync.jar --config config.yml --apply

The LDAP Sync application can also be setup to run at intervals like once per hour, by using a scheduler.

Updated on: 5 October 2017