How to import users from LDAP into KentixONE?
This guide shows you step by step how to connect KentixONE with your LDAP/Active Directory, map user groups and synchronize user attributes. For detailed explanations of all fields, you will find a link to the complete form description at the end.
Requirements
- IP address or hostname of the LDAP server
- Security mode: unencrypted (LDAP) or encrypted (LDAPS/SSL)
- Port of the LDAP service (default: 389 or 636 for LDAPS)
- Base DN (e.g. DC=example,DC=local)
- Bind DN of an LDAP account with read permissions and the associated password
- Optional: LDAP groups for assigning KentixONE roles (Viewer/Manager/Administrator)
Step-by-step guide
1. Set up LDAP server
Open the communication settings in KentixONE and select LDAP. Enable the service and enter server, port, encryption and Base DN.
The "Soft Delete" option locks deleted LDAP users in KentixONE instead of deleting them. This way, histories are preserved.
2. Configure authentication
Enter the credentials of the LDAP account (Bind DN) with read permissions and the password.
3. Map system permissions (groups)
Map your LDAP groups to KentixONE roles. Users of the respective LDAP group automatically receive the corresponding permission in KentixONE.
Up to three groups can be mapped. Nested groups are not supported.
4. Map attributes
Define which LDAP attributes are mapped to which KentixONE fields (e.g. sAMAccountName → username, mail → email, phone number etc.).
Use a boolean attribute for the "User active" field, or map e.g. userAccountControl to deactivate users automatically.
5. Start synchronization
Save the settings and start the synchronization to import users. Alternatively, set an interval for automatic synchronization.
If DoorLocks need to work without connection to the AccessManager (e.g. emergency access), make sure to include relevant attributes like PIN/RFID in the mapping.
Tips and tricks
A complete field description with all options can be found in the form article: LDAP Configuration.
PIN and RFID
Data for identifying users in the system. If these are already recorded in LDAP when creating users, they can be imported.
Set the total length of PINs system-wide in "Security". If RA4 rack levers with PIN entry are used for access and for switching alarm groups, note that only the digits 1-4 are available for input there. Therefore create PINs for rack lever users only from this digit range.
Emergency access
Allows selected users to gain access when the DoorLock cannot establish a connection to the AccessManager. The data of users with this permission is stored locally in the DoorLock. Use an attribute with the values "0" or "1" (emergency access active) for this.
- Emergency access is not available immediately after assignment to a user.
- The user data for emergency access is transferred during access bookings at the DoorLocks. Because the data is transferred one user per booking, a DoorLock needs as many access bookings as there are emergency users before all of them are stored locally.
Access profiles from LDAP
If profiles with identical names exist both in KentixONE and in the LDAP structure, access profiles can be transferred together with the users. These profiles are linked at user level in KentixONE. Multiple access profiles can be stored in LDAP as a comma-separated enumeration. The notation is: Profile1, Profile2, Profile3.
Groups are imported into KentixONE for access control. The permissions for accessing the KentixONE system can be configured there for the groups.
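The following is an added example, not KentixONE code or a description of how the product implements the import. It models what steps 1 and 4 of the guide and the "Emergency access" and "Access profiles from LDAP" sections describe: deriving "User active" from the ACCOUNTDISABLE bit of userAccountControl, reading a "0"/"1" emergency attribute, linking only those profiles from the "Profile1, Profile2, Profile3" enumeration that already exist in KentixONE, checking imported PINs against the system-wide length and the RA4 digit rule, and locking users that disappear from LDAP when "Soft Delete" is enabled. The LDAP entries, the existing profiles and the attribute names kentixEmergency, kentixProfiles and kentixPin are constructed placeholders; substitute whatever attributes your directory actually uses.

```python
"""Added example (not KentixONE code): simulate the LDAP -> KentixONE user
mapping described in the guide. Attribute names kentixEmergency,
kentixProfiles and kentixPin are hypothetical placeholders."""

# Active Directory userAccountControl flag bit for a disabled account.
ACCOUNTDISABLE = 0x0002

# Constructed sample LDAP search result for the configured Base DN.
SAMPLE_ENTRIES = [
    {
        "sAMAccountName": "jdoe",
        "mail": ["jdoe@example.local"],     # LDAP attributes may be multi-valued
        "telephoneNumber": "+49 30 1234567",
        "userAccountControl": "512",         # NORMAL_ACCOUNT, enabled
        "kentixEmergency": "1",              # hypothetical "0"/"1" attribute
        "kentixProfiles": "Serverroom, Office",
        "kentixPin": "1234",
    },
    {
        "sAMAccountName": "asmith",
        "mail": "asmith@example.local",
        "telephoneNumber": "",
        "userAccountControl": "514",         # NORMAL_ACCOUNT | ACCOUNTDISABLE
        "kentixEmergency": "0",
        "kentixProfiles": "Office, Warehouse",
        "kentixPin": "5678",
    },
]

# Constructed: access profiles that already exist in KentixONE. Only a
# profile with an identical name can be linked to an imported user.
KENTIX_PROFILES = {"Serverroom", "Office"}

# Attribute mapping as configured in step 4 (KentixONE field -> LDAP attribute).
ATTRIBUTE_MAP = {
    "username": "sAMAccountName",
    "email": "mail",
    "phone": "telephoneNumber",
    "pin": "kentixPin",
}


def first_value(entry, attr):
    """Return one attribute value as a stripped string (LDAP may return a list)."""
    value = entry.get(attr, "")
    if isinstance(value, (list, tuple)):
        value = value[0] if value else ""
    return str(value).strip()


def account_enabled(uac_value):
    """'User active' from userAccountControl: active unless ACCOUNTDISABLE is set."""
    try:
        return not (int(uac_value) & ACCOUNTDISABLE)
    except (TypeError, ValueError):
        return False  # unreadable flag value: treat the account as inactive


def parse_profiles(value, known_profiles):
    """Split the 'Profile1, Profile2, Profile3' enumeration into (linked, unmatched)."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    linked = [n for n in names if n in known_profiles]
    unmatched = [n for n in names if n not in known_profiles]
    return linked, unmatched


def validate_pin(pin, pin_length, rack_lever=False):
    """Check the system-wide PIN length; RA4 rack levers accept only the digits 1-4."""
    if len(pin) != pin_length or not pin.isdigit():
        return False
    if rack_lever and not set(pin) <= set("1234"):
        return False
    return True


def map_entry(entry, pin_length=4, rack_lever=False):
    """Build the KentixONE user record for one LDAP entry."""
    user = {field: first_value(entry, attr) for field, attr in ATTRIBUTE_MAP.items()}
    user["active"] = account_enabled(first_value(entry, "userAccountControl"))
    user["emergency_access"] = first_value(entry, "kentixEmergency") == "1"
    user["profiles"], user["unmatched_profiles"] = parse_profiles(
        first_value(entry, "kentixProfiles"), KENTIX_PROFILES)
    user["pin_valid"] = validate_pin(user["pin"], pin_length, rack_lever)
    user["locked"] = False
    return user


def synchronize(existing_users, entries, soft_delete=True):
    """Merge an LDAP result into the current user table.

    Users no longer returned by LDAP are locked (Soft Delete) or dropped."""
    users = {first_value(e, "sAMAccountName"): map_entry(e) for e in entries}
    for name, old in existing_users.items():
        if name not in users and soft_delete:
            users[name] = dict(old, locked=True)
    return users


if __name__ == "__main__":
    previous = {"rgone": {"username": "rgone", "locked": False}}  # constructed
    for name, u in synchronize(previous, SAMPLE_ENTRIES).items():
        print(name, {k: u.get(k) for k in ("active", "locked", "emergency_access",
                                            "profiles", "unmatched_profiles", "pin_valid")})
```

Users whose enumeration names a profile that does not exist in KentixONE end up with that name in unmatched_profiles rather than silently losing access rights, which is the check worth running before the first scheduled synchronization; the rack_lever flag shows the RA4 restriction from "PIN and RFID" as a validation rather than a rule to remember.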
Glossary
- LDAP: Network protocol for querying and managing directory services (e.g. Active Directory).
- LDAPS: LDAP over SSL/TLS. Encrypted variant of LDAP, typically port 636.
- Base DN: Entry point (Distinguished Name) in the directory structure from which the search for objects begins (e.g. DC=example,DC=local).
- DN: Distinguished Name; unique path of an object in the LDAP directory.
- OU: Organizational Unit; logical unit/folder in the directory tree, e.g. for departments.
- Bind DN: User identification that KentixONE uses to authenticate to the LDAP server to perform queries.
- Attribute mapping: Mapping of LDAP attributes to fields in KentixONE (e.g. mail → email, sAMAccountName → username).
- User active: Boolean field/attribute that controls whether a user is active in KentixONE.
- userAccountControl: Active Directory attribute containing account status flags (can be used for active/disabled logic).