Using LDAP Authentication

This feature is specific to Clearvale Enterprise.

By default Clearvale keeps track of all network members in a database of usernames and passwords. However, if you prefer to use an authentication service for your network members, you can configure your network to use LDAP or OpenID.

When LDAP is configured for a network, it serves as an additional user authentication service alongside the default Clearvale authentication database. The authentication service used for a particular member is determined when the member registers with Clearvale. A user can use only one authentication service per network.

Note that LDAP support is a Premium Service.

Configuring LDAP

Network administrators have the option of requiring LDAP authentication before members access a network. You can use your own LDAP-compliant or Active Directory server for user authentication with your Clearvale network. Once configured, Clearvale uses the LDAP server to authenticate members when they register or log into a network.

Configured profile information is synchronized from the LDAP server to the Clearvale profile at the time of the first login. No information is ever updated on the LDAP server from Clearvale and the password stored in LDAP is never stored in Clearvale.

To enable LDAP or reconfigure your settings on a specific network:

  • Go to Admin>Authentication>LDAP Basic.
  • Set the LDAP Authentication and Integration field to Enabled.
  • Enter the LDAP configuration information, such as host, port, and so on. If you are not familiar with the LDAP values required for your network, contact your LDAP administrator.
  • Decide how to synchronize profile attributes. By default, user profile information is synchronized from the LDAP server to the Clearvale profile when a user logs into Clearvale the first time. The network administrator must provide mappings for any attributes that should be synchronized (see below).
    You can change this and have Clearvale synchronize the profile from the LDAP server to Clearvale profile each time a user logs into Clearvale by setting Synchronize Profile Attributes to Enabled. If this is set, users should not change mapped attributes in Clearvale since they will be overwritten upon the next log in.
  • For Attribute Mapping, you must map the Clearvale attributes contactemail, firstname, and lastname to LDAP attributes.
    For example:
    contactemail=mail : firstname=displayName : lastname=givenName
    If the mapping is not correctly configured (either the mapping for those attributes is missing or a valid value cannot be retrieved from the mapping), then the commonly used default LDAP attributes (‘mail’, ‘givenName’, and ‘sn’) are used to retrieve those attributes. For example: contactemail=mail : firstname=givenName : lastname=sn
    If there are attributes that you do not want other network users to see (for example, phone number), you should not map those attributes. For a list of Clearvale attributes, see “Clearvale Attributes,” next.
  • Set LDAP Users Can Register and Login Without Being Invited to Enabled to let any user in your LDAP system join your Clearvale network without being invited. When these users join the network, they simply use their LDAP login and password to access the network.
  • Click Save.
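The mapping string format and the fallback rule above, as an added example that is not Clearvale code: it parses a `contactemail=… : firstname=… : lastname=…` string, copies only mapped attributes from an LDAP entry (so an unmapped telephoneNumber never reaches the profile), and falls back to mail, givenName and sn when a required field is unmapped or its mapped attribute yields no value. The LDAP entry and helper names are constructed for illustration.

```python
# Added example (not Clearvale code). Emulates the documented attribute
# mapping and fallback behaviour against a constructed LDAP entry.

# Default LDAP attributes used when a required mapping is missing or empty.
REQUIRED_DEFAULTS = {"contactemail": "mail", "firstname": "givenName", "lastname": "sn"}


def parse_mapping(mapping):
    """Turn 'a=x : b=y' into {'a': 'x', 'b': 'y'}; blank or malformed pairs are skipped."""
    result = {}
    for pair in mapping.split(":"):
        cv_attr, _, ldap_attr = pair.strip().partition("=")
        if cv_attr.strip() and ldap_attr.strip():
            result[cv_attr.strip()] = ldap_attr.strip()
    return result


def first_value(entry, attr):
    """LDAP attributes are multi-valued; return the first non-empty value, else None."""
    for value in entry.get(attr, []):
        if value:
            return value
    return None


def build_profile(entry, mapping):
    """Return the Clearvale profile fields that would be synchronized from one entry.

    Only mapped attributes are copied. A required field whose mapping is
    absent, or whose mapped attribute has no retrievable value, is filled
    from the default LDAP attribute instead.
    """
    profile = {}
    for cv_attr, ldap_attr in parse_mapping(mapping).items():
        value = first_value(entry, ldap_attr)
        if value is not None:
            profile[cv_attr] = value
    for cv_attr, default_attr in REQUIRED_DEFAULTS.items():
        if cv_attr not in profile:
            value = first_value(entry, default_attr)
            if value is not None:
                profile[cv_attr] = value
    return profile


# Constructed sample entry: it has no displayName, so a mapping of
# firstname=displayName falls back to givenName.
SAMPLE_ENTRY = {
    "mail": ["a.lee@example.com"],
    "givenName": ["Ada"],
    "sn": ["Lee"],
    "telephoneNumber": ["+1 555 0100"],
}
```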

Clearvale Attributes

The following profile attributes are defined by Clearvale:

Attribute         Clearvale Profile Attribute  Typical LDAP Attribute Name  Required?
firstname         First Name                   givenName                    Yes
lastname          Last Name                    sn                           Yes
firstname_pr      First Name Pronunciation
lastname_pr       Last Name Pronunciation
displayname       Display Name                 displayName
companyname       Company Name
briefdescription  Job Title                    title
department        Department
location          Location                     postalAddress
country           Country                      c / friendlyCountryName
interests         Interests
skills            Specialized in
contactemail      Contact email                mail                         Yes
mobileemail       Mobile Email
phone             Telephone                    telephoneNumber
mobile            Mobile phone                 mobile
website           My Website
skypeid           Skype ID
msnid             MSN
yahooid           Yahoo
aolimid           AOL IM

Using LDAP Groups

If you use LDAP groups, you can map an LDAP group to a Clearvale profile attribute.

  1. Configure your network to use LDAP as described above. You must enable LDAP for your network.
  2. Click Admin>Authentication>LDAP Groups.
  3. Enter the Clearvale profile attribute and the LDAP group name to map together.
  4. Specify how to evaluate group membership. You have two options:
    • Evaluate group memberships from user objects directly. With this option, you simply specify the name of the user attribute in LDAP that contains the user’s groups. This is the easiest approach, but not all LDAP servers support this option.
    • Evaluate group memberships from group objects indirectly. With this option, Clearvale checks all groups and finds the ones that contain the member. In this case, you need to specify the LDAP DN to search through the group object classes and the name of the group attribute in LDAP.
  5. Click Save.
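The two membership-evaluation options in step 4, as an added example that is not Clearvale code: option 1 reads a group-listing attribute on the user object, option 2 searches group objects under a base DN for ones that list the user. The in-memory directory, the DNs, and the attribute and class names (memberOf, member, groupOfNames) are constructed assumptions for illustration.

```python
# Added example (not Clearvale code). A constructed directory keyed by DN;
# attribute and object class names are common conventions, assumed here.
DIRECTORY = {
    "uid=alee,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=engineering,ou=groups,dc=example,dc=com"],
    },
    "uid=bkim,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],   # server does not expose memberOf
    },
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alee,ou=people,dc=example,dc=com"],
    },
    "cn=finance,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bkim,ou=people,dc=example,dc=com"],
    },
}


def groups_direct(directory, user_dn, user_attr="memberOf"):
    """Option 1: the user object itself carries an attribute listing its groups."""
    return sorted(directory.get(user_dn, {}).get(user_attr, []))


def groups_indirect(directory, user_dn, search_base, group_class, group_attr="member"):
    """Option 2: scan group objects under search_base and keep those naming the user."""
    base = search_base.lower()
    found = []
    for dn, entry in directory.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        if not in_scope or group_class not in entry.get("objectClass", []):
            continue
        if user_dn in entry.get(group_attr, []):
            found.append(dn)
    return sorted(found)


def mapped_profile_attributes(user_groups, group_to_attr):
    """Return the Clearvale profile attributes whose mapped LDAP group contains the user."""
    return sorted(attr for group, attr in group_to_attr.items() if group in user_groups)
```

Option 1 silently yields no groups for a user whose server does not populate the attribute, which is why the page notes that not all LDAP servers support it; option 2 still finds the membership from the group side.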

Logging Into a Network with LDAP Authentication

When a user is invited to the network, the user’s email address is searched for in the LDAP server. If the email address is found in the LDAP server, the user is prompted for an LDAP username and password. If the person is not in the LDAP server (for example, your LDAP server includes just employees and you invited a partner to your network), Clearvale adds the person to the Clearvale authentication server. When they log into the network in the future, Clearvale knows to use the Clearvale authentication server for this member instead of LDAP authentication.

Accessing Non-LDAP Authenticated Networks

You can use LDAP authentication on some networks and not on others. When an LDAP authentication service is added, Clearvale uses the email address for each member to link the member in the Clearvale user database with the member in the LDAP server. Someone who is a member of both a network that uses the default Clearvale authentication database and a network that uses LDAP is recognized as the same Clearvale user as long as the same email address is used on both networks. However, the username and password may be different for those two networks. For example, if you log into Clearvale Connect at http://cvc.clearvale.com or if you log into the www.clearvale.com website, you must specify your Clearvale username and password instead of your LDAP username and password. Neither of these websites is configured to use LDAP authentication.

If You Decide to Use LDAP After Your Network Has Members

Contact your service provider’s Support department for help. They can migrate your network to use LDAP authentication instead of Clearvale authentication. Once they update your network, members must sign in using their LDAP credentials.

If an Employee Leaves Your Company

If an employee leaves your company, you should delete them from the LDAP server and disable them in the network:

  • Once a user is disabled or deleted from LDAP, that user can no longer log into the network.
  • A network administrator should disable the user from the network by selecting Admin>Member Administration and setting the member’s network role as Disabled.

LDAP and SSL

If you want to use LDAP over SSL, contact your service provider for help configuring this for your system.