LDAP Configuration
The LDAP Interface, when enabled, provides the ability to configure LDAP settings within the RALS™ SYSTEM for one or more LDAP servers.
Sync Status
An LDAP configuration’s sync status will be in one of the following states:
Status | Notes |
---|---|
Successful | Last LDAP sync was successful |
Pending | LDAP sync is in progress |
Error | Last LDAP sync encountered an error due to any problem or failure other than a connection problem; when displayed, refer to the Last Failure Reason field for more information regarding the type of error |
Failed | Last LDAP sync failed due to a connection problem with the LDAP server |
Never Synced | No LDAP sync has ever been requested |
Sync Options
Sync options determine which action(s) the LDAP Interface will take when importing operators from an LDAP server. One or more of the following sync options may be selected for an LDAP configuration:
- Add Operators (see Adding Operators via the LDAP Interface for more information)
- Edit Operators (see Editing Operators via the LDAP Interface for more information)
- Activate Operators (see Activating Operators via the LDAP Interface for more information)
- Deactivate Operators (see Deactivating Operators via the LDAP Interface for more information)
Note that when Add Operators is selected, selections under Operator Defaults become available to view/edit.
Test Connection
A test connection exists in each LDAP configuration, which can be used to test connectivity to the LDAP server using the configuration’s connection settings.
When you perform a test connection, a message will be displayed with one of the following:
Message | Location | Notes |
---|---|---|
LDAP connection successful | Test Connection Result | Connection to the LDAP server was successful |
LDAP connection failed | Test Connection Result | Incorrect data has been entered in the Server, Port, and/or TLS field(s), or the LDAP server is unreachable or not responding |
LDAP invalid credentials | Test Connection Result | Incorrect data has been entered in the Authentication Type, Authentication DN, and/or Authentication Password field(s) |
Invalid connection entries are preventing the test connection | Snackbar Error Message | One or more Connection fields are in an invalid state (i.e. missing data) |
LDAP Filters
LDAP filters are used to refine the search selection, and they can be as broad or as narrow as necessary for any given LDAP configuration. Filtering begins at the configuration’s Base DN and is used in conjunction with the Search Scope to create the list of operators to return from the hospital’s LDAP system to the RALS™ SYSTEM.
Search Filter
The search filter is used to restrict the number of search objects that are returned via the LDAP Interface. The search filter field defaults to:
(&(objectCategory=person) (objectClass=user))
For an instance where you want to return only person entities (operators) under a specific department number, the search filter would be:
(&(objectCategory=person) (objectClass=user) (departmentNumber=<desired department number>))
For an instance where you want to return person entities (operators) across multiple Organizational Units, the search filter would be:
(&(objectCategory=person) (objectClass=user)
(|(memberOf=CN=OU=Security,OU=Groups,OU=VA-CLV,OU=America,OU=Sites,DC=alere,DC=com)
(memberOf=CN=OU=Distribution,OU=Groups,OU=CN-OTT,OU=America,OU=Sites,DC=alere,DC=com)))
Search Scope
The scope determines which part of the hospital’s LDAP system is to be searched. Search scope is required, and the options are limited to:
- Base: Includes the level specified by the base DN, excluding any levels below it
- One-Level: Includes only the level immediately below the base DN
- Subtree: Includes the base DN and all levels below it
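As an added illustration (not code from the RALS™ SYSTEM or its documentation), the following Python builds the search filters shown above from individual values, escaping each supplied value per RFC 4515 so that a department number or group DN containing `*`, `(` or `)` is matched literally and cannot alter the filter's structure, and maps the three Search Scope options to their RFC 4511 scope codes. The names `build_operator_filter`, `escape_filter_value` and `SearchScope` are this example's own assumptions.

```python
from enum import IntEnum
from typing import Iterable, Optional


class SearchScope(IntEnum):
    """RFC 4511 scope codes for the three Search Scope options (assumed helper)."""
    BASE = 0       # baseObject: only the entry at the Base DN
    ONE_LEVEL = 1  # singleLevel: entries immediately below the Base DN
    SUBTREE = 2    # wholeSubtree: the Base DN and every level below it


_SCOPE_LABELS = {"Base": SearchScope.BASE, "One-Level": SearchScope.ONE_LEVEL, "Subtree": SearchScope.SUBTREE}


def scope_from_label(label: str) -> SearchScope:
    """Map the configuration's Search Scope selection to its protocol scope code."""
    return _SCOPE_LABELS[label]


# RFC 4515 escapes for the characters that are structural inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot close or extend the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_operator_filter(department: Optional[str] = None, member_of: Iterable[str] = ()) -> str:
    """Return the person/user filter from above, narrowed by department and/or group membership."""
    terms = ["(objectCategory=person)", "(objectClass=user)"]
    if department is not None:
        terms.append(f"(departmentNumber={escape_filter_value(department)})")
    groups = [f"(memberOf={escape_filter_value(dn)})" for dn in member_of]
    if len(groups) == 1:
        terms.append(groups[0])
    elif groups:
        terms.append("(|" + "".join(groups) + ")")  # OR across several Organizational Units / groups
    return "(&" + "".join(terms) + ")"
```

The filters are emitted in compact form without whitespace between components.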
Operator Defaults
Operator defaults specify the default values for the RALS™ SYSTEM operator fields when operators are imported using the LDAP Interface. When an operator is added to the RALS™ SYSTEM using the LDAP Interface, the newly created operator’s fields will be set to the specified default values unless the LDAP configuration defines a specific mapping for a field (e.g. Home Location). Operator defaults are only applicable to the Add Operators sync option.
Note: A valid Home Location Optional Mapping will override the Home Location in Operator Defaults. However, if there is a failure with the mapped Home Location for added operators, the LDAP configuration will use the Home Location field located in Operator Defaults.
See Operators for more information about RALS™ SYSTEM operator fields.
LDAP Attribute Mappings
LDAP attribute mappings are used to map fields used in the hospital’s LDAP system to the RALS™ SYSTEM operator fields through common LDAP attributes. LDAP attribute mappings also allow the user to add text as a prefix and/or suffix at the individual attribute level and/or the overall generated text.
When an LDAP attribute mapping is created, the RALS™ SYSTEM will first apply any LDAP attribute’s prefix and suffix, then, if applicable, any RegEx match pattern and RegEx replace pattern to the individual attribute(s). Next, the individual attributes are combined in order from top to bottom. Then, any overall prefix and/or suffix are applied to the generated text, creating a combined value that is used to populate the specified operator field.
The following fields and sub-fields exist in required and optional LDAP attribute mappings:
Field | Sub-field | Notes |
---|---|---|
RALS Operator Field | | Maps a RALS™ SYSTEM operator field to LDAP server attribute(s); see Required Mappings and Optional Mappings for more information |
Prefix | | Text added to the beginning of the value generated from the combined LDAP attribute mappings for the RALS Operator Field |
LDAP Attributes | | Contains one or more attributes associated with field names on the LDAP server; used to generate a value for the RALS Operator Field specified in the mapping |
LDAP Attributes | Prefix | Text added to the beginning of a value generated based on the individual LDAP attribute associated with a field name on the LDAP server |
LDAP Attributes | LDAP Attribute | Individual attribute associated with a field name on the LDAP server |
LDAP Attributes | RegEx Match Pattern | Regular expression that defines the text which is to be matched and replaced by the substitutions and text in the RegEx Replace Pattern field; applied to the individual attribute associated with a field name on the LDAP server; see RegEx Patterns for more information |
LDAP Attributes | RegEx Replace Pattern | Consists of substitutions and text which replace the text specified in the RegEx Match Pattern field; applied to the individual attribute associated with a field name on the LDAP server; see RegEx Patterns for more information |
LDAP Attributes | Suffix | Text added to the end of a value generated based on the individual LDAP attribute associated with a field name on the LDAP server |
Suffix | | Text added to the end of the value generated from the combined LDAP attribute mappings for the RALS Operator Field |
RegEx Patterns
RegEx patterns are used to define text that is to be matched and replaced within an individual attribute.
The following are examples of RegEx patterns that can be used in an LDAP configuration’s attribute mappings:
Description | RegEx Match Pattern | RegEx Replace Pattern | Supplied Text | Resulting Text |
---|---|---|---|---|
Remove domain from email | ^(? | ${keep} | JohnDoe@yourorg.com | JohnDoe |
Remove @yourorg.com | (? | ${keep} | JohnDoe@yourorg.com-POCC | JohnDoe-POCC |
Replace characters | [!@] | Z | !JohnDoe@ | ZJohnDoeZ |
Keep first 8 alphabetical characters | ^(? | ${first8} | JohnADoe_User | JohnADoe |
No match (in the case where the RegEx does not match) | [0-9] | REPLACE_VALUE | JohnDoe | JohnDoe |
For attributes containing only 4 numerical characters, add 00 to the end | ^(? | ${val}00 | 1234 | 123400 |
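The processing order described under LDAP Attribute Mappings (attribute prefix/suffix, then RegEx, then top-to-bottom combination, then overall prefix/suffix) and the RegEx behaviour tabulated above, worked through as added example code that is not the RALS™ SYSTEM's implementation. It assumes named groups are written `(?P<name>...)` as Python requires and translates the `${name}` replacement syntax to Python's `\g<name>`; the full match patterns, the mappings and the sample directory entry are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample LDAP entry (not real data) as it might be returned by a search.
SAMPLE_ENTRY = {
    "mail": "JohnDoe@yourorg.com",
    "givenName": "John",
    "sn": "Doe",
    "departmentNumber": "1234",
}


@dataclass
class AttributeRule:
    """One row under LDAP Attributes: per-attribute prefix/suffix and optional RegEx."""
    attribute: str
    prefix: str = ""
    suffix: str = ""
    match: Optional[str] = None   # RegEx Match Pattern (None = no RegEx step)
    replace: str = ""             # RegEx Replace Pattern using ${name} substitutions


@dataclass
class FieldMapping:
    """Mapping for one RALS Operator Field with its overall prefix/suffix."""
    operator_field: str
    attributes: List[AttributeRule]
    prefix: str = ""
    suffix: str = ""


def _to_python_replacement(replace: str) -> str:
    # Translate the ${name} substitution syntax of the table into Python's \g<name>.
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replace)


def apply_regex(value: str, match: Optional[str], replace: str) -> str:
    """Replace every match of `match` in `value`; a non-matching RegEx leaves the value unchanged."""
    if match is None:
        return value
    pattern = re.compile(match)
    if pattern.search(value) is None:
        return value  # the documented "No match" case: supplied text passes through as-is
    return pattern.sub(_to_python_replacement(replace), value)


def render_attribute(entry: Dict[str, str], rule: AttributeRule) -> str:
    # Step 1: attribute-level prefix/suffix; step 2: RegEx applied to that decorated value.
    decorated = f"{rule.prefix}{entry.get(rule.attribute, '')}{rule.suffix}"
    return apply_regex(decorated, rule.match, rule.replace)


def render_mapping(entry: Dict[str, str], mapping: FieldMapping) -> str:
    # Step 3: combine the attributes top to bottom; step 4: overall prefix/suffix.
    combined = "".join(render_attribute(entry, rule) for rule in mapping.attributes)
    return f"{mapping.prefix}{combined}{mapping.suffix}"


# Constructed mappings; the match patterns are this example's own, not the page's.
MAPPINGS = [
    FieldMapping("Operator ID", [AttributeRule("mail", match=r"^(?P<keep>[^@]+)@.*$", replace="${keep}")]),
    FieldMapping("Name", [AttributeRule("sn", suffix=", "), AttributeRule("givenName")]),
    FieldMapping("Notes", [AttributeRule("departmentNumber", match=r"^(?P<val>[0-9]{4})$", replace="${val}00")], prefix="Dept "),
]


def sync_operator_fields(entry: Dict[str, str], mappings: List[FieldMapping] = MAPPINGS) -> Dict[str, str]:
    """Produce the RALS operator field values for one LDAP entry."""
    return {m.operator_field: render_mapping(entry, m) for m in mappings}
```

Note that the "Notes" mapping places "Dept " as the overall prefix rather than the attribute prefix; an attribute prefix would be decorated before the RegEx runs and the `^[0-9]{4}$` pattern would then no longer match.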
Required Mappings
Mappings to the following RALS™ SYSTEM operator fields are required for LDAP configurations, as they are required for all operators in the RALS™ SYSTEM:
- Name
- Operator ID
See Operators for more information about operator fields.
Optional Mappings
Mappings to the following RALS™ SYSTEM operator fields are optional for LDAP configurations:
- Fax
- Home Location
- Notes
- Phone
Notes:
- For a mapped Home Location, the LDAP Alias on a RALS™ SYSTEM location (not the location’s name) is used for matching to the location in the hospital’s LDAP system. A location will not be mapped by the LDAP Interface if it does not contain an LDAP Alias.
  - If the result of the mapped Home Location attribute successfully matches a RALS™ SYSTEM location’s LDAP Alias, then that location is saved as the Home Location in the synced operator’s record.
  - If the result of the mapped Home Location attribute is unsuccessful in matching a RALS™ SYSTEM location’s LDAP Alias, then that operator’s details will not be updated in the RALS™ SYSTEM.
  See Locations for more information about locations.
- A valid Home Location Optional Mapping will override the Home Location in Operator Defaults. However, if there is a failure with the mapped Home Location for added operators, the LDAP configuration will use the Home Location field located in Operator Defaults.
See Operators for more information about operator fields.
Institution Access
LDAP configurations are not institution-specific.
Adding
LDAP configurations can be manually added to the RALS™ SYSTEM. See Add Fields for more information.
Editing
LDAP configurations can be edited. See View or Edit Details Fields for more information.
Cloning
All LDAP configurations can be cloned. All values will be copied, except:
Field | Notes |
---|---|
Active | New LDAP configurations will be created as active |
Name | You will be prompted to enter a new one |
Sync Order | You will be prompted to enter a new one; defaults to next numeric value after the largest existing sync order |
Automatic Sync | Defaults to unselected |
Sync Status | Defaults to “Never Synced” |
Last Successful Sync Time | |
Last Attempted Sync Time | |
Last Failure Reason | |
Deactivating or Deleting
LDAP configurations can be deactivated, but not deleted. Deactivated LDAP configurations cannot be synced. A deactivated LDAP configuration can be reactivated.
Fields
LDAP configuration fields are located in the following places in the RALS™ SYSTEM:
Data Table Fields
When viewing LDAP configurations in a data table, the fields are defined as follows:
Field | Notes |
---|---|
General | |
Key | Unique identifier |
Active | An LDAP configuration can and will only be synced if it is active |
Automatic Sync | When enabled, automatic syncing of LDAP configurations is performed before automatic Operator Recertification, based on when Operator Recertification is configured to start |
Name | Name associated with the LDAP configuration |
Sync Options | See Sync Options for more information |
Sync Order | Numeric value which dictates the order in which multiple LDAP configurations are synced; configurations are synced in order from lower- to higher-numbered values |
Connection | |
Authentication DN | The distinguished name/user name used to authenticate to the LDAP server |
Authentication Type | Type of authentication used for the LDAP server; select one of the following options: Anonymous; Basic; Negotiated |
Base DN | The base distinguished name is the point (root) from which the LDAP server will start the search for the login authentication; ex.: “DC=Abbott, DC=Com”, “OU=Engineering, DC=Abbott, DC=Com”; see LDAP Filters for more information |
Port | The 16-bit port number used by the RALS™ SYSTEM in combination with the Server name or IP to communicate with the LDAP server |
Server | IP address or hostname of LDAP server |
TLS | Determines whether enhanced security protocols (TLS/SSL) will be used for the synchronization |
Disable Referral Chasing | Enables/disables chasing referrals when searching for operators across multiple domains |
LDAP Filters | |
Search Filter | Applied filter which serves to further narrow the search request; see LDAP Filters for more information |
Search Scope | Selection determines which part of the hospital’s LDAP system is to be searched; see LDAP Filters for more information |
Sync Status | |
Last Attempted Sync Time | Date and time when the LDAP configuration was last attempted to be synced |
Last Failure Reason | If the last LDAP configuration sync failed, the reason for failure will display |
Last Successful Sync Time | Date and time when the LDAP configuration was last successfully synced |
Sync Status | Status of the most recent sync; see Sync Status for more information |
Notes | |
Notes | Open text field that can be used at your discretion |
Add Fields
When adding an LDAP configuration, the fields are defined as follows:
Field | Notes |
---|---|
General | |
Name | Name associated with the LDAP configuration |
Sync Options | See Sync Options for more information |
Sync Order | Numeric value which dictates the order in which multiple LDAP configurations are synced; configurations are synced in order from lower- to higher-numbered values |
Automatic Sync | When enabled, automatic syncing of LDAP configurations is performed before automatic Operator Recertification, based on when Operator Recertification is configured to start |
Connection | |
Server | IP address or hostname of LDAP server |
Port | The 16-bit port number used by the RALS™ SYSTEM in combination with the Server name or IP to communicate with the LDAP server |
TLS | Determines whether enhanced security protocols (TLS/SSL) will be used for the synchronization |
Base DN | The base distinguished name is the point (root) from which the LDAP server will start the search for the login authentication; ex.: “DC=Abbott, DC=Com”, “OU=Engineering, DC=Abbott, DC=Com”; see LDAP Filters for more information |
Authentication Type | Type of authentication used for the LDAP server; select one of the following options: Anonymous; Basic; Negotiated |
Authentication DN | The distinguished name/user name used to authenticate to the LDAP server |
Password | The password used to authenticate to the LDAP server |
LDAP Filters | |
Search Filter | Applied filter which serves to further narrow the search request; see LDAP Filters for more information |
Search Scope | Selection determines which part of the hospital’s LDAP system is to be searched; see LDAP Filters for more information |
Operator Defaults | |
Home Location | Default home location for operators added via the LDAP Interface (unless a valid Home Location is mapped as an Optional Mapping); see Operator Defaults for more information |
Password | Default password for operators added via the LDAP Interface; see Operator Defaults for more information |
Role | Default role for operators added via the LDAP Interface; see Operator Defaults for more information |
Operator Language | Default language for operators added via the LDAP Interface; see Operator Defaults for more information |
Active | Default active selection for operators added via the LDAP Interface; see Operator Defaults for more information |
Access All Institutions | Default access all institutions selection for operators added via the LDAP Interface; see Operator Defaults for more information |
Access All Certification Groups | Default access all certification groups selection for operators added via the LDAP Interface; only displayed if certification groups are enabled; see Operator Defaults and Certification Group for more information |
Login Locked | Default login locked selection for operators added via the LDAP Interface; see Operator Defaults for more information |
Required Mappings | |
Name | RALS™ SYSTEM Operator Field mapping that is required for LDAP configurations; see LDAP Attribute Mappings for more information |
Operator ID | RALS™ SYSTEM Operator Field mapping that is required for LDAP configurations; see LDAP Attribute Mappings for more information |
Optional Mappings | |
Optional Mappings | RALS™ SYSTEM Operator Field mappings that are optional for LDAP configurations; see LDAP Attribute Mappings for more information |
Sync Status | |
Sync Status | Status of the most recent sync; see Sync Status for more information |
Last Successful Sync Time | Date and time when the LDAP configuration was last successfully synced |
Last Attempted Sync Time | Date and time when the LDAP configuration was last attempted to be synced |
Last Failure Reason | If the last LDAP configuration sync failed, the reason for failure will display |
Notes | |
Notes | Open text field that can be used at your discretion |
View or Edit Details Fields
When viewing or editing an LDAP configuration’s details, the fields are defined as follows:
Field | Notes |
---|---|
General | |
Name | Name associated with the LDAP configuration |
Sync Options | See Sync Options for more information |
Sync Order | Numeric value which dictates the order in which multiple LDAP configurations are synced; configurations are synced in order from lower- to higher-numbered values |
Automatic Sync | When enabled, automatic syncing of LDAP configurations is performed before automatic Operator Recertification, based on when Operator Recertification is configured to start |
Connection | |
Server | IP address or hostname of LDAP server |
Port | The 16-bit port number used by the RALS™ SYSTEM in combination with the Server name or IP to communicate with the LDAP server |
TLS | Determines whether enhanced security protocols (TLS/SSL) will be used for the synchronization |
Base DN | The base distinguished name is the point (root) from which the LDAP server will start the search for the login authentication; ex.: “DC=Abbott, DC=Com”, “OU=Engineering, DC=Abbott, DC=Com”; see LDAP Filters for more information |
Authentication Type | Type of authentication used for the LDAP server; select one of the following options: Anonymous; Basic; Negotiated |
Authentication DN | The distinguished name/user name used to authenticate to the LDAP server |
Password | The password used to authenticate to the LDAP server |
LDAP Filters | |
Search Filter | Applied filter which serves to further narrow the search request; see LDAP Filters for more information |
Search Scope | Selection determines which part of the hospital’s LDAP system is to be searched; see LDAP Filters for more information |
Operator Defaults | |
Home Location | Default home location for operators added via the LDAP Interface (unless a valid Home Location is mapped as an Optional Mapping); see Operator Defaults for more information |
Password | Default password for operators added via the LDAP Interface; see Operator Defaults for more information |
Role | Default role for operators added via the LDAP Interface; see Operator Defaults for more information |
Operator Language | Default language for operators added via the LDAP Interface; see Operator Defaults for more information |
Active | Default active selection for operators added via the LDAP Interface; see Operator Defaults for more information |
Access All Institutions | Default access all institutions selection for operators added via the LDAP Interface; see Operator Defaults for more information |
Access All Certification Groups | Default access all certification groups selection for operators added via the LDAP Interface; only displayed if certification groups are enabled; see Operator Defaults and Certification Group for more information |
Login Locked | Default login locked selection for operators added via the LDAP Interface; see Operator Defaults for more information |
Required Mappings | |
Name | RALS™ SYSTEM Operator Field mapping that is required for LDAP configurations; see LDAP Attribute Mappings for more information |
Operator ID | RALS™ SYSTEM Operator Field mapping that is required for LDAP configurations; see LDAP Attribute Mappings for more information |
Optional Mappings | |
Optional Mappings | RALS™ SYSTEM Operator Field mappings that are optional for LDAP configurations; see LDAP Attribute Mappings for more information |
Sync Status | |
Sync Status | Status of the most recent sync; see Sync Status for more information |
Last Successful Sync Time | Date and time when the LDAP configuration was last successfully synced |
Last Attempted Sync Time | Date and time when the LDAP configuration was last attempted to be synced |
Last Failure Reason | If the last LDAP configuration sync failed, the reason for failure will display |
Notes | |
Notes | Open text field that can be used at your discretion |
Sessions | See LDAP Sessions for more information |