LDAP integration features

Unica Platform integration with LDAP provides the features described in this section.

Authentication with LDAP integration

Unica applications query Unica Platform for user authorization information. When LDAP integration is implemented, users enter their valid LDAP user name and password for authentication to Unica applications.

Managing internal and external users

When integration is configured, you cannot add, modify, or delete the imported user accounts in Unica Platform. You must perform these management tasks on the LDAP side, and your changes will be imported when synchronization occurs. If you modify imported user accounts in Unica Platform, users may encounter problems with authentication.

Any user accounts you delete on the LDAP side are not deleted from Unica Platform. You should disable these accounts manually in Unica Platform. It is safer to disable these deleted user accounts rather than deleting them, because users have folder ownership privileges in Unica Campaign, and if you delete a user account that owns a folder, objects in that folder will no longer be available.

Synchronization

When Unica is configured to integrate with an LDAP server, users and groups are synchronized automatically at pre-defined intervals.

Automatic synchronization has limited functionality.

  • Users deleted from the LDAP server are not deleted during automatic synchronization.

You can force a full synchronization of all users and groups by using the Synchronize function in the Users area of Unica. Alternatively, you can contact Services to request that they set a hidden configuration property that causes the automatic synchronization to perform a full synchronization.

Importing users based on groups or attributes

You can choose one of two types of filtering to select the user accounts that are imported from the LDAP server into Unica Platform.

You must choose either group based or attribute based import; the two methods cannot be used at the same time.

Group based import

Unica Platform imports groups and their users from the directory server database through a periodic synchronization task that automatically retrieves information from the directory server. However, this periodic synchronization does not update the group memberships of users that have already been imported. To pick up membership changes, you must perform a manual synchronization.

Note: The LDAP groups must have a unique name even if the groups are configured for separate partitions.

You can assign Unica privileges by mapping an LDAP group to a Unica group. This mapping allows any new users added to the mapped LDAP group to assume the privileges set for the corresponding Unica group.

A subgroup in Unica Platform does not inherit the LDAP mappings or user memberships assigned to its parents.

Details for configuring group based import are provided in the remainder of this chapter.

Attribute based import

If you do not want to create groups in your LDAP server that are specific to Unica products, you can instead control which users are imported by specifying attributes. To do so, complete the following steps during the LDAP configuration process.

  1. Determine the string used in your LDAP server for the attribute on which you want to filter.
  2. Set the Platform | Security | LDAP synchronization | LDAP user reference attribute name property to DN.

    This indicates to Unica Platform that the synchronization is not based on a group with member references but is based on an Org Unit or an Org.

  3. When you configure the LDAP reference map property, set the Filter portion of the value to the attribute on which you want to search. For the Filter, use the string you determined in step 1.

When you use attribute based synchronization, every periodic synchronization is a full synchronization, unlike group based synchronization, where the periodic synchronization is partial. For attribute based synchronization, you should set the LDAP sync interval property to a high value, or set it to 0 to turn off automatic synchronization and rely on manual full synchronization when users are added to the directory.

About LDAP and partitions

In multi-partition environments, user partition membership is determined by the group to which the user belongs, when that group is assigned to a partition. A user can belong to only one partition. Therefore, if a user is a member of more than one LDAP group, and these groups are mapped to Unica groups that are assigned to different partitions, the system must choose a single partition for that user.

You should try to avoid this situation. However, if it occurs, the partition of the Unica group most recently mapped to an LDAP group is the one that the user belongs to. To determine which LDAP group was most recently mapped, look at the LDAP group mappings displayed in the Configuration area. They are displayed in chronological order, with the most recent mapping listed last.

Support for internal and external users

Unica supports two types of user accounts and groups.

  • Internal - User accounts and groups that are created within Unica using the Unica security user interface. These users are authenticated through Unica Platform.
  • External - User accounts and groups that are imported into Unica through synchronization with a supported LDAP server. This synchronization occurs only if Unica has been configured to integrate with the LDAP server. These users are authenticated through the LDAP server.

You may want to have both types of users and groups if, for example, you want to give your customers access to Unica applications without adding them to your LDAP server as full corporate users.

Using this hybrid authentication model requires more maintenance than a pure LDAP authentication model does.

Special characters in login names

Only three special characters are allowed in login names: dot (.), underscore (_), and hyphen (-). If the login name of a user you plan to import into Unica Platform from your LDAP server contains any other special character (including a space), change the login name before the import; otherwise the user may encounter issues when logging out or, if the user has administration privileges, when performing administrative tasks.
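The following pre-import audit script is an added example, not part of Unica Platform or this documentation. It applies three rules from this chapter to constructed sample data: the allowed login-name characters described above, the "most recently mapped group wins" partition rule from "About LDAP and partitions", and the advice to disable (not delete) external accounts that were removed on the LDAP side. Group mappings are simplified to (LDAP group, partition) pairs in the order they were created; all names and group DNs are constructed.

```python
import re

# Only letters, digits, dot, underscore and hyphen are allowed in login names.
LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample data (not from any real directory).
LDAP_USERS = ["j.doe", "a_smith", "mary-jones", "bob jones", "o'neil"]
USER_GROUPS = {                      # login -> LDAP groups the user belongs to
    "j.doe": ["cn=marketing"],
    "a_smith": ["cn=marketing", "cn=sales"],   # member of two mapped groups
    "mary-jones": ["cn=sales"],
}
# (LDAP group, partition) in the order the mappings were created; most recent last.
GROUP_MAPPINGS = [("cn=marketing", "partition1"), ("cn=sales", "partition2")]
PLATFORM_EXTERNAL_USERS = ["j.doe", "a_smith", "mary-jones", "old_user"]


def invalid_login_names(ldap_users):
    """Login names that must be renamed before import."""
    return [u for u in ldap_users if not LOGIN_RE.match(u)]


def resolve_partitions(user_groups, group_mappings):
    """Assign each user one partition; on conflict the most recently mapped group wins.

    Returns (assignments, conflicts) where conflicts lists users whose groups map
    to more than one partition, i.e. the situation the chapter says to avoid.
    """
    partition_of = dict(group_mappings)
    rank = {g: i for i, (g, _) in enumerate(group_mappings)}  # later = higher rank
    assigned, conflicts = {}, []
    for login, groups in user_groups.items():
        mapped = [g for g in groups if g in rank]
        if not mapped:
            continue  # user is in no mapped group, so no partition is derived
        if len({partition_of[g] for g in mapped}) > 1:
            conflicts.append(login)
        assigned[login] = partition_of[max(mapped, key=lambda g: rank[g])]
    return assigned, conflicts


def accounts_to_disable(platform_external_users, ldap_users):
    """External accounts still in Platform but gone from LDAP: disable, don't delete."""
    return sorted(set(platform_external_users) - set(ldap_users))


def audit():
    assigned, conflicts = resolve_partitions(USER_GROUPS, GROUP_MAPPINGS)
    return {"rename": invalid_login_names(LDAP_USERS),
            "partitions": assigned, "conflicts": conflicts,
            "disable": accounts_to_disable(PLATFORM_EXTERNAL_USERS, LDAP_USERS)}
```

Run `audit()` against an export of your directory and Platform user lists before enabling synchronization; the conflict list is the one to resolve on the LDAP side rather than by relying on mapping order.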