Integrating with LDAP

Overview

You can integrate QueryPie with an LDAP server for user authentication and for user and group management.

LDAP Integration and Synchronization Configuration

Navigate to the Administrator > General > User Management > Authentication menu, then select LDAP in the Authentication Type field to enable the configuration inputs for LDAP integration.

Warning: After you select an Authentication type and synchronize users, the authentication type can no longer be changed.
Please contact us through the Customer Portal to change the authentication method.

Administrator > General > User Management > Authentication > LDAP

Basic User Integration Configuration

Enter the basic authentication information and attribute information for LDAP integration. In the Attribute mapping fields, the field name is the QueryPie User attribute name, and the value you enter is the name of the LDAP attribute to reference. For detailed descriptions, please refer to the items below.

Group Integration Configuration

To synchronize user group information and membership information from LDAP, activate the Use Group option and enter the required information. For detailed descriptions, please refer to the items below.

| Attribute | Required | Description |
|---|---|---|
| Group Base DN | Required | Enter the Group Base DN value of the LDAP server. Example: dc=example,dc=com |
| Group Search Filter | Required | Enter the filter value to retrieve groups. Example: objectclass=posixGroup |
| Membership Type | Required | If group information is included in users, select Include group information in user entries and enter the Attribute to reference in the field below. Example: member, uniqueMember, memberUid, etc. If user information is included in groups, select Include user information in group entries and enter the Attribute to reference in the field below. Example: gidNumber |
| Group ID | Required | Enter the attribute value to use as the group identifier. Example: gidNumber |
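The Membership Type and Group ID settings determine which users land in which group, so the same directory can yield different memberships depending on the direction chosen. The following is an added example, not QueryPie code: it resolves membership both ways over a constructed RFC 2307 sample, where memberUid is stored on group entries and gidNumber on both user and group entries. The names parse_ldif, resolve_memberships and SAMPLE_LDIF are hypothetical.

```python
# Constructed sample data (RFC 2307 posixAccount / posixGroup), not from a real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
gidNumber: 5001

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
gidNumber: 5002

dn: cn=dba,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: dba
gidNumber: 5001
memberUid: bob
memberUid: carol

dn: cn=dev,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: dev
gidNumber: 5002
"""

def parse_ldif(text):  # simple LDIF only: no line folding, no base64 values
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for name, _, value in (ln.partition(": ") for ln in block.splitlines()):
            entry.setdefault(name.lower(), []).append(value)
        entries.append(entry)
    return entries

def resolve_memberships(entries, stored_on, attr, group_id="gidNumber"):
    """Return {group cn: [uids]}; stored_on names the entry type that carries attr."""
    if stored_on not in ("group", "user"):
        raise ValueError("stored_on must be 'group' or 'user'")
    groups = [e for e in entries if "posixGroup" in e.get("objectclass", [])]
    users = [e for e in entries if "posixAccount" in e.get("objectclass", [])]
    known = {u["uid"][0] for u in users}
    result = {}
    for g in groups:
        if stored_on == "group":
            uids = {m for m in g.get(attr.lower(), []) if m in known}  # drop dangling refs
        else:
            ids = set(g.get(group_id.lower(), []))
            uids = {u["uid"][0] for u in users if ids & set(u.get(attr.lower(), []))}
        result[g["cn"][0]] = sorted(uids)
    return result
```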

LDAP User Synchronization Configuration

To execute user information synchronization from LDAP server, activate the Use Synchronization with the Authentication System option.

  • Replication Frequency : Sets whether to use automatic synchronization functionality.
    • Manual : Performs synchronization only manually. User information is retrieved from LDAP server only when clicking the Synchronize button on the current page.
    • Scheduling : Performs synchronization periodically. The Use cron expression field below is activated.
  • Make New Users Inactive by Default : Selects whether to add new users in inactive status during synchronization.
    • Activate this option when there are many users to synchronize or when you want to individually manage QueryPie access through LDAP authentication for users.
  • Use an Attribute for Privilege Revoke : Selects whether to revoke Privileges according to specific Attributes during synchronization.
    • Activate this option when you want to automatically revoke DAC Privileges due to changes in specific LDAP Attributes.
    • In the LDAP Attribute input field, enter the name of the Attribute to monitor for activation changes.
  • Enable Attribute Synchronization : Selects whether to map and synchronize LDAP user attributes with QueryPie user attributes.
    • Activate this option when you want to automatically link user attributes managed in LDAP with Attributes within QueryPie.
    • When the option is activated, LDAP Attribute Mapping UI is displayed below, and you can specify LDAP Attributes and QueryPie Attributes to link through mapping operations.
    • However, this functionality only applies to Attributes where Source Priority is set to Inherit from profile source in Profile Editor.

LDAP Attribute Mapping

To map and synchronize user attributes managed in LDAP with Attributes within QueryPie, activate the Enable Attribute Synchronization option and enter the information below.

Click the Add Row button in the top right corner to add a new mapping row, and you can specify QueryPie Attributes corresponding to LDAP Attributes for each row.

  1. This functionality only applies to QueryPie Attributes where Source Priority is set to Inherit from profile source in Admin > General > User Management > Profile Editor.
  2. QueryPie Attributes Username (loginId) and Primary Email (email) are entered separately during LDAP integration configuration, so these items are not exposed in the LDAP–QueryPie Attribute Mapping UI.
  3. When deleting or changing mapping rows, you must click Save Changes for the changes to be reflected in the UI, and you must additionally click Synchronize for the actual synchronization with LDAP to be performed. That is, Save Changes applies the change on screen, and Synchronize applies it to the system.

| Column Name | Required | Description |
|---|---|---|
| Checkbox | Optional | Checkbox for selecting mapping rows. When a row is selected, a Delete button appears in the top left corner. |
| LDAP Attribute | Required | Enter the LDAP Attribute to link. Example: manager, mobile, etc. |
| QueryPie Attribute | Required | Select the QueryPie Attribute to map to. Only items set to Inherit from profile source in Profile Editor are displayed in the list, with both Display Name and Variable Name shown. Example: Manager ID (managerId), Mobile Phone (mobilePhone), etc. |

After completing mapping and performing synchronization, linked Attributes can be checked in Profile Editor and User Profile.

  • Profile Editor
    • In Admin > General > User Management > Profile Editor, linked Attributes are displayed in the following status.
      • Source Priority : Fixed to Inherit from profile source.
      • Status : Disabled in an unmodifiable state.
      • For Custom Attributes : Display Name, Description, and Status are all unmodifiable, and the checkbox is disabled and displayed in a non-deletable state.
  • User Profile
    • In Administrator > General > User Management > Users > User Detail Page > User Profile, linked Attributes are displayed in the following status.
      • Appears in a read-only state that cannot be modified.
        • For example, if the Primary Email (email) value is linked to regan@querypie.com, it cannot be directly modified in the UI and can only be changed in LDAP.

Other Settings and Synchronization

  • Anonymous : Sets whether anonymous users can authenticate. (True or False)
  • Dry Run : Clicking the Dry Run button allows you to preview the results if synchronization is performed based on the currently entered configuration information. (Regardless of whether the currently entered information is saved)
  • Clicking Save Changes saves the entered configuration information to QueryPie.
  • Clicking the Synchronize button performs synchronization based on the currently entered configuration information. (Only activated after saving the currently entered configuration information)
    • Clicking the icon button allows you to view the previous synchronization history.
    • If there are failed items during individual synchronization, the Progress Bar is displayed in yellow.
    • Failure logs are displayed with a ❌ icon. Clicking the log allows you to check detailed error messages.

Information

  • Users and groups support one-way synchronization from LDAP → QueryPie. Synchronized users and groups cannot be modified or deleted within QueryPie.
  • From version 10.2.1, user synchronization has been improved to process individual users and groups.

LDAP Authentication Login in QueryPie

  1. You can check synchronized users and groups in Administrator > General > User Management > Users or Groups menu.
  2. Now you can log in by entering LDAP authentication information in the ID and Password fields on the login page.