Migrate existing users to LDAP attributes

LDAP Authentication is based on the end user's Mapping ID. When migrating existing users to LDAP authentication and the mail attribute is used, each end user's Mapping ID must contain that user's email address from Active Directory. To migrate existing users to use LDAP attributes, complete the following tasks:
  • Configure the LDAP Attribute option in the BlackBerry AtHoc management system and enter the attribute, as described in Organization configuration.
  • Update the Mapping ID for each end user. For example, when using the LDAP mail attribute, set the Mapping ID to the value of the user's email address in Active Directory.
  • Restart the desktop app.
When the desktop app starts, it receives instructions from the server about the LDAP attribute to use. The desktop app then queries Active Directory for the value of that attribute for the local user. In order for the desktop app to query Active Directory, users must have at least read-only permission to their Active Directory. The desktop app sends the value of the attribute to the server. The server performs a user search where the Mapping ID in each user record is compared to the attribute value. If a match is found, the desktop app is connected to the user record in the system and the user can then receive alerts that are targeted to them.
If the LDAP attribute values have not been synchronized to the Mapping ID field, or if the value is not matched to an existing user in the BlackBerry AtHoc system, a new user is created. Starting with BlackBerry AtHoc server version 7.0.0.1 there is a "Create new user if an account is not found" option that is not selected by default. This is to prevent desktop apps from creating a user, and to prevent the desktop app from creating duplicate users when a user's Mapping ID has not been set correctly. Select this option to enable the desktop app to create users.
If the desktop app cannot query Active Directory, it waits until it can (Windows), or it tries to connect using the Windows domain and username authentication method (Mac). The desktop app caches the designated attribute in the registry (Windows) or in UserDefaults (Mac), and uses the cached copy if access to Active Directory fails.
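The following is an added example, not BlackBerry AtHoc code, that models the flow described above so an administrator can reason about it before migrating: the desktop app resolves the configured attribute (falling back to its cached copy when the directory is unreachable), the server searches user records by Mapping ID, and the "Create new user if an account is not found" option decides what happens on a miss. The class and function names, the in-memory stand-ins for Active Directory and the registry/UserDefaults cache, and the assumption that Mapping IDs are compared after trimming and case-folding are all constructed for this example; the real server's comparison rules are not stated on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class UserRecord:
    """One user record in the management system (constructed stand-in)."""
    username: str
    mapping_id: str

@dataclass
class MatchResult:
    action: str              # "connected", "created", "rejected" or "waiting"
    user: Optional[UserRecord]

@dataclass
class AtHocServer:
    """Minimal model of the server-side user search; not BlackBerry's code."""
    ldap_attribute: str = "mail"        # attribute chosen under Organization configuration
    create_if_not_found: bool = False   # the 7.0.0.1 option, off by default
    users: list = field(default_factory=list)

    @staticmethod
    def normalize(value: str) -> str:
        # Assumption: Mapping IDs are compared after trimming and case-folding.
        return value.strip().casefold()

    def find_by_mapping_id(self, attribute_value: str) -> list:
        wanted = self.normalize(attribute_value)
        return [u for u in self.users if self.normalize(u.mapping_id) == wanted]

    def handle_attribute(self, attribute_value: str) -> MatchResult:
        """Compare the attribute value the desktop app sent against every Mapping ID."""
        matches = self.find_by_mapping_id(attribute_value)
        if matches:
            return MatchResult("connected", matches[0])
        if not self.create_if_not_found:
            # Default since 7.0.0.1: an unmatched Mapping ID must not spawn a new user.
            return MatchResult("rejected", None)
        new_user = UserRecord(username=attribute_value, mapping_id=attribute_value)
        self.users.append(new_user)
        return MatchResult("created", new_user)

@dataclass
class DesktopApp:
    """Model of the desktop app's attribute lookup and local cache."""
    directory: dict                      # constructed stand-in for AD: user -> {attr: value}
    cache: dict = field(default_factory=dict)   # stands in for the registry / UserDefaults copy
    ad_reachable: bool = True

    def resolve_attribute(self, local_user: str, attribute: str) -> Optional[str]:
        if self.ad_reachable:
            value = self.directory.get(local_user, {}).get(attribute)
            if value is not None:
                self.cache[attribute] = value   # refresh the cached copy on success
            return value
        return self.cache.get(attribute)        # AD unreachable: use the cached copy, if any

def migrate_and_connect(server: AtHocServer, app: DesktopApp, local_user: str) -> MatchResult:
    """One desktop-app start: fetch the attribute, send it, let the server match it."""
    value = app.resolve_attribute(local_user, server.ldap_attribute)
    if value is None:
        return MatchResult("waiting", None)   # nothing to send yet; the app retries later
    return server.handle_attribute(value)

def duplicate_mapping_ids(server: AtHocServer) -> dict:
    """Pre-migration check: Mapping IDs shared by more than one record."""
    seen: dict = {}
    for u in server.users:
        seen.setdefault(server.normalize(u.mapping_id), []).append(u.username)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    server = AtHocServer(users=[UserRecord("jdoe", "jdoe@example.com")])
    app = DesktopApp(directory={"jdoe": {"mail": "JDoe@Example.com"}})
    print(migrate_and_connect(server, app, "jdoe").action)   # connected
    print(duplicate_mapping_ids(server))                      # {}
```

Run `duplicate_mapping_ids` against the exported user list before turning the "Create new user" option back on: a Mapping ID that was set on two records is exactly the situation in which the desktop app would otherwise attach to the wrong record or create duplicates.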