How to Configure LDAP / Active Directory Authentication in Office Chat?

As part of your Office Chat Enterprise subscription, your users can be authenticated through LDAP and Active Directory. This article will step you through the process by answering:

Where can I find the LDAP configuration settings in the Admin Portal?

  1. Using the Web Client, go to the Admin Portal, click on ‘Integration’, and under ‘Single Sign-On’ enable the checkbox “Active Directory/LDAP Integration”.

What access do you need to integrate your active directory / LDAP server?

  • Your firewall must allow inbound connections to your directory server from the IP address 50.16.226.155 (the address Office Chat connects from).
  • Open LDAP port 389 and/or secure LDAP (LDAPS) port 636 for that address. Prefer 636: a simple bind over plain LDAP on 389 sends the bind password in clear text, so both the Administrator DN password and your users’ login passwords would cross the internet unencrypted.


What do all the fields mean in Connection Settings of the LDAP/AD configuration Page?

To go through each choice and setting one-by-one:

  • Server Type & Account Suffix:  You have a choice between “Active Directory” and “OpenLDAP” servers. Choosing “Active Directory” enables the additional “User Setting” section where you define the account suffix (UPN Suffix) that is configured for your AD.
  • Host Name & Port:  The host name of the server where your AD/LDAP is hosted, for example ldap.example.com, and the port your directory server listens on: 389 (plain LDAP) or 636 (LDAP over SSL/TLS).
  • Base DN:  The root distinguished name (DN) under which Office Chat searches for users. Example: ou=people,dc=example,dc=com
  • Groups Base DN:  The distinguished name under which Office Chat searches for groups, for example ou=groups,dc=example,dc=com.
  • UPN Suffix:  The account (UPN) suffix appended to every username during Active Directory authentication, e.g. @company.local. Include the leading @.
  • Administrator DN & Password:  The distinguished name and password of the account Office Chat binds with to connect to and search the directory. It only needs to search and read, so use a dedicated service account with read-only rights rather than a Domain Admin: these credentials are stored by Office Chat and used from its servers.

For Step 2 of Configuration, what do I put in each of the fields?


Note: All mapped profile fields are synced when a user logs in or a manual sync is performed.

  • Username:  The directory attribute on which username lookups are performed. If left empty, the default is uid. Active Directory users should use sAMAccountName.
  • Full Name:  Users’ full names.
  • Email:  Users’ emails.
  • Title:  Users’ position titles.
  • Work Landline:  The mapping for users’ work landline telephone number.
  • Desk Extension: The mapping for users’ work desk extension numbers.
  • Work Mobile:  The mapping for users’ work mobile phone numbers.
  • Home Landline:  The mapping for users’ home landline telephone numbers.
  • Fax Number:  The mapping for fax information.
  • User Object Filter:  Restricts which directory entries are treated as users, and therefore how many users are permitted to access Office Chat. In essence, the filter limits what part of the LDAP tree Office Chat syncs from. The most common use is to limit the entries to users by objectClass. For example, a reasonable filter for a default Active Directory installation is:

(objectClass=organizationalPerson)

When combined with the username lookup, the search actually executed at login is:

(&(sAMAccountName={0})(objectClass=organizationalPerson))

Write the filter around the membership you actually want. This ensures that you do not flood your Office Chat domain with users who do not need access to your content. When constructing a filter, pick an attribute common to the set of users you want to allow into Office Chat. For example, if those users are distinguished by having two objectClass values (one equal to ‘person’ and another equal to ‘user’), the filter is:

(&(objectClass=person)(objectClass=user))

Notice the ampersand ‘&’ at the start. Translated, this means: search for objectClass=person AND objectClass=user.

Alternatively, (|(objectClass=person)(objectClass=user))

Translated, this means: search for objectClass=person OR objectClass=user.

The pipe ‘|’ denotes OR. Neither & nor | is a special character inside a filter and neither needs escaping; the characters that must be escaped when they occur inside a value are *, (, ), \ and NUL, written \2a, \28, \29, \5c and \00 (RFC 4515).

If you know that only some of the users in your LDAP database should be known to the application, one way to get that subset is to create an LDAP department (such as ‘managementteam’) and then filter on that department attribute. Here’s an example:

(&(objectClass=uidObject)(department=managementteam))

This way you don’t have to create any new OUs or move records around. You can simply modify department membership attributes on the user, something the LDAP administrator can do.

Where can I find references on LDAP filter syntax?

Although there are innumerable sites on the internet that cover some aspect of LDAP filter syntax, two examples are:

Customer user filters range from very simple to very complex. Here are two examples. Notice that one customer differentiates by “postalCode” and another by various “useraccountcontrol” values. Be aware that each decimal useraccountcontrol value is one exact combination of flag bits (512 is a normal enabled account, 544 adds “password not required”, 66048 adds “password never expires”), so such a list admits only the enumerated combinations: an enabled account with any other flag set is silently dropped, and disabled accounts are excluded only because none of the listed values carries the disabled bit (2). Active Directory’s bitwise matching rule lets a filter test individual bits instead of enumerating whole values.

  • (&(&(|(useraccountcontrol=512)(useraccountcontrol=544)(useraccountcontrol=66048))(mail=*.*)(postalCode=FS)))
  • (&(|(useraccountcontrol=512)(useraccountcontrol=544)(useraccountcontrol=66048)(useraccountcontrol=4194816)(useraccountcontrol=4260352))(mail=*.*))
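To see what those numeric lists actually admit, here is an added Python example. It is not Office Chat’s code (the page does not say how Office Chat evaluates filters): it decodes userAccountControl values into their flag names, shows which enabled accounts an enumerated allow-list silently drops, and builds the equivalent filter with Active Directory’s bitwise matching rule (OID 1.2.840.113556.1.4.803) instead of listed values. The 514, 66080 and 262656 values in the demo are constructed.

```python
"""Added example, not Office Chat code: decode Active Directory userAccountControl
values, show what the enumerated allow-lists above really admit, and build the
bit-test filter that says "enabled user" regardless of other flags."""

# Flag bits of userAccountControl (Microsoft ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match supported by Active Directory.
BIT_AND = "1.2.840.113556.1.4.803"

# The decimal values enumerated in the second customer filter above.
ALLOW_LIST = (512, 544, 66048, 4194816, 4260352)


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def is_enabled_user(value: int) -> bool:
    """An ordinary, enabled user: NORMAL_ACCOUNT set and ACCOUNTDISABLE clear."""
    return bool(value & 0x200) and not value & 0x2


def enabled_users_filter(extra: str = "(mail=*)") -> str:
    """Same intent as the allow-lists above without enumerating values: AD bit-tests
    NORMAL_ACCOUNT (512) set and ACCOUNTDISABLE (2) clear, so an enabled user with,
    say, DONT_EXPIRE_PASSWORD and PASSWD_NOTREQD both set is still matched, and a
    disabled account never is."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND}:=512)"
            f"(!(userAccountControl:{BIT_AND}:=2)){extra})")


def missed_by_allow_list(candidates, allow_list=ALLOW_LIST) -> list:
    """Enabled users whose userAccountControl is not in the allow-list: they silently
    lose access under the enumerated filter although nothing is wrong with them."""
    return [v for v in candidates if is_enabled_user(v) and v not in allow_list]


if __name__ == "__main__":
    for v in ALLOW_LIST:
        print(f"{v:>8} = {' | '.join(decode_uac(v))}")
    # Constructed values: 514 is a disabled account, 66080 is enabled with
    # DONT_EXPIRE_PASSWORD and PASSWD_NOTREQD, 262656 is enabled and smartcard-required.
    print("disabled 514 admitted?", is_enabled_user(514))
    print("dropped by allow-list:", missed_by_allow_list([514, 66080, 262656]))
    print(enabled_users_filter())
```

Run it once against the values in your own filter before saving: any enabled account whose decoded flags differ from the listed combinations will not be synced.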

What tools can I use to troubleshoot the LDAP filter for too few or too many users?

We use the command-line tool ldapsearch (part of the OpenLDAP client utilities). Other command-line and graphical utilities exist. Please let us know if you have a specific question about setting up your LDAP filter.
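The following is an added Python example, not Office Chat’s or OpenLDAP’s code, tying the filter discussion above to this troubleshooting step. It composes the login search from the Username attribute, the username and the User Object Filter, escaping the username per RFC 4515 (whatever substitutes the username for {0} must do this, otherwise a crafted username can rewrite the filter); it parses a filter to confirm it is well formed; and it prints the ldapsearch invocation that runs the same query so you can count how many users match. The host name, service-account DN, usernames and LDIF sample are made up.

```python
"""Added example, not Office Chat code: build the login search the page describes,
check that a filter is well formed (RFC 4515), and print the ldapsearch command that
runs the same query. Host names, DNs, usernames and LDIF below are placeholders."""
import shlex

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed `ldapsearch -LLL` output for two matched users (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=People,DC=example,DC=com
sAMAccountName: jdoe

dn: CN=Sam Roe,OU=People,DC=example,DC=com
sAMAccountName: sroe
"""


def escape_filter_value(value: str) -> str:
    """Escape a value (e.g. the username substituted for {0}) so it stays one value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter(username_attr: str, username: str, user_object_filter: str) -> str:
    """The search executed at login: username lookup AND the User Object Filter."""
    return f"(&({username_attr}={escape_filter_value(username)}){user_object_filter})"


def parse_filter(text: str):
    """Parse an RFC 4515 filter into nested tuples, raising ValueError if malformed:
    ('&'|'|', [children]), ('!', [child]) or (attribute, operator, value)."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(text):
            raise ValueError("truncated filter")
        op = text[i]
        if op in "&|":
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if not children:
                raise ValueError(f"empty {op!r} list at offset {i}")
            node = (op, children)
        elif op == "!":
            child, i = parse(i + 1)
            node = ("!", [child])
        else:
            end = text.find(")", i)
            if end == -1:
                raise ValueError("unterminated comparison")
            item = text[i:end]
            # ':=' is the extensible match used with AD's bitwise matching rules.
            for sep in ("~=", ">=", "<=", ":=", "="):
                attr, found, value = item.partition(sep)
                if found:
                    break
            else:
                raise ValueError(f"no comparison operator in {item!r}")
            if not attr or "(" in value:
                raise ValueError(f"malformed comparison {item!r}")
            node, i = (attr, sep, value), end
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return node, i + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError(f"trailing characters at offset {end}")
    return node


def is_well_formed(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def ldapsearch_argv(host, port, bind_dn, base_dn, search_filter, attrs=("sAMAccountName",)):
    """OpenLDAP ldapsearch equivalent of the Office Chat search. Port 636 selects ldaps://;
    -W prompts for the bind password instead of -w, which would leave it in shell
    history and process listings."""
    scheme = "ldaps" if port == 636 else "ldap"
    return ["ldapsearch", "-x", "-LLL", "-H", f"{scheme}://{host}:{port}", "-D", bind_dn,
            "-W", "-b", base_dn, "-s", "sub", search_filter, *attrs]


def count_entries(ldif: str) -> int:
    """Entries in -LLL output: one 'dn:' line per matched object."""
    return sum(1 for line in ldif.splitlines() if line.startswith("dn:"))


if __name__ == "__main__":
    user_filter = "(objectClass=organizationalPerson)"
    print(login_filter("sAMAccountName", "jdoe", user_filter))
    # Unescaped, this username turns the two-term login search into one that matches
    # everyone; escaped, it stays a single (non-matching) value.
    hostile = "*)(objectClass=*)(cn=*"
    raw = f"(&(sAMAccountName={hostile}){user_filter})"
    safe = login_filter("sAMAccountName", hostile, user_filter)
    print("terms unescaped:", len(parse_filter(raw)[1]), "escaped:", len(parse_filter(safe)[1]))
    print(shlex.join(ldapsearch_argv("ldap.example.com", 636,
                                     "CN=officechat,OU=Service Accounts,DC=example,DC=com",
                                     "DC=example,DC=com", user_filter)))
    print("entries in sample output:", count_entries(SAMPLE_LDIF))
```

Paste the printed ldapsearch line into a shell on a host that can reach the directory, enter the service-account password at the prompt, and compare the number of dn: lines with the number of users Office Chat syncs; if they differ, the filter, Base DN or bind account is the problem.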

How often should I manually synchronize my LDAP configuration?

Since the changes to your LDAP users are applied every day, there’s no need to manually synchronize unless you’ve made changes to your users that you want to see in Office Chat right away.

Can I “Suspend” or “Change Users’ Passwords” in Office Chat when Authenticating through LDAP?

When LDAP is enabled, it controls all users in your domain. Suspending users or changing their passwords in Office Chat does not affect LDAP users; it only affects guest users or network users who are not part of your LDAP. To cut off an LDAP user’s access, disable the account in the directory or exclude it with the User Object Filter; the next sync then deactivates the user in Office Chat (when the activate/deactivate sync setting is enabled).

Do LDAP settings overwrite mapped values that user may have changed in Office Chat on Sync?

LDAP, for the most part, is treated as the master record of user data when synchronizing with Office Chat. Mapped user data that users may have changed in Office Chat will be overwritten with their LDAP mapped field when an LDAP sync occurs. So fields like “User Name”, “Email”, “Title” and “Work Landline” that are Office Chat fields will be overwritten by their LDAP mappings.

How do I log in once LDAP is configured?

Users log in to Office Chat with their directory username (the attribute mapped as Username, e.g. sAMAccountName or uid) and their LDAP password. Passwords are controlled by LDAP, so neither users nor admins can change passwords from Office Chat; passwords must be changed in LDAP.

When and how frequently is AD synchronized with Office Chat?

Office Chat can sync automatically with AD either once a day or every hour. The daily sync runs at approximately 1:00 AM Pacific Time. To set autosync for AD:

  1. Go to the “Admin Portal” -> “Single Sign-On” -> “LDAP / AD” page.
  2. If your configuration has already been saved, at the very bottom of the page place a check in “Auto-sync Office Chat with enterprise AD/LDAP”, choose between once a day and every hour, and click “Save”.

 

Please note that the hourly sync includes the following:
1. Users are activated/deactivated (if that setting is enabled).
2. New users are created.
3. New groups are created.
4. Email address and sAMAccountName changes are applied.

Once every 24 hours, a full sync will be performed that will include everything.

Can I restrict login based on IP addresses?

Yes, with Office Chat Enterprise plan you can set an IP range for your network to only allow employees to access Office Chat from your office network or from behind a VPN.

To help protect your organization’s data from unauthorized access, you can specify a list of IP addresses from which users can log in. Users outside of the specified login IP ranges cannot access your domain.

To restrict access on a single or on multiple IP ranges refer to the diagrams and steps below:

  1.  Go to the admin portal
  2.  Click on ‘Security’ from the left-hand navigation
  3.  Click on ‘Browser Access’ and navigate to the IP range configuration.
  4.  Define one or more IP ranges and click on the “Save Settings” button to register your settings.


 

Designating IP ranges by following the steps above restricts the web client. To apply the same IP-based restriction to the Office Chat desktop and mobile applications, a few additional settings must be enabled:

  • To enable IP based access configured in the ‘Browser Access’ section of your admin portal to native desktop and Mac clients as well:
    1) Kindly go to the ‘Admin Portal’ > Click on ‘Security’ from the left-hand navigation
    2) Click on ‘Desktop Access’ and tick on ‘Enable IP based settings’ and click on the ‘Save’ Button.


 

  • To enable IP based access configured in the ‘Browser Access’ section of your admin portal to Mobile clients as well:
    1) Kindly go to the ‘Admin Portal’ > Click on ‘Security’ from the left-hand navigation
    2) Click on ‘Mobile Access’ and tick on ‘Enable IP based settings’ and click on the ‘Save’ Button.


Note: IP ranges within 192.168.0.0 – 192.168.255.255 are not accepted because these are private addresses that never appear on the internet; the same reasoning applies to the other private blocks (10.0.0.0/8 and 172.16.0.0/12). Office Chat sees the public source address your traffic arrives from, so list the external address of your office firewall/NAT or VPN gateway, not the internal address of a workstation.
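As an added Python example (not Office Chat’s code, and not how Office Chat validates the field), the script below checks a list of login IP ranges before you save them: it rejects ranges that can never be a client’s public source address (the 192.168.0.0/16 case from the note, the other RFC 1918 blocks, loopback, link-local and similar) and reports whether a given client address would be let in. It accepts the “first – last” form the note uses as well as CIDR. All addresses are made-up placeholders from the RFC 5737 documentation blocks.

```python
"""Added example, not Office Chat code: validate login IP ranges before saving them under
Browser Access, and check which client addresses they would admit."""
import ipaddress

# Address blocks that never appear as a public source address on the internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",         # "this" network, multicast, reserved
)]


def parse_range(text: str) -> list:
    """Accept a single address, a CIDR block, or 'first - last' as written in the note
    above (an en dash is tolerated) and return the equivalent list of CIDR networks."""
    text = text.replace("\u2013", "-").strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {text!r}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text, strict=False)]


def validate_ranges(entries) -> tuple:
    """Split entries into (accepted networks, {rejected entry: reason})."""
    accepted, rejected = [], {}
    for entry in entries:
        try:
            nets = parse_range(entry)
        except (ValueError, TypeError) as exc:
            rejected[entry] = f"unparseable: {exc}"
            continue
        overlap = [n for n in nets if any(n.overlaps(r) for r in NON_ROUTABLE)]
        if overlap:
            rejected[entry] = f"{overlap[0]} is not routable on the internet"
        else:
            accepted.extend(nets)
    return accepted, rejected


def is_allowed(client_ip: str, accepted) -> bool:
    """Would a login from this public source address pass the configured ranges?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in accepted)


if __name__ == "__main__":
    configured = [
        "203.0.113.0/24",                 # office egress block (placeholder)
        "198.51.100.5",                   # VPN gateway (placeholder)
        "192.168.0.0 \u2013 192.168.255.255",  # the range the note above rejects
        "10.1.2.3",                       # a workstation's internal address: useless here
    ]
    ok, bad = validate_ranges(configured)
    print("accepted:", [str(n) for n in ok])
    for entry, why in bad.items():
        print(f"rejected {entry!r}: {why}")
    for probe in ("203.0.113.77", "198.51.100.5", "203.0.114.1"):
        print(probe, "allowed" if is_allowed(probe, ok) else "blocked")
```

Before saving, also probe your own public address (the one a site such as your firewall’s status page or an external “what is my IP” check reports from the office network) with is_allowed; if it is blocked, you will lock yourself out of the web client.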

How do I delete a user from Office Chat?

An Office Chat domain admin can delete a user from the network. Deleting a user permanently deletes all private chats the user has had with other users and all groups the user created. Additionally, all chat messages and files the user posted in groups they were a member of are permanently deleted.

To delete a User from Office Chat network:

1. Login to your Office Chat domain from any web browser
2. Click on the “Admin” tab on the top main menu (Admin Tab is accessible to domain admins only)
3. On the Admin Portal, click on Users tab.
4. Select the checkbox next to the users you want to delete.
5. Click the “User Tools > Delete” menu


In case you wish to maintain the chat records of such employees, we recommend deactivating the user instead of deleting the user. Deactivating the user keeps all the content posted by the user intact. This history might be useful to preserve for knowledge & audit purposes. Help article on deactivating users: https://officechat.com/help/how-do-i-deactivate-or-activate-a-user/

How do I cancel my Office Chat account? (Updated)

We’ll be extremely sorry to see you go. However, if you would still like to delete your Office Chat account follow instructions here:

  1. Login to your Office Chat account from the web.
  2. Navigate to the admin portal then click on “Billing” -> “Invoice “
  3. Click on “Please cancel my account”. Please state the reason why you wish to cancel, along with your feedback and suggestions.

 

Kindly note, once your account is cancelled all your domain data will be immediately and permanently deleted. If you have a paying account you won’t be charged again after your official cancellation date.

How do I change my billing contact information? (Updated)

To change your billing contact information:

  1. Use a web browser to log into your Office Chat domain.
  2. Navigate to the admin portal
  3. Click on the “Billing” from the left navigation then “Invoice Settings”.
  4. Change the details listed here then click “Save Settings”.


What is a Default Group in Office Chat?

Office Chat allows admins to mark one or more groups in the network as ‘default’. All members of your network are automatically added to such a group.

New members that are invited into your network in the future are also automatically added to the default group. Members can’t leave a default group. The “All Of Us” group and the new “Admin Announcements” group are examples of pre-shipped default groups in your network.

All of these settings and controls are available on both the Office Chat Business and Enterprise plans from the admin portal.


How can I download the Invoice for my Office Chat Account

To download the Invoice for Office Chat Account:

  1. Sign in to Office Chat on the Web then navigate to the Admin portal
  2. Click on “Billing” from the left-hand navigation and then on ‘Invoice Details.’
  3. Select the period for which you need to download the Invoice for from the drop-down menu and click on ‘Go.’
  4. Click on ‘Download Invoice’ to download the Invoice.


Invoices take one to three days to generate after a payment is made.

How can I restrict Users from Inviting others?

Office Chat allows you to enable or disable users’ ability to send invites to others, so you can control how new users are added to your network. The choices are: anyone can invite; anyone can invite but a domain admin must approve; only domain admins can invite. This feature is available on the Office Chat Enterprise plan.
Keep in mind that with the “Moderated” option you and the other domain admins are notified of pending invitation approvals in the admin portal; no notification is sent when a domain admin performs the invitation.

To change the Invite settings for your Office Chat Account, kindly look at the following steps: 

  1.  Login to Admin Portal and navigate to ‘Domain’ tab on the Left-Hand side Navigation menu 
  2. Once on this page, Click on ‘Invite Settings’
  3. Here, you can choose between the following options:
  •   Allowed (Any user can invite other users in the network)
  •   Moderated (Any user can invite, but invitations will require one admin’s approval)
  •   Disallowed (Only you/administrators can invite other users in the network)

  4. Once you have selected the desired option, click on ‘Save’ to confirm.


 

Kindly note: These settings do not get applied to signups via Google Apps & SAML providers.

Can I Add users who do not have an Email ID?

Office Chat allows you to create accounts in your office chat network without any email address.  

This is a great way to support the following use cases:  

  • You have employees who don’t have a company email address, you don’t want to use their personal email address (@gmail / @yahoo, etc.), but you need them to be part of the groups created in your Office Chat network.
  • You want to create Office Chat accounts that represent rooms, stores, a reception desk, a nurse station, etc., which don’t have a real email address and which different people use in shifts, yet need to communicate in groups.

 To create Office Chat Accounts for users who do not have an Email id, kindly look at the following steps: 

  1) Login to Admin Portal and navigate to ‘Users’ tab on the Left-Hand side Navigation menu 

2) Once on this page, Click on ‘Add Users’ 

3) Here look for the ‘Add using User ID’ tab. 


4) Under this option, you will be able to add the User’s Full name, User ID and the Initial Password 

5) Click on ‘Create Users’ button to create the user accounts. These Login ids and initial passwords can be used to login to your Office Chat Network 

How to Change the Credit Card Information?

The credit card information can be changed by the Office Chat admin for your domain from the Admin Portal. To change your credit card information:

  1. Use a web browser to log into your Office Chat domain
  2. Navigate to the admin portal
  3. Click on the “Billing” from the left navigation then on the ‘Plan’ Tab.
  4. Here click on ‘Change Payment Information’ and update the new credit card details.
  5. Click “Save” to ensure that all your changes are stored.
