Overview

WebADM Option Sets, or "subtree options," allow for granular control over LDAP contexts by defining specific profiles within WebADM. These Option Sets serve various purposes, including:

  • Unicity Verification Context: Ensures uniqueness within the LDAP subtree.
  • LDAP View Depth: Limits the LDAP view for delegated administrators to restrict their access to specific parts of the LDAP tree.
  • Badging Options: Configures settings related to mobile badging, such as office coordinates, network allowances, and user lockout policies.
  • AD/LDAP synchronization: This setting is required when configuring Active Directory synchronization for users and groups. The structure, including containers and organizational units, will mirror the source LDAP. The synchronization of objects will occur at the defined target subtree level.
  • User Alerts: Sets up alerts for expiring passwords, certificates, and badging activities.
  • Default LDAP Attributes: Specifies default attributes for LDAP objects within an organization.

Option Sets can also be utilized to create Organization Profiles, which define default LDAP attributes for members within that organization.

Note: All Option Sets must be stored in the container specified in the WebADM main configuration file to be accessible and read by WebADM during startup.

Multiple WebADM Option Sets can be configured for a single LDAP infrastructure. It is important to ensure that these Option Sets do not conflict with each other based on their application scope.

Create an Option Sets object

Login on the WebADM Administrator portal and click on the Admin tab, then LDAP Option Sets.

webadm

Click the Add OptionSet button, name your OptionSet object, and then click the Create Object button.

The OptionSet configuration object will be created, and you will be taken to the OptionSet configurator menu.

Configure your Option Sets settings

Found below, example for OptionSets configuration:

webadm
webadm
webadm
webadm

Settings description:

Default Settings

  • Target Subtree: The LDAP tree to which the OptionSet applies. When using the AD/LDAP & EntraID Synchronization feature, object synchronization will occur within the defined target subtree.

  • Tree Base Context: Set a forced LDAP tree view base for any administrators existing inside the target subtree.
    The tree root context will filter SQL audit logs entries based on the user DN in every entry. Note: Does not apply for super administrators.

  • LDAP Creation Defaults: Comma-separated list of default attribute values automatically filled when creating LDAP objects.
    Syntax: Attr1=Value1, Attr2=Value2...

  • Default LDAP Search Base: The base value applied for LDAP searches that match this OptionSet.

POSIX Attributes Auto-Increments

  • Minimum UID Number: When extending accounts with the POSIX objectClass, the UID value will auto-increment starting from the configured minimum value defined in this setting.

  • Minimum GID Number: When extending groups with the POSIX objectClass, the GID value will auto-increment starting from the configured minimum value defined in this setting.

Mobile Badging Settings

Below are options regarding the mobile badging features provided with OpenOTP web service.

  • Office Coordinates: GPS coordinates used to detect when a user is badging from the office. For example, 49.502105712890625,5.944442179558995. These coordinates help determine if the badging activity is occurring within the designated office location.

  • Office Networks: Defines network(s) with a specified IP mask that are considered internal office subnets. Web badging from SelfDesk is only permitted from these office networks. When a user badges in from an office network, the office's geolocation is recorded instead of the user's GPS location.

  • Badged Access Expire: Specifies the minimum duration (in hours) that user access remains valid after badging in. If not configured, client access will be permitted until the end of the current day.

  • Badged Access Hours: Defines the daily hour intervals during which user access remains active after badging in.

  • Badged Users Group: An LDAP group that is automatically populated with users who have badged in.

  • Office Users Group: An LDAP group that is automatically populated with users who have badged in from the office.

  • User Lockout:

    • Account: Disables the user’s password at the directory level when they badge out, independently of OpenOTP.
    • Network: Disables Ethernet and Wi-Fi network access for any MAC address associated with the user.
    • None: No lockout action is applied.

For OpenLDAP, the ppolicy 'Password Lockout' setting must be enabled for account lockout.
For EntraID, account lockout disables the entire user account, not just the password.

Remote Work Accounting

  • Local Country: The country which should not be considered as remote work in the badging reports.

  • Remote Quota: Maximum number of remote work days in the selected countries. Use a comma-separated list in the form 'FR:32,BE:25' to set per user country quotas.
    Per user country quota requires users to have the country 'c' LDAP attribute set.

Users Alert Settings

  • User Alerts:

    • Password: Alerts users when passwords are nearing expiration (works with ActiveDirectory).
    • Certificate: Alerts users when certificates are nearing expiration.
    • Badging: Sends daily reminders for users who forgot to badge-out the previous day and notifications when access is denied due to not being badged-in.
    • None: No alerts is sent to end-users.
  • Alert Period: Start sending alerts 1 to 30 days before expiration.

  • Alert Repeat: Re-send alert messages every 1 to 5 days.