Integrate PeopleSoft with an unsupported LDAP server (Synology LDAP)

This document describes how to integrate a PeopleSoft system with Synology LDAP server. This is kind of a weird combination as PeopleSoft is mainly used in bigger enterprises, while Synology LDAP server is a very limited directory product, which you are more likely to find in a small business. So why would we do this?

Well because we can 🙂 . It is a nice proof of concept to get it working properly and it sheds some light on how LDAP integration is setup and customized (in this case to work with Synology LDAP server).

Table of content

1 Note
2 Set up Synology LDAP server
2.1 Install Synology LDAP server
2.2 Configure Synology LDAP server
2.3 Create groups
2.4 Create a user
3 Set up LDAP integration in PeopleSoft
3.1 Create an LDAP permission list, role and user
3.2 Signon PeopleCode
3.3 Configure Directory
3.4 Cache Directory Schema
3.5 Authentication Map
3.6 User Profile Map
4 PeopleCode changes
4.1 Fix profile synchronization
4.2 Fix for logging in with disabled user

1 Note

An important note:
Synology LDAP server is not an officially supported LDAP product to integrate with. It will work, but there is no support from Oracle for this integration.

2 Set up Synology LDAP server

2.1 Install Synology LDAP server

The first step is to install Synology LDAP server via DSM. Open Package Manager, search for LDAP and install the product.

2.2 Configure Synology LDAP server

Now open Synology LDAP server and on the settings screen click the Enable LDAP Server checkbox.
We want to set this up as a provider so choose As the Provider server.
Fill in the remaining fields and click on Apply.

FieldValue
FQDNChoose a domain name. I have chosen redboxconsulting.be here, but this can by anything, for example ldap.synology.
PasswordChoose a root password
Confirm PasswordChoose a root password

Two important things get generated now, we will need these values later to configure the LDAP client (PeopleSoft in this case):

FieldValue
Base DNdc=redboxconsulting,dc=be
Bind DNuid=root,cn=users,dc=redboxconsulting,dc=be

If you look at the Manage Users and Manage Groups pages, you will see that 1 default user (admin) is created and some default groups.

2.3 Create groups

Let us create some groups. Groups in the LDAP server will eventually translate to Roles in PeopleSoft. So if you want your user to automatically get the PeopleSoft User role when logging in, you will need to create the PeopleSoft User group in the LDAP server.

Besides the PeopleSoft User group, also create the following groups:
– HR Administrator
– Workforce Admin Homepage Fluid

2.4 Create a user

Let us create a user. With this user, we will eventually be able to log in in PeopleSoft.
On the Manage Users page, click on Create:

Give the user a name, a description, an email address and provide a password for the user.
Click Next and select the 3 groups that were created earlier:

Click Next and on the next page fill in the Employee number, use KU007.

Click Next, review the data and click on Apply to create the user.

3 Set up LDAP integration in PeopleSoft

3.1 Create an LDAP permission list, role and user

The first thing to do is to create a user specifically for LDAP authentication. The Signon PeopleCode will be invoked by this user. So create the following:
1) A new Permission List named LDAP. Give full access to the USER_PROFILE component interface.

2) Create a new Role named LDAP and assign the LDAP Permission List to it.

3) Create a new User Profile named LDAP, give the user a password and assign the LDAP Role to the User Profile.

3.2 Signon PeopleCode

Next step is to enable the LDAP Signon PeopleCode and change the user we invoke the Signon PeopleCode with.
Go to: PeopleTools > Security > Security Objects > Signon PeopleCode

Under Signon, change to Invoke as and enter the LDAP user and its password.
Enable the LDAP_AUTHENTICATION and LDAP_PROFILESYNCH functions and check the Exec Auth Fail checkboxes. After that Reboot the application server.

3.3 Configure Directory

The preparation is done, now we can create the integration with the Synology LDAP server.
Go to: PeopleTools > Security > Directory > Configure Directory
Create a new directory and call it SYNOLOGY:

On the Directory Setup page fill in the following values:

FieldValue
DescriptionSynology LDAP
Directory ProductOther LDAP Directory
Default Connect DNThe Bind DN from chapter 2.2
uid=root,cn=users,dc=redboxconsulting,dc=be
PasswordThe root password from chapter 2.2
Server NameThe ip address or DNS name of the Synology LDAP server
synology.local
Port389
SSL PortLeave empty

You can skip the Additional Connect DN’s and Schema Management pages. Go to the Test Connectivity page. On this page, you should see all tests being successful.

3.4 Cache Directory Schema

Now you should cache the directory schema. Do this by running the LDAPSCHEMA application engine. Go to: PeopleTools > Security > Directory > Cache Directory Schema
If the process fails (this is a known issue) then first create the Authentication Map (see 3.5).

Create the SYNOLOGY Authentication Map. Fill in the Directory ID and click on Use Secure Socket Layer to enable it and click it again to disable it. Save the Authentication Map and rerun the Cache Directory Schema application engine. The application engine should now run successfully.

3.5 Authentication Map

The Authentication Map defines how PeopleSoft will authenticate against the Synology LDAP server. It defines where in the directory PeopleSoft can find the users. The Signon PeopleCode function LDAP_AUTHENTICATION is responsible for authentication.

To create the Authentication Map, go to:
PeopleTools > Security > Directory > Authentication Map

Fill in the following values:

FieldValue
Directory IDSYNOLOGY
Anonymous BindUnchecked
Use Secure Socket LayerUnchecked
Search BaseThis is the Base DN from chapter 2.2
dc=redboxconsulting,dc=be
Search ScopeSub
Search AttributeThis is the attribute in the directory that contains the username, for Synology LDAP this is:
uid
SeqNum1
LDAP ServerSYNOLOGY.LOCAL

3.6 User Profile Map

The User Profile Map defines how the PeopleSoft User Profile is created after successful authentication. The Signon PeopleCode function LDAP_PROFILESYNCH is responsible for creating and updating the user profile after authentication.

Create a new User Profile Map, go to:
PeopleTools > Security > Directory > User Profile Map

Fill in the following values:

FieldValue
Authentication MapSYNOLOGY
User ID Attributeuid
ID TypeEMP
ID Type AttributeemployeeNumber
Use default RoleUnchecked
Role Name< empty >
Role Attribute < empty >
Use Default Language CodeChecked
Language CodeEnglish
LangCD Attribute < empty >

On the Optional User Properties tab add the following values.

User Profile PropertyConstant ValueAttribute NameAlways Update
CurrencyCodeEURN
EmailAddressmailY
SymbolicIDSYSADM1N
UserDescriptiongecosY
NavigatorHomePermissionListHCSPNAVHPN
PrimaryPermissionListHCPPALLN
ProcessProfilePermissionListHCPPRFLN
RowSecurityPermissionListHCDPALLN

4 PeopleCode changes

Normally this concludes the setup of the LDAP integration. Though as Synology LDAP server is not an officially supported product, some PeopleCode changes are needed.

4.1 Fix profile synchronization

If you try to login with the user that we created in Synology LDAP server (redbox) now, you will notice that it does not work at all. We are getting an authorization error.

What is actually happening is this:
Authentication actually is successful. PeopleSoft communicated with Synology LDAP server and verified that the user exists and that the password is correct.
A User Profile name redbox is actually created in PeopleSoft. As you can see the User Profile exists and all the fields we expect to be populated are actually populated.

The thing that is actually missing are the roles. You can see on the Roles tab that nothing is there. Though we would expect the 3 groups that we setup in Synology LDAP server earlier there.

If you would look in the Application Server logs, you would find that the user successfully authenticated, but could not log in because the user has no roles attached to the user profile.

So why is this? Well the answer is simple. PeopleSoft does not support Synology LDAP server out of the box, but there is an easy way to fix this, with a small customization.

Open PeopleSoft Application Designer and open the FUNCLIB_LDAP record and go to the LDAPAUTH.FieldDefault PeopleCode event. Look for the function GetRolesFromLdap. This is the function that actually gets from the Synology LDAP server the groups where the users is part of.
Though as you see, only code for supported systems exist.

To make this work add the highlighted code to the function. Note that we add a WHEN for the value OTHR, this is because we set up our directory in chapter 3.3 as Other LDAP Directory.

Function GetRolesFromLdap(&dn As string, &Roles As array of string) Returns boolean;
   Local string &filter;
   Local PT_SECURITY:LDAP:AuthenticationMap &authMap;
   &authMap = &authMaps [&idxAuthMap];
   Local string &authMapID;
   
   &dn = Substitute(&dn, "\,", "\\,");
   
   &dirProd = &authMap.getDirProd();
   Evaluate &dirProd
   When "EDIR"
      &filter = "(&(objectclass=groupOfNames)(uniquemember=" | &dn | "))";
   When "MSAD"
      &filter = "(&(objectclass=group)(member=" | &dn | "))";
   When "NSDS"
      &filter = "(&(objectclass=groupOfUniqueNames)(uniquemember=" | &dn | "))";
   When "ORCL"
      &filter = "(&(objectclass=groupOfUniqueNames)(uniquemember=" | &dn | "))";
      /* SYNOLOGY_LDAP, 31.05.2021 -------------------------------------- BEGIN */
   When "OTHR"
      &filter = "(&(objectClass=posixGroup)(member=" | &dn | "))";
   End-Evaluate;
   /* SYNOLOGY_LDAP, 31.05.2021 -------------------------------------- END */
   &roleAttr = "cn";
   &ret = UserDNToRole(&dn, &filter, "", &roleAttr, &Roles);
   Return &ret;
End-Function;

Save the PeopleCode event and try to login again with the redbox user. You will see that you can now log in without problems.

If you check the User Profile of user redbox you will see that the roles are now perfectly synced with the Synology LDAP server.

Now try to add a new group in Synology LDAP server called eProfile Employee Fluid and assign the redbox user to the group.
Now log in again in PeopleSoft with the user redbox and you will see that the user has the eProfile Employee Fluid role assigned and has access to Employee Self Service functionality.

4.2 Fix for logging in with disabled user

There is one remaining issue. If you disable a user in Synology LDAP server, you are still able to log in to PeopleSoft with that user. That is not a good situation, as you want to manage your users from a central place, being the Synology LDAP server.

The redbox user is disabled, but you can still login with that user in PeopleSoft:

So how do we fix that?
Synology stores the state of the user in the attribute shadowExpire. So we should leverage that attribute to disable the PeopleSoft User Profile.

To do this, first customize the view PSDSUSERATTR_VW. Change the SQL to include the ACCTLOCK field and rebuild the view:

SELECT DISTINCT BCITEMNAME   
  FROM PSBCITEM   
 WHERE BCNAME = 'USER_PROFILE'   
   AND FIELDNAME IN ('CURRENCY_CD', 'DEFAULTNAVHP', 'EMAILID', 'EMPLID', 'MULTILANG', 'OPRCLASS', 'OPRDEFNDESC', 'PRCSPRFLCLS', 'ROWSECCLASS', 
'SYMBOLICID', 'USERIDALIAS', 'ACCTLOCK')

This allows us to select the AccountLocked property on the User Profile Map:

Add a new row with the following values:

FieldValue
User Profile PropertyAccountLocked
Use Constant ValueUnchecked
Attribute NameshadowExpire
Constant Value< empty >
Always UpdateChecked

Just adding these values still does not make it work entirely. The last thing to do is to add a piece of code to the Signon PeopleCode.
In Application Designer open the event FUNCLIB_LDAP.LDAPAUTH.FieldDefault and look for the function updateUserProfile. At the very end of this function add the highlighted piece of code:

Function updateUserProfile()
   &bDirty = False;
   &bDynamicRole = False;
   &prflProps = create PT_SECURITY:LDAP:UserProfileMap();
   getProfileMap(&prflProps);
   
   /* Get Session and Connect */
   &Session = GetSession();
   &Connect = &Session.Connect(1, "EXISTING", "", "", 0);
   
   If Not &Connect Then
      Return;
   End-If;
.
.
.
.
.
.
         When "UserDescription"
            Local string &desc = Substring(&curprop.value, 1, 30);
            If &USER_PROFILE.UserDescription <> &desc Then
               &USER_PROFILE.UserDescription = &desc;
               &bDirty = True;
            End-If;
            
         When "UserIDAlias"
            If &USER_PROFILE.UserIDAlias <> &curprop.value Then
               &USER_PROFILE.UserIDAlias = &curprop.value;
               &bDirty = True;
            End-If;
            
            /* SYNOLOGY_LDAP, 31.05.2021 -------------------------------------- BEGIN */
         When "AccountLocked"
            /* Synology uses the attribute shadowExpire to indicate if a user is enabled or disabled */
            /* shadowExpire = 1 --> AccountLocked = 1*/
            /* shadowExpire = -1 --> AccountLocked = 0*/
            Local integer &intAcctLocked;
            Evaluate &curprop.value
            When 1
               &curprop.value = 1
            When - 1
               &curprop.value = 0;
            End-Evaluate;
            
            /* Set the AccountLocked property */
            If &USER_PROFILE.AccountLocked <> &curprop.value Then
               &USER_PROFILE.AccountLocked = &curprop.value;
               &bDirty = True;
            End-If;
            /* SYNOLOGY_LDAP, 31.05.2021 -------------------------------------- END */
         End-Evaluate;
      End-If;
   End-For;
   
   &USER_PROFILE.Encrypted = 1;
   &USER_PROFILE.Opertype = 1; /* indicates external authentication */
   /*
   The logic - "Updating the failed logins" - has been removed from here. All the failed logins and 
   account lock related updates should happen only in the password controls peoplecode. Scattering
   these updates would cause descrepancies. 
   Refer Bug: Bug 16613746 - FAILED LOGINS VALUE FOR LDAP USER IS RESET DIFFERENTLY COMPARED TO DB USER
   */
   /* Save Instance of Component Interface */
   If &bDirty = True Then
      /*  ICE# 1320026000. Change PSMessagesMode back to "Both Collection and Message Box mode". This helps output more accurate error message.  */
      &Session.PSMessagesMode = 3;
      If Not &USER_PROFILE.Save() Then
         &USER_PROFILE.Cancel();
      End-If;
   End-If;
   &USER_PROFILE.Cancel();
End-Function;

Now when you log in with user redbox and the user is disabled in the Synology LDAP server, you will not be able to.

Re-enable the account in Synology LDAP server and you have access again.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.