Applicable to users with an Enterprise-Cloud or Ultimate-Cloud license.
LDAP directories are a standard technology for storing user, group, and permission information and serving it to other applications.
As a result, you can set up LDAP in my.anydesk II so that users from your organization can log in with SSO using the organization's ID and their company credentials. You can also import roles from your LDAP identity provider into my.anydesk II.
For more information about user provider types, see User Providers.
Organization Certificates
The Organization certificates section lists all certificates added to the organization. A certificate is typically stored in a .pem file and is used to encrypt the communication between my.anydesk II and your LDAP identity provider.
To add a certificate to your organization:
- Open my.anydesk II and go to Organization.
- In the General section, click Edit, and in the User Provider field, select LDAP.
- In the Switch active provider window, select Proceed.
- Scroll down to the Organization certificates section and click Add new certificate.
- In the Add new Organization certificate window, paste the contents of the certificate file in .pem format.
✔️ You can also drag and drop a certificate in .pem format onto this field.
- Click Add new certificate.
Configure LDAP
You need to configure your LDAP-based identity provider to create a connection to my.anydesk II.
To configure LDAP in my.anydesk II:
- Open my.anydesk II and go to Organization.
- In the General section, click Edit, and in the User Provider field, select LDAP.
- In the Switch active provider window, select Proceed.
- Scroll down to the LDAP Setup section, click Edit and provide the following information:
- RDN LDAP Attribute - type the name of the LDAP attribute that is used as the RDN (top attribute) of a typical user DN. Most often, this optional attribute is the same as the Username LDAP attribute. For example, in Windows Active Directory it is common to use cn as the RDN attribute while the username attribute is sAMAccountName.
- UUID LDAP Attribute - type the name of the LDAP attribute that is used as the unique object identifier (UUID) for objects in LDAP. For Windows Active Directory, it should be objectGUID. If your LDAP server does not support the notion of a UUID, you can use any other attribute that is unique among the LDAP users in the tree, for example uid or entryDN.
- User Object Classes - type all values of the LDAP objectClass attribute for users in LDAP, separated by commas. For example, inetOrgPerson,organizationalPerson. Newly created users will be synchronized to LDAP with all those object classes, and existing LDAP user records can only be found if they contain all those object classes.
- Connection URL - paste a connection URL to your LDAP server.
- Users DN - type the full DN of the LDAP tree where your users are. This DN is the parent of the LDAP users. For example, ou=users,dc=example,dc=com if a typical user has a DN like uid=john,ou=users,dc=example,dc=com.
- Bind DN - type the DN of the LDAP admin account. my.anydesk II uses it to access the LDAP server.
- Bind Credential - type the password of the LDAP admin.
- User Search Filter - type the LDAP filter used to search for users. Leave this empty if no additional filtering is needed and you want to retrieve all users from LDAP. Otherwise, make sure the filter starts with ( and ends with ), for example, (filtername).
- Batch Size - type the number of LDAP users that should be imported from LDAP into my.anydesk II per transaction.
- Periodic Full Sync - turn on the toggle to perform periodic full synchronization of LDAP users to my.anydesk II. If enabled, the Full Sync Period field must be provided.
- Full Sync Period - enter the time (in seconds) that should pass before my.anydesk II attempts to synchronize with the LDAP server again. Periodic Full Sync should be enabled.
- Periodic Changed Users Sync - turn on the toggle to perform periodic synchronization of changed or newly created LDAP users. If enabled, the Changed Sync Period field must be provided.
- Changed Sync Period - enter the time (in seconds) that should pass before my.anydesk II requests the LDAP server for changed or newly created LDAP users. Periodic Changed Users Sync should be enabled.
- Click Finish edit.
Afterward, all (potentially filtered) users from your LDAP server will be able to sign in to my.anydesk II with SSO using the organization's ID.
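The field descriptions above imply several consistency rules (the RDN attribute is the first component of a user DN, the Users DN is that DN's parent, filters are parenthesised, each sync toggle needs its period, and the connection should be encrypted since the Bind Credential is sent to the server). The following added example, which is not AnyDesk's code and makes no assumptions about how my.anydesk II validates input internally, checks a set of constructed field values against those rules offline before you paste them into the form. The dictionary keys, the sample DNs and the host ldap.example.com are all made up for the example.

```python
"""Offline sanity checks for values intended for the LDAP Setup section.

Constructed example, not AnyDesk code: it reproduces the consistency rules
stated in the field descriptions so mistakes are caught before saving.
"""
from urllib.parse import urlparse


def parse_dn(dn):
    """Split 'uid=john,ou=users,dc=example,dc=com' into
    [('uid', 'john'), ('ou', 'users'), ('dc', 'example'), ('dc', 'com')].
    Escaped commas inside values are not handled; typical layouts do not need them."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def check_ldap_setup(cfg, sample_user_dn):
    """Return a list of problems found in cfg; an empty list means it is consistent.
    cfg keys mirror the field names of the LDAP Setup section (assumed names)."""
    problems = []

    url = urlparse(cfg["connection_url"])
    if url.scheme not in ("ldap", "ldaps"):
        problems.append("Connection URL must start with ldap:// or ldaps://")
    elif url.scheme == "ldap":
        # Plain ldap:// transmits the Bind Credential unencrypted unless StartTLS is
        # negotiated; the organization certificate exists to protect this channel.
        problems.append("Connection URL uses ldap://; prefer ldaps:// with the organization certificate")

    try:
        parse_dn(cfg["bind_dn"])
    except ValueError as exc:
        problems.append(f"Bind DN: {exc}")

    user_parts = parse_dn(sample_user_dn)
    users_dn = parse_dn(cfg["users_dn"])
    # Users DN must be the parent of the user DN, i.e. everything after the first RDN.
    if user_parts[1:] != users_dn:
        problems.append("Users DN is not the parent of the sample user DN")
    # The RDN attribute is the first (top) attribute of the user DN.
    if user_parts[0][0] != cfg["rdn_attribute"].lower():
        problems.append(f"RDN LDAP Attribute should be {user_parts[0][0]!r} for this user DN")

    if not cfg.get("uuid_attribute"):
        problems.append("UUID LDAP Attribute must be set (objectGUID, entryUUID, uid, ...)")

    classes = [c.strip() for c in cfg["user_object_classes"].split(",") if c.strip()]
    if not classes:
        problems.append("User Object Classes must list at least one objectClass")

    flt = cfg.get("user_search_filter", "")
    if flt and not (flt.startswith("(") and flt.endswith(")")):
        problems.append("User Search Filter must start with ( and end with )")

    if cfg["batch_size"] <= 0:
        problems.append("Batch Size must be positive")

    if cfg["periodic_full_sync"] and not cfg.get("full_sync_period"):
        problems.append("Full Sync Period is required when Periodic Full Sync is on")
    if cfg["periodic_changed_users_sync"] and not cfg.get("changed_sync_period"):
        problems.append("Changed Sync Period is required when Periodic Changed Users Sync is on")

    return problems


# Constructed sample values in the shape of the LDAP Setup fields.
EXAMPLE_CONFIG = {
    "rdn_attribute": "uid",
    "uuid_attribute": "entryUUID",
    "user_object_classes": "inetOrgPerson,organizationalPerson",
    "connection_url": "ldaps://ldap.example.com:636",
    "users_dn": "ou=users,dc=example,dc=com",
    "bind_dn": "cn=my-anydesk-sync,ou=services,dc=example,dc=com",
    "user_search_filter": "(objectClass=inetOrgPerson)",
    "batch_size": 500,
    "periodic_full_sync": True,
    "full_sync_period": 86400,
    "periodic_changed_users_sync": True,
    "changed_sync_period": 900,
}

if __name__ == "__main__":
    for problem in check_ldap_setup(EXAMPLE_CONFIG, "uid=john,ou=users,dc=example,dc=com"):
        print("problem:", problem)
```

Run it with your own sample user DN (copied from an ldapsearch result) and the values you plan to enter; an empty result means the fields agree with each other, which does not replace testing the actual bind against the server.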
Import Roles
You can also import roles to my.anydesk II from your LDAP server.
To import roles:
- Open my.anydesk II and go to Organization.
- In the General section, click Edit, and in the User Provider field, select LDAP.
- In the Switch active provider window, select Proceed.
- Scroll down to the Import Roles section, click Edit and provide the following information:
- Roles DN - type the LDAP DN under which the roles of this tree are saved. For example, ou=roles,dc=example,dc=org or ou=finance,dc=example,dc=org.
- Role Name LDAP Attribute - type the name of the LDAP attribute that is used in role objects for the name and RDN of the role. Usually it is cn. In this case, a typical role object may have a DN like cn=Group1,ou=groups,dc=example,dc=org or cn=role1,ou=finance,dc=example,dc=org.
- Role Object Class - type the object class(es) of the role object. If more than one class is needed, separate them with commas. In a typical LDAP deployment it is groupOfNames; with Windows Active Directory it is usually group.
- LDAP Filter - enter a custom filter to query for specific LDAP roles. Leave this empty if no additional filtering is needed and you want to retrieve all roles from LDAP. Otherwise, make sure the filter starts with ( and ends with ), for example, (filtername).
- User Roles Retrieve Strategy - select one of the following ways of retrieving user roles:
- Load roles by 'member' attribute - roles are retrieved by sending an LDAP query for all roles whose 'member' attribute contains the user.
- Get roles from user 'memberOf' attribute - roles of users will be retrieved from the 'memberOf' attribute of the user or from the Member-Of LDAP Attribute.
- Membership Attribute Type - there are three options, which depend on the User Roles Retrieve Strategy:
- DN - only available with the User Roles Retrieve Strategy 'Load roles by role member attribute'. The LDAP role declares its members as their full DN. For example, member: uid=john,ou=users,dc=example,dc=com.
- UID - only available with the User Roles Retrieve Strategy 'Load roles by role member attribute'. The LDAP role declares its members as plain user uids. For example, memberUid: john.
- memberOf - only available with the User Roles Retrieve Strategy 'Get roles by role memberOf attribute'. It specifies the name of the LDAP attribute on the LDAP user that contains the roles the user is a member of. By default, it is memberOf.
- Click Finish edit.
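The two retrieve strategies and the three membership attribute types above resolve a user's roles from different places in the directory, and choosing a type that does not match how your groups store members silently yields no roles. The following added example, which is not AnyDesk's code, stands a small constructed in-memory directory in for the LDAP server and implements each option so the outcomes can be compared offline; the entries, DNs and the posixGroup class used for the UID case are all made up for the example.

```python
"""Role lookup under each User Roles Retrieve Strategy / Membership Attribute Type.

Constructed example, not AnyDesk code: a dict of DN -> attributes stands in
for the LDAP server so the options from the Import Roles section can be compared.
"""

# Constructed directory. Every attribute value is a list, as LDAP returns them.
DIRECTORY = {
    "uid=john,ou=users,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["john"],
        # Maintained by the server (or an overlay) for the memberOf strategy.
        "memberOf": ["cn=Group1,ou=groups,dc=example,dc=org"],
    },
    "uid=alice,ou=users,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["alice"],
    },
    # groupOfNames: members stored as full DNs (Membership Attribute Type = DN).
    "cn=Group1,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "cn": ["Group1"],
        "member": ["uid=john,ou=users,dc=example,dc=org"],
    },
    # posixGroup: members stored as plain uids (Membership Attribute Type = UID).
    "cn=finance,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"],
        "cn": ["finance"],
        "memberUid": ["john", "alice"],
    },
}


def entries_under(directory, base_dn, object_classes):
    """Emulate a search below base_dn restricted to entries that carry every
    objectClass listed in the comma-separated Role Object Class value."""
    wanted = {c.strip().lower() for c in object_classes.split(",") if c.strip()}
    for dn, attrs in directory.items():
        if not dn.lower().endswith("," + base_dn.lower()):
            continue
        have = {c.lower() for c in attrs.get("objectClass", [])}
        if wanted <= have:
            yield dn, attrs


def roles_for_user(directory, user_dn, roles_dn, role_object_class, role_name_attr,
                   strategy, membership_type=None, member_of_attr="memberOf"):
    """Return the sorted role names of a user.

    strategy: 'member'   - query the roles whose membership attribute names the user
              'memberOf' - read the role DNs from the user's own entry
    membership_type: 'DN' or 'UID' (only meaningful for the 'member' strategy)
    member_of_attr: the attribute configured for the memberOf type (default memberOf)
    """
    user = directory[user_dn]
    names = set()

    if strategy == "memberOf":
        for role_dn in user.get(member_of_attr, []):
            # The role name is the value of the first RDN, e.g. cn=Group1.
            names.add(role_dn.split(",", 1)[0].partition("=")[2])
        return sorted(names)

    if strategy != "member":
        raise ValueError("strategy must be 'member' or 'memberOf'")
    if membership_type == "DN":
        attr, needle = "member", user_dn.lower()
    elif membership_type == "UID":
        attr, needle = "memberUid", user["uid"][0].lower()
    else:
        raise ValueError("membership_type must be 'DN' or 'UID' for the member strategy")

    for _dn, attrs in entries_under(directory, roles_dn, role_object_class):
        if needle in (v.lower() for v in attrs.get(attr, [])):
            names.add(attrs[role_name_attr][0])
    return sorted(names)


if __name__ == "__main__":
    john = "uid=john,ou=users,dc=example,dc=org"
    roles = "ou=groups,dc=example,dc=org"
    print("DN  :", roles_for_user(DIRECTORY, john, roles, "groupOfNames", "cn", "member", "DN"))
    print("UID :", roles_for_user(DIRECTORY, john, roles, "posixGroup", "cn", "member", "UID"))
    print("mismatch:", roles_for_user(DIRECTORY, john, roles, "groupOfNames", "cn", "member", "UID"))
    print("memberOf:", roles_for_user(DIRECTORY, john, roles, "groupOfNames", "cn", "memberOf"))
```

The "mismatch" call is the case to watch for in a real deployment: groupOfNames entries hold DNs in member, so selecting the UID type against them returns no roles at all rather than an error, and the user ends up with no imported roles in my.anydesk II.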