/
Active Directory Intergration

Active Directory Intergration

Apr 30, 2025

Connecting to an Active Directory in CostOS

  1. Login to CostOS Web Console(

    )

  2. Choose User Management (

    )>LDAP Configuration

  3. Enter the values for the settings, as described below.

  4. Save the directory settings

Notes:

  • Logged user should have 'Create/edit Users' role

Server settings

Setting

Description

Setting

Description

Active

Active/Deactivated interval Synchronization

Hostname

The host name of your directory server. Examples:

  • ad.mydomain.com

  • ldap.mydomain.com

  • opends.mydomain.com

Port

The port on which your directory server is listening. Examples:

  • 389

  • 636 (for example, for SSL)

Bind Dn

The distinguished name of the user that the application will use when connecting to the directory server.

Examples:

  • cn=administrator,cn=users,dc=ad,dc=example,dc=com

  • cn=user,dc=domain,dc=name

  • user@domain.name

By default, all users can read the uSNChanged attribute. The specific privileges required by the user to connect to LDAP are "Bind" and "Read" (user info, group info, group membership), which the user can obtain by being a member of the Active Directory's built-in administrators group.

Password

The password of the user specified above.

Base DN

The root distinguished name (DN) to use when running queries against the directory server. Examples:

  • o=example,c=com

  • cn=users,dc=ad,dc=example,dc=com

  • For Microsoft Active Directory, specify the base DN in the following format: dc=domain1,dc=local. You will need to replace the domain1 and local for your specific configuration. Microsoft Server provides a tool called ldp.exe which is useful for finding out and configuring the the LDAP structure of your server.

User Object Filter (optional)

The filter to use when searching user objects.

Example:

  • (memberOf=cn=MyGroup,cn=users,dc=example,dc=com)

Synchronisation Interval

Synchronization is the process by which the application updates its internal store of user data to agree with the data on the directory server. The application will send a request to your directory server every x minutes, where 'x' is the number specified here. The default value is10 minutes.

SSL

Check this if the connection to the directory server is an SSL (Secure Sockets Layer) connection. Note that you will need to configure an SSL certificate in order to use this setting. Rad More

 

User Fetching Scope Limitation

The application uses LDAP pulling scripts to fetch users from a specific Base DN folder.
Important Limitation: Only users that exist directly under the specified Base DN will be retrieved.
Nested folders (i.e., sub-OUs or sub-containers under the Base DN) are not scanned. As a result, users located within nested structures will not be pulled unless the Base DN is adjusted accordingly.

To include nested folders, the LDAP query configuration must support recursive searches—which is currently not supported in this setup.

Synchronize Application Groups from active directory

The application supports automatic group synchronization from Active Directory. A user's membership in specific AD groups determines their roles within the application:

Ad Role Name

Application Role

Ad Role Name

Application Role

CESAdmin

Administrator

CESProjectReader

Open/Edit Projects

CESProjectWriter

Create Projects

CESDatabaseUser

User

CESParamItemWriter

Create/Edit Assemblies

CESAssemblyWriter

Create/Edit Resources

CESFunctionWriter

Create/Edit Functions

CESColumnFieldWriter

Field/Formula Customization

CESLocationFactorWriter

Location Factor Customization

CESOnlineDBUser

Online Database User

CESUserAdmin

 Create/Edit Users

CESEPS

 Create/Edit EPS

CESCosmoPublisher

COS.MO Publisher

CESGlobalPRJVariabledWriter

Create/Edit Global Project Variables Template

CESMasterLayoutWriter

Create/Edit Layouts (Master Database)

CESMediaLibraryWriter

Open/Edit Media Library (Master Database)

CESCostTeam1

CostOS Team 1

CESCostTeam2

CostOS Team 2

CESCostTeam3

CostOS Team 3

CESCostTeam4

CostOS Team 4

CESCostTeam5

CostOS Team 5

CESCostTeam6

CostOS Team 6

CESCostTeam7

CostOS Team 7

CESCostTeam8

CostOS Team 8

CESCostTeam9

CostOS Team 9

CESCostTeam10

CostOS Team 10

AD vs. Application-Assigned Groups

  • AD-Synced Groups (Read-only):
    When a user is a member of an AD group mapped to an application role, the group is automatically assigned within the application. These group memberships cannot be modified or removed from within the application—they reflect the current state of AD and are updated on sync.

  • Application-Assigned Groups (Editable):
    In addition to AD-synced groups, users can be assigned to custom or application-specific groups manually through the application interface. These groups are editable, allowing for more flexible role assignments where needed.

This hybrid model ensures centralized control via AD while allowing additional, app-specific customization

LDAP to Application User Mapping

The following table outlines how user attributes from Active Directory (LDAP) are mapped to fields in the application. This ensures consistent identity synchronization and access control.

App Field

LDAP Attribute / Logic

App Field

LDAP Attribute / Logic

Username

samAccountName

Email

mail

Full Name

cn

Enabled

Derived from userAccountControl

Related articles