LDAP setup

Before LDAP can be used, the Enabled check box in the LDAP Settings section of the Parameters page of the System Administration application must be selected.
Orchestra supports managing its users from an LDAP server, specifically Microsoft Active Directory.
To use Active Directory with Orchestra, complete the following steps:
1. Set up security groups and group members in Active Directory.
2. Set up Active Directory connection and user data fields in Orchestra.
3. Map Active Directory groups to Orchestra objects (roles, branch groups and branches).

Active Directory Security Groups

The Active Directory must be set up to differentiate users for the two permission categories, by defining the appropriate Active Directory Security Groups for each category.
For each Role, Branch and Branch Group in Orchestra, create a corresponding Active Directory Security Group, preferably by prefixing the group name with QM.
For example:
The Orchestra role "Branch Admin" has a corresponding Active Directory group "QMBranchManager".

LDAP / Active Directory Server Configuration

For more information about this, please see the System Administration chapter in the Reference Manual.

Map of Active Directory Groups to Orchestra objects (Roles, Branch Groups and Branches)

In a Windows domain managed by Active Directory, the permissions (the access rights) of a user are based on what groups that specific user belongs to. For example, the staff group has some permissions and the admin group has another set of permissions.
In Orchestra, there are three kinds of user permissions that have to be defined in the Active Directory:
1. Roles: Orchestra uses Roles to define permissions in the Orchestra applications.
2. Branches: Orchestra has many Branches, and each Branch should be separated from the others when it comes to permissions.
3. Branch Groups: in Orchestra, one or more Branches are grouped together into Branch Groups, which should have their own permissions.
In order to access the Active Directory, Orchestra requires a so-called bind user. The bind user is an Active Directory user with the ability to search both the user tree and role tree for users and roles.
Orchestra requires the login name and the domain of this user, that is, the LDAP field userPrincipalName.
Example: qmorchestra@somedomain.com
Note that in most Active Directory set-ups, the Role tree and the User tree are located in the same Branch.
In the User Management application, open the LDAP / SAML tab. To create a new mapping, click the Create New Mapping button.

Name

Name of the Active Directory group that should be mapped.

Type

From the drop-down list, select the wanted type of mapping. The available choices are: Role, Branch or Branch Group.

Mapping

Depending on the Type selected, this drop-down list shows the available Roles, Branches or Branch Groups.
When done, click the Save button.

Login with LDAP Users

Once a user logs in using LDAP, that user is synchronized to central, stored in the users table and shown in the regular user list.
If such a user has been marked as inactive in the User tab (or if a database user with the same user name exists and is inactive), the LDAP user cannot log in.
Additionally, if an LDAP user logs in with role mappings to roles that have reached their license limit, the user is only granted access to the modules the user previously had, plus any new roles that have not reached their license limit.
If the total number of users in the system has been reached and the LDAP user has not previously logged in, the user cannot log in.
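The following is an added example, not Qmatic's code: it models the mapping rows from the LDAP / SAML tab (Name, Type, Mapping) and the login rules described above, so that the effect of a given set of Active Directory group memberships can be checked before a user tries to log in. Every group name, role, branch, limit and user in it is constructed for illustration.

```python
"""Resolve an LDAP user's Orchestra access from Active Directory group membership.

Added example, not Qmatic's code. It models the mapping rows from the LDAP / SAML
tab (Name, Type, Mapping) and the documented login rules. Every group name,
role, branch, limit and user below is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mapping:
    """One row of the LDAP / SAML mapping tab."""
    name: str      # Active Directory security group, QM-prefixed by convention
    type: str      # "Role", "Branch" or "Branch Group"
    mapping: str   # the Orchestra object the group is mapped to


# Constructed mapping table following the recommended QM prefix.
MAPPINGS = [
    Mapping("QMBranchManager", "Role", "Branch Admin"),
    Mapping("QMStaff", "Role", "Staff"),
    Mapping("QMBranchNorth", "Branch", "North"),
    Mapping("QMRegionEast", "Branch Group", "East"),
]


def group_names(member_of):
    """Extract the CN from each memberOf DN, e.g. 'CN=QMStaff,OU=Groups,DC=x' -> 'QMStaff'.
    (Escaped commas inside a CN are not handled here.)"""
    names = set()
    for dn in member_of:
        first_rdn = dn.split(",", 1)[0]
        if first_rdn.upper().startswith("CN="):
            names.add(first_rdn[3:])
    return names


def resolve_mappings(member_of, mappings=MAPPINGS):
    """Return the Roles, Branches and Branch Groups the user's AD groups map to.
    Groups without a mapping row are ignored."""
    names = group_names(member_of)
    result = {"Role": set(), "Branch": set(), "Branch Group": set()}
    for m in mappings:
        if m.name in names:
            result[m.type].add(m.mapping)
    return result


@dataclass
class SystemState:
    """The parts of the users table and licensing that the login rules consult."""
    known_users: set            # users already synchronised to the users table
    inactive_users: set         # users marked inactive in the User tab
    role_counts: dict           # role -> number of users currently holding it
    role_limits: dict           # role -> license limit for that role
    user_limit: int             # total number of users the license allows
    previous_roles: dict = field(default_factory=dict)  # user -> roles held earlier


def evaluate_login(username, member_of, state):
    """Apply the documented rules, returning (allowed, granted_roles, reason).

    - an inactive user is denied;
    - a first-time LDAP user is denied when the total user limit is reached;
    - a role at its license limit is granted only if the user already held it."""
    if username in state.inactive_users:
        return False, set(), "user is inactive"
    if username not in state.known_users and len(state.known_users) >= state.user_limit:
        return False, set(), "total user limit reached"
    wanted = resolve_mappings(member_of)["Role"]
    held_before = state.previous_roles.get(username, set())
    granted = set()
    for role in wanted:
        limit = state.role_limits.get(role)
        at_limit = limit is not None and state.role_counts.get(role, 0) >= limit
        if role in held_before or not at_limit:
            granted.add(role)
    return True, granted, "ok"


if __name__ == "__main__":
    state = SystemState(
        known_users={"alice", "bob"}, inactive_users={"bob"},
        role_counts={"Branch Admin": 2, "Staff": 5},
        role_limits={"Branch Admin": 2, "Staff": 10},
        user_limit=3, previous_roles={"alice": {"Branch Admin"}},
    )
    groups = ["CN=QMBranchManager,OU=Groups,DC=somedomain,DC=com",
              "CN=QMStaff,OU=Groups,DC=somedomain,DC=com"]
    print(evaluate_login("alice", groups, state))  # alice keeps Branch Admin
    print(evaluate_login("carol", groups, state))  # carol is granted only Staff
```

The memberOf values are taken as the bind user would read them from the user tree; only the CN of each DN is compared against the Name column, which is why a consistent QM prefix keeps the mapping table easy to audit.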

Set language and text direction for LDAP users

To make Orchestra read the preferred language of an LDAP user from the LDAP server, follow the procedure below.
To set the language of an LDAP user on an Active Directory server, use the LDAP field preferredLanguage. This field is not available in the ordinary Active Directory Users and Computers editor; instead, use adsiedit.msc to edit it.
See the Localisation chapter of the Reference Manual, found on Qmatic World, for information about language codes.
Enter the 2-character language code in preferredLanguage, for example ar for Arabic.
You should also set a text direction (ltr or rtl).
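As an added example (not Qmatic's code), the parser below reads the attributes this page relies on, userPrincipalName, memberOf and preferredLanguage, from an LDIF export of a user entry and checks that preferredLanguage holds a 2-character code before Orchestra is expected to use it. The LDIF entry is constructed; the small table used to suggest a text direction is an assumption, since Orchestra takes the direction as a separate setting rather than deriving it from the language code.

```python
"""Read preferredLanguage and the other attributes Orchestra needs from an LDIF
export of an Active Directory user entry.

Added example, not Qmatic's code. The entry below is constructed, and the
RTL table is an assumption used only to suggest a default direction."""
import base64
import re

# Constructed LDIF export of a user entry (the shape ldifde or ldapsearch prints).
SAMPLE_LDIF = """\
dn: CN=Ahmad Example,OU=Users,DC=somedomain,DC=com
userPrincipalName: ahmad@somedomain.com
memberOf: CN=QMStaff,OU=Groups,DC=somedomain,DC=com
memberOf: CN=QMBranchNorth,OU=Groups,DC=somedomain,DC=com
preferredLanguage: ar
displayName:: QWhtYWQgRXhhbXBsZQ==
"""

ATTR_LINE = re.compile(r"^([^:]+)(::?)\s*(.*)$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Folded lines (a leading space continues the previous line) are joined,
    comment lines are skipped and base64 values ('::') are decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        match = ATTR_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr, []).append(value)
    return entry


LANG_CODE = re.compile(r"^[a-z]{2}$")
# Assumption: languages usually written right to left; only a suggested default.
RTL_LANGUAGES = {"ar", "he", "fa", "ur"}


def language_settings(entry):
    """Return (language_code, suggested_direction) for the entry.

    Returns (None, None) when preferredLanguage is not set, and rejects any
    value that is not a 2-character code, which Orchestra would not accept."""
    values = entry.get("preferredLanguage", [])
    if not values:
        return None, None
    code = values[0].strip().lower()
    if not LANG_CODE.match(code):
        raise ValueError(f"preferredLanguage {values[0]!r} is not a 2-character code")
    return code, "rtl" if code in RTL_LANGUAGES else "ltr"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print(entry["userPrincipalName"][0], entry["memberOf"])
    print(language_settings(entry))  # ('ar', 'rtl')
```

Running the check against an export of every user in a QM-prefixed group is a quick way to find entries where preferredLanguage was left empty or typed as a full language name instead of the 2-character code.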