Frequently Asked Questions about LDAP

In addition to the LDAP parameters on the Preferences > Accounts page, are there other steps required to implement LDAP in LINQ EP?

There are no additional steps required in LINQ EP; however, the LINQ EP/Active Directory server must have the appropriate ports open so that it can communicate with LINQ EP.

What happens when LDAP is turned on and an employee creates an account or logs into LINQ EP for the first time? Does the employee use their Active Directory UserID  and password to create the account? When will LINQ EP recognize and validate employee's portal account?

When LDAP is turned on, the employee must create an LINQ EP account using their LINQ EP/Active Directory username and password. If the employee uses any other username and/or password, the Create Account process will fail. LINQ EP will validate their LINQ EP/Active Directory username and password against Active Directory when the employee submits a request to create the LINQ EP account.

Is the Administrator account validated with Active Directory?

No. The Administrator user account will continue to work as it has always worked.

Must the user account from Active Directory be associated with an employee in the Alio Employee Master to complete the account start up? When the employee signs in with an Active Directory account, will the program prompt the employee to associate their Active Directory account to an Alio employee ID in order to start their portal user account?

No, the employee must create an LINQ EP account. The Create Account page prompts the employee to enter their Employee Number; this is how the employee is linked to the appropriate employee master record in Alio. The employee must also enter the following fields on the Create Account page: DOB, SSN, Employee Last and First Name, and Zip Code. The account is not created if any of this information does not match the employee's master record in Alio.  

What happens if the employee changes their password or exceeds the number of incorrect sign in attempts and is locked out of LINQ EP? Is the employee also locked out of Active Directory? If the employee's password is changed in Active Directory is it automatically changed in the portal?

LINQ EP never touches Active Directory to make changes; therefore an account in Active Directory is never locked. An employee is only locked out of LINQ EP when that employee exceeds the number of Login Attempts defined by your organization in Preferences > Accounts. If the Login Attempts parameter is disabled (equal to 0),  the employee is never locked out of LINQ EP.

You can also define how long the account will be locked, e.g., 1 hour, 2 hours, 24 hours, etc.

If the password is changed in Active Directory, the LINQ EP password that is saved in the LINQ EP database is NOT updated. However, when LDAP is enabled, the login authentication never looks at the password that is saved in the database; it validates the login information against Active Directory.

When LDAP is enabled, an employee cannot change their username or password in LINQ EP; however, an administrator with rights to modify user accounts CAN modify an LINQ EP employee account user name if the username is changed in Active Directory. The Active Directory username and LINQ EP username must match in order for the employee to log into LINQ EP.

Note: LINQ EP communicates with Active Directory only to validate an account; however Active Directory does NOT communicate with LINQ EP when an employee's Active Directory account username/password are changed.

Employees cannot reset their password when LDAP is enabled in LINQ EP. If LDAP in LINQ EP is disabled, the employees will use the password that is saved in the LINQ EP database (e.g., the initial password the employee used to create their LINQ EP account) to log into LINQ EP. The employee may not remember this password if it has changed multiple times between the time the employee's LINQ EP account was created and LDAP within LINQ EP was disabled. In this case, the user is required to answer their security questions prior to resetting their password.  If LDAP in LINQ EP is enabled again, the employee's login credentials are validated against Active Directory.

What if the employee is an administrator and already has an account that is associated with their Alio ID prior to turning on Active Directory? What is the best practice to recreate their portal account from Active Directory?

LINQ recommends implementing LDAP prior to creating any accounts in LINQ EP. However, if Active Directory is turned on after an administrator account is created in LINQ EP, you can try these options:

1. Login with the administrator account and modify each user's LINQ EP username to match that Active Directory username (you do not need to change the password that is stored in LINQ EP).

2. Log in with the administrator account and delete the user accounts. Require the users to re-create their LINQ EP account.

3. Submit a request to your LINQ EP support representative to remove all of the LINQ EP user accounts from the database. Require the users to re-create their accounts.

Is there any published information on how using LDAP works in LINQ Employee Portal?

LINQ recommends contacting your LINQ EP support representative to request additional information.