For OnPremise customers, a service called ADSync is registered upon proper installation of Integrify. You can use this service to import Active Directory users into Integrify and to keep changes made to those users in Active Directory synchronized to Integrify. Here are some notes regarding the service to assist in initial configuration.
- The AD Synch Service is installed automatically with the standard Integrify installation. It is not set to start by default, however, so you will have to start the service manually and/or change its startup type.
- Before you run the initial sync, make sure you have already created an account within Integrify that has a corresponding AD account and that is a member of the Administrators group within Integrify. This is the account that must survive the sync.
- It is prudent to always test your configuration with deleteNonADUsers="false"; otherwise you can lock yourself out of Integrify. The default Admin account for Integrify is NOT protected in any way and will be deleted by the sync if it is not matched to an AD account.
- For testing, it is a good idea to have an AD account that should be synced but does not yet exist in Integrify. This lets you quickly verify the sync is working as designed by searching for that account in Integrify after a sync run.
- It is good practice to enable full logging during the configuration and testing process. To enable full logging, change <!--<add key="logMode" value="Full"/>--> to <add key="logMode" value="Full"/> in the file Integrify.Workflow.ADSynchService.exe.config in the WindowsServices folder of your Integrify5 installation (Integrify5\WindowsServices). You will need to restart the Windows service for the change to take effect. Two log files will appear in this directory to aid in troubleshooting. Once you have a confirmed working setup, change the line back in the configuration file. Be aware that the logs contain the entire AD crawl and can grow large quickly; because they hold the directory data returned by your filter, treat them as sensitive and delete them once troubleshooting is finished.
- The UserName is the unique value that determines whether a user already exists in Integrify. If the LDAP or AD attribute you map to UserName changes for a person, a new user is created; in addition, the old user is marked as deleted in the database if deleteNonADUsers is set to true. This is known to happen when, for example, a user gets married and takes their partner's last name.
- The synchs setting is interpreted as an XML document, so any XML special characters in attribute values must be escaped. For example, to use an "&" in your filter setting (the default filter starts with "(&"), you must write it as "&amp;". The other characters that need escaping in an attribute value are <, >, " and '; see an XML character-encoding reference for their entity forms.
Below are the configuration settings and brief descriptions of what they mean. These need to be entered into Integrify in the Administration > System Settings > System Configuration Settings > synchs variable. Once entered there, you will need to recycle your application pool and restart the AD Synch Windows service:
- searchRoot - represents the LDAP path to begin your search.
- filter - represents the LDAP filter to use when searching the directory. The default filter is "(&(objectClass=user)(objectCategory=person)(mail=*)(sn=*))". If you have a large LDAP directory, make your filter as specific as possible. See http://msdn2.microsoft.com/en-us/library/system.directoryservices.directorysearcher.filter.aspx. You can also use the LDP tool from Microsoft to test your filters before setting them in Integrify. See http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&id=15326. Keep in mind when designing your filter that wildcards are not allowed in DN attributes such as distinguishedName, member, or memberOf; you must specify the full Distinguished Name in the filter. See this link for some good filter examples: http://www.tek-tips.com/faqs.cfm?fid=5667
- groupTestMode - determines how the Allowed and Blocked Groups are processed.
- A setting of MemberOf means the groups listed in the Allowed and Blocked group sections are matched against a string queried from AD that lists the groups for a user (the user's memberOf attribute). Populate the Allowed/Blocked groups with the group name only. This method is not reliable for certain groups depending on how they are set up in your directory: memberOf does not list a user's primary group, and it does not expand nested group membership.
- A setting of IsMember means the groups listed in the Allowed and Blocked group sections are checked by invoking the IsMember Active Directory method for each group. Allowed/Blocked groups should be populated with the full DN of the group.
- NOTE: Additionally, you can add a 'memberOf=' component to the filter attribute above. This too must be the full distinguished name of the group. Adding it to the filter has the bonus of limiting the result set returned from AD/LDAP, rather than filtering on the Integrify side after the crawl.
- username - if specified, forces the service to bind to the directory using this username together with the password and authenticationtype settings below.
- password - password for the LDAP bind. This value sits in clear text in the synchs setting, so use a dedicated service account that has only read access to the directory.
- pagesize - default is 1000000. For non-AD LDAP servers set this to 0.
- searchscope - default is Subtree. Other valid values are OneLevel and Base. This setting can be disabled by setting this to 0
- authenticationtype - represents the authentication type used for LDAP authentication. Valid entries are: Anonymous, Delegation, Encryption, FastBind, None, ReadonlyServer, Sealing, Secure, SecureSocketsLayer, ServerBind, Signing. The default authenticationtype is Secure. For Novell eDirectory, use SecureSocketsLayer
See MSDN for more information about authentication types: http://msdn2.microsoft.com/en-us/library/system.directoryservices.authenticationtypes.aspx
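Because a malformed synchs value only shows up as a failed crawl after an application pool recycle and a service restart, it pays to check the XML before pasting it into System Configuration Settings. The script below is an added example, not Integrify's own code: it escapes a raw LDAP filter for an XML attribute (the "&" to "&amp;" rule above), confirms the value parses as XML, checks authenticationtype, searchscope, groupTestMode and pagesize against the values documented in this list, and flags a wildcard in a DN attribute such as memberOf. It assumes the setting is a single <ActiveDirectory> element with these attributes, as in the example configuration further down, and it assumes deleteNonADUsers is an attribute of that element; the sample settings are constructed for the demonstration.

```python
"""Pre-flight checks for an Integrify `synchs` setting (constructed example,
not Integrify's own code). Run stand-alone to see the three sample verdicts."""
import re
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Values documented above for authenticationtype and searchscope.
VALID_AUTH_TYPES = {
    "Anonymous", "Delegation", "Encryption", "FastBind", "None", "ReadonlyServer",
    "Sealing", "Secure", "SecureSocketsLayer", "ServerBind", "Signing",
}
VALID_SCOPES = {"Subtree", "OneLevel", "Base", "0"}
# DN-valued attributes: wildcards are not allowed, the full DN must be given.
DN_ATTRIBUTES = {"distinguishedname", "member", "memberof"}

# One leaf of an RFC 4515 filter: (attr op value) with no nested parentheses.
_LEAF = re.compile(r"\(([A-Za-z][\w.;-]*)(=|~=|>=|<=)([^()]*)\)")


def xml_attr(value: str) -> str:
    """Escape a raw string (e.g. an LDAP filter) for use inside an XML attribute."""
    return escape(value, {'"': "&quot;"})


def check_ldap_filter(ldap_filter: str) -> list:
    """Return a list of problems found in an LDAP filter string."""
    problems = []
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                break
    if depth != 0 or not ldap_filter.startswith("("):
        problems.append("filter: parentheses are unbalanced or filter is not parenthesised")
        return problems
    leaves = _LEAF.findall(ldap_filter)
    if not leaves:
        problems.append("filter: no (attribute=value) component found")
    for attr, _op, value in leaves:
        if attr.lower() in DN_ATTRIBUTES and "*" in value:
            problems.append(f"filter: wildcard in DN attribute {attr}; use the full distinguished name")
    return problems


def check_synchs(setting_xml: str) -> list:
    """Validate a synchs setting. Returns [] when nothing was found."""
    try:
        root = ET.fromstring(setting_xml)
    except ET.ParseError as exc:
        # A raw & or < in the filter attribute ends up here.
        return [f"not well-formed XML ({exc}); did you write & instead of &amp;?"]
    problems = []
    if root.tag != "ActiveDirectory":
        problems.append(f"root element is <{root.tag}>, expected <ActiveDirectory>")
    a = root.attrib
    if not a.get("searchRoot", "").startswith("LDAP://"):
        problems.append("searchRoot should be an LDAP:// path")
    problems += check_ldap_filter(a.get("filter", ""))
    if a.get("groupTestMode") not in {"MemberOf", "IsMember"}:
        problems.append("groupTestMode must be MemberOf or IsMember")
    if a.get("authenticationtype") and a["authenticationtype"] not in VALID_AUTH_TYPES:
        problems.append(f"authenticationtype {a['authenticationtype']!r} is not a valid value")
    if a.get("searchscope") and a["searchscope"] not in VALID_SCOPES:
        problems.append("searchscope must be Subtree, OneLevel, Base or 0")
    pagesize = a.get("pagesize")
    if pagesize is not None and not pagesize.isdigit():
        problems.append("pagesize must be a non-negative integer")
    # Assumed location of deleteNonADUsers: an attribute on the root element.
    if a.get("deleteNonADUsers", "false").lower() != "false":
        problems.append('deleteNonADUsers is not "false": test first or you may lock yourself out')
    return problems


# Constructed sample: the default filter, correctly escaped for the XML attribute.
SAFE_FILTER = "(&(objectClass=user)(objectCategory=person)(mail=*)(sn=*))"
GOOD = (f'<ActiveDirectory searchRoot="LDAP://OU=Unit,DC=domain,DC=com" '
        f'filter="{xml_attr(SAFE_FILTER)}" groupTestMode="IsMember" '
        f'authenticationtype="Secure" searchscope="Subtree" pagesize="1000" '
        f'deleteNonADUsers="false"/>')
# The same setting pasted with a raw & (the escaping mistake described above).
RAW_AMP = GOOD.replace("&amp;", "&")
# A wildcard inside memberOf, which AD does not permit in a DN attribute.
BAD_DN = GOOD.replace(xml_attr(SAFE_FILTER),
                      xml_attr("(&(objectClass=user)(memberOf=*Integrify*))"))

if __name__ == "__main__":
    for name, xml in [("good", GOOD), ("raw &", RAW_AMP), ("bad DN", BAD_DN)]:
        print(name, check_synchs(xml) or "OK")
```

The XML check is the one that matters most in practice: Integrify reads the setting as an XML document, so a filter pasted with a raw "&" is rejected as a whole rather than failing on the one component, and the service simply has no filter to run. The filter checks are syntactic only; use LDP against the real directory to confirm the filter returns the users you expect before you turn deleteNonADUsers on.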
BELOW IS AN EXAMPLE CONFIGURATION YOU CAN USE AS A STARTING POINT.
NOTE: The mappings below are shown with the defaults that apply when no mapping is defined; those shown empty have no default. Change only the element content or attribute values, not the element or sub-element names.
<ActiveDirectory searchRoot="LDAP://OU=Unit,DC=domain,DC=com" filter="(objectClass=user)" groupTestMode="IsMember"
username="juser" password="mypassword" authenticationtype="" searchscope="0" pagesize="0">