Steps in Preparation for Synchronization – Active Directory

enaio® 11.0

To prepare for XSLT directory synchronization, Active Directory must contain at least one prefix group with users assigned to it either directly or indirectly (through nested groups).

User data is exported from Active Directory by a parameterized AD call. The call requires the following:

  • the name and password of a technical AD user that has at least read access to the relevant AD data;

  • the host name/IP address and port of the Active Directory domain controller;

  • a base distinguished name (DN) as the starting point for the AD user export.

Prefix Groups and Users

You need at least one prefix group in Active Directory. If there is more than one prefix group, a prefix group should not be a member of another prefix group; this keeps the structure easy to follow. If a prefix group is nevertheless a member of another prefix group, its users are assigned only to the lower-level prefix group.

You assign users to the prefix groups either directly or as members of assigned groups that are not themselves prefix groups.

User names must be unique without the domain portion of the name. Prefix groups and users must be created below the base DN used for the Softerra LDAP browser call.

Either the NT4 user name ('sAMAccountName' attribute) or the AD user name ('userPrincipalName' attribute) is used as the user name.

In the supplied config.xml configuration file, the AD user name attribute is preset and 'enaio_' is entered as the prefix.

You can use different prefixes. Note, however, that a prefix group should not be a member of another prefix group.

Prefixes, group names, and user names are not case-sensitive.

User Name Attribute in the Configuration File

'AD' is entered as the user name attribute (userPrincipalName) in the supplied config.xml configuration file.

<setting name="UserAccountNameSource">AD</setting>

You can enter 'NT4' as the user name attribute (sAMAccountName) instead:

<setting name="UserAccountNameSource">NT4</setting>

Prefix Entered in the Configuration File

'enaio_' is entered as the prefix in the supplied config.xml configuration file.

<setting name="GroupPrefix">enaio_</setting>

You can change the prefix and enter multiple prefixes.

Example:

<setting name="GroupPrefix">enaiousers_</setting>

<setting name="GroupPrefix">enaioadmins_</setting>

AD Call

Softerra LDAP Browser Call

The Softerra LDAP browser call for the AD user data has the following structure:

laimex.exe /d DSML2 /f adexport.xml /p SUB /page 100 /r DC=test,DC=rp /s 127.0.0.1:636 /user user /pwd password /t "(&(|(objectClass=Group)(objectClass=organizationalUnit)(objectClass=user)))" /a sAMAccountType,memberOf,objectClass,dn,objectSid,userPrincipalName,sAMAccountName,cn,userAccountControl,name,mail,sn,givenName

The call specifies the technical user (name and password), the host/IP address and port of the Active Directory domain controller, the base DN (DC=test,DC=rp), the subtree scope (/p SUB), the export file (adexport.xml), the LDAP filter that selects groups, organizational units, and users (/t ...), and the AD attributes to export (/a ...).

Default ports: 389 for LDAP and 636 for LDAPS.

With the licensed version of the Softerra LDAP browser, Softerra LDAP Administrator, it is possible to log in automatically as the Windows user currently signed in to Active Directory. The user name and password parameters (/user user /pwd password) are not required in this scenario.

The paging parameter /page 100 is optional. Enable it if the server supports paged search results; the value sets the page size. This is useful when exporting very large branches, where the number of exported objects would otherwise exceed the server's result limit (Active Directory's default MaxPageSize is 1000 entries, so an unpaged search of a larger branch is truncated).

Base DN

The base DN is the starting point for AD user export. All data below the base DN is exported for the transformation. It is recommended that you choose an 'organizational unit' (OU) or a node of type 'Domain', below which all groups and users are created that should be available for the transformation.

Prefix groups, users, or groups created in the hierarchy outside the base DN are not exported and cannot be analyzed.

The base DN passed in the call is the value of the object's 'distinguishedName' attribute. You can find this value in the 'Active Directory Users and Computers' application on the 'Attribute Editor' tab of the properties dialog (the tab is only shown when 'Advanced Features' is enabled in the View menu).

Testing AD Calls

The AD call can be tested via the command prompt or using the 'XSLT directory synchronization' action in simulation mode in enaio® administrator (see 'Simulation Mode'). It generates the adexport.xml file if the call is successful.

If the call is made via the command prompt, it must be run from the enaio® directory \clients\admin. The PATH system variable must include the Softerra LDAP browser installation directory so that laimex.exe can be found.

All user data below the base DN is exported. The exported data is not limited to prefix groups until the transformation has been performed.

Check the export file to confirm that all user data you want to export below the base DN is actually present.
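A quick offline check of the export file, added here as an example and not part of enaio or of the Softerra tools: it parses adexport.xml, finds the prefix groups, resolves direct and nested membership according to the rules above, and reports users that no prefix group reaches, prefix groups nested in other prefix groups, and user names that collide once the domain part is removed. It assumes the export uses the standard DSMLv2 searchResultEntry layout (laimex.exe's exact output was not verified), the embedded SAMPLE_EXPORT is constructed data, and the function names are the example's own.

```python
"""Pre-flight check of a DSMLv2 AD export before XSLT directory synchronization.
Added example (not enaio or Softerra code). Assumes the standard DSMLv2
searchResultEntry layout; SAMPLE_EXPORT is constructed, not a real capture."""
import xml.etree.ElementTree as ET

NS = {"d": "urn:oasis:names:tc:DSML:2:0:core"}

# Constructed sample: two prefix groups (enaio_admins nested in enaio_users), one
# ordinary group, four users. 'Alice Two' uses an alternative UPN suffix.
SAMPLE_EXPORT = """<batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core"><searchResponse>
<searchResultEntry dn="CN=enaio_users,OU=enaio,DC=test,DC=rp">
 <attr name="objectClass"><value>top</value><value>group</value></attr>
 <attr name="sAMAccountName"><value>enaio_users</value></attr></searchResultEntry>
<searchResultEntry dn="CN=enaio_admins,OU=enaio,DC=test,DC=rp">
 <attr name="objectClass"><value>top</value><value>group</value></attr>
 <attr name="sAMAccountName"><value>enaio_admins</value></attr>
 <attr name="memberOf"><value>CN=enaio_users,OU=enaio,DC=test,DC=rp</value></attr></searchResultEntry>
<searchResultEntry dn="CN=Clerks,OU=enaio,DC=test,DC=rp">
 <attr name="objectClass"><value>top</value><value>group</value></attr>
 <attr name="sAMAccountName"><value>Clerks</value></attr>
 <attr name="memberOf"><value>CN=enaio_users,OU=enaio,DC=test,DC=rp</value></attr></searchResultEntry>
<searchResultEntry dn="CN=Alice,OU=enaio,DC=test,DC=rp">
 <attr name="objectClass"><value>top</value><value>user</value></attr>
 <attr name="sAMAccountName"><value>alice</value></attr>
 <attr name="userPrincipalName"><value>alice@test.rp</value></attr>
 <attr name="memberOf"><value>CN=Clerks,OU=enaio,DC=test,DC=rp</value></attr></searchResultEntry>
<searchResultEntry dn="CN=Alice Two,OU=enaio,DC=test,DC=rp">
 <attr name="objectClass"><value>top</value><value>user</value></attr>
 <attr name="sAMAccountName"><value>alice.two</value></attr>
 <attr name="userPrincipalName"><value>alice@corp.test.rp</value></attr>
 <attr name="memberOf"><value>CN=Clerks,OU=enaio,DC=test,DC=rp</value></attr></searchResultEntry>
<searchResultEntry dn="CN=Bob,OU=enaio,DC=test,DC=rp">
 <attr name="objectClass"><value>top</value><value>user</value></attr>
 <attr name="sAMAccountName"><value>bob</value></attr>
 <attr name="userPrincipalName"><value>bob@test.rp</value></attr>
 <attr name="memberOf"><value>CN=enaio_admins,OU=enaio,DC=test,DC=rp</value></attr></searchResultEntry>
<searchResultEntry dn="CN=Carol,OU=enaio,DC=test,DC=rp">
 <attr name="objectClass"><value>top</value><value>user</value></attr>
 <attr name="sAMAccountName"><value>carol</value></attr>
 <attr name="userPrincipalName"><value>carol@test.rp</value></attr></searchResultEntry>
</searchResponse></batchResponse>"""


def parse_export(xml_text):
    """Return {dn: {attr: [values]}}. DNs, memberOf and objectClass values are
    lower-cased because AD compares them case-insensitively."""
    entries = {}
    for e in ET.fromstring(xml_text).iter("{%s}searchResultEntry" % NS["d"]):
        attrs = {a.get("name").lower(): [v.text or "" for v in a.findall("d:value", NS)]
                 for a in e.findall("d:attr", NS)}
        for key in ("objectclass", "memberof"):
            attrs[key] = [v.lower() for v in attrs.get(key, [])]
        entries[e.get("dn").lower()] = attrs
    return entries


def prefix_groups(entries, prefixes):
    """Groups whose name starts with one of the GroupPrefix values (case-insensitive)."""
    pre = tuple(p.lower() for p in prefixes)
    return {dn for dn, a in entries.items() if "group" in a["objectclass"]
            and a.get("samaccountname", [""])[0].lower().startswith(pre)}


def nested_prefix_groups(entries, pgroups):
    """Prefix groups that are members of another prefix group (advised against)."""
    return {dn for dn in pgroups if any(m in pgroups for m in entries[dn]["memberof"])}


def user_assignments(entries, pgroups):
    """Map each user DN to the prefix groups reached directly or via nested groups.
    The walk stops at the first prefix group, so a user in a prefix group that is
    itself nested in another prefix group is assigned to the lower-level group only."""
    result = {}
    for dn, a in entries.items():
        if "user" not in a["objectclass"]:
            continue
        reached, seen, stack = set(), set(), list(a["memberof"])
        while stack:
            g = stack.pop()
            if g in seen:
                continue            # guards against circular group nesting
            seen.add(g)
            if g in pgroups:
                reached.add(g)
            elif g in entries:      # ordinary group: keep walking upwards
                stack.extend(entries[g]["memberof"])
        result[dn] = reached
    return result


def duplicate_user_names(entries, source="AD"):
    """Names that collide once the domain part is stripped, for the configured
    UserAccountNameSource ('AD' = userPrincipalName, 'NT4' = sAMAccountName)."""
    attr = "userprincipalname" if source.upper() == "AD" else "samaccountname"
    by_name = {}
    for dn, a in entries.items():
        if "user" in a["objectclass"] and a.get(attr):
            local = a[attr][0].split("@")[0].split("\\")[-1].lower()
            by_name.setdefault(local, []).append(dn)
    return {n: dns for n, dns in by_name.items() if len(dns) > 1}


def check(xml_text, prefixes=("enaio_",), source="AD"):
    """Run all checks and return the findings as a dict."""
    entries = parse_export(xml_text)
    pg = prefix_groups(entries, prefixes)
    assigned = user_assignments(entries, pg)
    return {"prefix_groups": pg,
            "nested_prefix_groups": nested_prefix_groups(entries, pg),
            "synchronized": {u: g for u, g in assigned.items() if g},
            "not_synchronized": sorted(u for u, g in assigned.items() if not g),
            "duplicate_names": duplicate_user_names(entries, source)}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, val in check(text).items():
        print(key, "->", val)
```

Run it as `python check_export.py adexport.xml` after a test call; without an argument it runs against the constructed sample. With the default prefix 'enaio_' and the 'AD' name source, the sample reports Bob as assigned only to enaio_admins (the lower-level prefix group), Carol as not synchronized, enaio_admins as a prefix group nested in another, and 'alice' as a colliding name, because alice@test.rp and alice@corp.test.rp are the same user name once the domain part is removed; with 'NT4' the sAMAccountNames alice and alice.two do not collide.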

Data Security

The AD call configured for the 'XSLT directory synchronization' action may contain the technical user's name and password in unencrypted form. While laimex.exe runs, a password passed via /pwd is also visible in the process command line to other users of the host. Over plain LDAP (port 389) a simple bind transmits the password unencrypted, so use LDAPS (port 636). The export file contains a list of all users, with their user data, below the base DN.

This data is not automatically deleted if the call is made via the command line or via XSLT directory synchronization in simulation mode, or if the action fails.

Take safeguards to prevent unauthorized access to the environment in which this data is stored: restrict read access to the configured action and to the export directory, delete adexport.xml after testing, and grant the technical user read rights only.