Skip to main content

Windows Connector

Introduction

Description

This connector implements the LDAPS protocol and it is used to connect the Sync-Server with every server that allows this communication protocol.

Managed System

This connector has been performed to connect to Active Directory system, it's a fork of our LDAP Connector with custom features.

For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our Contact form

Prerequisites

To enable LDAPS in your Active Directory, please read the following guide: SSL access to Active Directory.

It is needed a Active Directory user with full administrator access.

Download and Install

This addon is located in the Connectors section and its name is Windows (including Active Directory).

For downloadmore and install the addon you could review our generic documentationinformation about thisthe process: installation process you can visit the Addons installationGetting started page.

Agent Configuration

Basic

Generic parameters

After the installation of the addon, you may create and configure agent instances.

This addon has 5 available agents:

  • Customizable Active Directory (with triggers)
  • Customizable Active Directory (without SSL)
  • Active Directory Only Passwords
  • Remote Windows Host
  • Windows Server

To configure this Windows (including Active Directory) you could select "Customizable Active Directory (with triggers)" or "Customizable Active Directory (without SSL)" in the attribute "Type" of the generic parameters section in the agents page configuration.

For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration

Custom parameters

Below there are the specific parameters for this agent implementation (both types: "Customizable Active Directory (with triggers)" / "Customizable Active Directory (without SSL)")

  • Host name of the domain controler
  • Active Directory distingished name in X500 format. e.g.: dc=soffid,dc=local
  • Administrator principal name in X500 format, relative to A.D name. e.g.: cn=Administrator,cn=Users
  • Administrator password

Parameter

Description

Hostname

Host name of the server

LDAP base DN

LDAP Base name

Principal name

User name in DN format, including base name if needed

Password

Password

Enable debug

Two options: [ Yes / No ]. When it is enabled more log traces are printed in the Synchronization Server log

Accepted certificates

Two options: [ Only trusted certificates / Any (insecure) ]

Follow referrals

Two options: [ Don't / Yes ]

Manage child domains

Two options: [ No / Yes ]

Create OUs when needed

Two options: [ No / Yes ]

Attribute mapping

Active Directory connector could manage Users and Groups by using LDAPS protocol.

Properties

To enable it, add the following properties to each object mapping:

Property

Description

rename

AD agent will always map account and group names to SAMAccount attribute. BaseDN and cn can be calculated based on user attributes. AD agent is able to move and rename AD objects. If you don't desire users or groups to be renamed or moved, an object property named "rename" with value "false" can be added to some object mappings.

searchBase

if you want to reconcile process to search accounts on a directory subtree other than AD root, put a searchBase property with de relative tree to look for.

key

the AD attribute that works as primary key. Usually it's the sAMAccountName and can be omited

createDisabledAccounts

Set to true if you want the connector to create disabled accounts in the active directory. By default, disabled accounts are not created until enabled.

For example:

WIN Connector - example 1.png

Attributes

You can map users, groups and role objects. Active Directory membership is automatically managed based on user and group mappings.

Any object mapping must have the following system attributes:

System attribute

Description

objectClass

Active Directory object class. The following values mostly used and "user", "group" or "organizationalUnit"

baseDn

Active Directory container where user or group should be created. Its value should be absolute, containing Active Directory DC parts

relativeBaseDn

Active Directory container where user or group should be created. Its value should be relative to Active Directory DC parts.

cn

Object name

There is a bunch of AD special attributes that need some special treatment:

System attribute

Description

sAMAccontName

Is automatically be mapped. It is internally mapped to role name or account name, without further customization

accountExpires

Sets the last date (in nanoseconds since 1600) in which the account will be valid. A common mapping expression is:

if ( attributes {"expirationDate"} == null)
   return 9223372036854775807L;
else
   return attributes{"expirationDate"}.getTime() * 10000L + 116445528000000000L;

samAccountType

Can be used to identify distribution lists. A value of 268435457 or 268435456 means the AD group is a distribution list group rather than a security group.

lastLogon

Attribute can be used to get the last time an account was used. Soffid attribute is named lastLogin and a right mapping could be the following one. Mind when you make a reference to lastLogon attribute, each and every domain controller is queried about this attribute, as its value is not replicated across AD controllers:

if ( lastLogon == null || lastLogon == void) return null;
Long v = Long.decode(lastLogon);
v = v / 10000000L;
v-=11644473600L;
return new Date(v*1000);
=>
lastLogin

For more information about how you may configure attribute mapping, see the following link: Soffid Attribute Mapping Reference

For example:

WIN Connector - example 2.png

Triggers

&&TODO&&Pending to be documented.

Load triggers

&&TODO&&Pending to be documented.

Account metadata

&&TODO&&Pending to be documented.

Operational

Monitoring

After the agent configuration you could check in the monitoring page if the service is running in the Synchronization Server, please go to:

  • Start Menu > Administration > Monitoring and reporting > Syscserver monitoring

Tasks

Authoritative

If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to:

  • Start Menu > Administration > Monitoring and reporting > Scheduled tasks

And you will something like "Import authoritative data from <AGENT_NAME>".

Reconcile

If your are configured the "Attribute Mapping" tab with some of our objects: "user, account, role, group or grant", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to:

  • Start Menu > Administration > Monitoring and reporting > Scheduled tasks

And you will something like "Reconcile all accounts from <AGENT_NAME>".

Synchronization

About the synchronization of the objects, there are two possible options:

  • If you are checked the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend this options until the global configuration of Soffid will be tested.
  • If you are not checked the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.

For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration