Configuring User Synchronization With Active Directory

In this article
  • Configuring User Synchronization With Active Directory
  • The "General" Tab
  • The "Synchronization" Tab
  • Primary Attribute Mapping
  • The "Domain Controllers" Tab
  • The "Domain Objects" Tab
  • The "Attributes" Tab
  • Adding A New Attribute

You can find the settings for user synchronization with Active Directory in the web interface section: Settings/Administration/User synchronization.

By default, this section does not contain configured synchronizations.

When synchronizations are configured, they appear on the Synchronizations tab sorted in the following order: punctuation marks (e.g., quotes or exclamation marks), 0–9, A–Z, a–z, А–Я, а–я. Users can sort the list by synchronization name.

The "Synchronizations" tab

If there are several synchronization sources, they can be prioritized. To do that, add conditions as regular expressions on the Prioritization tab. You can reorder the conditions by dragging them: the higher an expression is in the list, the higher its priority.

The "Prioritization" tab

You can also set priority based on a specific attribute. Select it from the dropdown list or enter it manually in the corresponding field. This field is optional, does not participate in user field synchronization, and is not displayed in user profiles.

Attribute-based priority

The "General" Tab

In the General tab, you can change the synchronization name.

The "Synchronization" Tab

This page displays the following parameters:

  • Automatic synchronization (enables or disables periodic synchronization of data from AD; the default interval is 15 minutes);
  • Synchronize by field in the system;
  • Synchronize by attribute in AD;
  • Disable when disconnected in AD (automatically disables the user's authentication in the system when the account is disabled in AD);
  • Disable if there is no source (disables the user's authentication in the system if the AD account has been deleted);
  • Enable when connected in AD (automatically re-enables the user's authentication when the account is enabled again in AD; this option only works together with Disable when disconnected in AD);
  • Depersonalize when deleted from AD (depersonalizes the data of users whose accounts were deleted from Active Directory);
  • Synchronization time (hidden until data from AD has been synchronized at least once);
  • Synchronize now (sends a request for immediate synchronization).

The "Synchronization" tab

The automatic synchronization interval with AD can be modified via a GraphQL request:

mutation {
  app_config {
    active_directory {
      update_config(sync_period: 65000) {
        sync_period
      }
    }
  }
}

sync_period is the synchronization interval in milliseconds: 65000 in the request above is 65 seconds, and the default of 15 minutes corresponds to 900000.

Primary Attribute Mapping

In the synchronization profile, you can configure the primary attribute mapping (the Synchronize by field in the system and Synchronize by attribute in AD fields). Primary attribute mapping addresses the case where the same user can also be synchronized into the system from other sources: it prevents a second account from being created for that user.

Attribute mapping

During initial synchronization, the AD attribute value is compared with the value of the field in the user profile. If they match, no new user is created; instead, the AD account is synchronized into the existing user.

Example: a user was synchronized from the "Senior HR" system, where the Personnel number field in the user profile is 1001. Primary synchronization compares the value of the AD attribute with the value of that field. If the values match (1001 in this example), no new user is created.
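
The matching rule above as an added example (this is not the product's own code): a small Python planner that decides, for each AD entry, whether it is linked to an existing user or a new user is created. The sample users and AD entries are constructed; the field and attribute names (personnel_number, employeeID) and the handling of empty and ambiguous values are assumptions, not documented behaviour.

```python
# Added example (not the product's code): primary-attribute reconciliation.
# Constructed sample data; field and attribute names are assumptions.

# Users already present in the system, e.g. imported from an HR system.
# User 4 repeats user 2's personnel number (left over from a bad import).
EXISTING_USERS = [
    {"id": 1, "personnel_number": "1001", "name": "Ivanova I."},
    {"id": 2, "personnel_number": "1002", "name": "Petrov P."},
    {"id": 3, "personnel_number": "", "name": "Service account"},
    {"id": 4, "personnel_number": "1002", "name": "Petrov P. (duplicate)"},
]

# Objects read from AD; employeeID plays the role of "attribute in AD".
AD_ENTRIES = [
    {"sAMAccountName": "iivanova", "employeeID": "1001"},
    {"sAMAccountName": "ppetrov", "employeeID": "1002"},
    {"sAMAccountName": "ssidorov", "employeeID": "1003"},
    {"sAMAccountName": "svc_backup", "employeeID": ""},
]


def plan_sync(existing, ad_entries, system_field="personnel_number",
              ad_attribute="employeeID"):
    """Decide link / create / skip for every AD entry.

    Returns (links, creates, skipped):
      links   - (sAMAccountName, existing user id) pairs to merge into
      creates - sAMAccountNames that get a new user
      skipped - (sAMAccountName, reason) pairs that need an administrator
    Two deliberate choices (assumptions, not documented behaviour):
      * an empty value on either side never matches, so accounts lacking
        the attribute do not all collapse onto one blank-field user;
      * several existing users sharing one value is ambiguous, so the
        entry is skipped rather than linked to whichever comes first.
    """
    index = {}
    for user in existing:
        key = (user.get(system_field) or "").strip()
        if key:
            index.setdefault(key, []).append(user)

    links, creates, skipped = [], [], []
    for entry in ad_entries:
        login = entry["sAMAccountName"]
        key = (entry.get(ad_attribute) or "").strip()
        matches = index.get(key, []) if key else []
        if len(matches) > 1:
            skipped.append((login, f"{len(matches)} users share {system_field}={key}"))
        elif matches:
            links.append((login, matches[0]["id"]))
        else:
            creates.append(login)
    return links, creates, skipped


if __name__ == "__main__":
    links, creates, skipped = plan_sync(EXISTING_USERS, AD_ENTRIES)
    print("link:", links)      # [('iivanova', 1)]
    print("create:", creates)  # ['ssidorov', 'svc_backup']
    print("skip:", skipped)    # [('ppetrov', '2 users share personnel_number=1002')]
```

Run the planner against a dry export of the source system before the first synchronization: the skipped list shows exactly which existing records carry duplicate or empty primary values and would otherwise produce either a wrong link or a duplicate account.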

The "Domain Controllers" Tab

To add new domain controllers, click the Add button in the Domain controllers tab.

The "Domain controllers" tab

When you click Add, a New address panel appears on the left with the following parameters:

  • Protocol (if you choose LDAPS, the Certificate field appears in the interface);
  • Certificate:
    • the integration with AD supports the Windows OS certificate store: if the necessary CA certificates are already present in the store of the computer where the system is installed, you do not need to upload a certificate file on the configuration page;
    • otherwise, upload the intermediate or root CA certificate that issued the certificates the domain controllers present for LDAPS (the CA certificate, not a controller's own server certificate);
  • Address (domain controller address or domain name);
  • User name (an AD account with permission to read the directory);
  • Password (if not set previously);
  • The Change password button (if the password was set previously);
  • Description;
  • The Test connection button (the test connection to the domain is performed after the changes are saved).

Confirm by clicking Add when adding a new domain controller or Save when editing the existing one. Click Cancel to discard the changes.

Adding a new domain controller

The "Domain Objects" Tab

On this page, you can add the objects that will be synchronized from AD into the system. An object can contain other objects (departments) or leaf objects (users).

A domain object is entered as a Distinguished Name (example: OU=UnitName,OU=Users,OU=Root,DC=some,DC=domain,DC=com). A domain object can be an OU or a Universal Security Group. To use Universal Security Groups, enable group synchronization with the following GraphQL mutation (the selection set returns the two flags that were set, so the response confirms the change):

mutation {
  app_config {
    active_directory {
      update_config(
        sync_employee_group_membership_enabled: true,
        sync_nested_group_membership_enabled: true
      ) {
        sync_employee_group_membership_enabled
        sync_nested_group_membership_enabled
      }
    }
  }
}
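
The two update_config mutations on this page (the sync_period change in the "Synchronization" section and the group-synchronization flags above), wrapped in an added Python helper. This is example code, not part of the product; the endpoint path, bearer-token authentication and the standard GraphQL JSON response shape ({"data": ..., "errors": [...]}) are assumptions. The point it adds is the verification step: a GraphQL server answers HTTP 200 even when a mutation fails, so the errors array and the echoed values must be checked rather than assumed.

```python
# Added example (not the product's code): build the two update_config
# mutations shown on this page and verify what the server actually applied.
# Assumed: the endpoint path, bearer-token auth, and the standard GraphQL
# JSON response shape {"data": ..., "errors": [...]}.
import json
import urllib.request

GRAPHQL_URL = "https://workspace.example.invalid/api/graphql"  # assumed path
MIN_SYNC_PERIOD_MS = 60_000  # assumed floor; very short periods only load the DCs


def sync_period_mutation(minutes: float) -> tuple:
    """Return (mutation text, period in milliseconds).

    The argument is validated as a number and rendered as an integer
    literal, so nothing string-typed is spliced into the query text.
    """
    period_ms = int(minutes * 60_000)
    if period_ms < MIN_SYNC_PERIOD_MS:
        raise ValueError(f"sync_period {period_ms} ms is below {MIN_SYNC_PERIOD_MS} ms")
    query = (
        "mutation { app_config { active_directory { "
        f"update_config(sync_period: {period_ms}) {{ sync_period }} "
        "} } }"
    )
    return query, period_ms


def group_sync_mutation(employee_groups: bool, nested_groups: bool) -> str:
    """Mutation enabling Universal Security Group objects; the selection set
    returns both flags so the caller can confirm them."""
    if not isinstance(employee_groups, bool) or not isinstance(nested_groups, bool):
        raise TypeError("flags must be bool")
    emp, nested = json.dumps(employee_groups), json.dumps(nested_groups)  # true/false
    return (
        "mutation { app_config { active_directory { update_config("
        f"sync_employee_group_membership_enabled: {emp}, "
        f"sync_nested_group_membership_enabled: {nested}) "
        "{ sync_employee_group_membership_enabled "
        "sync_nested_group_membership_enabled } } } }"
    )


def applied_config(response: dict) -> dict:
    """Extract update_config from a response, failing loudly on errors.

    GraphQL servers normally answer HTTP 200 even when a mutation failed,
    so "errors" must be inspected; a response without the expected keys
    is treated as a failure, not as "nothing changed".
    """
    if response.get("errors"):
        msgs = "; ".join(e.get("message", "?") for e in response["errors"])
        raise RuntimeError(f"GraphQL errors: {msgs}")
    try:
        return response["data"]["app_config"]["active_directory"]["update_config"]
    except (KeyError, TypeError) as exc:
        raise RuntimeError("unexpected response shape") from exc


def post_mutation(query: str, token: str, url: str = GRAPHQL_URL) -> dict:
    """Send one mutation and return the applied update_config fields."""
    req = urllib.request.Request(
        url,
        data=json.dumps({"query": query}).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},  # assumed auth scheme
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return applied_config(json.load(resp))


def set_sync_period(minutes: float, token: str) -> int:
    """Change the interval and check that the server echoed the requested value."""
    query, wanted = sync_period_mutation(minutes)
    got = post_mutation(query, token).get("sync_period")
    if got != wanted:
        raise RuntimeError(f"requested sync_period {wanted}, server reports {got}")
    return got


if __name__ == "__main__":
    # Offline demonstration of the response check with a constructed reply.
    sample = {"data": {"app_config": {"active_directory":
              {"update_config": {"sync_period": 900_000}}}}}
    print(sync_period_mutation(15)[0])
    print(applied_config(sample))  # {'sync_period': 900000}
```

Calling set_sync_period(15, token) would restore the default interval; set_sync_period(0.5, token) is rejected locally by the assumed floor before anything is sent.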

Synchronization runs only if at least one domain object has been added.
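
An added example, not the product's code, for checking a Distinguished Name before entering it as a domain object: it splits the DN into RDNs while honouring RFC 4514 backslash escapes (a unit named "Sales, EMEA" must not be cut at its comma), requires the leading RDN to be an OU or a group (CN), requires trailing DC components, and compares the domain they spell with the domain of the configured controller. The sample DNs are constructed, and the domain comparison is an assumption about what an administrator wants, not documented product behaviour.

```python
# Added example (not the product's code): validate a Distinguished Name
# before entering it as a domain object. Sample DNs are constructed; the
# "expected domain" check is an assumption, not documented behaviour.

DN_FROM_PAGE = "OU=UnitName,OU=Users,OU=Root,DC=some,DC=domain,DC=com"


def split_rdns(dn: str) -> list:
    """Split a DN into (attribute, value) pairs.

    A backslash escapes the following character (RFC 4514), so an OU named
    "Sales, EMEA" written as OU=Sales\\, EMEA stays one RDN instead of being
    cut at the comma. Multi-valued RDNs (a+b=...) are not handled here.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    pairs = []
    for rdn in parts:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.upper(), value))
    return pairs


def validate_domain_object(dn: str, expected_domain: str) -> str:
    """Return the DNS domain the DN belongs to, or raise with the reason.

    Checks: the leading RDN names an OU or a group (CN), the DN ends in
    one or more DC components with nothing after them, and those DCs spell
    the domain of the controller the synchronization is configured against.
    """
    pairs = split_rdns(dn)
    if pairs[0][0] not in ("OU", "CN"):
        raise ValueError(f"domain object must be an OU or a group, got {pairs[0][0]}=")
    first_dc = next((i for i, (a, _) in enumerate(pairs) if a == "DC"), None)
    if first_dc is None:
        raise ValueError("DN has no DC components")
    if any(a != "DC" for a, _ in pairs[first_dc:]):
        raise ValueError("DC components must be the trailing part of the DN")
    domain = ".".join(v for _, v in pairs[first_dc:]).lower()
    if domain != expected_domain.strip().lower().rstrip("."):
        raise ValueError(f"DN is in {domain}, controller domain is {expected_domain}")
    return domain


if __name__ == "__main__":
    print(validate_domain_object(DN_FROM_PAGE, "some.domain.com"))  # some.domain.com
```

A DN that names the domain root itself (DC=some,DC=domain,DC=com) is rejected on purpose: the page allows an OU or a Universal Security Group as the object, and syncing the whole domain would pull in every account, service accounts included.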

The "Domain objects" tab

The "Attributes" Tab

The Attributes tab displays a pre-configured list of basic user attributes that will be synchronized from Active Directory into the system. The following fields are shown:

  • Attribute in AD
  • Field in the system

The "Attributes" tab

Adding A New Attribute

You can add and configure custom attributes to be synchronized into the system. When adding a new attribute, enter the following:

  1. Attribute in AD: the name of the AD attribute to synchronize;
  2. Field in the system: the user profile field it is mapped to.
