Synchronizing User Directories

Note

This feature requires Enterprise Edition.

Genian NAC 6.0 can use an LDAP directory as a source of user and organizational information. LDAP synchronization creates user accounts locally so that they can be used for administration or in policies. LDAP synchronization is most commonly used with Microsoft Active Directory (AD).

Creating Synchronization with AD

  1. Go to Preferences in the top panel

  2. Go to User Authentication > Data Synchronization in the left Preferences panel

  3. Click Tasks > Create

Under General

  1. For ID, type a unique name.

  2. For Update Interval, select a specific time or a periodic interval for this synchronization.

  3. For Applying Policy, select Enabled to apply the changes after synchronization. If there are several synchronization settings, you can set it to Disabled on the others and enable it only on the last one.

  4. For Environment, input is not required for basic synchronization tasks. It is used to define variable values that are commonly referenced within a separate custom shell script executed for integration with external systems.

    Warning

    Configuration Caution: Incorrect environment variable declarations can cause the integration script to malfunction or produce system errors. Before configuring, make sure that the variables are processed correctly within the script.

    Usage Scenario: Log Level Control

    Used when you want to control simple operation options, such as Log Level or Retry Count, during external script execution.

    export LOG_LEVEL='ERROR'
    
  5. For Query, enter the SQL query to be executed immediately after the information synchronization completes. This is used when secondary processing of the synchronized information is required based on specific conditions.

    Warning

    Risk of Data Loss: This feature writes directly to the database. In particular, UPDATE or DELETE statements can cause irreversible data loss.

    Usage Scenario: Account Lock Processing Based on Employment Status

    Used when you want to automatically disable the NAC accounts of resigned (or on-leave) employees according to the 'Employment Status' code after information synchronization.

    Prerequisites

      1. Create a field to manage employment status (e.g., USER_CUSTOM08) in [Settings] > [Property Management] > [Custom Fields] > [User Custom Fields].

      2. Assign the user custom field created in step 1 to [Additional Info] under [User Information] in [Information Synchronization].

    Writing Example

    If the value of USER_CUSTOM08 is '001' (Resigned/On-leave, etc.), update USER_STATUS to '0' (Disabled).

    UPDATE USER
    SET USER_STATUS = 0
    WHERE USER_CUSTOM08 = '001';
    

Under Database

  1. For Type, select LDAP.

  2. For Server Address, type the IP address or FQDN of the Active Directory server.

  3. For Server Port, type the AD LDAP service port. The default LDAP port is 389; if you use LDAPS (LDAP over SSL), the default port is 636.

  4. For SSL Connection, select On if you use LDAPS.

  5. For DB Username, type the Bind DN of the Active Directory account. Normally, you can use the email format, such as administrator@company.com.

  6. For DB Password, type the Bind DN user's password.

Under User Information

  1. For Table Name, type the base distinguished name (DN) of the users. For example: CN=Users,DC=company,DC=com

  2. For Where Clause for DB, type (&(objectClass=user)(objectCategory=person)) to filter for person objects.

  3. For Column Name for Username, type sAMAccountName

  4. For Column Name for Full Name, type displayName

  5. For Column Name for Department, type $distinguishedName, IF(LOCATE('OU=',$)>0,SUBSTRING($,LOCATE(',',$)+1),'')

  6. For Column Name for Memberships, type memberOf

  7. For any other extra information, use the LDAP attribute name as the column name.

Under Department Information

  1. For Table Name, type the base distinguished name (DN) under which organizational units (OUs) are searched. For example: DC=company,DC=com

  2. For Where Clause for DB, type objectClass=organizationalUnit to filter for OU objects.

  3. For Sort Criteria, type @NAMEPATH to order by department name.

  4. For Column Name for Department ID, type distinguishedName

  5. For Column Name for Department, type name

  6. For Column Name for Parent Dept., type $distinguishedName, SUBSTRING($,LOCATE(',',$)+1)

  7. Click Save at the bottom
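The following is an added worked example, not Genian NAC code: it models in Python what the column expressions above do to an AD distinguishedName (the Department column for users and the Parent Dept. column for OUs), how the (&(objectClass=user)(objectCategory=person)) filter separates person objects from other user-class objects such as computers, and which rows the post-sync account-lock query would touch. All directory objects and the USER_CUSTOM08 values are constructed; the escaped-comma handling goes beyond the page's expression, which stops at the first comma it finds.

```python
def dn_tail(dn, honour_escapes=False):
    """Mirror SUBSTRING($, LOCATE(',', $) + 1): drop the leading RDN. The
    page's expression stops at the first comma even if it is backslash-
    escaped (RFC 4514); honour_escapes=True shows the difference."""
    i = 0
    while i < len(dn):
        if honour_escapes and dn[i] == "\\":
            i += 2                  # skip the escaped character
            continue
        if dn[i] == ",":
            return dn[i + 1:]
        i += 1
    return dn                       # LOCATE() = 0 -> SUBSTRING($, 1) = whole DN

def user_department(dn, honour_escapes=False):
    """Mirror IF(LOCATE('OU=',$)>0, SUBSTRING($,LOCATE(',',$)+1), '')."""
    return dn_tail(dn, honour_escapes) if "OU=" in dn else ""

def is_person(entry):
    """(&(objectClass=user)(objectCategory=person)). AD resolves 'person' to
    the schema class DN, so compare the leading RDN; this excludes computers."""
    category = entry.get("objectCategory", "")
    return "user" in entry.get("objectClass", []) and \
        category.split(",")[0].lower() == "cn=person"

def lock_resigned(rows):
    """UPDATE USER SET USER_STATUS = 0 WHERE USER_CUSTOM08 = '001'."""
    for row in rows:
        if row.get("USER_CUSTOM08") == "001":
            row["USER_STATUS"] = 0
    return rows

def synchronise(objects):
    """Local user rows the sync would create, after the post-sync query."""
    rows = [{"USER_ID": o["sAMAccountName"], "USER_CUSTOM08": o.get("USER_CUSTOM08"),
             "DEPT": user_department(o["distinguishedName"])}
            for o in objects if is_person(o)]
    return lock_resigned(rows)

# Constructed sample directory objects (not from a real domain).
SCHEMA = "CN=Schema,CN=Configuration,DC=company,DC=com"
SAMPLE_AD = [
    {"distinguishedName": "CN=Alice,OU=EMEA,OU=Sales,DC=company,DC=com",
     "objectClass": ["user"], "objectCategory": "CN=Person," + SCHEMA,
     "sAMAccountName": "alice", "USER_CUSTOM08": "000"},
    {"distinguishedName": "CN=Bob,OU=Sales,DC=company,DC=com",
     "objectClass": ["user"], "objectCategory": "CN=Person," + SCHEMA,
     "sAMAccountName": "bob", "USER_CUSTOM08": "001"},     # resigned
    {"distinguishedName": "CN=WS01,OU=Sales,DC=company,DC=com",
     "objectClass": ["computer", "user"], "objectCategory": "CN=Computer," + SCHEMA,
     "sAMAccountName": "WS01$"},
]
```

Because a user's DEPT value is the DN of its OU, it matches the Department ID column (distinguishedName) of the OU records only when both sides strip the leading RDN identically; a DN with an escaped comma in its CN breaks that match under the page's expression.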

Attention

Active Directory does not provide a userPassword attribute, so user passwords cannot be synchronized. A separate authentication integration must therefore be configured; see LDAP (Active Directory).