Synchronizing User Directories

Note

This feature required Enterprise Edition

Genian NAC can use an LDAP directory as a source of user and organizational information. LDAP synchronization allows user accounts to be created locally and used for administration or policies. LDAP synchronization is commonly used with Microsoft Active Directory (AD) systems.

Creating Synchronization with AD

  1. Go to Preferences in the top panel
  2. Go to User Authentication > Data Synchronization in the left Preferences panel
  3. Click Tasks > Create

Under General

  1. For ID, type unique name.
  2. For Update Interval, select the specified time or periodic interval for this Synchronization.
  3. For Applying Policy, select Enabled for applying change after Synchronization. If there are several synchronization settings, you can set it to Disabled and enable only the last one.

Under Database

  1. For Type, section LDAP
  2. For Server Address, type IP Address or FQDN of Active Directory server
  3. For Server Port, type AD LDAP service port. by default LDAP port is 389. if you use LDAPS (LDAP over SSL) default port is 636.
  4. For SSL Connection, select On if you use LDAPS.
  5. For DB Username, type Bind DN of Active Directory. Normally, you can use email format like administrator@company.com
  6. For DB Password, type Bind DN user's password

Under User Information

  1. For Table Name, type base distinguished name (DN) of users. For example: CN=Users,DC=company,DC=com
  2. For Where Clause for DB, type (&(objectClass=user)(objectCategory=person)) for filtering person object.
  3. For Column Name for Username, type sAMAccountName
  4. For Column Name for Full Name, type displayName
  5. For Column Name for Department, type $distinguishedName, IF(LOCATE('OU=',$)>0,SUBSTRING($,LOCATE(',',$)+1),'')
  6. For Column Name for Memberships, type memberOf
  7. For any other extra information, you can use LDAP attribute name for each column name.

Under Department Information

  1. For Table Name, type base distinguished name (DN) of organizationUnit (OU). For example: DC=company,DC=com
  2. For Where Clause for DB, type objectClass=organizationalUnit for filtering OU object.
  3. For Sort Criteria, type @NAMEPATH for ordering based on department name.
  4. For Column Name for Department ID, type distinguishedName
  5. For Column Name for Department, type name
  6. For Column Name for Parent Dept., type $distinguishedName, SUBSTRING($,LOCATE(',',$)+1)
  7. Click Save at the bottom

Attention

Active Directory does not provide a userPassword attribute, so user passwords cannot be synchronized. Therefore, separate linkage should be set. check the LDAP (Active Directory)