07a. Synctool LDAP sources
Introduction
LDAP sources are commonly used to create Zivver user accounts based on Microsoft Active Directory (AD) user accounts.
The synchronization is executed in one way: from AD to Zivver, not the other way around. You can determine which accounts are synchronized from AD to Zivver with filters. Filters can for example be an AD Organizational Unit (OU) or Security Group (SG).
It is not recommended to create Zivver user accounts for (suspended) AD user accounts that belong to an Exchange shared mailbox. Please visit configure Exchange sources to synchronize Exchange shared mailboxes to Zivver.
Source details
- Enter a Source name. For example “Microsoft Active Directory” or the Active Directory forest name.
- Enter a Source description. For example the name of the administrator who configured this LDAP source.
- Select a Default phone number region. This allows the Synctool to easily recognize mobile phone numbers with a country code prefix.
Connection
These settings allow the Synctool to connect to a server that hosts your Active Directory.
- Host Name. This is the Host Name of the Domain Controller, for example ad.example.org, or the IP address of that server. This is a mandatory field.
- Port. This port will be used for the LDAP connection. Fill in 636 and check Use implicit TLS. This is a mandatory field.
- Authorized user. Fill in the username of the (service) account with read-only rights in Active Directory, mentioned in the Synctool prerequisites. Usually this must be provided along with the domain name, for example company\name_service_account. This is a mandatory field.
- Password. Enter the password for the service account. This is a mandatory field.
- Base DN. From your Active Directory, fill in the distinguished name of the organizational unit that contains all your users. This is a mandatory field.
Pick a Base DN high up your AD forest
Users that are not in the OU entered at Base DN will not be synchronized to Zivver, regardless of the applied filters. Conversely, Zivver accounts will be suspended or deleted in Zivver if they do not fall under the OU entered at Base DN.
- Open Active Directory Users and Computers.
- Right-click the Active Directory Organizational Unit that contains all your users (i.e. the parent OU).
- Select Attribute Editor. In the Attribute Editor you should be able to find the distinguished name.
- Copy the distinguished name.
- In the Synctool, paste the distinguished name at Base DN.
Consider choosing a Base DN high up in the AD domain hierarchy, such as DC=company,DC=org. Don’t worry about getting too many results; you will be able to filter those out later.
Paging
Raise paging to a value of more than 1,000 if there is a possibility that the result set will contain more than 1,000 users.
Still not finding all users at Data Preview?
Queries of AD without paging are limited to returning at most the first 1,000 users found. If you use paging in the Synctool, it can retrieve multiple sets of the configured size and display them as one large set. Change the paging number if not all accounts are shown after the following steps. Gradually increase paging in steps of 1,000 if you are not getting all the users you would expect. You can increase the number up to 100,000.
Read more on paging in AD.
LDAP query
You can use LDAP queries to query Active Directory directly. Leave the LDAP query field empty if you are not accustomed to using LDAP queries.
For more information visit Microsoft’s Wiki page for LDAP filters.
Test Connection
Click Test Connection to verify the Synctool can set up an LDAP connection given the configuration.
If the connection is refused, the Synctool can’t connect from the Synctool server to the desired AD server via LDAP with the supplied credentials. Frequent causes are:
- The host name is incorrect. The IP address is also allowed instead of the FQDN host name.
- The port entered is blocked by a firewall. Try both 636 with Use implicit TLS on, as well as 389 with Use implicit TLS off.
- The authorized user does not have read permissions on this Active Directory.
- The authorized user does or does not need the domain prior to the account name. Try company\name_service_account, as well as name_service_account.
- The password is entered incorrectly. Try entering the password again.
Users
User Field Mapping (LDAP) maps Active Directory user attributes to Zivver user attributes, so that Zivver users can be automatically generated based on input provided from Active Directory.
For each Zivver attribute (bold) in the Synctool you can select an Active Directory attribute from the drop-down menu.
You can use the default AD attributes by clicking Use MS AD Defaults to quickly fill in the best practice AD attributes.
Internal Id
- Default AD attribute: objectGUID
Zivver uses the Internal Id to identify users. Microsoft AD’s objectGUID is a reliable identifier because the property never changes, even if the user is renamed or moved. Using the Internal Id allows you to automatically change the user’s email address in Zivver when it is changed in Exchange.
Visit Account Mapping for more information about the Internal Id.
- Default AD attribute: proxyAddresses(SMTP)
Zivver accounts must have an email address as username. proxyAddresses(SMTP) takes the primary email address (SMTP address) from the AD attribute proxyAddresses.
If you do not want to synchronize aliases to Zivver or your organization does not use aliases, then you can also use mail as the AD attribute. To do so, click the drop-down menu and select an alternate AD attribute.
Full name
- Default AD attribute: name
The name of a user. This name will be displayed in a Zivver notification message, therefore it is suggested to select an attribute that contains the first name and surname. Other commonly used attributes are displayName, userPrincipalName and givenName. Use these alternatives if name does not give you the name of a user.
ZivverAccountKey field
- Default AD attribute: objectGUID
It is recommended to pick an AD attribute with a long, random, unique identifier as the value for the ZivverAccountKey. If no long, random, unique identifier is available for every user in AD, then use objectGUID instead.
Mobile phone
- Default AD attribute: mobile
Mobile phone numbers are used to automatically configure 2FA via SMS for users that have a mobile phone configured in AD. Landline numbers should be avoided, because landline numbers often cannot receive SMS codes. This means the user cannot log in when Zivver asks for a second factor.
Is active
- Default AD attribute: userAccountControl
The value in userAccountControl determines whether a Zivver account is created, suspended or deleted. If an AD user is active and has an email address, name and ZivverAccountKey, a Zivver account will be created if there is no current account for that email address. It is not recommended to change userAccountControl to a different AD attribute.
Delegates
- Default AD attribute: MsExchDelegateListLink
Delegates get full access to the Zivver inbox of a personal account. Full access delegations configured in Exchange are mapped automatically to the MsExchDelegateListLink attribute in AD.
Auto-mapping does not work as expected in Office 365 hybrid environments. This Microsoft article explains that auto-mapping to MsExchDelegateListLink does not work when your organization uses Active Directory on-premise together with Exchange Online (Office 365 Hybrid). Please use Exchange source synchronizations instead.
Aliases
- Default AD attribute: proxyAddresses(smtp)
Fetches SMTP addresses from the AD attribute proxyAddresses. Other addresses such as SIP addresses and X500 addresses are ignored.
Make sure that all domains listed under SMTP addresses are either filtered out by the Domain Filters or claimed in Zivver.
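As an added illustration of the field mapping above (example code written for this page, not Zivver's Synctool code), the following Python emulates how the mapped attributes turn constructed AD entries into Zivver user data: the upper-case SMTP: entry of proxyAddresses becomes the username, lower-case smtp: entries become aliases, SIP and X500 entries are ignored, and the ACCOUNTDISABLE bit of userAccountControl decides between creating and suspending an account. The ZivverUser fields, the sync_action outcomes and the sample entries are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled AD account

@dataclass
class ZivverUser:
    internal_id: str          # Internal Id        <- objectGUID
    username: Optional[str]   # username           <- proxyAddresses(SMTP)
    full_name: str            # Full name          <- name
    account_key: str          # ZivverAccountKey   <- objectGUID
    is_active: bool           # Is active          <- userAccountControl
    aliases: List[str] = field(default_factory=list)  # proxyAddresses(smtp)

def split_proxy_addresses(proxy_addresses: List[str]):
    """'SMTP:' (upper case) is the primary address, 'smtp:' entries are aliases;
    SIP, X500 and other address types are ignored."""
    primary, aliases = None, []
    for entry in proxy_addresses:
        kind, _, address = entry.partition(":")
        if kind == "SMTP":
            primary = address
        elif kind == "smtp":
            aliases.append(address)
    return primary, aliases

def map_user(ad: Dict) -> ZivverUser:
    primary, aliases = split_proxy_addresses(ad.get("proxyAddresses", []))
    return ZivverUser(internal_id=ad["objectGUID"], username=primary,
                      full_name=ad.get("name", ""), account_key=ad["objectGUID"],
                      is_active=not (ad["userAccountControl"] & ACCOUNTDISABLE),
                      aliases=aliases)

def sync_action(user: ZivverUser, existing_usernames: Set[str]) -> str:
    """create: active user with address, name and key and no Zivver account yet;
    suspend: disabled user that still has a Zivver account; otherwise skip."""
    if not user.is_active:
        return "suspend" if user.username in existing_usernames else "skip"
    if not (user.username and user.full_name and user.account_key):
        return "skip"
    return "skip" if user.username in existing_usernames else "create"

# Constructed sample AD entries (not real data); 512 = normal account, 514 = disabled.
SAMPLE_AD = [
    {"objectGUID": "11111111-2222-3333-4444-555555555555", "name": "Alice Jones",
     "userAccountControl": 512, "proxyAddresses": ["SMTP:Alice.Jones@company.org",
     "smtp:alice@company.org", "SIP:alice@company.org", "X500:/o=Example/ou=Ex"]},
    {"objectGUID": "66666666-7777-8888-9999-000000000000", "name": "Bob Smith",
     "userAccountControl": 514, "proxyAddresses": ["SMTP:bob@company.org"]},
]
```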
Groups
Group Field Mapping (LDAP) maps suspended Active Directory user accounts associated with Exchange shared mailboxes to Zivver functional account attributes, so that Zivver functional accounts can be automatically generated based on the AD object associated with an Exchange shared mailbox.
This is a legacy feature and Zivver does not recommend using it. Please use Exchange source synchronizations to synchronize shared mailboxes to Zivver.
Enable Get Active Directory groups from LDAP to synchronize Active Directory mail-enabled security groups to Zivver as functional accounts.
Enable both Get Active Directory groups from LDAP and Get users with members as groups to synchronize suspended Active Directory objects to Zivver as functional accounts.
If you enable this feature, then you can’t synchronize AD objects associated with user mailboxes from this source. Add another LDAP source to synchronize AD objects associated with user mailboxes.
Internal Id
- Default AD attribute: objectGUID
Zivver uses the Internal Id to identify objects. Microsoft AD’s objectGUID is a reliable identifier because the property never changes, even if the object is renamed or moved. Using the Internal Id allows you to automatically change the email address in Zivver when it is changed in Exchange.
Visit Account Mapping for more information about the Internal Id.
- Default AD attribute: proxyAddresses(SMTP)
Zivver accounts must have an email address as username. proxyAddresses(SMTP) takes the primary email address (SMTP address) from the AD attribute proxyAddresses.
If you do not want to synchronize aliases to Zivver or your organization does not use aliases, then you can also use mail as the AD attribute. To do so, click the drop-down menu and select an alternate AD attribute.
Full name
- Default AD attribute: displayname
The name of a user. This name will be displayed in a Zivver notification message, therefore it is suggested to select an attribute that contains the first name and surname. Other commonly used attributes are displayName, userPrincipalName and givenName. Use these alternatives if name does not give you the name of a user.
Is active
- Default AD attribute: none
This field should be left empty at all times. If it says userAccountControl, then remove it and make sure the field is left blank.
Aliases
- Default AD attribute: proxyAddresses(smtp)
Fetches SMTP addresses from the AD attribute proxyAddresses. Other addresses such as SIP addresses and X500 addresses are ignored.
Make sure that all domains listed under SMTP addresses are either filtered out by the Domain Filters or claimed in Zivver.
Mapping of the group members
- Default AD attribute: memberOf
Fetches the members of mail-enabled security groups from the memberOf attribute.
Group has members
- Default AD attribute: MsExchDelegateListLink
Delegates get full access to the Zivver inbox of a personal account. Full access delegations configured in Exchange are mapped automatically to the MsExchDelegateListLink attribute in AD.
If users are allowed to delegate access to their mailbox themselves via Outlook, you can also use publicDelegates as input.
Auto-mapping does not work as expected in Office 365 hybrid environments. This Microsoft article explains that auto-mapping to MsExchDelegateListLink does not work when your organization uses Active Directory on-premise together with Exchange Online (Office 365 Hybrid). Please use Exchange source synchronizations instead.
Find group members recursively
This feature only works if you synchronize mail-enabled security groups that have other security groups in the memberOf field.
Organizational Units
Organizational Units Mapping maps users and groups from your LDAP source to an organizational unit (OU) in Zivver.
If your organization does not use organizational units in Zivver, leave the default None or Excel selected.
If your organization uses organizational units in Zivver, you should have access to the Organization Units tab in Zivver. If you don’t have access, either your organization doesn’t use organizational units in Zivver, or you don’t have administrator rights.
If your organization uses organizational units in Zivver, then select an option based on your configuration of OUs in the Zivver admin panel.
You can check the Organizational Unit Identifier by browsing to the Organization Units tab in Zivver, clicking on one of the OUs present and editing the Organizational Unit. You will see the identifier in a popup under Organization Unit Identifier.
Source Filter
Object Filter (LDAP) allows you to filter users based on a given Active Directory attribute value.
- Check Enable LDAP Source filtering.
- Choose an AD attribute from the drop-down table at Filter variable.
- Enter the filter value(s) at Filter Text. If you want to enter more than one filter value, add each value on a separate line.
- Choose between a positive filter (include) or negative filter (exclude). You can’t include and exclude in the same filter.
View the results at Data Preview.
Example: filter on OU
- Check Apply filter on users/groups.
- Choose distinguishedName from the drop-down table at Filter Text.
- Enter the distinguishedName of each organizational unit at Filter values, separated by a line break. For example, if you have two OUs to filter on:
OU=Example,OU=Users,DC=company,DC=org
OU=AnotherExample,OU=Users,DC=company,DC=org
- Choose between including or excluding the results from your filter in the results.
You have configured an LDAP filter.
Example: filter on SG
- Check Apply filter on users/groups.
- Choose MemberOf from the drop-down table at Filter field.
- Enter the commonName of each SG at Filter values, separated by a line break. For example, if you have two SGs to filter on:
Zivver-security-group1
Zivver-security-group2
- Choose between including or excluding the results from your filter in the results.
You have configured an LDAP filter.
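To make the Base DN and filter behaviour concrete, here is an added Python emulation (example code for this page, not Zivver's Synctool code) of what Data Preview would return for the OU and SG examples above: entries outside the Base DN are dropped first, then the include/exclude filter on distinguishedName or memberOf is applied to the remaining entries. The subtree matching, the preview function and the sample entries are assumptions.

```python
from typing import Dict, Iterable, List

def dn_parts(dn: str) -> List[str]:
    """Split a distinguished name into its RDNs, ignoring case and spacing."""
    return [part.strip().lower() for part in dn.split(",")]

def is_under(entry_dn: str, container_dn: str) -> bool:
    """True when entry_dn lies below container_dn (assumed: at any depth, like an
    LDAP subtree search)."""
    entry, container = dn_parts(entry_dn), dn_parts(container_dn)
    return len(entry) > len(container) and entry[-len(container):] == container

def is_member_of(user: Dict, group_cn: str) -> bool:
    """True when one of the user's memberOf values has the given commonName."""
    return any(dn_parts(g)[0] == "cn=" + group_cn.lower()
               for g in user.get("memberOf", []))

def preview(users: Iterable[Dict], base_dn: str, variable: str,
            filter_text: str, include: bool) -> List[str]:
    """Emulate Data Preview: restrict to the Base DN first, then apply the source
    filter. filter_text holds one value per line; include keeps matches, exclude
    drops them. Returns the sAMAccountNames in source order."""
    values = [v.strip() for v in filter_text.splitlines() if v.strip()]
    if variable == "distinguishedName":
        matches = lambda u: any(is_under(u["distinguishedName"], ou) for ou in values)
    elif variable == "memberOf":
        matches = lambda u: any(is_member_of(u, cn) for cn in values)
    else:
        raise ValueError("unsupported filter variable: " + variable)
    return [u["sAMAccountName"] for u in users
            if is_under(u["distinguishedName"], base_dn) and matches(u) == include]

# Constructed sample entries (not real data).
SAMPLE_USERS = [
    {"sAMAccountName": "alice",
     "distinguishedName": "CN=Alice Jones,OU=Example,OU=Users,DC=company,DC=org",
     "memberOf": ["CN=Zivver-security-group1,OU=Groups,DC=company,DC=org"]},
    {"sAMAccountName": "bob",
     "distinguishedName": "CN=Bob Smith,OU=AnotherExample,OU=Users,DC=company,DC=org",
     "memberOf": ["CN=Zivver-security-group2,OU=Groups,DC=company,DC=org"]},
    {"sAMAccountName": "carol",
     "distinguishedName": "CN=Carol Lee,OU=Contractors,DC=company,DC=org",
     "memberOf": ["CN=Zivver-security-group1,OU=Groups,DC=company,DC=org"]},
    {"sAMAccountName": "dave",  # outside the Base DN: never synchronized
     "distinguishedName": "CN=Dave Kim,OU=Users,DC=partner,DC=org",
     "memberOf": ["CN=Zivver-security-group1,OU=Groups,DC=company,DC=org"]},
]

OU_FILTER = ("OU=Example,OU=Users,DC=company,DC=org\n"
             "OU=AnotherExample,OU=Users,DC=company,DC=org")
```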
Merge Settings
Use Source Merge Settings to choose what Synctool should do if distinct sources (e.g. an LDAP source and Excel source) contain identical entries.
If this is the first source in the Source Overview then no merge settings are available.
- Overwrite. Objects found in the currently selected source overwrite duplicate objects from previous sources.
- Ignore. Objects found in the currently selected source are overwritten by duplicate objects from previous sources.
- Conflict. Prompt the admin to resolve duplicates before synchronizing.
Data Preview
Source Data Preview (LDAP) allows you to preview all user accounts and functional accounts found in your LDAP source. Take into account that the Synctool can only find accounts that reside within the configured Base DN and Source Filter.
Click Load the data now to get a preview of all user accounts and functional accounts found in your LDAP source.
Next steps
If the data preview is returned as you would expect, you can either configure another source, or go to Syncing.