07a. Synctool LDAP sources

Introduction

LDAP sources are commonly used to create Zivver user accounts based on Microsoft Active Directory (AD) user accounts.

The synchronization is executed in one way: from AD to Zivver, not the other way around. You can determine which accounts are synchronized from AD to Zivver with filters. Filters can for example be an AD Organizational Unit (OU) or Security Group (SG).

It is not recommended to create Zivver user accounts for (disabled) AD user accounts that belong to an Exchange shared mailbox. See configure Exchange sources to synchronize Exchange shared mailboxes to Zivver.

Source details

  1. Enter a Source name.
    For example “Microsoft Active Directory” or the Active Directory forest name.
  2. Enter a Source description.
    For example the name of the administrator who configured this LDAP source.
  3. Select a Default phone number region.
    This allows the Synctool to easily recognize mobile phone numbers with a country code prefix.

Connection

These settings allow the Synctool to connect to a server that hosts your Active Directory.

  • Host Name
    This is the Host Name of the Domain Controller, for example ad.example.org or the IP Address of that server. This is a mandatory field.
  • Port
    This port will be used for the LDAP connection. Fill in 636 and check Use implicit TLS. This is a mandatory field.
  • Authorized user
    Fill in the username of the (service) account with read-only rights in Active Directory, mentioned in the Synctool prerequisites. Usually the username must be prefixed with the domain name, for example company\name_service_account. This is a mandatory field.
  • Password
    Enter the password for the service account. This is a mandatory field.
  • Base DN
    From your Active Directory, fill in the distinguished name of the organizational unit that contains all your users. This is a mandatory field.

    Pick a Base DN high up your AD forest
    Users that are not in the OU entered at Base DN will not be synchronized to Zivver, regardless of the filters you apply. Conversely, Zivver accounts will be disabled or deleted if the corresponding AD user does not fall under the OU entered at Base DN.
    1. Open Active Directory Users and Computers.
    2. Right-click the Active Directory Organizational Unit that contains all your users (i.e. the parent OU).
    3. Select Attribute Editor.
      In the Attribute Editor you should be able to find the distinguished name.
    4. Copy the distinguished name.
    5. In the Synctool, paste the distinguished name at Base DN.

    Not finding all users at Data Preview?
    Consider choosing a Base DN high up in the AD domain hierarchy, such as DC=company,DC=org. Don’t worry about getting too many results; you will be able to filter them out later.
  • LDAP query
    You can use LDAP queries to directly query on Active Directory. Leave the LDAP query field empty if you are not accustomed to using LDAP queries.
    For more information visit Microsoft’s Wiki page for LDAP filters.
  • Paging
    Raise paging to a value higher than 1.000 if the result set may contain more than 1.000 users.

    Still not finding all users at Data Preview?
    Without paging, AD queries return at most the first 1.000 users found. If you use paging in the Synctool, it can retrieve multiple sets of the configured size and display them as one large set. Change the paging number if not all accounts are shown after the following steps. Gradually increase paging in steps of 1.000 if you are not getting all the users you would expect. You can increase the number up to 100.000.
    Read more on paging in AD.
  • Test Connection.
    Click Test Connection to verify the Synctool can set up an LDAP connection given the configuration.
    If the connection is refused, the Synctool cannot reach the desired AD server via LDAP from the Synctool server with the supplied credentials. Frequent causes are:

    • The host name is incorrect.
      The IP address is also allowed instead of the FQDN host name.
    • The port entered is blocked by a firewall.
      Try both 636 with Use implicit TLS on, as well as 389 with Use implicit TLS off.
    • The authorised user does not have read permissions on this Active Directory.
    • The authorised user may or may not need the domain prefix before the account name.
      Try company\name_service_account, as well as name_service_account.
    • The password is entered incorrectly.
      Try entering the password again.

Users

User Field Mapping (LDAP) maps Active Directory user attributes to Zivver user attributes, so that Zivver users can be automatically generated based on input provided from Active Directory.

For each Zivver attribute (bold) in the Synctool you can select an Active Directory attribute from the dropdown menu.

Use default Microsoft AD attributes
You can use the default AD attributes by clicking Use MS AD Defaults to quickly fill in the best practice AD attributes.

Internal Id

  • Default AD attribute: objectGUID

Zivver uses the Internal Id to identify users. Microsoft AD’s objectGUID is a reliable identifier because the property never changes, even if the user is renamed or moved. Using Internal Id allows you to automatically change the user’s email address in Zivver when it is changed in Exchange.

Visit User Mapping for more information about the Internal Id.

E-mail

  • Default AD attribute: proxyAddresses(SMTP)

Zivver accounts must have an email address as username. proxyAddresses(SMTP) takes the primary email address (SMTP address) from the AD attribute proxyAddresses.

If you do not want to synchronize aliases to Zivver or your organization does not use aliases, then you can also use mail as AD attribute. To do so, click the drop-down menu and select an alternate AD attribute.

Full name

  • Default AD attribute: name

The name of a user. This name will be displayed in a Zivver notification message, therefore it is suggested to select an attribute that contains the first name and surname. Other commonly used attributes are displayName, userPrincipalName and givenName. Use one of these alternatives if name does not give you the full name of a user.

ZivverAccountKey field

  • Default AD attribute: objectGUID

It is recommended to pick an AD attribute with a long, random, unique identifier as value for the ZivverAccountKey. If no long, random, unique identifier is available for every user in AD, then use objectGUID instead.

Mobile phone

  • Default AD attribute: mobile

Mobile phone numbers are used to automatically configure 2FA via SMS for users that have a mobile phone configured in AD. Landline numbers should be avoided, because landline numbers often cannot receive SMS codes. This means the user cannot log in when Zivver asks for a second factor.

Is active

  • Default AD attribute: userAccountControl

The value in userAccountControl determines whether a Zivver account is created, disabled or deleted. If an AD user is active and has an email address, name and ZivverAccountKey, a Zivver account will be created if there is no current account for that email address. It is not recommended to change userAccountControl to a different AD attribute.

Delegates

  • Default AD attribute: MsExchDelegateListLink

Delegates get full access to the Zivver inbox of a personal account. Full access delegations configured in Exchange are mapped automatically to the MsExchDelegateListLink attribute in AD.

If users are allowed to delegate access to their mailbox themselves via Outlook, you can also use publicDelegates as input.

Delegates might not work for hybrid environments
Auto-mapping does not work as expected in Office 365 hybrid environments. This Microsoft article explains that auto-mapping to MsExchDelegateListLink does not work when your organization uses on-premise Active Directory together with Exchange Online (Office 365 Hybrid). The reason is that personal Zivver accounts are created from on-premise AD, while mailbox delegations are not synchronized from Exchange Online back to on-premise AD. As a result, MsExchDelegateListLink only contains the mailbox delegations from before the Office 365 Hybrid scenario, when your organization still had an on-premise Exchange. Mailbox delegations added or removed in Exchange Online are not written back to on-premise AD and therefore cannot be used to map mailbox delegations to Zivver. Your organization cannot use Delegates in Zivver, unless there is another AD attribute that contains the common names of the users that should have delegated access to another user’s mailbox.

You can select any other AD attribute to map delegations to, as long as it contains the AD common names of users you want to provide access to the delegated account.

The delegates must have an active Zivver account in your Zivver organization, and the domain of the email addresses must be claimed by your organization in Zivver. If the delegate does not have an active Zivver account, is not a member of your Zivver organization or has an email address under a domain that your Zivver organization has not claimed in Zivver, then the Delegates property will be ignored.

Aliases

  • Default AD attribute: proxyAddresses(smtp)

Fetches the smtp addresses (aliases) from the AD attribute proxyAddresses. Other addresses such as SIP addresses and X500 addresses are ignored.

Make sure that the domain of every smtp address is either filtered out by the Domain Filters or claimed in Zivver.
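The User Field Mapping described above, worked through in Python on constructed AD records. This is an added example, not Zivver's Synctool code: the dict layout of an AD record and the output field names are assumptions; the proxyAddresses prefix convention and the userAccountControl ACCOUNTDISABLE bit (0x2) are real AD behaviour.

```python
from __future__ import annotations

# Real userAccountControl flag: bit 0x2 is set on a disabled AD account.
ACCOUNTDISABLE = 0x2


def parse_proxy_addresses(values: list[str]) -> tuple[str | None, list[str]]:
    """Return (primary SMTP address, smtp aliases) from proxyAddresses.

    AD marks the primary address with upper-case "SMTP:" and aliases with
    lower-case "smtp:"; SIP, X500 and other prefixes are not mail addresses.
    """
    primary, aliases = None, []
    for value in values:
        prefix, _, address = value.partition(":")
        if prefix == "SMTP":
            primary = address
        elif prefix == "smtp":
            aliases.append(address)
    return primary, aliases


def map_ad_user(ad: dict) -> dict | None:
    """Map one AD record (assumed dict layout) to the Zivver user attributes.

    Returns None when the record lacks an email address, name or account key,
    since no Zivver account can be created from it.
    """
    primary, aliases = parse_proxy_addresses(ad.get("proxyAddresses", []))
    if not (primary and ad.get("name") and ad.get("objectGUID")):
        return None
    disabled = int(ad.get("userAccountControl", 0)) & ACCOUNTDISABLE
    return {
        "internal_id": ad["objectGUID"],   # Internal Id
        "email": primary,                   # E-mail: proxyAddresses(SMTP)
        "full_name": ad["name"],            # Full name
        "account_key": ad["objectGUID"],    # ZivverAccountKey
        "mobile": ad.get("mobile"),         # Mobile phone
        "is_active": not disabled,          # Is active: userAccountControl
        "aliases": aliases,                 # Aliases: proxyAddresses(smtp)
    }


# Constructed sample records, not real directory data.
SAMPLE_USERS = [
    {"objectGUID": "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "name": "Jane Doe",
     "userAccountControl": 512, "mobile": "+31612345678",
     "proxyAddresses": ["smtp:jane@company.org", "SMTP:Jane.Doe@company.org",
                        "SIP:jane.doe@company.org", "X500:/o=ExchangeLabs/ou=Example"]},
    {"objectGUID": "9c858901-8a57-4791-81fe-4c455b099bc9", "name": "Old Account",
     "userAccountControl": 514, "proxyAddresses": ["SMTP:old@company.org"]},
]
```

Running `map_ad_user` over `SAMPLE_USERS` yields an active user with one alias for the first record and an inactive one (514 = 512 + ACCOUNTDISABLE) for the second.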

Groups

Group Field Mapping (LDAP) maps Active Directory group attributes to Zivver functional account attributes, so that Zivver functional accounts can be automatically generated based on input provided from Active Directory.

Group Field Mapping (LDAP) is not recommended
Group Field Mapping synchronizes mail-enabled security groups and distribution groups to Zivver as Zivver functional accounts.

This feature is not recommended, please contact Support if you want to use this feature.

Organizational Units

Organizational Units Mapping maps users and groups from your LDAP source to organizational units (OUs) in Zivver.

If your organization does not use organizational units in Zivver, leave the default None or Excel selected.

How do I find out if my organization uses organizational units in Zivver?
If your organization uses organizational units in Zivver, you should have access to the Organization Units tab in Zivver. If you don’t have access, either your organization doesn’t use organizational units in Zivver, or you don’t have administrator rights.

If your organization uses organizational units in Zivver, then select an option based on your configuration of OU’s in the Zivver admin panel.

How do I find out if Domain or Custom OU Identifier should be used?
You can check the Organizational Unit Identifier by browsing to the Organization Units tab in Zivver, clicking on one of the OU’s present and editing the Organizational Unit. You will see the identifier in a popup under Organization Unit Identifier.

Merge Settings

Use Source Merge Settings to choose what Synctool should do if distinct sources (e.g. an LDAP source and Excel source) contain identical entries.

If this is the first source in the Source Overview then no merge settings are available.

  • Overwrite
    Objects found in the currently selected source overwrite duplicate objects from previous sources.
  • Ignore
    Objects found in the currently selected source are overwritten by duplicate objects from previous sources.
  • Conflict
    Prompt the admin to resolve duplicates before synchronizing.

Source Filter

Object Filter (LDAP) allows you to filter users based on a given Active Directory attribute value.

  1. Check Enable LDAP Source filtering.
  2. Choose an AD attribute from the dropdown table at Filter variable.
  3. Enter the filter value(s) at Filter Text.
    If you want to enter more than one filter value, add each value on a separate line.
  4. Choose between a positive filter (include) or negative filter (exclude).
    You can’t include and exclude in the same filter.

View the results at Data Preview.

Example: filter on OU

  1. Check Apply filter on users/groups.
  2. Choose distinguishedName from the dropdown table at Filter Text.
  3. Enter the distinguishedName of each organizational unit at Filter values, one per line.
    For example if you have two OU’s to filter on:
    OU=Example,OU=Users,DC=company,DC=org
    OU=AnotherExample,OU=Users,DC=company,DC=org
  4. Choose between including or excluding the results from your filter in the results.
    You have configured an LDAP filter.

Example: filter on SG

  1. Check Apply filter on users/groups.
  2. Choose MemberOf from the dropdown table at Filter field.
  3. Enter the commonName of each SG at Filter values, one per line.
    For example if you have two SG’s to filter on:
    Zivver-security-group1
    Zivver-security-group2
  4. Choose between including or excluding the results from your filter in the results.
    You have configured an LDAP filter.
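The two filter examples above (include or exclude by OU distinguishedName, and by security group membership via memberOf), applied in Python to constructed AD records. This is an added example, not the Synctool's own filter implementation: it assumes an OU filter value matches any user whose DN lies under that OU, and that an SG filter value is compared against the CN of each memberOf group DN.

```python
def in_ou(user_dn: str, ou_dn: str) -> bool:
    """True when user_dn lies in ou_dn or any sub-OU of it (case-insensitive)."""
    # Require a ',' before the OU so OU=Example does not match OU=Examples.
    return user_dn.lower().endswith("," + ou_dn.lower())


def member_of(user: dict, group_cn: str) -> bool:
    """True when one of the user's memberOf group DNs has the given common name."""
    wanted = "cn=" + group_cn.lower() + ","
    return any(dn.lower().startswith(wanted) for dn in user.get("memberOf", []))


def apply_filter(users: list[dict], attribute: str, values: list[str], include: bool = True) -> list[dict]:
    """Keep (include=True) or drop (include=False) users matching any filter value."""
    def matches(user: dict) -> bool:
        if attribute == "distinguishedName":
            return any(in_ou(user["distinguishedName"], v) for v in values)
        if attribute == "memberOf":
            return any(member_of(user, v) for v in values)
        raise ValueError(f"unsupported filter attribute {attribute!r}")
    return [u for u in users if matches(u) == include]


# Constructed sample records, not real directory data.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe",
     "distinguishedName": "CN=Jane Doe,OU=Example,OU=Users,DC=company,DC=org",
     "memberOf": ["CN=Zivver-security-group1,OU=Groups,DC=company,DC=org"]},
    {"sAMAccountName": "bsmith",
     "distinguishedName": "CN=Bob Smith,OU=Examples,OU=Users,DC=company,DC=org",
     "memberOf": []},
    {"sAMAccountName": "svc-backup",
     "distinguishedName": "CN=svc-backup,OU=AnotherExample,OU=Users,DC=company,DC=org",
     "memberOf": ["CN=Zivver-security-group2,OU=Groups,DC=company,DC=org"]},
]

OU_FILTER = ["OU=Example,OU=Users,DC=company,DC=org",
             "OU=AnotherExample,OU=Users,DC=company,DC=org"]
SG_FILTER = ["Zivver-security-group1", "Zivver-security-group2"]
```

Note that bsmith sits in OU=Examples, which the comma boundary keeps out of the OU=Example include filter; a plain substring match would have pulled that account in.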

Data Preview

Source Data Preview (LDAP) allows you to preview all user accounts and functional accounts found in your LDAP source. Take into account that the Synctool can only find accounts that reside within the configured Base DN and Source Filter.

Click Load the data now to get a preview of all user accounts and functional accounts found in your LDAP source.

Next steps

If the data preview is returned as you would expect, you can either configure another source, or go to Syncing.
