07a. Synctool LDAP sources

Introduction

LDAP sources are commonly used to create Zivver user accounts based on Microsoft Active Directory (AD) user accounts.

The synchronization is one-way: from AD to Zivver, not the other way around. You can determine which accounts are synchronized from AD to Zivver with filters. A filter can, for example, be an AD Organizational Unit (OU) or Security Group (SG).

It is not recommended to create Zivver user accounts for (suspended) AD user accounts that belong to an Exchange shared mailbox. Please visit configure Exchange sources to synchronize Exchange shared mailboxes to Zivver.

Source details

  1. Enter a Source name.
    For example “Microsoft Active Directory” or the Active Directory forest name.
  2. Enter a Source description.
    For example the name of the administrator who configured this LDAP source.
  3. Select a Default phone number region.
    This allows the Synctool to easily recognize mobile phone numbers with a country code prefix.

Connection

These settings allow the Synctool to connect to a server that hosts your Active Directory.

  • Host Name
    This is the Host Name of the Domain Controller, for example ad.example.org or the IP Address of that server. This is a mandatory field.
  • Port
    This port will be used for an LDAP connection. Fill in 636 and check Use implicit TLS. This is a mandatory field.
  • Authorized user
    Fill in the username of the (service) account with read-only rights in Active Directory, mentioned in the Synctool prerequisites. Usually this must be provided along with the domain name - for example company\name_service_account. This is a mandatory field.
  • Password
    Enter the password for the service account. This is a mandatory field.
  • Base DN
    From your Active Directory, fill in the distinguished name of the organizational unit that contains all your users. This is a mandatory field.

    Pick a Base DN high up your AD forest
    Users that are not in the OU entered at Base DN will not be synchronized to Zivver, regardless of any filters you apply. Conversely, Zivver accounts will be suspended or deleted in Zivver if they do not fall under the OU entered at Base DN.
    1. Open Active Directory Users and Computers.
    2. Right-click the Active Directory Organizational Unit that contains all your users (i.e. the parent OU).
    3. Select Attribute Editor.
      In the Attribute Editor you should be able to find the distinguished name.
    4. Copy the distinguished name.
    5. In the Synctool, paste the distinguished name at Base DN.
    Not finding all users at Data Preview?
    Consider choosing a Base DN high up in the AD domain hierarchy, such as DC=company,DC=org. Don’t worry about getting too many results; you can filter them out later.
  • Paging
    Raise Paging to a value above 1.000 if the result set may contain more than 1.000 users.

    Still not finding all users at Data Preview?
    Without paging, an AD query returns at most the first 1.000 users found. With paging enabled in the Synctool, the result is retrieved in multiple sets of the configured size and displayed as one large set. Change the paging value if not all accounts are shown after completing the steps that follow: increase it gradually in steps of 1.000 until you see all the users you expect. The value can be increased up to 100.000.
    Read more on paging in AD.
  • LDAP query
    You can use LDAP queries to directly query on Active Directory. Leave the LDAP query field empty if you are not accustomed to using LDAP queries.
    For more information visit Microsoft’s Wiki page for LDAP filters.

  • Test Connection.
    Click Test Connection to verify the Synctool can set up an LDAP connection given the configuration.
    If the connection is refused, the Synctool cannot reach the desired AD server from the Synctool server via LDAP with the supplied credentials. Frequent causes are:

    • The host name is incorrect.
      The IP address is also allowed instead of the FQDN host name.
    • The port entered is blocked by a firewall.
      Try both 636 with Use implicit TLS on, as well as 389 with Use implicit TLS off.
    • The authorized user does not have read permissions on this Active Directory.
    • The authorized user may or may not need the domain prefix before the account name.
      Try company\name_service_account, as well as name_service_account.
    • The password is entered incorrectly.
      Try entering the password again.

Users

User Field Mapping (LDAP) maps Active Directory user attributes to Zivver user attributes, so that Zivver users can be automatically generated based on input provided from Active Directory.

For each Zivver attribute (bold) in the Synctool you can select an Active Directory attribute from the drop-down menu.

Use default Microsoft AD attributes
You can use the default AD attributes by clicking Use MS AD Defaults to quickly fill in the best practice AD attributes.

Internal Id

  • Default AD attribute: objectGUID

Zivver uses the Internal Id to identify users. Microsoft AD’s objectGUID is a reliable identifier because the property never changes, even if the user is renamed or moved. Using Internal Id allows you to automatically change the user’s email address in Zivver when it is changed in Exchange.

Visit Account Mapping for more information about the Internal Id.

E-mail

  • Default AD attribute: proxyAddresses(SMTP)

Zivver accounts must have an email address as username. proxyAddresses(SMTP) takes the primary email address (the entry with the upper-case SMTP: prefix) from the AD attribute proxyAddresses.

If you do not want to synchronize aliases to Zivver or your organization does not use aliases, then you can also use mail as AD attribute. To do so, click the drop-down menu and select an alternate AD attribute.

Full name

  • Default AD attribute: name

The name of a user. This name will be displayed in a Zivver notification message, therefore it is suggested to select an attribute that contains the first name and surname. Other commonly used attributes are displayName, userPrincipalName, givenName. Use these alternatives if name does not give you the name of a user.

ZivverAccountKey field

  • Default AD attribute: objectGUID

It is recommended to pick an AD attribute with a long, random, unique identifier as value for the ZivverAccountKey. If no long, random, unique identifier is available for every user in AD, then use objectGUID instead.

Mobile phone

  • Default AD attribute: mobile

Mobile phone numbers are used to automatically configure 2FA via SMS for users that have a mobile phone configured in AD. Landline numbers should be avoided, because landline numbers often cannot receive SMS codes. This means the user cannot log in when Zivver asks for a second factor.

Is active

  • Default AD attribute: userAccountControl

The value in userAccountControl determines whether a Zivver account is created, suspended or deleted. If an AD user is active and has an email address, name and ZivverAccountKey, a Zivver account will be created if there is no current account for that email address. It is not recommended to change userAccountControl to a different AD attribute.

Delegates

  • Default AD attribute: MsExchDelegateListLink

Delegates get full access to the Zivver inbox of a personal account. Full access delegations configured in Exchange are mapped automatically to the MsExchDelegateListLink attribute in AD.

Delegates will not work for hybrid Exchange environments
Auto-mapping does not work as expected in Office 365 hybrid environments. This Microsoft article explains that auto-mapping to MsExchDelegateListLink does not work when your organization uses Active Directory on-premise together with Exchange Online (Office 365 Hybrid). Please use Exchange source synchronizations.

Aliases

  • Default AD attribute: proxyAddresses(smtp)

Fetches SMTP addresses from the AD attribute proxyAddresses. Other addresses such as SIP addresses and X500 addresses are ignored.

Make sure that all domains listed under SMTP addresses either have a domain that is filtered out by the Domain Filters, or are claimed in Zivver.
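As an added example (not Synctool’s own code), the following Python maps one constructed AD entry to the Zivver user fields described above using the default attributes: the upper-case SMTP: entry of proxyAddresses becomes the username, lower-case smtp: entries become aliases, other address types are ignored, and the ADS_UF_ACCOUNTDISABLE bit (0x2) of userAccountControl drives Is active. The sample entry, the field names and the action labels are this example’s own.

```python
# Added example (not Synctool's own code): map a constructed AD user entry to the
# Zivver fields under User Field Mapping (LDAP) using the page's default attributes.

ACCOUNTDISABLE = 0x0002  # userAccountControl bit ADS_UF_ACCOUNTDISABLE

def split_proxy_addresses(proxy_addresses):
    """Return (primary, aliases) from the multi-valued proxyAddresses attribute.
    AD marks the primary address with an upper-case 'SMTP:' prefix and secondary
    addresses with lower-case 'smtp:'; other types (sip:, X500:) are ignored."""
    primary, aliases = None, []
    for value in proxy_addresses:
        prefix, _, address = value.partition(":")
        if prefix == "SMTP":
            primary = address
        elif prefix == "smtp":
            aliases.append(address)
    return primary, aliases

def map_user(entry):
    """Map one AD entry (attribute -> value) to the Zivver user attributes."""
    primary, aliases = split_proxy_addresses(entry.get("proxyAddresses", []))
    uac = int(entry.get("userAccountControl", 0))
    return {
        "internal_id": entry.get("objectGUID"),
        "email": primary,
        "full_name": entry.get("name"),
        "account_key": entry.get("objectGUID"),
        "mobile": entry.get("mobile"),
        "is_active": not (uac & ACCOUNTDISABLE),
        "delegates": entry.get("msExchDelegateListLink", []),
        "aliases": aliases,
    }

def account_action(mapped):
    """Outcome the page describes for Is active: an active user with an email
    address, name and account key is created (if no account exists yet); an
    inactive user is suspended or deleted. The return strings are this example's."""
    if not mapped["is_active"]:
        return "suspend or delete"
    if mapped["email"] and mapped["full_name"] and mapped["account_key"]:
        return "create"
    return "skip: missing email, name or account key"

# Constructed sample entry. userAccountControl 512 = NORMAL_ACCOUNT (enabled).
ALICE = {
    "objectGUID": "0f6c3b4e-1111-2222-3333-444455556666",
    "name": "Alice Example", "userAccountControl": 512, "mobile": "+31612345678",
    "proxyAddresses": ["smtp:a.example@company.org", "SMTP:alice@company.org",
                       "sip:alice@company.org", "X500:/o=Org/ou=Exchange/cn=Alice"],
    "msExchDelegateListLink": ["CN=Bob Example,OU=Users,DC=company,DC=org"],
}
```

A disabled account has bit 0x2 set (for example userAccountControl 514), so map_user() reports it as inactive and account_action() returns "suspend or delete".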

Groups

Group Field Mapping (LDAP) maps suspended Active Directory user accounts associated with Exchange shared mailboxes to Zivver functional account attributes, so that Zivver functional accounts can be automatically generated based on the AD object associated with an Exchange shared mailbox.

Group Field Mapping (LDAP) is not recommended
This feature is a legacy feature and Zivver does not recommend using this feature. Please use Exchange source synchronizations to synchronize shared mailboxes to Zivver.

Enable Get Active Directory groups from LDAP to synchronize Active Directory mail-enabled security groups to Zivver as functional accounts.

Enable both Get Active Directory groups from LDAP and Get users with members as groups to synchronize Active Directory suspended objects to Zivver as functional accounts.

Get users with members as groups
If you enable this feature, then you can’t synchronize AD objects associated with user mailboxes from this source. Add another LDAP source to synchronize AD objects associated with user mailboxes.

Internal Id

  • Default AD attribute: objectGUID

Zivver uses the Internal Id to identify objects. Microsoft AD’s objectGUID is a reliable identifier because the property never changes, even if the object is renamed or moved. Using Internal Id allows you to automatically change the email address in Zivver when it is changed in Exchange.

Visit Account Mapping for more information about the Internal Id.

E-mail

  • Default AD attribute: proxyAddresses(SMTP)

Zivver accounts must have an email address as username. proxyAddresses(SMTP) takes the primary email address (the entry with the upper-case SMTP: prefix) from the AD attribute proxyAddresses.

If you do not want to synchronize aliases to Zivver or your organization does not use aliases, then you can also use mail as AD attribute. To do so, click the drop-down menu and select an alternate AD attribute.

Full name

  • Default AD attribute: displayname

The name of a user. This name will be displayed in a Zivver notification message, therefore it is suggested to select an attribute that contains the first name and surname. Other commonly used attributes are displayName, userPrincipalName, givenName. Use one of these alternatives if displayname does not give you the name of a user.

Is active

  • Default AD attribute:

This field should be left empty at all times. If it says userAccountControl, then remove it and make sure the field is left blank.

Aliases

  • Default AD attribute: proxyAddresses(smtp)

Fetches SMTP addresses from the AD attribute proxyAddresses. Other addresses such as SIP addresses and X500 addresses are ignored.

Make sure that all domains listed under SMTP addresses either have a domain that is filtered out by the Domain Filters, or are claimed in Zivver.

Mapping of the group members

  • Default AD attribute: memberOf

Fetches the members of mail-enabled security groups from the memberOf attribute.

Group has members

  • Default AD attribute: MsExchDelegateListLink

Delegates get full access to the Zivver inbox of a personal account. Full access delegations configured in Exchange are mapped automatically to the MsExchDelegateListLink attribute in AD.

If users are allowed to delegate access to their mailbox themselves via Outlook, you can also use publicDelegates as input.

Delegates will not work for hybrid Exchange environments
Auto-mapping does not work as expected in Office 365 hybrid environments. This Microsoft article explains that auto-mapping to MsExchDelegateListLink does not work when your organization uses Active Directory on-premise together with Exchange Online (Office 365 Hybrid). Please use Exchange source synchronizations.

Find group members recursively
This feature only works if you synchronize mail-enabled security groups that have other security groups in the memberOf field.

Organizational Units

Organizational Units Mapping maps users and groups from your LDAP source to organizational units (OUs) in Zivver.

If your organization does not use organizational units in Zivver, leave the default None or Excel selected.

How do I find out if my organization uses organizational units in Zivver?
If your organization uses organizational units in Zivver, you should have access to the Organization Units tab in Zivver. If you don’t have access, either your organization doesn’t use organizational units in Zivver, or you don’t have administrator rights.

If your organization uses organizational units in Zivver, then select an option based on your configuration of OUs in the Zivver admin panel.

How do I find out if Domain or Custom OU Identifier should be used?
You can check the Organizational Unit Identifier by browsing to the Organization Units tab in Zivver, clicking one of the OUs present and editing the Organizational Unit. You will see the identifier in a popup under Organization Unit Identifier.

Source Filter

Object Filter (LDAP) allows you to filter users based on a given Active Directory attribute value.

  1. Check Enable LDAP Source filtering.
  2. Choose an AD attribute from the drop-down table at Filter variable.
  3. Enter the filter value(s) at Filter Text.
    If you want to enter more than one filter value, add each value on a separate line.
  4. Choose between a positive filter (include) or negative filter (exclude).
    You can’t include and exclude in the same filter.

View the results at Data Preview.

Example: filter on OU

  1. Check Apply filter on users/groups.
  2. Choose distinguishedName from the drop-down table at Filter Text.
  3. Enter the distinguishedName of each organizational unit at Filter values, one per line.
    For example if you have two OUs to filter on:
    OU=Example,OU=Users,DC=company,DC=org
    OU=AnotherExample,OU=Users,DC=company,DC=org
  4. Choose between including or excluding the results from your filter in the results.
    You have configured an LDAP filter.

Example: filter on SG

  1. Check Apply filter on users/groups.
  2. Choose MemberOf from the drop-down table at Filter field.
  3. Enter the commonName of each SG at Filter values, one per line.
    For example if you have two SGs to filter on:
    Zivver-security-group1
    Zivver-security-group2
  4. Choose between including or excluding the results from your filter in the results.
    You have configured an LDAP filter.
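The Base DN scope and both filter examples above, as added Python that is not Synctool’s own code: entries outside the Base DN are dropped before the filter is applied, an OU filter matches when the OU’s DN is a suffix of the user’s distinguishedName, and an SG filter matches when memberOf lists a group with that commonName. The suffix-matching semantics and the sample entries are this example’s assumptions.

```python
# Added example (not Synctool's own code): apply the Base DN scope and a Source
# Filter (include or exclude) to constructed AD entries. Matching an OU filter by
# DN suffix is this example's assumption about how the Synctool compares DNs.

def dn_components(dn):
    """Split a DN into lower-cased RDNs; escaped commas are not handled."""
    return [c.strip().lower() for c in dn.split(",")]

def under_base_dn(dn, base_dn):
    """True if the object lies below base_dn, i.e. base_dn is a strict suffix of dn.
    Objects outside the Base DN are never synchronized, whatever the filter says."""
    parts, base = dn_components(dn), dn_components(base_dn)
    return len(parts) > len(base) and parts[-len(base):] == base

def member_of_cn(entry, group_cn):
    """True if memberOf lists a group whose CN equals group_cn (the commonName
    entered at Filter values in the SG example)."""
    return any(dn_components(g)[0] == f"cn={group_cn.lower()}"
               for g in entry.get("memberOf", []))

def matches_filter(entry, filter_variable, filter_values):
    """distinguishedName filters take OU DNs; memberOf filters take SG CNs."""
    if filter_variable == "distinguishedName":
        return any(under_base_dn(entry["distinguishedName"], ou) for ou in filter_values)
    if filter_variable == "memberOf":
        return any(member_of_cn(entry, cn) for cn in filter_values)
    raise ValueError(f"unsupported filter variable: {filter_variable}")

def apply_source_filter(entries, base_dn, filter_variable, filter_text, include=True):
    """Return the entries that would be synchronized: inside Base DN and matching
    (include=True) or not matching (include=False) the filter. filter_text holds
    one value per line, as entered at Filter Text."""
    values = [line.strip() for line in filter_text.splitlines() if line.strip()]
    return [e for e in entries
            if under_base_dn(e["distinguishedName"], base_dn)
            and matches_filter(e, filter_variable, values) == include]

# Constructed sample entries. Carol matches the SG filter but lives outside the
# Base DN DC=company,DC=org and must therefore never be synchronized.
USERS = [
    {"distinguishedName": "CN=Alice,OU=Example,OU=Users,DC=company,DC=org",
     "memberOf": ["CN=Zivver-security-group1,OU=Groups,DC=company,DC=org"]},
    {"distinguishedName": "CN=Bob,OU=Contractors,OU=Users,DC=company,DC=org",
     "memberOf": []},
    {"distinguishedName": "CN=Carol,OU=Users,DC=other,DC=org",
     "memberOf": ["CN=Zivver-security-group1,OU=Groups,DC=other,DC=org"]},
]
```

Calling apply_source_filter(USERS, "DC=company,DC=org", "memberOf", "Zivver-security-group1\nZivver-security-group2") keeps only Alice: Carol’s memberOf matches, but the Base DN check drops her first.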

Merge Settings

Use Source Merge Settings to choose what the Synctool should do if distinct sources (e.g. an LDAP source and an Excel source) contain identical entries.

If this is the first source in the Source Overview then no merge settings are available.

  • Overwrite
    Objects found in the currently selected source overwrite duplicate objects from previous sources.
  • Ignore
    Objects found in the currently selected source are overwritten by duplicate objects from previous sources.
  • Conflict
    Prompt the admin to resolve duplicates before synchronizing.

Data Preview

Source Data Preview (LDAP) allows you to preview all user accounts and functional accounts found in your LDAP source. Take into account that the Synctool can only find accounts that reside within the configured Base DN and Source Filter.

Click Load the data now to get a preview of all user accounts and functional accounts found in your LDAP source.

Next steps

If the data preview is returned as you would expect, you can either configure another source, or go to Syncing.