Add users to SteelConnect Manager with Active Directory Sync

Solution Number: S28016
Last Modified: 2017-05-05
Issue

If your organization runs an Active Directory infrastructure, SteelConnect Manager can sync users from a Domain Controller to simplify integration. The Active Directory Sync (AD Sync) feature polls the Active Directory Domain Controller every 15 minutes. Only user accounts that contain an email address are synchronized. AD Sync also synchronizes the user's mobile number attribute from Active Directory, so that user accounts with this attribute can use both email address and mobile number as User Portal registration methods.

There are two possible methods for the LDAP communication between AD Sync and the Domain Controller:

Via a Riverbed appliance at the site containing a Domain Controller
Via a direct Secure LDAP connection

When connecting via a Riverbed appliance, AD Sync runs over a reverse SSH tunnel between the SteelConnect Manager and the specified Riverbed appliance at the target site. Alternatively, when using a Secure LDAP connection, the SteelConnect Manager attempts to connect to the hostname provided for the LDAP service (e.g. ldaps://FQDN). Secure LDAP requires a server certificate on the Domain Controller and reachability on TCP port 636.

In most cases a static DNS route to an Active Directory DNS server is necessary so that the SteelConnect Manager can resolve the internal SRV record _ldap._tcp.domain.local (where domain.local represents your Active Directory domain name). This record exists only in the internal Active Directory DNS zone.

Solution

To configure a static DNS route, navigate in SteelConnect Manager to Network Design > Sites > DNS > DNS routing.

In the Active Directory settings under SteelConnect > Users > Directory Sync > Setup, the Bind User must be specified using the LDAP attribute sAMAccountName (the pre-Windows 2000 logon name, not a UPN or a full DN). A dedicated account with read-only directory permissions is sufficient for this bind, since the sync only reads user attributes.

Note that only user objects with a valid email address will be synced.

A default search filter is already set to pick up the relevant accounts, but it can be adjusted if your Active Directory hierarchy does not match the default filter. For more information on valid LDAP filters, see the following TechNet article: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Examples of Commonly Used LDAP Filters

Do not sync hidden Microsoft Exchange mailboxes

(&(objectClass=user)(objectCategory=person)(!(msExchHideFromAddressLists=TRUE)))

Only sync enabled user objects (1.2.840.113556.1.4.803 is the bitwise AND matching rule; bit 2 of userAccountControl is ACCOUNTDISABLE)

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Only sync enabled user objects within a specific group (replace the memberOf value with the distinguished name of your group)

(&(objectCategory=person)(objectClass=user)(memberOf=cn=group,cn=users,dc=domain,dc=local)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
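To see which objects the three filters above actually select before pasting one into Directory Sync > Setup, the following added example (not SteelConnect Manager code) evaluates them offline against a handful of constructed directory entries. It implements the subset of RFC 4515 filter syntax the filters use, including the Active Directory bitwise-AND extensible match, and applies the article's rule that only objects with an email address are synced. The entries, account names and group DN are constructed for illustration; the objectCategory values are stored as the short name "person"/"computer", which Active Directory itself expands to the schema DN when it evaluates (objectCategory=person).

```python
"""Evaluate AD Sync LDAP filters against constructed directory entries.

Added example, not SteelConnect Manager code. Supports the RFC 4515 subset
used by the article's filters: &, |, !, attr=value and the Active Directory
bitwise-AND extensible match (OID 1.2.840.113556.1.4.803).
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                      # userAccountControl bit tested above

# The filters from the article.
FILTER_NOT_HIDDEN = "(&(objectClass=user)(objectCategory=person)(!(msExchHideFromAddressLists=TRUE)))"
FILTER_ENABLED = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:%s:=2)))" % BIT_AND_RULE
FILTER_ENABLED_IN_GROUP = ("(&(objectCategory=person)(objectClass=user)"
                           "(memberOf=cn=group,cn=users,dc=domain,dc=local)"
                           "(!(userAccountControl:%s:=2)))" % BIT_AND_RULE)

# Constructed sample entries (hypothetical accounts in domain.local).
ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person", "userAccountControl": 512, "mail": "alice@domain.local",
     "memberOf": ["CN=group,CN=Users,DC=domain,DC=local"]},
    {"sAMAccountName": "bob", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person", "userAccountControl": 514,      # 512 | ACCOUNTDISABLE
     "mail": "bob@domain.local"},
    {"sAMAccountName": "carol", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person", "userAccountControl": 512, "mail": "carol@domain.local",
     "msExchHideFromAddressLists": "TRUE"},
    {"sAMAccountName": "svc-backup", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person", "userAccountControl": 512},     # no mail: never synced
    {"sAMAccountName": "ws01$", "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": "computer", "userAccountControl": 4096},  # why objectCategory=person matters
]


def parse(text):
    """Parse a filter string into a nested tuple tree."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s, i):
    """Parse one parenthesised component at s[i]; return (node, next_index)."""
    while s[i] == " ":                       # tolerate whitespace between components
        i += 1
    if s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while True:
            while s[i] == " ":
                i += 1
            if s[i] != "(":
                break
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at position %d" % i)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        while s[i] == " ":
            i += 1
        if s[i] != ")":
            raise ValueError("expected ')' at position %d" % i)
        return ("!", child), i + 1
    end = s.index(")", i)
    item = s[i:end]
    if ":=" in item:                         # extensible match: attr:rule:=value
        left, value = item.split(":=", 1)
        attr, rule = left.split(":", 1)
        return ("ext", attr, rule, value), end + 1
    attr, value = item.split("=", 1)         # plain equality (value may contain '=')
    return ("=", attr, value), end + 1


def _values(entry, attr):
    """Case-insensitive attribute lookup; always returns a list of strings."""
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return [str(v) for v in (value if isinstance(value, list) else [value])]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry (string compares are case-insensitive, as in AD)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in _values(entry, attr))
    _, attr, rule, value = node
    if rule != BIT_AND_RULE:
        raise ValueError("unsupported matching rule " + rule)
    mask = int(value)
    return any((int(v) & mask) == mask for v in _values(entry, attr))


def sync_candidates(entries, filter_text):
    """sAMAccountNames that match the filter AND have an email address (the AD Sync rule)."""
    node = parse(filter_text)
    return sorted(e["sAMAccountName"] for e in entries if matches(node, e) and _values(e, "mail"))


if __name__ == "__main__":
    for name, f in [("not hidden", FILTER_NOT_HIDDEN), ("enabled", FILTER_ENABLED),
                    ("enabled in group", FILTER_ENABLED_IN_GROUP)]:
        print("%-17s -> %s" % (name, sync_candidates(ENTRIES, f)))
```

Running it shows that the disabled account bob is only picked up by the first filter, the hidden mailbox carol only by the second, svc-backup never appears because it has no mail attribute, and the computer object ws01$ is excluded by every filter even though its objectClass contains "user", which is why objectCategory=person is part of each filter.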

Environment

SteelConnect Manager
