Add an AD Connector directory
1. Click > Resources > Directories. The Directories List page appears.
2. Click and select AD Connector Directory (Preview) from the drop-down list. The General Settings page appears.
3. Enter a Directory Name to identify your Directory.
4. Optional. In the Connection Settings section, do the following:
a. If you are outside of the domain controller, enter your directory administrator Username and Password.
Note: You can install on a server that is not a domain controller, but then the computer account must have permission to read the Deleted Objects container without providing credentials.
b. Select Use SSL if you want secure communication to the directory. This setting controls which protocol to use when talking to the default domain controller. While optional, it is highly recommended that you use an SSL connection.
c. To add more Directory Servers, click Add. The Directory Server dialog box appears.
Note: Explicit directory servers are optional. Only specify these if you need to manually control which domain controllers AD Connector needs to connect to and in which order of preference.
d. In the Hostname field, enter the host name of the AD server. The value can be either a host name or an IP address.
e. In the Port field, enter the port the directory communicates on.
f. Optional: Select Use SSL if you want secure communication to the directory. While optional, it is highly recommended that you use an SSL connection.
5. In the SearchBases & Group Filters section, specify which users and groups are synchronized. These settings are optional.
6. Set the SearchBases and Group Filters as follows:
a. Optional: Enter the Root Domain Naming Context (for example, DC=AnyCorp,DC=biz). If you leave this field empty, the SearchBase uses the default naming context of the domain where the AD Connector is installed.
b. Optional. Under Group Filters, click Add.
c. In the Group Filter field enter the name of the group that you want to filter. For example, enter Sales to sync all users in the Sales Department. By default all groups are synchronized.
Note: If there are no group filters set, all users are imported. If there is more than one group filter set, the user must belong to one of the groups identified by the group filters. Only enter one value per Group Filter text box.
The Group Filter includes the main group and any subgroups and their subgroups. For example, a group called Administrator with a subgroup called Identity as a Service that contains two subgroups called Auditors and Users would filter for users in the Administrator group, the Identity as a Service subgroup, and the Identity as a Service Auditors and Users subgroups.
d. Optional: Click Add to add more group filters.
7. In the Attributes Mappings section, map directory attributes in your Active Directory to Identity as a Service attributes. You must at a minimum map the mandatory system attributes. They are flagged with an asterisk (*). You can also add custom user attributes (see Create and manage user attributes).
Note: The Security ID is an optional system attribute that uniquely identifies users in a Microsoft Windows environment. Leave this field empty.
8. In the Synchronization section, do the following:
a. In the User Object Class field, enter the object class names that define your users in your directory. For Active Directory users, the User Object Class is usually user, which is the Identity as a Service default value.
Depending on the type of directory you are configuring, valid values can include:
– user
– userProxy
– user,userProxy
– user, userProxy
b. From the Group Synchronization drop-down list, select the groups that you want to add to Identity as a Service. Only groups with users synced to Identity as a Service are created. The group synchronization options include:
– All groups—All groups from users synced to Identity as a Service are added, including nested groups.
– Groups Matching Group Filter—User lookup traverses all the nested groups.
– No Groups—User lookup traverses all the nested groups. No groups are added to Identity as a Service.
c. The Group Name Attribute is entered by default. This is the name of the attribute from which Identity as a Service obtains the group name.
d. Select the User Desynchronization Policy from the drop-down list. This policy determines what happens to user accounts in Identity as a Service that are no longer found in the directory or no longer match the filters.
9. Click Add. When synchronization completes, the new directory appears on the Directories List page.
10. You can now add a Resource Rule to protect access to your AD Connector directory. See Create and manage resource rules.
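The group-filter rules in step 6 (no filters imports everyone, several filters are OR-ed, and a filter covers the named group plus every nested subgroup) and the desynchronization case in step 8d are easy to get wrong when predicting which accounts a sync will produce. The following added example is not part of this documentation or the product; it models those rules over a small constructed directory (group names and users are invented, and the nesting mirrors the Administrator example above) so an administrator can check expectations before running a sync.

```python
from typing import Dict, List, Set

# Constructed sample directory (not real AD data): each group lists its direct
# user members and its direct subgroups, mirroring the nesting example above.
GROUPS: Dict[str, dict] = {
    "Administrator": {"members": {"alice"}, "subgroups": {"Identity as a Service"}},
    "Identity as a Service": {"members": {"bob"}, "subgroups": {"Auditors", "Users"}},
    "Auditors": {"members": {"carol"}, "subgroups": set()},
    "Users": {"members": {"dave", "alice"}, "subgroups": set()},
    "Sales": {"members": {"erin"}, "subgroups": set()},
    "Marketing": {"members": {"frank"}, "subgroups": set()},
}


def expand_group(groups: Dict[str, dict], name: str) -> Set[str]:
    """Return the named group plus every transitively nested subgroup.
    Unknown group names are skipped and circular nesting cannot loop."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        g = stack.pop()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        stack.extend(groups[g]["subgroups"])
    return seen


def users_matching_filters(groups: Dict[str, dict], filters: List[str]) -> Set[str]:
    """No filters: every user is imported. Otherwise a user is imported if
    they belong to at least one filtered group or any of its subgroups."""
    if not filters:
        return {u for g in groups.values() for u in g["members"]}
    matched: Set[str] = set()
    for f in filters:
        for g in expand_group(groups, f):
            matched |= groups[g]["members"]
    return matched


def desynchronized(previously_synced: Set[str], groups: Dict[str, dict],
                   filters: List[str]) -> Set[str]:
    """Accounts already in the service that no longer match the filters;
    the User Desynchronization Policy decides what happens to them."""
    return previously_synced - users_matching_filters(groups, filters)
```

Comparing the result of `users_matching_filters` against the intended user population before clicking Add avoids surprise imports from deeply nested groups and surprise desynchronizations after a filter change.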