Configure an on-premise Active Directory

You can create an on-premise directory to sync users and groups from your Active Directory to Identity as a Service.

Note: If you currently use an on-premise directory to sync users and groups from Microsoft Entra ID, Entrust recommends that you configure an Configure an Azure Directory (Preview).

The Directory Sync agent is an on-premise application that is of part of an Identity as a Service Gateway to automatically import user and group information from your Active Directory server. The directory sync agent periodically queries your AD server to ensure that new user and group information is automatically added to Identity as a Service.

When you configure an on-premise directory, you can add multiple directory servers for failover in case a directory cannot be reached.

For Enterprise Service Gateways prior to 5.3, only the first directory server in the list is used.

Attention: Once you configure a directory and associate it to a gateway through the directory sync agent, the synchronization begins immediately. If you configure a directory without Group Filter values, every user identified in your corporate directory is imported into Identity as a Service immediately after the directory setup is complete. All user groups are also imported if no Group Filters are set.

Supported Microsoft Entra ID user roles and operations

The following table shows the Active Directory user roles and supported permissions.

Domain user roles

● Domain Administrator—Users with this role can connect with IDaaS with write permissions and can perform User synchronization, Group synchronization, Password Reset, and Password change.

● Domain User—Users with this role can connect with IDaaS with read only permissions and can perform User synchronization and Group synchronization but not Password Reset and Password change.

Group synchronization

● When synchronizing users from AD, if synchronization is configured to synchronize all groups, then all users will have a group in common.

● If an administration role is configured with OWN group access then an administrator that was synchronized will have that same group in common and will be able to administer all users that were synchronized.

● If you want administrators to not have access to all synchronized users, you can do one of the following:

– Configure synchronization to synchronize only groups that match the group filter and do not include a group that is common to all users in AD in your group filter. This allows you to have an administrator role with access to OWN groups.

– Configure an administrator role that has access to DEFINED groups and do not include groups that are common to all users.

2. Click

and select On-premise Active Directory from the drop-down list. The Add Directory page appears.

In the Connection Settings section, do the following:

a. In the Directory Name field, enter a name for your directory.

b. In the Root Domain Naming Context field, enter the full DN of the AD server.

Example: DC=AnyCorp,DC=biz

c. In the Username field, enter the name used to administer your directory in LDAP format. The user name can be a fully distinguished name or UPN. For example, CN=Administrator,CN=Users,DC=AnyCorp,DC=biz or Administrator@AnyCorp.biz.

d. In the Password field, enter your directory account password.

a. Click Add to add Directory Servers. The Directory Server dialog box appears.

b. In the Hostname field, enter the host name the AD server. The hostname can be either a hostname or IP address.

c. In the Port field, enter the port the directory communicates on.

d. Optional: Select Use SSL if you want secure communication to the directory. While optional, it is highly recommended that you use an SSL connection.

Note: Identity as a Service supports the .cer and .pem SSL certificate extension types. It does not support the .p7b extension.

e. If you select Use SSL you are prompted to upload your SSL certificate.

f. Click in the box, browse to select SSL certificate, and click Open.

g. Click Add to add your directory server.

h. Repeat these steps to add additional directory servers for failover.

Note: A next to the directory server connection indicates that SSL is not being used.

To edit the Directory Server information, click the row of the server you want to edit. The Edit dialog box appears. Make your changes and click Edit.

Click to drag and drop the order of the Directory Server used for failover. For Enterprise Service Gateways prior to 5.3, only the first directory server in the list is used.

In the SearchBases & Group Filters section, specify which users and groups are synchronized. These settings are optional.

a. Optional: Enter the Root Domain Naming Context (for example, DC=AnyCorp,DC=biz). SearchBases are combined with your Root Domain Naming Context. For example, the SearchBase DC=Users would combine with the Root Domain Naming Context DC=AnyCorp,DC=biz to form DC=Users,DC=AnyCorp,DC=biz.

– If you do not specify any SearchBases then all search bases under the root context are searched for users.

– If you do specify SearchBases, then only those search bases under the root context are searched for users.

b. Click Add to add SearchBases.

When specifying a SearchBase, by default(Include subtree) is selected. When Include Subtree is selected, all subtrees under your SearchBase are searched for users. Click to exclude the subtree. When Exclude Subtree is selected, then only entries immediately in your SearchBase are searched. For example, if you have SearchBase ou= department and subtree ou= sales and subtree ou= marketing, then all users in ou= department and the subtrees ou= sales and ou= marketing are synchronized.

c. Click Add to add more SearchBases.

d. Optional. Under Group Filters, click Add.

e. In the Group Filter field enter the name of the group that you want to filter. For example, enter Sales to sync all users in the Sales Department. By default all groups are synchronized.

Note: If there are no group filters set, all users are imported. If there is more than one group filter set, the user must belong to one of the groups identified by the group filters. Only enter one value per Group Filter text box.

f. Optional: Click Add to add more group filters.

In the Attributes Mappings section, map directory attributes in your Active Directory to Identity as a Service attributes. You must at a minimum map the mandatory system attributes. They are flagged with an asterisk (*).

a. The Security ID is an optional system attribute that uniquely identifies users in a Microsoft Windows environment. The attribute is automatically assigned the value ObjectSID. Do not change this value.

b. Optional: Add or modify the attributes. (See Create and manage user attributes).

Note: Once a user is synchronized from AD, the user is read-only in Identity as a Service and an administrator cannot manually update the attribute. In addition, mandatory attributes must be populated. If there is no value, then the user will not be synchronized.

c. Optional: To configure your directory for AD LDS, enter msDS-UserAccountDisabled=True as the State attribute value. This setting specifies the required directory attribute and potential value. Entering
msDS-UserAccountDisabled=True disables the user account.

Configuring your directory for AD LDS allows for directories other than Active Directories to be used on Identity as a Service, including Entrust Identity Enterprise. It also supports directory synchronization and directory password authentication.

Note: This step is recommended for most AD LDS directories that have disabled users with the msDS-UserAccountDisabled set to True. By configuring the Identity as a Service user with the value set to True, the user is synchronized in the disabled state. Configure this setting differently if your directory settings contain a different attribute and attribute value that indicates that a user is disabled.

In the Synchronization section, do the following:

a. From the Synchronization Agent drop-down list, select the Gateway Agent used to connect to the directory and sync users.

b. In the Page Size field, enter the number of results on a page. The minimum is 10 and the maximum is 1000.

c. In the Crawl Frequency field, enter the rate at which Active Directory (AD) is queried. The maximum is 24 hours (86400000 ms).

Note: To disable crawling, set the Crawl Frequency to 0. This feature is available with Gateways 5.4 or later. For Gateways prior to 5.4, the default setting of 1 hour is used.

Tip: Click the time option, for example, hr to select to enter the Crawl Frequency rate in milliseconds, seconds, minutes, or hours.

d. In the User Object Class field, enter the object class names that define your users in your on-premise directory. For Active Directory users, the User Object Class is usually user, which is the Identity as a Service default value.

Depending on the type of directory you are configuring, valid values can include

– user

– userProxy

– user,userProxy

– user, userProxy

e. From the Group Synchronization drop-down list, select the groups that you want to add to Identity as a Service. Only groups with users synced to Identity as a Service are created. The group synchronization options include:

– All groups—All groups from users synced to Identity as a Service are added.

– Groups Matching Group Filter—Only groups matching the filter are added to Identity as a Service.

– No Groups—No groups are added to Identity as a Service.

f. The Group Name Attribute is cn by default. This is the name of the attribute from which Identity as a Service obtains the group name.

g. Select the User Desynchronization Policy from the drop-down list. This policy determines what happens to user accounts in Identity as a Service that are no longer found in the directory or no longer match the filters.

When synchronization completes, the new directory appears on the Directories List page.

SI No.	Role	User Sync	Group Sync	Password Change	Password Reset
1	Global Administrator	Yes	Yes	Yes	Yes
2	User Administrator	Yes	Yes	Yes	Yes
3	Global Reader	Yes	Yes	No	No
4	Directory Reader	Yes	Yes	No	No