Active Directory Connector (On Premise)

Using Profile Sources within Interact, it is simple to set up Interact to synchronise directly with an Active Directory within your organisation. So long as the servers running Interact can reach a Domain Controller in your environment over the LDAP or LDAPS port (389 or 636), Interact can read the directory and automatically synchronise its users overnight.

Creating an LDAP source

From within the manage profile sources page, click the Active Directory button. This will take you to the 'Create LDAP Source' page where you'll need to go through each tab and enter the details as described below.

Domain configuration

This is the name you wish to call your source, ensuring that it is easily identifiable.

Then you need to fill out the Domain Details (LDAP):

  • Domain Name (pre-Windows 2000) - The NetBIOS name of the domain. This is the domain portion of the 'User logon name (pre-Windows 2000)' value shown on the Account tab of a user in Active Directory Users and Computers.
  • Base Distinguished Name - The root Distinguished Name (DN) to use when running queries against your directory server. Example: dc=interact-intranet,dc=com
  • User Distinguished Name - A Relative Distinguished Name (relative to the Base DN) which contains the users to synchronise to Interact. This value is prepended to the Base DN when searching for users; if blank, the Base DN itself is searched. Example: ou=users

🚧

Note

Interact will only synchronise users that are members of security groups (or nested groups) found under the Group DN. This setting is used to reduce the synchronisation time when connecting to large, disparate Active Directory structures.

  • Group Distinguished Name - A Relative Distinguished Name (relative to the Base DN) which contains the security groups whose members are synchronised to Interact. This value is prepended to the Base DN when searching for groups; if blank, the Base DN itself is searched. Example: ou=groups. Note: Interact does not support cross-domain referrals within groups, so members that live in another domain are not followed.

Server Details

Next you need to fill out the Server Details, some of which are pre-populated.

Server - The hostname of your directory server. Example: rodc.company.com. When Use SSL is enabled, enter a hostname that appears on the server's certificate rather than an IP address, because the certificate is validated against the name you connect to.
Port Number - Port number of the LDAP server (pre-populated). If you wish to use SSL for the connection, the port number should be 636.
Use SSL - Connect to the directory server over SSL/TLS (LDAPS). Note that you are unable to use a self-signed or local domain certificate: a certificate issued by a public Certificate Authority (CA) is required.
Timeout - Timeout for the LDAP connection. Default 30 seconds (pre-populated).
Authentication Type - Defines how the connection to the server is made; it must match the server's settings. It should be one of the three:

  • Anonymous: connect without passing credentials. Active Directory does not permit anonymous reads of user and group objects by default, so this rarely works against a domain controller.
  • Basic: connect using basic authentication (a simple bind). Only use this together with Use SSL, since otherwise the account's password crosses the network in clear text.
  • Negotiate: connect using Microsoft Negotiate (Kerberos or NTLM) authentication.

Credentials

Next, you need to fill out the Domain Credentials.

Domain - The domain that the user account below belongs to.
User - The account Interact binds to the directory as. The privileges it actually needs are bind and read: user info, group info, group membership, the update sequence number and deleted objects. It needs read access to all domain objects. The documented requirement is membership of the built-in Administrators group; by default that is the only group able to read the Deleted Objects container that deleted-object tracking relies on. If you would rather not hand an intranet application a domain administrator credential, create a dedicated service account and grant it List Contents and Read Property on CN=Deleted Objects explicitly (for example with dsacls), then verify a synchronisation run still completes.
Password - The password of the user. It is best practice to use a dedicated service account and set its password not to expire, since an expired password silently stops synchronisation.

🚧

Security Note

In order for Interact to connect to an LDAP server, the password provided cannot be one-way hashed; it must be recoverable in the context of this application. This password is stored in plain text without obfuscation. To protect it, ensure that no other users or processes have OS-level read permission on this application's database or configuration files, and keep the account's privileges to the minimum described above, so that disclosure of this password does not also disclose a domain administrator credential.

Domain Options


Use for Fast Bind - Denotes which domain should be used for Fast Bind authentication (only one per tenant).
Active - Make LDAP source LIVE

Synchronisation

Synchronise Departments - If enabled, users are automatically allocated to the relevant department in Interact based on the data obtained from Active Directory. Departments that do not exist in Interact are automatically created.
Synchronise Locations - If enabled, users are automatically allocated to the relevant location in Interact based on the data obtained from Active Directory. Locations that do not exist in Interact are automatically created.
Synchronise Companies - If enabled, users are automatically allocated to the relevant company in Interact based on the data obtained from Active Directory. Companies that do not exist in Interact are automatically created.
Synchronise Managers - If enabled, a user will be assigned the appropriate manager (providing the manager exists within Interact).

Because departments, locations and companies are created from whatever value the mapped attribute holds, tidy up inconsistent spellings in Active Directory before enabling these options, or each variant becomes a separate entry in Interact.

Schedule


Frequency - Frequency that the synchronisation will occur.
Time - Time of day that the synchronisation will occur.

Actions

Action on detecting Missing Users - Enable or disable deletion of users within Interact who are no longer present in any of the synchronised security groups in Active Directory. This is useful when administrators quarantine users in Active Directory (removing them from those groups) prior to deletion.
Action on detecting Disabled Users - Enable or disable deletion of users within Interact if they are disabled within Active Directory.

Dates


Last Executed - This will display the Date / Time from the last synchronisation.
Last Updated - This will display the Date / Time the source was updated.

Defaults


Default Department - Please select a department you wish to be allocated if not specified in the Directory
Default Location - Please select a location you wish to be allocated if not specified in the Directory
Default Company - Please select a Company you wish to be allocated if not specified in the Directory.

Field Names

Department Field Name - The attribute field to use when loading the user's department. Default: department.
Location Field Name - The attribute field to use when loading the user's location. Default: physicalDeliveryOfficeName.
Company Field Name - The attribute field to use when loading the user's company. Default: company.

Lingering Object Filter

Lingering Object Filter - Specify a filter for lingering objects. A lingering object is an Active Directory object that was deleted, but still exists on a domain controller that did not replicate the deletion within the domain's tombstone lifetime; it then reappears (is "reanimated") in searches against that DC and would otherwise be re-created in Interact.
Enable the Lingering Object Filter - Tick this to apply the filter above.

User / Group Details

Next you need to fill out the User / Group Details (all are pre-populated).

User Username Field - The attribute field to use when loading the username. Default: sAMAccountName.
User First Name Field - The attribute field to use when loading the user's first name. Default: givenName.
User Last Name Field - The attribute field to use when loading the user's last name. Default: sn.
User Email Field - The attribute field to use when loading the user's email. Default: email. Note that the standard Active Directory attribute for a user's e-mail address is mail; check which attribute your directory actually populates.
User Thumbnail Photo Field - This is not currently used.
User Account Control Field - The LDAP attribute whose flags control the behaviour of the user account. In Active Directory this is userAccountControl, where bit 0x2 (ACCOUNTDISABLE) marks a disabled account; this is how disabled users are detected.
User Manager Domain Name Field - The LDAP attribute used to look up a user's manager. In Active Directory the manager attribute holds the manager's distinguished name (DN).
User Domain Name Field - The LDAP attribute holding the user's distinguished name (DN).
User Guid Field - The LDAP attribute used to look up user GUIDs.

User Title Field - The attribute field to use when loading the user's title. Default: personalTitle.
User Initials Field - The attribute field to use when loading the user's initials. Default: initials.
User Job Title Field - The attribute field to use when loading the user's job title. Default: title.
User Work Phone Number Field - The attribute field to use when loading the user's telephone. Default: telephoneNumber.
User Mobile Phone Number Field - The attribute field to use when loading the user's mobile. Default: mobile.
User Fax Number Field - The attribute field to use when loading the user's fax. Default: facsimileTelephoneNumber.
User Extension Number Field - The attribute field to use when loading the user's extension. Default: extensionName.
User Address Field - The attribute field to use when loading the user's address. Default: homePostalAddress.

Group Name Field - The field that maps a group to its common name (CN) in LDAP.
Group Member Field - The field that maps a user to a group. This is a user attribute. In Active Directory the user-side attribute is memberOf, the back-link of the group's member attribute; note that memberOf does not list a user's primary group (normally Domain Users), so membership via primaryGroupID alone is not visible through it.
Group Description Field - The field that maps a group to its description in LDAP.
Group Domain Name Field - The field that maps a group to its distinguished name (DN) in LDAP.
Group Guid Field - The LDAP attribute used to look up group GUIDs.

Search

Next, Search Options are required (all pre-populated).

Page Size - Default 0. If a search can return more objects than the server's size limit (MaxPageSize, 1000 by default in Active Directory), set a page size no larger than that limit so that results are fetched in pages rather than truncated.
Server Time Limit - Default 0
Server Page Time Limit - Default 0
Referral Chasing - Default 0 (referrals are not chased, consistent with the cross-domain referral note above).

Search Filters

User Search Filter - Default: (&(objectClass=user)(objectCategory=person)(givenName=*)(sn=*)(!(cn=*CNF:*))). The * wildcards are presence tests: only user objects that are persons (objectCategory=person excludes computer accounts, which are also objectClass=user) and have both a first and last name are synchronised, and replication-conflict objects, whose CN contains "CNF:" followed by a GUID, are excluded.
Group Search Filter - Default (&(objectClass=group))
User Search Filter Scope - Base | Onelevel | Subtree - Default Subtree
Group Search Filter Scope - Base | Onelevel | Subtree - Default Subtree
Membership Search Filter Scope - Base | Onelevel | Subtree - Default Subtree
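The following is an added example, not Interact's own code, that models the decisions described on this page: the search base built from the Base DN and a Relative DN, the search scopes above, the default user filter, the Domain configuration note that only members of security groups (including nested groups) under the Group DN are synchronised, and the two Actions for missing and disabled users. The in-memory directory, account names, attribute values and function names are constructed assumptions; objectCategory is stored as the short name person or computer rather than the schema class DN Active Directory actually returns.

```python
# Added example (not Interact's own code): a model of the synchronisation decisions
# this page describes. The directory, names and helpers are constructed assumptions.

ACCOUNTDISABLE = 0x0002   # userAccountControl flag: account is disabled
NORMAL_ACCOUNT = 0x0200   # userAccountControl flag: ordinary user account

def search_base(base_dn, relative_dn):
    """Join a Relative DN onto the Base DN; a blank Relative DN searches the Base DN."""
    return f"{relative_dn},{base_dn}" if relative_dn else base_dn

def in_scope(dn, base, scope):
    """Apply an LDAP search scope (Base | Onelevel | Subtree) to a DN.
    DNs compare case-insensitively; escaped commas inside RDN values are not handled."""
    dn, base = dn.lower(), base.lower()
    if scope == "Base":
        return dn == base
    if scope == "Onelevel":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)          # Subtree

def matches_user_filter(entry):
    """Model of the default User Search Filter
    (&(objectClass=user)(objectCategory=person)(givenName=*)(sn=*)(!(cn=*CNF:*)))."""
    return ("user" in entry["objectClass"]
            and entry["objectCategory"] == "person"       # drops computers, also objectClass=user
            and bool(entry.get("givenName")) and bool(entry.get("sn"))   # presence tests
            and "CNF:" not in entry["cn"])                 # replication-conflict objects

def resolve_members(group_dn, directory, seen=None):
    """DNs of users reachable from group_dn through nested groups; `seen` breaks cycles."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users = set()
    for member_dn in directory.get(group_dn, {}).get("member", []):
        member = directory.get(member_dn)
        if member is None:            # foreign-domain or dangling link: referrals are not chased
            continue
        if "group" in member["objectClass"]:
            users |= resolve_members(member_dn, directory, seen)
        else:
            users.add(member_dn)
    return users

def plan_sync(directory, base_dn, user_rdn, group_rdn, interact_users,
              delete_missing, delete_disabled):
    """Decide per sAMAccountName what one run would do: sync, keep or delete."""
    user_base = search_base(base_dn, user_rdn)
    group_base = search_base(base_dn, group_rdn)
    members = set()
    for dn, entry in directory.items():
        if "group" in entry["objectClass"] and in_scope(dn, group_base, "Subtree"):
            members |= resolve_members(dn, directory)
    plan = {}
    for dn, entry in directory.items():
        if (dn not in members or not in_scope(dn, user_base, "Subtree")
                or not matches_user_filter(entry)):
            continue                  # not in a synchronised group, outside the User DN, or filtered
        if entry["userAccountControl"] & ACCOUNTDISABLE:
            plan[entry["sAMAccountName"]] = "delete" if delete_disabled else "keep"
        else:
            plan[entry["sAMAccountName"]] = "sync"
    for name in interact_users:       # in Interact but no longer found in any group
        plan.setdefault(name, "delete" if delete_missing else "keep")
    return plan

# Constructed sample directory (assumption, not real data).
BASE = "dc=interact-intranet,dc=com"
U = "ou=users," + BASE
G = "ou=groups," + BASE

def _user(cn, sam, given, sn, uac=NORMAL_ACCOUNT, category="person"):
    return {"objectClass": ["top", "person", "user"], "objectCategory": category, "cn": cn,
            "sAMAccountName": sam, "givenName": given, "sn": sn, "userAccountControl": uac}

def _group(members):
    return {"objectClass": ["top", "group"], "member": members}

DIRECTORY = {
    f"cn=Alice Adams,{U}": _user("Alice Adams", "aadams", "Alice", "Adams"),
    f"cn=Bob Brown,{U}": _user("Bob Brown", "bbrown", "Bob", "Brown", NORMAL_ACCOUNT | ACCOUNTDISABLE),
    f"cn=Carol Cole,{U}": _user("Carol Cole", "ccole", "Carol", ""),          # no sn: fails (sn=*)
    f"cn=Dan Day,{U}": _user("Dan Day", "dday", "Dan", "Day"),                # only in a group outside Group DN
    f"cn=Erin Evans\\0ACNF:7b1c,{U}": _user("Erin Evans\nCNF:7b1c", "eevans", "Erin", "Evans"),  # conflict object
    f"cn=WEB01,ou=servers,{BASE}": _user("WEB01", "WEB01$", "", "", category="computer"),
    f"cn=Staff,{G}": _group([f"cn=Alice Adams,{U}", f"cn=Carol Cole,{U}",
                             f"cn=Erin Evans\\0ACNF:7b1c,{U}", f"cn=Engineering,{G}"]),
    f"cn=Engineering,{G}": _group([f"cn=Bob Brown,{U}", f"cn=WEB01,ou=servers,{BASE}",
                                   f"cn=Staff,{G}"]),                        # nested, with a cycle back to Staff
    f"cn=Vendors,ou=external,{BASE}": _group([f"cn=Dan Day,{U}"]),           # outside Group DN: ignored
}
INTERACT_USERS = ["aadams", "bbrown", "dday", "zzed"]   # accounts already in Interact (constructed)

if __name__ == "__main__":
    for flags in ((True, True), (False, False)):
        print(flags, plan_sync(DIRECTORY, BASE, "ou=users", "ou=groups", INTERACT_USERS, *flags))
```

With both Actions enabled the run synchronises aadams, deletes bbrown (disabled) and deletes dday and zzed (no longer in any group under the Group DN; dday is only in a group outside it); with both disabled those three are kept. Carol, the conflict object and the computer account never reach the plan because the filter or the User DN scope excludes them, and the Staff/Engineering cycle terminates because each group is expanded once.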

Additional Fields

If your organization makes use of custom fields within Active Directory, then you can map those fields to profile fields within Interact. Before doing so, you'll need to add the fields to Interact by navigating to Application Settings > Manage People > Manage Additional Information. For more details, see this page on Community.

Once the Additional Fields exist in Interact, you can then map custom fields from AD:


Finally, to complete the LDAP source you must click Save.