Configuring settings

Before the Active Directory connection can be activated, certain settings must be configured. It is possible to connect several Active Directories and to import their entries into octoplant.

As a prerequisite, authorization must be carried out via the operating system.

  1. Open the Synchronization tab in the menu bar and click on the Account policies button.

  2. In the Authorization tab, select either Authorization via operating system or Authorization by operating system and access management and confirm with OK.

To configure the settings for the Active Directory connection, proceed as follows:

  1. Click on the Configure button in the menu bar. The Active Directory binding dialog is displayed. A new configuration is created directly when it is initially opened. If you want to create an additional configuration while the dialog is open, select the New button in the navigation bar on the left.

  2. Image: Active Directory Binding dialog

  3. Make the necessary settings. An example configuration you can see in the screenshot above. The entries are described in detail in the tables below.

  4. Select Enable cyclic sync to activate the synchronization with the Active Directory for this configuration.

  5. The automatic and manual import from the Active Directory is finally only active, when the Activate button in the menu bar is selected. The Enable cyclic sync checkbox only enables the configuration for being activated afterwards.

  6. Confirm with Save.

  7. The settings of this configuration are saved. To add a new configuration select the New button in the navigation bar, to close the dialog select OK.

 

When configuring the Active directory connection, data supplied by the IT department, for example, is often copied from an email or a Word document. It can happen that characters are changed or added by the corresponding word processing program. This will be indicated by an error message. To prevent this, we recommend entering the data manually.

Server

We have implemented automatic authentication for Active Directory. This means that already authenticated credentials will be used if the supplied credentials, username and password, are left empty in the Active Directory binding dialog.

Element Description Example
Address Name, IP address or domain of the Active Directory servers
If the computer from which you want to connect is not included in the domain of the Active Directory server, a connection will only be possible via the name or IP address of the Active Directory server.
10.0.201.1
Port Active directory server port
Integer values ranging from 0 to 65535 are possible
The default port for encrypted connection is port 636 (default port for unencrypted connection is 389)
If a port is already being used for something else, select another one.
636
SSL encrypted Encrypted or unencrypted connection to the Active Directory server.
By default, the connection to Active Directory is made using the LDAP protocol. If the SSL Encrypted checkbox is selected, the LDAPS protocol will be used.
þ SSL encrypted
User name User name for access to the Active Directory Server
Format: <User name> or <Domain>\<user name> or <username>@<domain>
octoplant
Password User name for access to the Active Directory Server
masked display
•••••••••
DC DNS name of the domain
Information according to the Active Directory format The parts of a domain name separated by dots are divided into individual sections in the Active directory. Each section is intiated by the prefix DC (= Domain Component). The individual sections are separated from each other by commas
ie domain "vdns.tst.dom" is mapped as follows: DC=vdns, DC=tst, DC=dom
DC=vdns, DC=tst, DC=dom
DN "All Users" Distinguished Name (= DN) of the Active Directory group, within which users (and other groups), that are to be imported, are searched for.
Entries corresponding to the Active Directory Format. A distinguished name represents an object in a hierarchical directory. The distinguished name is written from the lower to the higher hierarchy levels. The object itself is introduced by the prefix CN (= Common Name). The individual parts are separated from each other by commas
For the group "Club27" in the folder “Users”, the Distinguished Name looks like this: CN=Club27, CN=Users
CN=Club27, CN=Users
DN “Administrators”

Distinguished Name (= DN) of the Active Directory group, whose users are to be imported into the Administrators group
Entries corresponding to the Active Directory Format. A distinguished name represents an object in a hierarchical directory. The distinguished name is written from the lower to the higher hierarchy levels. The object itself is introduced by the prefix CN (= Common Name). The individual parts are separated from each other by commas
For the group "Reservoir-Dogs" in the folder "Users”, the Distinguished Name looks like this: CN=Reservoir-Dogs, CN=Users.

Multiple groups are separated from each other by semicolons.

CN=Reservoir-Dogs, CN=Users, OU=SecurityGroup.

 

 

 

 

 

CN=SECS-Engineering-1,OU=test,OU=2008 R2 AD; CN=SECS-Engineering-2,OU=test 2,OU=2008 R2 AD; ...

Path specification:

Paths need to be entered in full in the Active Directory Binding dialog. If the path contains special characters, such as "+" (for example, OU=W+D), this special character must be provided with an escape sequence "\" (for example, CN=Reservoir-Dogs, OU=W\+D).

You can use the Check button to test whether the server details are correct.

Issuing Distinguished Name of Active Directory Group

In the fields DN "All Users” and DN "Administrators" the distinguished name of an Active Directory group is specified. The distinguished name can be issued via the PowerShell command Get-ADGroup <group name> executed on the Active Directory controller.

Example:

Image: Output distinguished name

Imported user attributes

Element Description Example
Name Attribute from the Active Directory, which is used as user name in octoplant
During the import, the name of a user is set according to the value of the attribute from the Active Directory.
sAMAccountName
Full name Attribute from the Active Directory, which is used as the full name in octoplant
During the import, the name of a user is set according to the value of the attribute from the Active Directory
displayName
Email Attribute from the Active Directory, which is used as the email address in octoplant.
During the import, the email address of a user is set according to the value of the attribute from the Active Directory.
mail
Telephone Attribute from the Active Directory, which is used as the telephone number in octoplant
During the import, the telephone number of a user is set according to the value of the attribute from the Active Directory.
telephoneNumber
Comment Attribute from the Active Directory, which is used as a comment in octoplant
During the import, the comment of a user is set according to the value of the attribute from the Active Directory.
description
Domain

Domain name or user attribute from the Active Directory

If the checkbox Use value of "Domain" as user attribute has been cleared, the NetBIOS name of the domain will be entered. This is the default setting.

If the checkbox Use value of "Domain" as user attribute has been selected, any user attribute can be specified from which the domain name can be read or used.

2 Special features: For the userPrincipalName and distinguishedName attributes, the first sub-domain or domain found is used as the domain name in each case.

Examples:

  • distinguishedName:
    CN=UserName, OU=Development, OU=UserAccounts,
    OU=Organisation, OU=Company, DC=subDomain,
    DC=Domain, DC=local

    Here the value of the first "DC=" is used as domain name, therefore"subDomain".

  • userPrincipalName:
    user@subdomain.domain.local

  • Here, the first value after the @ up to the first "." is used as the domain name, in other words, "subdomain".

Imported group attributes

Element Description Example
Name: Attribute from the Active Directory, which is used as user name in octoplant
During the import, the name of a group is set according to the value of the attribute from the Active Directory.
cn
Comment: Attribute from the Active Directory, which is used as group comment octoplant
During the import, the comment of a group is set according to the value of the attribute from the Active Directory.
description

Import options

Element Description
Procedure for the groups entered in the DN "All Users" field
  • Import users (do not import groups or memberships)
    Only users are imported from the AD. Groups and memberships are not imported.
  • Import users and groups and memberships
    The groups specified by users (these must be groups and not OUs) are imported into octoplant. (Users are assigned to their respective groups).
  • Import users and first level subgroups and memberships Allows to add/remove groups in AD without changing the configuration in octoplant. (Default).
Action to take if user/group already exists in octoplant:

Program behaviour, if users/groups, that are set to be imported, already exist in octoplant.

Options:

  • Overwrite this user/group in octoplant(retain rights) Users/groups already existing in octoplantare overwritten with the values of the identically named elements from the Active Directory during the import.
  • Skip this Active Directory user/group
    Users/groups already existing in octoplantare not overwritten with the values of the identically named elements from the Active Directory during the import.
Action to take if user/group no longer exists in the Active Directory:

Program behaviour, if users/groups, that are set to be imported, no longer exist in octoplant.

Options:

  • Remove write-protection and block user
    Users/groups existing in octoplant remain, but the users are locked.
  • Remove write-protection
    Users/groups existing in octoplantremain without restrictions.
  • Delete user/group
    Users/groups existing in octoplantare deleted.
Daily automatic import at: Time to start the daily automatic import (selectable are full hours).

Example configuration:

Image: Dialog Active Directory binding

By clicking on Rest to default, all entries are undone and the initial state of the configuration dialog is restored.

Additional information:

Much of the information required for the Active Directory Binding in octoplant can be found fast and easily with a tool for managing the Active Directory. For example, the Active Directory Explorer from Microsoft is such a tool. If the port is explicitly specified, the SSL connection can also be checked.

Example:

Image: Dialog Connect to Active Directory

The following screenshot shows the information needed to configure the Active Directory Binding so as to be able to import the group "Club27" from the "Users" folder via Active Directory Explorer. Information relevant to each other can be recognized by the same number.

Image: Active Directory Explorer

 

SSL encrypted connection to Active Directory server fails with the following error message. How can I resolve this problem?

 

Image: Dialog Active Directory binding

Check if the name in the certificate matches the name in the request.

In the above example, the IP address was used instead of the computer name "FS-2019" during configuration. Since only the name "FS-2019" is stored in the certificate, the displayed error occurs.

To fix the error, specify the computer name "FS-2019" in the Address field.

To FAQ list

How can I import a certificate on the octoplant server or check its availability?

 

A root certificate identifies a certification authority (CA). With this root certificate, a CA signs one or more subordinate certificates that sign the SSL certificates of the end users.

The root certificate must be imported to the server. To do this, double-click the exported certificate and file it under Trusted root certification authorities.

Image: Trusted root certification authorities

To display the certificate, press Win + R and enter certmgr.msc (or certlm.msc) in the Run dialog.

Image: Dialog Run, certmgr.msc

 

To FAQ list