Configuring settings¶
Before the Active Directory connection can be activated, certain settings must be configured. It is possible to connect several Active Directories and to import their entries into octoplant.
As a prerequisite, authorization must be carried out through the operating system.
- Open the User management module.
- Select the Synchronization tab in the menu bar and then select the Account policies button.
- In the Authorization tab, select either Authorization via operating system or Authorization by operating system and access management and confirm with OK.
To configure the settings for the Active Directory connection, proceed as follows:
- Open the User management module.
- Select the Configure button in the menu bar. The Active Directory binding dialog is displayed. A new configuration is created directly when the dialog is first opened. If you want to create an additional configuration while the dialog is open, select the New button in the navigation bar on the left.
- Make the necessary settings. An example configuration is shown in the screenshot above. The entries are described in detail in the tables below.
- Select Enable cyclic sync to activate synchronization with the Active Directory for this configuration.
Info
Automatic and manual import from the Active Directory only becomes active once the Activate button in the menu bar is selected. The Enable cyclic sync checkbox merely marks the configuration as eligible for activation afterwards.
- Confirm with Save.
- The settings of this configuration are saved. To add a new configuration, select the New button in the navigation bar; to close the dialog, select OK.
Info
When configuring the Active Directory connection, data supplied by the IT department, for example, is often copied from an email or a Word document. It can happen that characters are changed or added by the corresponding word processing program. This is indicated by an error message. To prevent this, it is recommended to enter the data manually.
Server¶
Element | Description | Value | Example |
---|---|---|---|
Address | Name, IP address or domain of the Active Directory server. If the computer from which you want to connect is not included in the domain of the Active Directory server, a connection is only possible via the name or IP address of the Active Directory server. | Name, IP address or domain. | 10.0.201.1 |
Port | Port of the Active Directory server. | Integer values in the range from 0 to 65535. The default port is 636 for encrypted connections. The default port for unencrypted connections is 389. If the default port is already in use elsewhere, select another one. | 636 |
SSL encrypted | Encrypted or unencrypted connection to the Active Directory server. By default, the connection to Active Directory is made using the LDAP protocol. | If the SSL Encrypted checkbox is activated, the LDAPS protocol is used. | 🗹 SSL encrypted |
User Name | User name for accessing the Active Directory server. Note: We have implemented automatic authentication for Active Directory. This means that already authenticated credentials will be used if the supplied credentials, user name and password, are left empty in the Active Directory binding dialog. In order to be able to read users from the Active Directory, the user configured here must have the corresponding access rights in the Active Directory. | Format: {User name} or {Domain}\{User name} or {User name}@{Domain}. | Administrator |
Password | User password for accessing the Active Directory server. Masked display. Note: We have implemented automatic authentication for Active Directory. This means that already authenticated credentials will be used if the supplied credentials, username and password, are left empty in the Active Directory binding dialog. | {Password} | ••••••••• |
DC: | DNS name of the domain. Data according to the Active Directory format. | The parts of a domain name separated by dots are divided into individual sections in the Active Directory. Each section is introduced by the prefix DC (= Domain Component). The individual sections are separated from each other by commas. | The domain vdns.tst.dom is mapped as follows: DC=vdns,DC=tst,DC=dom |
DN "All Users": | Distinguished Name (= DN) of the Active Directory group within which to search for users (and other groups) to be imported. Specifications according to the Active Directory format. A Distinguished Name represents an object in a hierarchical directory. | The distinguished name is written from the lower to the higher hierarchy levels. The object itself is introduced by the prefix CN (= Common Name). The individual parts are separated from each other by commas. | For the Club27 group in the Users folder, the distinguished name looks like this: CN=Club27,CN=Users |
DN "Administrators": | Distinguished Name (= DN) of the Active Directory group whose users are to be imported into the administrators group octoplant. Specifications according to the Active Directory format. A Distinguished Name represents an object in a hierarchical directory. | The Distinguished Name is written from the lower to the higher hierarchy levels. The object itself is introduced by the prefix CN (= Common Name). The individual parts are separated from each other by commas. Multiple groups are separated from each other by semicolons. | For the Reservoir-Dogs group in the Users folder, the distinguished name looks like this: CN=Reservoir-Dogs,CN=Users,OU=SecurityGroup This value will import the groups SECS-Octoplant-Engineering-1 and SECS-Octoplant-Engineering-2 and all the users within these groups: CN=SECS-Engineering-1,OU=test,OU=2008 R2 AD; CN=SECS-Engineering-2,OU=test 2,OU=2008 R2 AD; ... |
Specifying paths¶
Paths must be specified in full in the Active Directory binding dialog. If the path contains special characters, such as "+" (e.g. OU=W+D), the special character must be prefixed with the escape character "\" (e.g. CN=Reservoir-Dogs,OU=W\+D).
You can use the Check button to test whether the server details are correct.
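The DN rules from the Server table and the escaping rule above can be checked before anything is typed into the dialog. The following is an added Python example, not octoplant code: it maps a DNS domain to its DC= form, builds and parses Distinguished Names with RFC 4514 escaping, and splits a semicolon-separated group list as used in the DN "Administrators" field. All function names are the example's own.

```python
from __future__ import annotations

import re

# Characters that RFC 4514 requires to be escaped inside an attribute value of an RDN.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN, e.g. 'W+D' -> 'W\\+D'.

    Every special character gets a leading backslash; a leading '#' or space and a
    trailing space are escaped as well, as RFC 4514 demands.
    """
    escaped = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    if value.startswith(("#", " ")):
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_dn(*rdns: tuple[str, str]) -> str:
    """Join (attribute, value) pairs, written from the object upward, into a DN."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in rdns)


def domain_to_dc(domain: str) -> str:
    """Map a DNS domain to the DC= form of the 'DC:' field: vdns.tst.dom -> DC=vdns,DC=tst,DC=dom."""
    labels = [label for label in domain.strip().rstrip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={escape_rdn_value(label)}" for label in labels)


def _split_unescaped(text: str, separator: str) -> list[str]:
    """Split on a separator that is not preceded by a backslash (an escaped one stays in the value)."""
    return re.split(r"(?<!\\)" + re.escape(separator), text)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a DN into (attribute, value) pairs, removing the escape backslashes again."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        attr, sep, raw = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"RDN without attribute=value: {rdn!r}")
        pairs.append((attr.strip(), re.sub(r"\\(.)", r"\1", raw)))
    return pairs


def split_group_list(field_value: str) -> list[str]:
    """Split the DN "Administrators" field, in which several groups are separated by semicolons."""
    return [part.strip() for part in _split_unescaped(field_value, ";") if part.strip()]


if __name__ == "__main__":
    print(domain_to_dc("vdns.tst.dom"))
    print(build_dn(("CN", "Reservoir-Dogs"), ("OU", "W+D")))
    print(parse_dn("CN=Reservoir-Dogs, OU=W\\+D"))
```

Running `parse_dn` over a value pasted from an e-mail is a quick way to spot the altered or added characters mentioned in the Info box above: an RDN without `=` or a stray separator raises immediately instead of failing later at the server.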
Output the Distinguished Name of the Active Directory group¶
The Distinguished Name of an Active Directory group is specified in the fields DN "All Users": and DN "Administrators":. The Distinguished Name can be output with the PowerShell command Get-ADGroup {Group name}, which is executed on the Active Directory controller.
Example:
Imported user attributes¶
octoplant Element | Description | Example |
---|---|---|
Name | Attribute from the Active Directory, which is used as user name in octoplant. During the import, the name of a user is set according to the value of the attribute from the Active Directory. | sAMAccountName |
Full name | Attribute from the Active Directory that is used as the full name in octoplant. When importing, the full name of a user is set according to the value of the attribute from the Active Directory. | displayName |
Email | Attribute from the Active Directory that is used as the email address in octoplant. On import, the email address of a user is set according to the value of the attribute from the Active Directory. | |
Telephone | Attribute from the Active Directory that is used as the telephone number in octoplant. When importing, the telephone number of a user is set according to the value of the attribute from the Active Directory. | telephoneNumber |
Comment | Attribute from the Active Directory that is used as a comment in octoplant. When importing, the comment of a user is set according to the value of the attribute from the Active Directory. | description |
Domain | Domain name or user attribute from the Active Directory. If the Use value of "Domain" as user attribute checkbox is activated, any user attribute can be specified from which the domain name can be read or used. If the Use value of "Domain" as user attribute checkbox is cleared (default setting), the NetBIOS name of the domain will be entered. Special features: For the attributes userPrincipalName and distinguishedName, the first sub-domain or domain that is found is used as the domain name. | distinguishedName: CN=UserName,OU=Development, OU=UserAccounts,OU=Organization,OU=Company, DC=subDomain,DC=Domain,DC=local userPrincipalName: user@subdomain.domain.local |
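The attribute mapping above, including the "Domain" rule with its special handling of distinguishedName and userPrincipalName, is shown in the following added Python example. It is not octoplant code; the sample entry and all attribute values are constructed for the example, and the page gives no default attribute for the email address, so that field is left to the caller's mapping.

```python
from __future__ import annotations

import re

# Default attribute mapping from the "Imported user attributes" table.
DEFAULT_MAPPING = {
    "name": "sAMAccountName",
    "full_name": "displayName",
    "telephone": "telephoneNumber",
    "comment": "description",
}

# Constructed sample entry; all values are invented for this example.
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe",
    "displayName": "Jane Doe",
    "telephoneNumber": "+49 30 1234567",
    "description": "Engineering",
    "distinguishedName": "CN=UserName,OU=Development,OU=UserAccounts,OU=Organization,"
                         "OU=Company,DC=subDomain,DC=Domain,DC=local",
    "userPrincipalName": "user@subdomain.domain.local",
}


def first_dc_component(distinguished_name: str) -> str | None:
    """Return the value of the first DC= component, i.e. the most specific (sub-)domain."""
    for rdn in re.split(r"(?<!\\),", distinguished_name):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "DC":
            return value.strip()
    return None


def derive_domain(entry: dict[str, str], netbios_domain: str | None = None,
                  domain_attribute: str | None = None) -> str:
    """Apply the "Domain" rule of the table.

    domain_attribute is None -> checkbox cleared: the NetBIOS domain name is entered.
    domain_attribute is set  -> checkbox set: the attribute value is used, except that for
                                distinguishedName and userPrincipalName only the first
                                (sub-)domain found is taken.
    """
    if domain_attribute is None:
        if not netbios_domain:
            raise ValueError("NetBIOS domain name required when no domain attribute is used")
        return netbios_domain
    value = entry.get(domain_attribute, "")
    if not value:
        raise ValueError(f"attribute {domain_attribute!r} is empty or missing")
    if domain_attribute == "distinguishedName":
        dc = first_dc_component(value)
        if dc is None:
            raise ValueError("distinguishedName has no DC= component")
        return dc
    if domain_attribute == "userPrincipalName":
        _, at, realm = value.partition("@")
        if not at or not realm:
            raise ValueError("userPrincipalName has no @realm part")
        return realm.split(".")[0]
    return value


def map_ad_user(entry: dict[str, str], netbios_domain: str | None = None,
                domain_attribute: str | None = None,
                mapping: dict[str, str] = DEFAULT_MAPPING) -> dict[str, str]:
    """Build the octoplant user fields from an AD entry according to the attribute mapping."""
    user = {field: entry.get(attribute, "") for field, attribute in mapping.items()}
    if not user.get("name"):
        raise ValueError(f"entry has no {mapping['name']!r}; a user needs a name")
    user["domain"] = derive_domain(entry, netbios_domain, domain_attribute)
    return user


if __name__ == "__main__":
    print(map_ad_user(SAMPLE_ENTRY, netbios_domain="VDNS"))
    print(map_ad_user(SAMPLE_ENTRY, domain_attribute="userPrincipalName"))
```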
Imported group attributes¶
Element | Description | Example |
---|---|---|
Name: | Attribute from the Active Directory that is used as the group name in octoplant. When importing, the name of a group is set according to the value of the attribute from the Active Directory. | cn |
Comment: | Attribute from the Active Directory that is used as the group comment in octoplant. When importing, the comment of a group is set according to the value of the attribute from the Active Directory. | description |
Import options¶
Element | Description |
---|---|
Action to take for the groups entered in the field DN "All Users": | Import users (do not import groups or memberships): only users are imported from the AD; groups and memberships are not imported. Import users and groups and memberships: groups specified by users (these must be groups, not OUs) are imported into octoplant, and users are assigned to their respective groups. Import users and first level subgroups and memberships (default): allows adding or removing groups in the AD without adjusting the configuration in octoplant. |
Action to take if user/group already exists in octoplant | Program behavior if users/groups to be imported already exist in octoplant. Options: Overwrite this user/group in octoplant (retain rights): users/groups that already exist in octoplant are overwritten during import with the values of the elements of the same name from the Active Directory. Skip this Active Directory user/group: users/groups existing in octoplant are not overwritten during import with the values of the elements of the same name from the Active Directory. |
Action to take if user/group no longer exists in the Active Directory: | Program behavior if users/groups to be imported no longer exist in the Active Directory. Options: Remove write-protection and block user: users/groups existing in octoplant remain, but the users are locked. Remove write-protection: users/groups existing in octoplant remain without restrictions. Delete: users/groups existing in octoplant are deleted. |
Daily automatic import at: | Time for the start of the daily automatic import (full hours can be selected) |
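The two "Action to take" options decide what a single import run does to every account, and their interplay is easiest to see over a small set of users. The following is an added Python model of that reconciliation, not octoplant code: it assumes that an imported user carries a write-protection flag (the page names the flag but does not define it) and that every octoplant user absent from the AD counts as "no longer exists"; rights are not modelled, so "overwrite" only touches the imported fields.

```python
from __future__ import annotations

from dataclasses import dataclass

# Option names follow the "Import options" table.
EXISTING_ACTIONS = ("overwrite_retain_rights", "skip")
MISSING_ACTIONS = ("remove_protection_and_block", "remove_protection", "delete")


@dataclass
class OctoplantUser:
    name: str
    full_name: str = ""
    # Assumption for this model: an imported user is write-protected until the
    # "no longer exists" action removes that protection.
    write_protected: bool = True
    locked: bool = False


def sync_users(ad_users: dict[str, dict[str, str]], octoplant_users: dict[str, OctoplantUser],
               existing_action: str, missing_action: str) -> dict[str, str]:
    """Apply one import run to octoplant_users in place and return what happened per account.

    ad_users maps the AD user name to the already mapped octoplant fields (see the user
    attribute table); octoplant_users is the current state before the run.
    """
    if existing_action not in EXISTING_ACTIONS or missing_action not in MISSING_ACTIONS:
        raise ValueError("unknown import option")
    outcome: dict[str, str] = {}

    # Accounts delivered by the AD: create new ones, overwrite or skip existing ones.
    for name, fields in ad_users.items():
        if name in octoplant_users:
            if existing_action == "overwrite_retain_rights":
                octoplant_users[name].full_name = fields.get("full_name", "")
                outcome[name] = "overwritten (rights retained)"
            else:
                outcome[name] = "skipped (kept as in octoplant)"
        else:
            octoplant_users[name] = OctoplantUser(name, fields.get("full_name", ""))
            outcome[name] = "created"

    # Accounts present in octoplant but no longer delivered by the AD.
    for name in [n for n in octoplant_users if n not in ad_users]:
        user = octoplant_users[name]
        if missing_action == "delete":
            del octoplant_users[name]
            outcome[name] = "deleted"
        else:
            user.write_protected = False
            if missing_action == "remove_protection_and_block":
                user.locked = True
                outcome[name] = "write-protection removed, user locked"
            else:
                outcome[name] = "write-protection removed"
    return outcome


if __name__ == "__main__":
    # Constructed sample data for a dry run.
    ad = {"jdoe": {"full_name": "Jane Doe"}, "msmith": {"full_name": "Max Smith"}}
    state = {"jdoe": OctoplantUser("jdoe", "J. Doe"), "gone": OctoplantUser("gone")}
    for name, what in sync_users(ad, state, "overwrite_retain_rights", "remove_protection_and_block").items():
        print(f"{name}: {what}")
```

Running the model with "skip" and "delete" against the same input shows the trade-off the table implies: a stale local account disappears on the next run, while a deliberately edited one is never refreshed from the AD.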
Additional information¶
Much of the information required for the Active Directory connection can be found quickly and easily using a tool for managing the Active Directory. One such tool is the Active Directory Explorer from Microsoft. If the port is explicitly specified, the SSL connection can also be checked.
Example:
The following screenshot shows which information for the configuration of the Active Directory connection for importing the group Club27 from the Users folder can be found via the Active Directory Explorer. Related information can be recognized by the same number.
FAQ¶
The SSL-encrypted connection to the Active Directory server fails with an error message.
Check whether the name in the certificate matches the name in the request.
In the above example, the IP address was used instead of the computer name FS-2019 during configuration. Since only the name FS-2019 is stored in the certificate, the error displayed occurs. To correct the error, enter the computer name FS-2019 in the address field.
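The mismatch described in this answer can be reproduced without the dialog. The following added Python example (not octoplant code) retrieves the server certificate over LDAPS with the chain still verified against the machine's trusted roots, and then performs the name check itself so that it can say exactly which name the certificate carries and which address was configured. The certificate dictionary used for the offline demonstration is constructed to mirror the FAQ case and uses the `ssl.getpeercert()` layout.

```python
from __future__ import annotations

import ipaddress
import socket
import ssl

# Constructed to mirror the FAQ: the certificate only carries the name FS-2019.
EXAMPLE_CERT = {
    "subject": ((("commonName", "FS-2019"),),),
    "subjectAltName": (("DNS", "FS-2019"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; one leftmost wildcard label (*.example) is honoured."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return pattern[2:] == hostname.split(".", 1)[1]
    return False


def certificate_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_addresses) from a getpeercert()-style dict.

    The subject CN is only consulted when the certificate has no subjectAltName at all.
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns.append(value)
    return dns, ips


def hostname_matches(cert: dict, address: str) -> bool:
    """True if the configured address (name or IP) is covered by the certificate."""
    dns, ips = certificate_names(cert)
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return any(_dns_name_matches(pattern, address) for pattern in dns)
    return any(ipaddress.ip_address(candidate) == ip for candidate in ips)


def explain(cert: dict, address: str) -> str:
    """One-line diagnosis for the FAQ case: what was configured versus what the certificate says."""
    if hostname_matches(cert, address):
        return f"{address} matches the server certificate"
    dns, ips = certificate_names(cert)
    names = ", ".join(dns + ips) or "(no names)"
    return (f"configured address {address!r} is not among the certificate names {names}; "
            f"enter one of those names in the Address field")


def fetch_ldaps_certificate(address: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Connect over TLS and return the peer certificate as a dict.

    The chain is verified against the trusted roots (CERT_REQUIRED stays set); only the
    hostname check is disabled so that hostname_matches() can report the mismatch in words.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=address) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(explain(EXAMPLE_CERT, "10.0.201.1"))
    print(explain(EXAMPLE_CERT, "FS-2019"))
```

If `fetch_ldaps_certificate` raises a verification error before any certificate is returned, the chain rather than the name is the problem, which is the situation covered by the next question on importing the root certificate.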
How can I import a certificate on the octoplant server or check its availability?
A root certificate identifies a certification authority (CA). With this root certificate, a CA signs one or several subordinate certificates, which sign the SSL certificates of the end users.
The root certificate must be imported to the octoplant server. To do this, double-click on the exported certificate and store it under Trusted root certification authorities.
To display the certificate, press Win + R and enter certmgr.msc (or certlm.msc) in the Run dialog.