Quick Active Directory and OpenLDAP User Guide

(Versions 7+)

Introduction

This guide describes creating an integrated connection to Active Directory or OpenLDAP from Password Server. Users and Groups can be imported and synchronized to be used in the Password Server application.


Adding a User Directory

The first step is to add a user directory entry in:

On this page, you can create a new entry by pressing:

A directory page will open with default values appropriate for the type of directory you selected. Review these values to make sure they fit your environment; they can be edited later if changes are required.

Most fields will display a pop-up help item when you either select the text field or mouse over the "?" icon.

Edit Directory

Name: This is a name for the directory which will be used elsewhere in Password Server to refer to this directory connection.

Connection

Authentication Type: The authentication method used when connecting to the directory server.

Alias: The directory identifying portion of a fully-qualified username (user@alias). This is used to resolve conflicts with local users or users from multiple directories.

Host: The host name or address of the directory server. This may be a specific machine name or IP address, or a DNS entry that resolves to a directory server. This value is used to connect to the directory service.

Port: The port number to use when connecting to the directory server.

Use SSL: Connecting over TLS/SSL requires that the directory server present a valid TLS/SSL certificate.

Directory Credentials

Select the credentials to use when connecting to the directory server for administrative operations, either:

A) using the system or anonymous credentials, or
B) specifying credentials by entering an admin User Name and Password

Use the web server's credentials:

Use the following credentials:

Note: Pleasant Password Server does not currently support logging in with a User Principal Name (UPN). Until it does, use a sAMAccountName instead.

Import

All users and roles can be granted access to Password Server by adding them as members of a Security Group (recommended) and filtering on group membership. However, this is not required when using the basic directory settings.

Auto Import: When this is checked, a user is imported into the system automatically the first time they log in. Enabling this option requires that Password Server be able to connect to the directory server to search for users.

The system will look for users from the following directory locations:

Allow Password Changes (Enterprise+): Setting this enables setting user passwords in the connected directory. For this to work, the Admin User Name and Admin Password must specify a user that has permission to set passwords in the directory.

Base Distinguished Name: This field is used as the base path from which to import users and groups. We then recommend filtering on group membership.

If the path is left empty, the root naming context for the directory will be used.

Advanced Settings

For testing or for smaller and more basic directory structures (which have users and groups in one location), it may not be necessary to use the advanced options, and to:

However, once a connection with the directory is established, using the advanced settings is usually recommended for performance and ease of use.

The options are listed below.

Connecting with Basic Directory Structures

Connecting with Advanced Directory Structures

Settings

Adding values in User Relative DN and Group Relative DN narrows the scope of the directory search.

User Relative DN: This field is used with the Base Distinguished Name to specify the path from which to import users.

Group Relative DN: This field is used with the Base Distinguished Name to specify the path from which to import groups. For example, if your Base Distinguished Name is "OU=MainBranch,DC=srv,DC=mydomain" then:

Also Assign Roles from User's Nested Groups (v7.4.0+): Enabled by default. When enabled, users inherit membership in AD/LDAP groups that have been imported as Roles, in the same manner that membership is inherited in the directory.

Connecting with Multiple Domains and AD Forests

Password Server is capable of connecting with multiple domains and forests; the following are some options.


Search Filters

Search filters help narrow down the scope of the directory search for Users or Groups, and may provide better manageability and performance.

Recommended User/Role Filter

For more details: see AD User Filter for Group Membership
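As an added illustration (not part of the product documentation), the following shows how the Base Distinguished Name and the Relative DN fields combine into search bases, and how a group-membership user filter of the kind referred to above can be built. The base DN is taken from the example on this page; the OU and group names are constructed, and the filter syntax shown is the author's illustration, not the vendor's recommended filter.

```python
# Added example: composing LDAP search bases and group-membership filters
# from the directory settings described on this page.  Sample DNs and the
# group name are constructed values.

AD_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # Active Directory nested-membership rule


def join_dn(relative_dn: str, base_dn: str) -> str:
    """Prefix a relative DN (e.g. 'OU=Users') to the Base Distinguished Name.
    An empty relative DN means the search starts at the base itself."""
    parts = [p for p in (relative_dn.strip(), base_dn.strip()) if p]
    return ",".join(parts)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Escaping stops a group name or DN containing '*', '(', ')' or '\\'
    from changing the meaning of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter_for_group(group_dn: str, nested: bool = False) -> str:
    """Filter matching user objects that are members of group_dn.
    With nested=True the AD matching-rule-in-chain OID is used so that
    members of nested groups are matched as well (Active Directory only)."""
    attr = "memberOf"
    if nested:
        attr = "memberOf:%s:" % AD_MATCHING_RULE_IN_CHAIN
    return "(&(objectCategory=person)(objectClass=user)(%s=%s))" % (
        attr, escape_filter_value(group_dn))


def group_filter_for_name(group_name: str) -> str:
    """Filter matching a single group by its common name."""
    return "(&(objectClass=group)(cn=%s))" % escape_filter_value(group_name)


if __name__ == "__main__":
    base = "OU=MainBranch,DC=srv,DC=mydomain"          # from the page
    user_base = join_dn("OU=Users", base)                # constructed OU
    group_base = join_dn("OU=Groups", base)              # constructed OU
    group = "CN=PasswordServer Users," + group_base      # constructed group
    print("users searched under :", user_base)
    print("groups searched under:", group_base)
    print("user filter          :", user_filter_for_group(group))
    print("nested user filter   :", user_filter_for_group(group, nested=True))
```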

Importing Groups & Users

First import your Groups, which will create the Groups from your directory as "Roles".

Then, as your users are imported, the application will automatically assign the Roles to match the assignments in the directory. Note, however, that it is not necessary to do this in this order.

Importing Groups

Groups can be imported by:

Importing Users

Users can be imported by:

You may then need to enter credentials with which to connect to the directory server, unless default credentials were entered during directory setup.

Note: Active Directory searches return a maximum of 1000 objects (i.e. users or groups). Either narrow your Directory connection or your Search Filters so that fewer than 1000 results are returned, or use Ntdsutil.exe to configure a larger MaxPageSize.

Import Settings

Enter Credentials: For the import pages, various username formats are accepted, including UPN format (username@domain). Including the domain may be necessary for directories with multiple domains or a forest. For more specific information, see the troubleshooting page: Unable to Bind.

Change Filters & Directory Settings: By default, the list is filtered based on the Directory settings specified under "Adding a User Directory". Selecting Change Filters lets you use custom search options to narrow down the scope of the items in this list.

Get Groups List: Pressing this button will attempt to query and show a list of groups which are available for import.

Get Users List: Pressing this button will attempt to query and show a list of users which are available for import.

Troubleshooting:

If you are encountering Bind errors, empty Search Results, or other errors:

Automatic Directory Synchronization

Configure Password Server to synchronize to the User Directory from:

Automatic Directory Sync for MyConnection

Sync Schedule:

Health Check Schedule:

Send Email Alert on Failure:

Recipient Roles / Users:

Directory synchronization also happens at other times, for example at user login and when administrators perform manual updates. For more information, continue to the section below.

User Login

Various User Name formats are accepted at login. See the possible Username Formats below.

Auto-Import users: must first log in using the Web application.

For multiple users with the same username: the user will need to qualify their username with the Alias specified in the directory settings, as otherwise it may be ambiguous which user is being referenced.

Synchronization

Group membership and other directory fields will be synchronized when:

Manual synchronization: can be triggered for all directory users by an Administrator, from Manage Users & Roles, either:

Username Formats

Various username formats are accepted at login. Note that the import page also accepts UPN format.

Note: Pleasant Password Server does not currently support logging in with a User Principal Name (UPN).
Until it does, use:

  • sAMAccountName instead (username, domain\username).
  • Set the "Alias" field in your Directory settings to be the same as your domain, for example:
    • username@alias = username@domain
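As an added example (not from the product documentation), the following resolves a login name in the accepted formats (username, domain\username, username@alias) to one connected directory, and shows why a bare username that exists in more than one directory is ambiguous and must be qualified with the Alias. The directory aliases and account names are constructed sample data, and the resolution logic is the author's illustration, not the product's implementation.

```python
# Added example: resolving login names that may be qualified with a directory
# alias.  The alias -> account mapping below is constructed sample data.

DIRECTORIES = {
    "corp.example": {"jsmith", "alee"},   # alias set equal to the domain name
    "lab.example": {"jsmith"},            # a second directory with a duplicate
    "local": {"admin"},                   # local (non-directory) accounts
}


def parse_login(name: str):
    """Split a login name into (username, alias).
    Accepts 'user@alias', 'alias\\user' and a bare 'user' (alias None).
    Names are lower-cased because sAMAccountName matching is case-insensitive."""
    name = name.strip().lower()
    if "@" in name:
        user, alias = name.rsplit("@", 1)
        return user, alias
    if "\\" in name:
        alias, user = name.split("\\", 1)
        return user, alias
    return name, None


def candidates(user: str, directories=DIRECTORIES):
    """Aliases of every directory that knows this username."""
    return sorted(alias for alias, users in directories.items() if user in users)


def resolve(name: str, directories=DIRECTORIES):
    """Return (username, alias) when the login name maps to exactly one
    directory account.  A bare username is accepted only if a single
    directory knows it; otherwise the caller must qualify it with @alias."""
    user, alias = parse_login(name)
    if alias is not None:
        if user not in directories.get(alias, set()):
            raise LookupError("no user %r in directory %r" % (user, alias))
        return user, alias
    found = candidates(user, directories)
    if len(found) == 1:
        return user, found[0]
    if not found:
        raise LookupError("no directory knows user %r" % user)
    raise LookupError("ambiguous user %r: exists in %s; qualify it with @alias"
                      % (user, ", ".join(found)))


if __name__ == "__main__":
    for login in ("alee", "jsmith@lab.example", "CORP.EXAMPLE\\jsmith", "jsmith"):
        try:
            print(login, "->", resolve(login))
        except LookupError as err:
            print(login, "->", err)
```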


Editing Distinguished Name (Versions 7.3.7 & Earlier)

(No longer necessary in Versions 7.4.0+)

Changes to your AD/LDAP structure may cause Users and Roles in Password Server to become un-synced from their AD/LDAP counterparts.

To correct this issue for a User, go to Users & Roles > Manage Users and click the [Edit] link next to the name of the user that has become un-synced.

Update the User's Distinguished Name to match your AD/LDAP, then click Save.

To correct this issue for a Role, go to Users & Roles > Manage Roles, find the Role that has become un-synced and click Actions > Set Distinguished Name.

Update the Role's Distinguished Name to match your AD/LDAP, then click Save.

(Screenshot: Set Distinguished Name popup)