Updated on 2024-12-30 GMT+08:00

Integrating AD

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It provides single sign-on (SSO) and multi-factor authentication (MFA) to help protect users from cybersecurity attacks. OneAccess can import user and organization information from AD and keep it synchronized in real time over LDAPv3.

This section describes how to integrate AD with OneAccess.

Configuration Process

Prerequisites

  • You have administrator permissions for the AD platform in your enterprise.
  • You have permissions to access the administrator portal.
  • Your AD platform can be connected to the OneAccess administrator portal.
  • You know how to obtain parameters of the AD platform and how to use this platform.

Adding an AD Identity Source in OneAccess

Configure parameters of the AD identity source so that OneAccess can synchronize data from it.

  1. Add an identity source in OneAccess.

    1. Log in to the administrator portal.
    2. On the top navigation bar, choose Users > Identity Sources.
    3. On the Identity Sources page, click Add Identity Source in the Operation column of the row that contains AD, enter an identity source name, and click OK.

  2. Configure the import settings.

    1. In the AD identity source list, click View Details in the row that contains the target identity source.

    2. Click the Import Settings tab, set import parameters, and click OK.
      • Basic Settings: Connection parameters for the AD server that OneAccess connects to.
        Table 1 Basic settings (* indicates a mandatory parameter)

        * Host
          Host name or IP address of the AD server.

        * TCP Port
          TCP/IP port of the AD server. The default port is 389.
          NOTE: OneAccess reaches your AD server only over the public network. Provide the public network address of the server and open port 389.

        SSL
          Default value: true, meaning that SSL is used to connect to the AD server.

        StartTLS
          Whether to use StartTLS for encrypted communication.
          • true: StartTLS is enabled. In this case SSL cannot be set to true.
          • false: StartTLS is disabled.

        Certificate Verification
          Whether to verify the server certificate. This parameter takes effect only when SSL or StartTLS is set to true. true: verify the certificate; false: do not verify it. The certificate must be issued by a CA that is trusted on the public network; self-signed certificates cannot be used.

        Protocol Version
          Default value: TLSv1.2. Recommended: TLSv1.3 and TLSv1.2.

        Principal
          Identity used to authenticate to the AD server. Specify an account that has read permission on the AD domain. Include the domain name, for example admin@test.com or TEST\admin.

        * Password
          Password of the principal account.

        * Base Contexts
          One or more root nodes in the AD tree (for example, OU=huaweitest,DC=test,DC=com) from which AD users are synchronized.

        * UID Attribute
          Name of the AD attribute that is mapped to the UID attribute.

        * Account Object Class
          One or more object classes used when a new user object is created in the AD tree. Enter each object class on its own line; do not separate them with commas (,) or semicolons (;). Some object classes may require you to specify every object class in their class hierarchy.

      • Optional Settings: Whether to synchronize passwords, which password attributes to synchronize, and the account and organization object classes. Modify these settings if a synchronization error occurs; for most parameters the default settings can be retained.
        Table 2 Optional settings

        Domain
          Domain names to be stripped from the username retrieved from AD. Separate multiple domain names with commas (,). By default, the username excludes the domain name.

        Account Username Attribute
          One or more attributes that hold the account username. During authentication, these attributes are used to find the AD entry for the username being authenticated.

        Organization Object Class
          One or more object classes used when a new organization object is created in the AD tree. Enter each object class on its own line; do not separate them with commas (,) or semicolons (;). Some object classes may require you to specify every object class in their class hierarchy.

        Organization Name Attribute
          One or more attributes that hold the organization name. During authentication, these attributes are used to find the AD entry for the organization name being authenticated.

        Failover Servers
          Servers to use for failover when the preferred server fails; JNDI connects to the next available server in the list. List each server as an LDAP URL such as ldap://ldap.example.com:389/ (the LDAP v3 URL format described in RFC 2255). Only the host and port parts of the URL are used.

        Password Attribute
          Name of the AD attribute that stores passwords. When a user's password is changed, the new password is written to this attribute.

        AD Filter
          Optional AD filter that controls which accounts are returned from the AD resource. If no filter is specified, only accounts that contain all of the specified object classes are returned.

        Password Hash Algorithm
          Algorithm the identity system uses to hash passwords. SSHA, SHA, SMD5, and MD5 are currently supported. A null value means the system does not hash the password; unless the LDAP server hashes it (Netscape Directory Server and iPlanet Directory Server do), passwords are then stored in AD in plaintext.

        Preferentially process the change of the resource password policy after reset
          If this resource is specified in the login module (that is, it is the target of pass-through authentication) and its password policy requires a change after reset, users whose resource account password was reset for administrative purposes must change the password after they authenticate successfully.

        Use VLV Controls
          Whether to force the use of the VLV (virtual list view) control rather than the standard control. Default value: false.

        VLV Sort Attribute
          Attribute used to sort the VLV index on the resource.

        Read Schema
          If TRUE, the connector reads the schema from the server. If FALSE, the connector provides a default schema based on the object classes in the configuration. To use extended object classes, this attribute must be TRUE.

        Basic Contexts to Synchronize
          One or more starting points in the AD tree used to decide whether a change should be synchronized. If not set, Base Contexts is used for synchronizing changes.

        Object Class to Synchronize
          Object classes to synchronize. The change log covers all objects; updates are filtered by the listed object classes. Do not list the superclasses of an object class unless you want to synchronize every object that has that superclass. For example, to synchronize only "inetOrgPerson" objects and filter out their superclasses ("person", "organizationalperson", and "top"), list only "inetOrgPerson". Every object in AD derives from "top", so "top" must never be listed; otherwise nothing is filtered out.

        Attribute to Synchronize
          Names of the attributes to synchronize. When set, change log updates that touch none of the named attributes are ignored. For example, if only "department" is listed, only changes that affect "department" are processed. If left blank (the default), all changes are processed.

        AD Filter for Accounts to Synchronize
          Optional AD filter applied during synchronization. Because the change log covers all objects, this filter restricts processing to objects that match it. When a filter is specified, an object is synchronized only if it matches the filter and has one of the object classes to synchronize.

        Change Log Block Size
          Number of change log entries fetched by each query.

        Change Number Attribute
          Name of the attribute that holds the change number of a change log entry.

        Filter with Or Instead of And
          By default, the filter that fetches change log entries selects the required range of changes with an AND condition. If this attribute is set, an OR condition is used for the required change numbers instead.

        Remove Log Entry Object Class from Filter
          If set (the default), the filter that fetches change log entries does not include the "changeLogEntry" object class, because the change log should contain no entries of other object classes.

        Password Attribute to Synchronize
          Name of the password attribute to synchronize.

        Status Management Class
          Class used to manage the enabled/disabled status. If no class is specified, identity status management cannot be performed.

        Whether to search for passwords
          Whether to retrieve the user password during searches. Default value: No.

        DN attribute
          Name of the DN attribute of an entry. The default value is entryDN.

        AD Filter (groups)
          Optional AD filter that controls which groups are returned from the AD resource. If no filter is specified, only groups that contain all of the specified object classes are returned.

        Read Timeout (ms)
          Time to wait for a response. If no response arrives within this time, the read is aborted. A value of 0 or less means no limit.

        Connection Timeout (ms)
          Time to wait when opening a new server connection. 0 means the TCP network timeout is used, which may be several minutes. A negative value means no limit.

        Account DN Prefix
          Default value: cn. You can set it to another attribute name to use as the DN prefix, such as uid.

      • Advanced Settings: Policies for mapping higher-level organizations, organizations, and users.
        Table 3 Advanced settings

        Enable timer for recycling
          Whether to enable scheduled reclamation. If enabled, the reclamation task runs at the specified time every day.

        Timer frequency
          Fixed: one day.
          NOTE: Displayed only when scheduled reclamation is enabled.

        Select a recycling start time
          Reclamation start time, chosen from the drop-down list.
          NOTE: Required only when scheduled reclamation is enabled.

        Organization
          Parent organization in OneAccess under which organizations synchronized from AD are placed. If not set, a new top-level organization is created automatically.

        Organization Matching
          Mapping between enterprise AD organizations and OneAccess organizations, used when OneAccess synchronizes organizations from AD. For example, if OneAccess has an organization attribute Code and your AD has a similar attribute Organization Code, organizations in AD are mapped to OneAccess and their AD codes become organization codes in OneAccess.

        Create Organization
          Enabled by default: OneAccess automatically creates organizations that match no existing OneAccess organization. Keep this option enabled to preserve data integrity.

        Update Organization
          Enabled by default: OneAccess organizations that match organizations synchronized from the identity source are updated. Keep this option enabled to preserve data accuracy.

        Delete Organization
          After organization data has been synchronized from AD to OneAccess, when organizations are deleted in AD, OneAccess compares the number of deleted organizations with the configured deletion threshold. If the ratio of deleted organizations to the total number of records synchronized last time is greater than the threshold, the deletion fails; if the ratio is less than the threshold, the deletion succeeds.

        User Matching
          Mapping between AD users and OneAccess users, used when OneAccess synchronizes users from the enterprise AD. For example, if OneAccess has a user attribute User ID and your AD has a similar attribute Employee ID, users in AD are mapped to OneAccess and their AD employee IDs become user IDs in OneAccess.

        Create User
          Enabled by default: OneAccess automatically creates users who match no existing OneAccess user. Keep this option enabled to preserve data integrity.

        Update User
          Enabled by default: OneAccess users who match users synchronized from the identity source are updated. Keep this option enabled to preserve data accuracy.

        Delete User
          After AD user data has been synchronized to OneAccess, when users are deleted in AD, OneAccess compares the number of deleted users with the configured deletion threshold. If the ratio of deleted users to the total number of users synchronized last time is greater than the threshold, the deletion fails; if the ratio is less than the threshold, the deletion succeeds.

        Disable User Threshold Adjustment
          Default value: 20%. This is a customizable protection mechanism provided by the platform: when the number of records disabled or deleted by the upstream identity source application exceeds the threshold, the platform does not disable or delete those records in OneAccess after receiving the instruction.

  3. (Optional) Set the object models.

    Click the Object Models tab on the identity source details page. Then add, modify, or delete users and organization attributes and mapping rules.
    Table 4 Object model

    User
      Attributes: User attributes in the AD identity source.
      Mappings: Data conversion rules for synchronizing user data from AD to OneAccess. Script-based conversion is supported.

    Organization Object
      Attributes: Organization attributes in the AD identity source.
      Mappings: Data conversion rules for synchronizing organization data from AD to OneAccess. Script-based conversion is supported.

    • Add an attribute.
      1. On the Attribute tab page, click Add. The Add Attribute dialog box is displayed.
      2. Select the optional attributes of the identity source, and enter the display tag and description.
      3. Select a type. When Type is set to Text, you also need to set Format.
      4. Set whether the attribute is mandatory and click OK. The attribute is added.
    • Set the mapping rule.

      On the Mapping Definition tab page, click Modify. Set the conversion mode, script expression mode, execution mode, and system user for the mapping rule.
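Several rows in Table 1 and Table 2 are constraints that are easy to get wrong before the first import: SSL and StartTLS are mutually exclusive, Certificate Verification only matters when one of them is on, Failover Servers are LDAP URLs of which only host and port are used, superclasses (and "top") must not appear in Object Class to Synchronize, and the effective account search is "all listed object classes" ANDed with the optional AD Filter. The following is an added example that checks those rules offline; it is not OneAccess code, and the argument names, the small superclass map built from the page's inetOrgPerson example, and the sample values are all constructed for illustration.

```python
"""Offline checks for the Table 1 and Table 2 import settings.

Added example, not OneAccess code. The argument names mirror the table labels
(SSL, StartTLS, Certificate Verification, Protocol Version, Failover Servers,
Account Object Class, AD Filter, Object Class to Synchronize); how OneAccess
stores these fields internally is not documented and is not assumed here.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Superclass map for the page's own example (inetOrgPerson -> organizationalPerson
# -> person -> top). Constructed here; extend it for other schema classes.
SUPERCLASSES = {
    "inetOrgPerson": {"organizationalPerson", "person", "top"},
    "organizationalPerson": {"person", "top"},
    "person": {"top"},
}


def check_transport(ssl: bool, start_tls: bool, verify_cert: bool, protocol: str) -> List[str]:
    """Return the Table 1 transport constraints that the given settings violate."""
    problems = []
    if ssl and start_tls:
        problems.append("StartTLS=true requires SSL=false")
    if not ssl and not start_tls:
        # A simple bind on port 389 without SSL or StartTLS sends the
        # principal's password in cleartext, here across the public network.
        problems.append("neither SSL nor StartTLS is enabled: bind credentials travel in cleartext")
    if verify_cert and not (ssl or start_tls):
        problems.append("Certificate Verification only takes effect when SSL or StartTLS is true")
    if (ssl or start_tls) and not verify_cert:
        problems.append("Certificate Verification=false: the AD server's identity is not checked")
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"Protocol Version {protocol!r} is not recommended; use TLSv1.2 or TLSv1.3")
    return problems


def parse_failover_servers(urls: List[str]) -> List[Tuple[str, int]]:
    """Extract (host, port) from 'ldap://host:port/' entries; only those parts matter for failover."""
    servers = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            raise ValueError(f"not an LDAP URL: {url!r}")
        # Standard defaults when the URL omits the port: 389 for ldap, 636 for ldaps.
        servers.append((parts.hostname, parts.port or (636 if parts.scheme == "ldaps" else 389)))
    return servers


def superclasses_listed(sync_classes: List[str]) -> List[str]:
    """Return entries of Object Class to Synchronize that would let every subclass through."""
    offending = set()
    for cls in sync_classes:
        if cls == "top" or any(cls in SUPERCLASSES.get(other, ()) for other in sync_classes if other != cls):
            offending.add(cls)
    return sorted(offending)


def account_search_filter(object_classes: List[str], ad_filter: Optional[str] = None) -> str:
    """Build the search filter implied by Account Object Class plus the optional AD Filter:
    every listed object class must match, ANDed with the filter when one is given."""
    clauses = [f"(objectClass={oc})" for oc in object_classes]
    if ad_filter:
        clauses.append(ad_filter if ad_filter.startswith("(") else f"({ad_filter})")
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    print(check_transport(ssl=True, start_tls=True, verify_cert=True, protocol="TLSv1.2"))
    print(parse_failover_servers(["ldap://ldap.example.com:389/", "ldaps://backup.example.com/"]))
    print(superclasses_listed(["inetOrgPerson", "person", "top"]))
    print(account_search_filter(["person", "inetOrgPerson"], "(department=IT)"))
```

Run it before saving the import settings: an empty list from check_transport and superclasses_listed means the Table 1 transport combination and the synchronization object classes are consistent with the rules above, and the printed filter shows exactly which entries the import will return.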

Verifying Synchronization of AD Data

  • Synchronization via import
    1. In the AD identity source list, click View Details in the row that contains the target identity source. Click the Synchronization tab, and click Execute. OneAccess synchronizes user and organization data from the AD identity source, and generates operation records.
    2. Click View Details in the row that contains the target record to view details.
      Figure 1 Viewing details
    3. View the synchronized users and organizations on the Organizations and Users page.
      Figure 2 Viewing synchronized data
  • Scheduled synchronization: If you have configured the time for scheduled synchronization in the Advanced Settings section of the Import Settings tab page, view the records on the Scheduled Synchronization page.
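What an execution of the Synchronization tab does with the Create/Update/Delete options and the deletion threshold of Table 3 is easiest to see on a small data set. The following is an added example, not OneAccess code: it replays one import over the records synchronized last time, blocks deletions when their ratio exceeds the threshold (default 20%, as on the page), and returns an operation record. Record keys stand for the User Matching attribute (for example Employee ID mapped to User ID); the record layout, the operation-record fields, and the choice to allow a ratio exactly equal to the threshold (the page specifies only the greater-than and less-than cases) are assumptions, and the sample users are constructed.

```python
"""Simulated synchronization run with the Table 3 deletion-threshold protection.

Added example, not OneAccess code. Records are keyed by the matching attribute
chosen under User Matching (for example, Employee ID mapped to User ID); the
record layout and the returned operation record are assumptions, as is treating
a ratio exactly equal to the threshold as allowed.
"""
from typing import Dict, Tuple

Record = Dict[str, str]


def run_sync(store: Dict[str, Record], ad_records: Dict[str, Record], threshold: float = 0.20,
             create: bool = True, update: bool = True, delete: bool = True) -> Tuple[Dict[str, Record], dict]:
    """Apply one import of ad_records onto store (the records synchronized last time).

    Returns the new store and an operation record listing what was created,
    updated and deleted, and whether deletions were blocked by the threshold.
    """
    created = [k for k in ad_records if k not in store]
    changed = [k for k in ad_records if k in store and ad_records[k] != store[k]]
    removed = [k for k in store if k not in ad_records]

    # Ratio of deleted records to the total synchronized last time (Delete User /
    # Delete Organization). Above the threshold the whole deletion fails; creates
    # and updates in the same run are still applied.
    ratio = len(removed) / len(store) if store else 0.0
    delete_blocked = delete and bool(removed) and ratio > threshold

    new_store = dict(store)
    if create:
        for k in created:
            new_store[k] = dict(ad_records[k])
    if update:
        for k in changed:
            new_store[k] = dict(ad_records[k])
    if delete and not delete_blocked:
        for k in removed:
            del new_store[k]

    record = {
        "created": created if create else [],
        "updated": changed if update else [],
        "deleted": removed if delete and not delete_blocked else [],
        "delete_ratio": round(ratio, 4),
        "delete_blocked": delete_blocked,
    }
    return new_store, record


def sample_store() -> Dict[str, Record]:
    """Constructed sample: ten users as synchronized by the previous run."""
    return {f"E{i:03d}": {"name": f"user{i}", "department": "IT"} for i in range(10)}


if __name__ == "__main__":
    store = sample_store()
    # Three of ten users vanish from AD at once: 30% > 20%, so the deletion fails.
    bulk = {k: v for k, v in store.items() if k not in ("E001", "E002", "E003")}
    _, rec = run_sync(store, bulk)
    print(rec)
    # Routine run: one leaver (10% < 20%), one attribute change, one joiner.
    routine = dict(store)
    del routine["E001"]
    routine["E002"] = {"name": "user2", "department": "Security"}
    routine["E999"] = {"name": "user999", "department": "IT"}
    new_store, rec = run_sync(store, routine)
    print(rec, len(new_store))
```

The blocked run is the case to look for in the operation records on the Synchronization tab: a sudden drop in the number of users or organizations at the source (a mis-scoped Base Contexts value, a wrong AD Filter, or an upstream incident) shows up as a failed deletion rather than as mass removal of OneAccess accounts.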