LDAP and Active Directory Integration

Owned by Kari Mattsson
2017-06-15
8 min read

Configuring LDAP and Active Directory connectivity enables importing user (device owner) accounts and their associated devices from an LDAP/ADDS service. The integration can also handle user authentication.

The settings are made in Configuration→LDAP/ADDS view. They need to be made for the organisation specifically.

Introduction

The basic features and benefits of the LDAP/ADDS integration are as follows:

  • The LDAP/ADDS server needs to be configured for each organisation
  • An organisation can have both normal users (device owners) and users imported from a LDAP/ADDS service
  • The EMM service always imports both the accounts and devices from the LDAP/ADDS service
  • The EMM service imports the accounts and devices using configured templates
    • The templates are selected based on LDAP/ADDS account's group membership.

Accounts are imported when:

  • a user logs in (on-demand import)
  • a manager performs manual LDAP/ADDS synchronisation
  • scheduled LDAP/ADDS synchronisation takes place.

Users are authenticated either

  • using a random password (generated when account is imported for the first time)
  • by delegating authentication to the configured LDAP/ADDS server.

Prerequisites and recommendations

  • The EMM service connects to the LDAP/ADDS server using the LDAP protocol. This usually means that either port 389/tcp or 636/tcp must be open (dependending whether ssl encryption is used or not).
  • The LDAP/ADDS server can be in DMZ or accessible via VPN tunnel (or through other secure network solution).
  • The EMM service requires read-only access to LDAP/ADDS.
  • If anonymous read-only access is not allowed, the EMM service requires bind username and password.
  • Only the EMM server needs network access to the LDAP/ADDS server. Managed devices do not need to connect to LDAP/ADDS server directly. Below is an image that describes the network connectivity requirements.

Testing environment

It is strongly recommended that you set up a testing environment for LDAP/ADDS integration before configuring any production environments. You should create 10-20 accounts and 2-4 groups to the ADDS server for testing purposes. After creating accounts and groups, log in to the EMM service portal as manager or vendor/master, and proceed with the configuration as described in this article.

Connection Settings

To enable LDAP/ADDS integration, you first need to configure the connection settings. Log in to the EMM service web portal and select Configuration→LDAP/ADDS from the main menu.

Connection settings are configured in the Connection tab. Click Enabled checkbox to activate LDAP/ADDS integration. Below is an image that shows example connection settings.

The screenshot above shows example parameters for a test AD service set up in a local network.

The configuration options are as follows:

LDAP type:

The EMM service supports two different types of LDAP directory servers:

Active Directory Domain Services (AD DS)

Select this if you are using Microsoft ADDS server.

Lightweight Directory Access Protocol (LDAP)

Select this for any other (generic or custom) LDAP server.

Primary server

Hostname of the primary LDAP/ADDS server (at least one server needs to be specified).

Secondary server

Hostname of the secondary LDAP/ADDS server.

Port

The TCP port used for connecting to the primary or secondary server. The port usually depends on the security scheme, as described below. The same port number is used regardless of which server is used.

Security

Security scheme for connection. The supported values are:

NONE

No encryption used.

SSL

Use SSL encryption (usually when Port is 636)

TLS

Use TLS encryption (usually when Port is 389)

AD domain

Active directory domain

Authentication required

Select this if anonymous read-only access is not allowed.

Username

Bind DN to use when the EMM server connects to the LDAP/ADDS server.

Password

Password that matches the bind DN.

Test connection

Use this button to test LDAP/ADDS connection settings (strongly recommended to use after changing connection settings).

Account Import Settings

In the Account import tab, you can configure which accounts will be imported or synchronised from the LDAP/ADDS server to the EMM service, and which account template will be used.

Additionally, you can configure mappings from LDAP attributes to account properties if you selected generic/custom as LDAP type in the Connection settings.

The basic settings are as follows:

Account template (mandatory)

Select which account template will be used when importing accounts from the LDAP/ADDS server.

Account base DN (mandatory)

Search accounts from LDAP/ADDS server that are under the given base DN. Click Browse... to navigate the LDAP tree and select the base DN.

Account search filter (optional)

The LDAP filter to use when searching for accounts. (The default value is usually correct, at least for ADDS.)

Account search scope (optional)

Account search depth under the base DN. (The default value, Subtree, is usually correct.)

LDAP account attribute mappings can only be configured if you select generic/custom as LDAP type. There are no generic guidelines for attribute mappings, you should consult mySync DM helpdesk if plan to configure these.

Note

Note that the Account base DN and Account search filter only define what accounts to consider when importing or synchronising. The actual selection of accounts will be further limited by group mappings, as defined in the Group mapping tab. Only accounts that match both search criteria and group mappings will be imported.

Group mapping settings

Select Group mapping  tab to configure how devices will be created for imported accounts based on their group membership in LDAP/ADDS server. Account can be member of one or more LDAP/ADDS groups. Each (template mapped) group membership will trigger device creation for account (thus, account will have at least one device, possible more). Each group is mapped to one device template that will be used when creating the device. Additionally, each mapped group will be imported to mySync as device group and all created devices will be member of these groups, just like accounts are members of corresponding groups in LDAP/ADDS server.


  • Group base DN: Search groups from LDAP/ADDS server that are below this base DN (mandatory). Press "Browse..." button to navigate LDAP tree and select correct base DN.
  • Group search filter: Use custom LDAP filter when searching for group (optional, default value is usually correct, at least for ADDS).
  • Group search scope:  Group search depth below base DN (default value, Subtree, is usually correct).
  • LDAP group attribute mappings can only be configured if you select generic/custom as LDAP type. There are no generic guidelines for attribute mappings, you should consult mySync DM helpdesk if plan to configure these.

There are three possible group membership policies that apply for all created accounts and devices. Only one of these policies can be active at any time. Group membership policies define what is done when account's membership from LDAP/ADDS group is removed. Available policies are:

  1. Removing user from LDAP/ADDS group also removes device(s) and the user.
  2. Removing user from LDAP/ADDS group performs decommission to user's device(s) before removing them.
  3. Removing user from LDAP/ADDS group only deactivates user and device(s).

Last configuration option is group-to-device template mapping. Press Add button to create new mapping and select desired Device template and ADDS group in the dialog that opens. This mapping will cause a device to be created (using selected template) for all imported/synchronised accounts that are members of selected LDAP/ADDS group.

For example, in image below, mapping is created between device template Android template and ADDS group Android-group. This mapping will trigger two actions when import/synchronisation takes place:

  1. New device group called Android-group is created.
  2. New device will be created for all imported accounts that are members of ADDS group called Android-group.

Authentication & synchronisation settings

Select Authentication & synchronisation tab configure when accounts and devices will be imported to mySync DM and how to authenticate managed devices. Selecting correct authentication policy before any devices are provisioned is extremely important. Changing authentication policy later will almost surely break authentication for all managed devices (as they are using ADDS password and current policy uses internal authentication, or vice-versa).

There are two different authentication policies provided:

  1. Internal; Random password will be generated for all imported accounts and managed devices will be authenticated using mySync DM internal authentication system. Ie. users can not use their ADDS password. This policy has the benefit that all normal device provisioning methods can be used because mySync DM server knows all user passwords.
  2. LDAP/ADDS; Delegate all authentication to the configured  LDAP/ADDS server. All imported users must use their ADDS password. This policy has the downside that not all device provisioning methods  can be used (iOS provisioning works but others don't) because mySync DM server is unaware of users' passwords. Exception to this rule is that if the user has logged in to the system at least once, all provisioning methods are available (because after the first authentication, password will be stored to mySync DM database).

Press Manual synchronisation button to execute synchronisation immediately. New dialog opens (see image below) that shows the synchronisation progress (after pressing Start button). This will import all accounts and devices from LDAP/ADDS to mySync DM server that match the configured import settings.

Using manual synchronisation is optional, accounts will be created on-demand when users try to authenticate to the system for the first time.

LDAP/ADDS synchronisation can be scheduled to happen automatically between certain interval period. Exact time of day for scheduled synchronisation will be randomly selected between 03:00 am. and 06:00 am. Press Enable scheduled synchronisation to activate this feature. LDAP/ADDS configuration can not be modified while scheduled synchronisation is active. Disable it, if you need to modify configuration or execute manual synchronisation.

Please note that when using ADDS as LDAP type, incremental synchronisation is not supported due to technical restrictions (ADDS does not update lastModified attribute when memberOf value is changed, thus modified entries since last synchronisation can not be reliably searched). Due to this restriction, synchronisation can be heavy on resources if there are thousands of accounts and therefore the minimum possible interval for scheduled synchronisation is 24 hours for ADDS and 10 minutes for custom/generic LDAP (support for reliable modifyTimestamp attribute implied).

Event log

Select Event log tab to view all LDAP/ADDS import related event log items. By default, synchronisation start and end events for the past week are shown. This is usually enough information if you just need to see the import summary (number of new, updated and deleted accounts/devices). Use From and To fields to adjust the timescale.

Check Show detailed log if you need to see all the synchronisation details, like what users, devices or groups were created, updated or deleted.

Filter by label

There are no items with the selected labels at this time.