Configuring Custom Active Directory Integration
Custom active directory integration allows you to specify one or more active directory servers. By specifying multiple active directory servers, you can add users to Blueprint from multiple forests.
For example, you can specify the same bind user for multiple active directory servers, but define a different LDAP URL for each server so it points to different domains.
Configuration Requirements
You acquire the following information from your active directory administrator before you can configure custom active directory integration:
- BIND user SamAccountName (not the common name, as per RC2010).
- BIND user password.
- AD server name (the actual server name) + fully qualified domain name.
- Domain component names (that is, the full DNS name of the domain is, for example, "dc=MyDomain,dc=com").
To configure custom active directory integration:
- Open the Instance Administration Console.
- Click Active Directory Settings.
- Select the Enable Active Directory Integration option.
- Select the Use custom Active Directory integration option.
- Click the Add button.
- Specify the active directory information on the rightmost side of the screen:
- Setting Name: Choose a name for this active directory server so you can easily identify it in the list.
- Bind User: Defines the user name of a user that has access to read from the active directory server. This user name must be the SamAccountName of the Bind User (not the common name, as per RC2010).
- Bind Password: Defines the password of the Bind User.
- Active Directory Authentication URL: Defines the authentication URL of the active directory server. Example: LDAP://bpsdc-neo.blueprint.toronto/DC=blueprint,DC=Toronto
- Optionally select the Synchronize Active Directory groups and users option to ensure user details and group membership in Blueprint reflect changes in Active Directory.
If synchronization is enabled, configure the Frequency and time the operation will begin.
Synchronization for the weekly and monthly options occur on the first day of the week or month, respectively. - If you need to add an active directory server at any time, you can click the active directory server on the leftmost side of the screen and then click the Remove button.
Trusted domains syncing restrictions
Administrators should note the following behaviors when syncing Windows users and groups that contain external domains.
- When syncing groups, all group information and user memberships are updated, no matter what domain the users belong to.
- When syncing users, all user information and group memberships from the same domain are updated. Group memberships from external domains are not updated.