Communication Server
Active directory synchronization :
installation and administration
September, 2009
TC1312
FEATURE LIST
This module provides interoperability between Microsoft Active Directory domains and the
ECS LDAP directory. It is used to import users from Active Directory into the ECS LDAP directory.
Administration features
- Synchronization of user accounts with a Windows Active Directory server. All users are
imported from Active Directory, so the ECS administrator does not need to create the ECS
user accounts by hand.
- Automatic daily synchronization
- Possibility to work in mixed mode, with some users created in the ECS directory only
- Exclusion of some accounts from the synchronization
- Visibility of the accounts deactivated in Active Directory
Users features
- All ECS services are available to the synchronized users (virtual desktop, e-mail, FTP, mobility,
fax)
- Password management is deactivated in the ECS for these users: their passwords are managed in
Active Directory
PRE-REQUISITE
ECS
Applicable ECS releases : 4.0, 4.0.1, 4.1
Pre-required patches :
- P-5665 : Make ldap restart synchronous
- P-6008 : Closing patch of Service pack 2 (Installation reference : S-0002)
- P-5870 : Add the hidden domain name capability for the mail system
- P-5680 : Technical improvements in the directory
- P-6321 : Directory fix with external POP account logins containing -
- P-6238 : New feature : Add control on user,superadmin and root passwords
- P-6525 : Replace the LDAP ldbm backend by Berkeley DB
Please consult the ECS support web site for more information regarding the pre-requisites.
Windows server
The Windows server must be a primary domain controller. The supported Windows server
releases are :
- Microsoft Windows 2000 Standard Server (or other editions)
- Microsoft Windows 2003 Standard Server (or other editions)
- Microsoft Windows 2008 Standard Server (or other editions)
Note : Windows 2008 Standard Server does not support the encrypted (LDAPS) connection out of the box,
because of a Microsoft issue. Microsoft provides a hotfix, KB957072 (http://support.microsoft.com/kb/957072/).
INSTALLATION
The Active Directory synchronization module is delivered as a patch available on the update server.
Patch reference : P-6218
Installation procedure :
1- Check that the pre-required patches are installed
2- Go to the menu Appliance / Update / Update from the web / Manual update, then enter the
reference : P-6218
CAUTION : The pre-required patch P-6525 asks for a reboot of the server. The reboot after the
installation of P-6525 or P-6218 is absolutely mandatory.
A sample network architecture allowing the implementation of the synchronization service is
shown below.
Configuration
Once the patch is installed, go to the menu Directory > Synchronization with an external directory
(Active Directory) to configure the module (see fig. 2 below).
Fill in the form available in the Configuration tab, then click OK :
- IP address or name of the external directory
- DN of the link account : the DN of the account the ECS binds with. This account only needs
to be allowed to read the information contained in the directory; an ordinary domain user is
enough. Do not use an administrator account here, since its password is stored on the ECS.
Example of DN : cn=link link,cn=Users,dc=domain,dc=loc
- Link account password
Fig. 2
This operation opens an LDAP (port 389) or LDAPS (port 636) connection to the Active Directory
server, depending on whether the secure connection is selected or not. If the parameters sent by the
ECS are correct, the Active Directory server returns the list of users. Prefer LDAPS wherever the
domain controller supports it: over plain LDAP on port 389, a simple bind sends the link account
password in clear text on the network.
At this stage, the administrator can exclude some users from the synchronization (see the Exclusion tab).
Note : In case of LDAPS synchronization with the Active Directory server, the ECS asks the superadmin
to authenticate again.
The base from which the synchronization is done has the following form :
dc=domain,dc=domain_extension
Example with an Active Directory domain named domain.loc : dc=domain,dc=loc
This information can be retrieved from the Active Directory server with an LDAP browser. Here is an
example using the LDAP browser shipped with the Windows server :
1- Start / Run / ldp.exe
2- Connection : Enter the information needed to connect to the server over LDAP (see screenshot below)
3- Bind : Authenticate as an existing user of the Active Directory domain (see screenshot below)
Synchronization
Once the users list has been retrieved from the Active Directory server, the administrator can set the
service status to On in order to activate the service.
Then click the Synchronize button at the bottom of the frame in order to launch the first
synchronization.
This operation retrieves the users' information from Active Directory and creates the users in the
ECS base group. The retrieved information is :
- User login
- User first name
- User last name
- Phone number
- Mobile phone number
- E-mail addresses
Once the first synchronization is done, you can activate the daily synchronization process, which
repeats the operation described above.
Deactivated account
This list presents the user accounts that have been deleted or deactivated in the external directory.
They have been deactivated on the ECS. They become active again if the account is reactivated or
recreated in the external directory. They are listed in this interface so that the administrator can
delete them.
USER CONNECTION
The user authenticates to the ECS services with his usual Active Directory login and password. The
first time, the ECS forwards the authentication request to the Active Directory server and, if the user
is successfully authenticated, saves the password locally in encrypted form. The following requests are
answered directly by the ECS until the user's password is changed, in which case the first-time
case applies again.
The ECS policy for authorized characters in logins is much more restrictive than in Active Directory:
the authorized characters are [a..z], [0..9], [-] and [_]. Special characters are converted automatically
between the Active Directory login and the ECS directory login when the user is created in the ECS
directory. The administrator will therefore see in the ECS directory that some special characters have
been converted, because they are not authorized by the ECS policy.
Here are the conversion rules :
Special characters @
Replacement characters a aeiouyAEIOUYaeiouAEIOUaeiouyAEIOUaeiouAEIOUaA oOscCanoANO
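The following Python is an added example, not the ECS module's own code. It models one synchronization pass as the Synchronization, Deactivated account and login-conversion sections above describe it: users present and enabled in Active Directory are created or updated in the ECS, accounts disabled or deleted in Active Directory are deactivated but kept for the administrator to delete, excluded accounts and users created locally in mixed mode are left alone, and the import stops at the licensed number of users. Everything named in it is an assumption: the AD attribute names (sAMAccountName, givenName, sn, telephoneNumber, mobile, mail, userAccountControl) are the usual ones, a disabled account is recognized by bit 0x2 of userAccountControl, the ECS user records are a plain dictionary, and the AD entries are constructed sample data rather than a real search result. Accent folding uses Unicode decomposition, which generalizes the fixed table on the page; characters the page does not list are replaced by "_". The collision check is also an addition: the conversion is many-to-one, so two different AD logins can fold to the same ECS login, and a synchronization that silently merged them would give one user the other's mailbox, so the example refuses them and reports them instead.

```python
import copy
import re
import unicodedata

ACCOUNTDISABLE = 0x2                      # userAccountControl bit of a disabled AD account
NOT_ALLOWED = re.compile(r"[^a-z0-9_-]")  # ECS login policy: [a..z], [0..9], [-], [_]

def base_dn_from_domain(domain):
    """Search base of the synchronization: 'domain.loc' -> 'dc=domain,dc=loc'."""
    labels = [label for label in domain.strip().rstrip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)

def to_ecs_login(ad_login):
    """Fold an AD login to the ECS login policy: accents removed (NFKD, combining
    marks dropped), lower-cased, anything still not allowed replaced by '_'
    (assumption: the page's table is silent on characters it does not list)."""
    folded = unicodedata.normalize("NFKD", ad_login)
    plain = "".join(c for c in folded if not unicodedata.combining(c))
    return NOT_ALLOWED.sub("_", plain.lower())

def ecs_fields(entry):
    # Assumed attribute names; the page only names the fields it imports.
    return {"first_name": entry.get("givenName", ""), "last_name": entry.get("sn", ""),
            "phone": entry.get("telephoneNumber", ""), "mobile": entry.get("mobile", ""),
            "email": entry.get("mail", "")}

def synchronize(ad_entries, ecs_users, excluded, license_max):
    """One pass; ecs_users (login -> record) is updated in place, a report is returned."""
    report = {"created": [], "updated": [], "deactivated": [], "reactivated": [],
              "collisions": [], "license_skipped": []}
    seen = {to_ecs_login(e["sAMAccountName"]) for e in ad_entries}   # excluded ones too
    claimants = {}                                                    # ecs_login -> entries
    for e in ad_entries:
        if e["sAMAccountName"] not in excluded:
            claimants.setdefault(to_ecs_login(e["sAMAccountName"]), []).append(e)
    wanted = {}
    for ecs_login, entries in claimants.items():
        local = ecs_users.get(ecs_login)
        # Two AD logins folding to one ECS login, or onto a user created locally in
        # mixed mode, would merge two identities into one account: refuse, do not guess.
        if len(entries) > 1 or (local is not None and not local["synced"]):
            report["collisions"].append((ecs_login, sorted(e["sAMAccountName"] for e in entries)))
        else:
            wanted[ecs_login] = entries[0]
    for ecs_login in sorted(wanted):
        entry, user = wanted[ecs_login], ecs_users.get(ecs_login)
        if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
            if user is not None and user["active"]:   # deactivated in AD -> deactivated here
                user["active"] = False
                report["deactivated"].append(ecs_login)
            continue                                  # assumption: not created while disabled
        if user is None:
            if len(ecs_users) >= license_max:         # licence cap counts every ECS user
                report["license_skipped"].append(ecs_login)
            else:
                ecs_users[ecs_login] = {"synced": True, "active": True, **ecs_fields(entry)}
                report["created"].append(ecs_login)
            continue
        if not user["active"]:                        # reactivated or recreated in AD
            user["active"] = True
            report["reactivated"].append(ecs_login)
        if any(user.get(k) != v for k, v in ecs_fields(entry).items()):
            user.update(ecs_fields(entry))
            report["updated"].append(ecs_login)
    for ecs_login, user in ecs_users.items():         # deleted in AD: kept, but deactivated
        if user["synced"] and user["active"] and ecs_login not in seen:
            user["active"] = False
            report["deactivated"].append(ecs_login)
    return report

# Constructed sample standing in for the AD search result and the ECS directory.
AD_ENTRIES = [
    {"sAMAccountName": "alice", "givenName": "Alice", "sn": "Martin", "mail": "alice@domain.loc",
     "telephoneNumber": "+33 1 23 45 67 89", "mobile": "+33 6 12 34 56 78", "userAccountControl": 512},
    {"sAMAccountName": "bob", "givenName": "Bob", "sn": "Durand", "userAccountControl": 514},
    {"sAMAccountName": "erin", "givenName": "Erin", "sn": "Lefèvre", "userAccountControl": 512},
    {"sAMAccountName": "frank", "givenName": "Frank", "sn": "Petit", "userAccountControl": 512},
    {"sAMAccountName": "josé.pérez", "givenName": "José", "sn": "Pérez", "userAccountControl": 512},
    {"sAMAccountName": "Jose Perez", "givenName": "Jose", "sn": "Perez", "userAccountControl": 512},
    {"sAMAccountName": "svc-backup", "userAccountControl": 512},
]
EXCLUDED = {"svc-backup"}
ECS_USERS = {
    "alice": {"synced": True, "active": True, "first_name": "Alice", "last_name": "Martin"},
    "bob": {"synced": True, "active": True, "first_name": "Bob", "last_name": "Durand"},
    "carol": {"synced": True, "active": True, "first_name": "Carol", "last_name": "Roux"},
    "dave": {"synced": False, "active": True, "first_name": "Dave", "last_name": "Blanc"},
}

def run_sample(license_max=5):
    """Run one pass on a copy of the sample directory; returns (report, users)."""
    users = copy.deepcopy(ECS_USERS)
    return synchronize(AD_ENTRIES, users, EXCLUDED, license_max), users
```

With the sample data, run_sample() reports alice updated (her phone numbers arrive), bob and carol deactivated (bob is disabled in AD, carol no longer exists there), erin created, frank skipped because the fifth licensed user is already taken, and the two logins that both fold to jose_perez refused as a collision; dave, created locally, is untouched. The deactivated records stay in the dictionary, which is what lets the Deactivated account tab show them for deletion.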
Passwords management
The following restrictions apply to password management.
The password policy of Active Directory must be compliant with the policy of the ECS.
Be careful to align your Active Directory password policies with the characters authorized by the
ECS : [ a-z A-Z 0-9 _ / \ & ~ " # ' { } ( ) [ ] < > ` @ = ? ; : ! + . , % $ * - ].
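The Python below is an added example, not ECS code, covering the USER CONNECTION flow and the password character set above. The first logon is forwarded to Active Directory and, on success, a local verifier is stored; later logons are answered locally, and a changed password shows up as a cache miss that sends the request back to Active Directory. Two points are the example's own choices rather than the ECS's behaviour: the page says the ECS saves the password "encrypted", whereas the example stores a salted PBKDF2 hash, since a cache that only has to answer yes or no needs no reversible copy of the password; and cache entries are given a maximum age, because the flow as described keeps accepting the old password locally until the user presents the new one. The domain controller is a constructed in-memory stub standing in for an LDAP bind, and the account and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Characters the ECS accepts in passwords, copied from the page's list (space is not in it).
ECS_PASSWORD_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "_/\\&~\"#'{}()[]<>`@=?;:!+.,%$*-")

def password_charset_violations(password):
    """Characters of `password` the ECS would reject; an empty list means compliant."""
    return sorted({c for c in password if c not in ECS_PASSWORD_CHARS})

class ActiveDirectoryStub:
    """Constructed stand-in for the domain controller: answers a simple bind."""
    def __init__(self, accounts):
        self.accounts = dict(accounts)      # login -> current password
        self.binds = 0                      # how often the ECS had to ask AD
    def bind(self, login, password):
        self.binds += 1
        return self.accounts.get(login) == password
    def set_password(self, login, new_password):
        self.accounts[login] = new_password

class EcsAuthenticator:
    """First logon forwarded to AD; later ones answered from a local verifier cache."""
    ITERATIONS = 100_000

    def __init__(self, ad, max_age=24 * 3600, clock=time.time):
        self.ad, self.max_age, self.clock = ad, max_age, clock
        self.cache = {}                     # login -> (salt, PBKDF2 verifier, learned_at)

    def _verifier(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def _cache_accepts(self, login, password):
        entry = self.cache.get(login)
        if entry is None:
            return False
        salt, verifier, learned_at = entry
        if self.clock() - learned_at > self.max_age:   # added safeguard: force a revalidation
            del self.cache[login]
            return False
        return hmac.compare_digest(self._verifier(password, salt), verifier)

    def authenticate(self, login, password):
        """Returns (accepted, decided_by) with decided_by 'cache' or 'ad'."""
        if self._cache_accepts(login, password):
            return True, "cache"
        # Cache miss: first logon, password changed in AD, or a plain wrong password.
        # All three reach the domain controller, so wrong guesses still count
        # towards the AD lockout policy.
        if not self.ad.bind(login, password):
            return False, "ad"
        salt = os.urandom(16)
        self.cache[login] = (salt, self._verifier(password, salt), self.clock())
        return True, "ad"

def run_scenario():
    """Walk through the page's cases; returns the decisions and the number of AD binds."""
    fake_now = [0]
    ad = ActiveDirectoryStub({"alice": "Winter#2009"})           # constructed account
    ecs = EcsAuthenticator(ad, max_age=3600, clock=lambda: fake_now[0])
    trace = [ecs.authenticate("alice", "Winter#2009"),           # 1 first time: forwarded to AD
             ecs.authenticate("alice", "Winter#2009"),           # 2 answered from the cache
             ecs.authenticate("alice", "wrong-guess")]           # 3 miss: forwarded, refused
    ad.set_password("alice", "Spring#2010")                      # password changed in AD
    trace += [ecs.authenticate("alice", "Winter#2009"),          # 4 stale entry still accepts
              ecs.authenticate("alice", "Spring#2010"),          # 5 first-time case again
              ecs.authenticate("alice", "Winter#2009")]          # 6 old password now refused
    fake_now[0] = 3601                                           # cache entry older than max_age
    trace.append(ecs.authenticate("alice", "Spring#2010"))       # 7 expired: revalidated with AD
    return trace, ad.binds
```

Step 4 of the scenario is the one worth noticing: with a purely local cache, the old password keeps working on the ECS after it was changed in Active Directory until the user logs in with the new one (step 5), which is why the example adds an expiry. The charset helper is meant for checking candidate passwords, or an AD policy's examples, against the list above before users are told their new password works everywhere.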
Restrictions
The number of users that can be imported cannot exceed the maximum number of licensed users.
The personal information page of these users no longer allows changing the password or the phone
information.
KNOWN BUGS