Active Directory / LDAP User Sync

AD/LDAP Sync Overview

The Active Directory (AD) / LDAP (Lightweight Directory Access Protocol) auto-discovery tool can perform a one-way sync of your Active Directory and/or LDAP group members to Device42. You can choose to have discovered users added as either end users or administrators. AD syncs can be scheduled to ensure user data in Device42 stays up-to-date automatically. Because the sync is one-way, changes made to user accounts in Device42 are not sent back to AD/LDAP.

Configure an Active Directory / LDAP User Discovery Job

1) The AD/LDAP sync tool can be found at Discovery>>AD/LDAP Users.

Add AD LDAP user sync job

2) Enter any name for the auto-discovery job.

Then select ‘End Users’ or ‘Administrators’ from the drop-down to set the type of Device42 user to create from the discovered AD/LDAP users / group members.

Enter the exact Group Distinguished Name and authentication information. Check the ‘Recursively search nested groups’ option if you want the sync to recursively traverse any sub-domains found.

3) If End Users was chosen as the user type, you may optionally choose which AD/LDAP attributes should be used to import contact, location, and notes. Then run the discovery job and/or configure a schedule. As with all other auto-discovery jobs, you can create a schedule to keep your Device42 users in sync with AD automatically!

Example of how to get a Group DN in Active Directory

In Active Directory Users and Computers with “Advanced Features” enabled, open the group’s properties, go to the Attribute Editor, and copy the distinguishedName, as shown in the image above.

Choose members and groups for administrators (for permission)

This section applies only if you choose Type = Administrators…

In the above screenshot, the Users are the list of AD users that were displayed as a result of the choices on the first screen.

The Groups are not AD groups. They are Device42 groups.

You should select the Users that you want to be Device42 administrators and move them to the right side of the Users dialog.

You should select one or more Device42 groups for these users and move them to the right side of the Groups dialog.

Then, when you click the “Add…” button, the selected users will become Device42 administrators and will receive the permissions of the selected groups.

As shown above, saved DNs are available for future use.

AD / LDAP Discovery Job Options

AD LDAP Options

Add username in lowercase: Converts all characters to lowercase when adding discovered users to D42.
Recursively search nested groups: By default, when a group is a member of the specified group, that nested group’s users are not added. Select this check box to add them.
Ignore existing Administrators: Uncheck if you’d like administrators to continue to inherit permissions from multiple LDAP sync jobs.
Clear any existing Administrator Permissions Groups: Check to remove all group memberships from existing admins before adding newly discovered memberships.
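
To see what ‘Recursively search nested groups’ changes before running a job with Type = Administrators, the following added example (not Device42 code, and not how Device42 implements the sync) lists the users reached only through nested groups, with the chain of groups that brings each one in. It assumes group membership has been exported into a dictionary; the DNs and the function names resolve_users and nested_only are made up for illustration.

```python
# Constructed sample directory: group DN -> member DNs (the "member" attribute).
# Every DN here is invented for the example.
GROUPS = {
    "CN=D42-Admins,OU=Groups,DC=example,DC=com": [
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=NetOps,OU=Groups,DC=example,DC=com",
    ],
    "CN=NetOps,OU=Groups,DC=example,DC=com": [
        "CN=bob,OU=Users,DC=example,DC=com",
        "CN=Contractors,OU=Groups,DC=example,DC=com",
    ],
    "CN=Contractors,OU=Groups,DC=example,DC=com": [
        "CN=carol,OU=Users,DC=example,DC=com",
        "CN=NetOps,OU=Groups,DC=example,DC=com",  # circular nesting
    ],
}


def resolve_users(group_dn, recursive, groups=GROUPS):
    """Return {user_dn: list of group DNs through which the user was reached}."""
    found, seen, stack = {}, set(), [(group_dn, [group_dn])]
    while stack:
        dn, path = stack.pop()
        if dn in seen:  # guard against circular group nesting
            continue
        seen.add(dn)
        for member in groups.get(dn, []):
            if member in groups:  # the member is itself a group
                if recursive:
                    stack.append((member, path + [member]))
            else:
                found.setdefault(member, path)
    return found


def nested_only(group_dn, groups=GROUPS):
    """Users that are picked up only when nested groups are searched."""
    direct = resolve_users(group_dn, False, groups)
    full = resolve_users(group_dn, True, groups)
    return {user: path for user, path in full.items() if user not in direct}


if __name__ == "__main__":
    root = "CN=D42-Admins,OU=Groups,DC=example,DC=com"
    for user, path in sorted(nested_only(root).items()):
        print(user, "via", " -> ".join(path))
```

Any user this reports would be offered as a candidate administrator only because of nesting, so review that list before moving users to the right side of the Users dialog.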