Identity Manager 8.0.1 - Administration Guide for Connecting to Active Directory

Users and Permissions for Synchronizing with Active Directory

The following users are involved in synchronizing One Identity Manager with Active Directory.

Table 2: Users for Synchronization

User: User for accessing Active Directory

Permissions: You must provide a user account with the following permissions for full synchronization of Active Directory objects with the supplied One Identity Manager default configuration.

  • Member of the Active Directory group "Domain administrators"

NOTE: In a hierarchical domain structure, the One Identity Manager Service user account should be a subdomain member of the group "Enterprise Admins".

No sensible minimum configuration that effectively differs in permissions from membership in the group "Domain administrators" can be recommended.

User: One Identity Manager Service user account

Permissions: The user account for the One Identity Manager Service requires access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited).

The user account must belong to the group "Domain Users".

The user account must have the extended access right "Log on as a service".

The user account requires access rights to the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access rights for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update the One Identity Manager.

In the default installation the One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  • %ProgramFiles%\One Identity (on 64-bit operating systems)

Setting Remote Access Service (RAS) properties requires Remote Procedure Calls (RPC) which are executed in the context of the One Identity Manager Service user account. To read or write these properties, the One Identity Manager Service user account must have the necessary permissions.

User: User for accessing the One Identity Manager database

Permissions: The default system user "Synchronization" is available to run synchronization over an application server.

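The prerequisites for the One Identity Manager Service user account in Table 2 (membership in "Domain Users", the "Log on as a service" right, the URL ACL for the internal web service and full access to the installation directory) can be verified on the synchronization server with the following script. It is an added example, not part of the One Identity Manager documentation; the account name, port and installation directory are placeholders, and it assumes an elevated session with the ActiveDirectory PowerShell module installed.

```powershell
# Added example (not from the One Identity Manager guide): verify the service
# account prerequisites listed in Table 2. Run elevated on the synchronization server.
Import-Module ActiveDirectory

$Account    = 'DOCU\svc-oim-service'                      # placeholder service account
$ServiceUrl = 'http://+:1880/'                             # placeholder URL ACL (default port 1880)
$InstallDir = Join-Path $env:ProgramFiles 'One Identity'  # default path on 64-bit Windows

$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid       = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
$results   = [ordered]@{}

# 1. Member of "Domain Users": either as primary group (RID 513) or explicit membership.
$user        = Get-ADUser -Identity $Account.Split('\')[-1] -Properties primaryGroupID, memberOf
$domainUsers = Get-ADGroup -Identity 'Domain Users'
$results['Member of Domain Users'] =
    ($user.primaryGroupID -eq 513) -or ($user.memberOf -contains $domainUsers.DistinguishedName)

# 2. "Log on as a service" (SeServiceLogonRight) in the local security policy.
#    A right granted only through group membership is not detected by this direct SID match.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$results['Log on as a service'] = [bool]($line -and ($line -match [regex]::Escape("*$sid")))

# 3. URL ACL for the internal web service (the counterpart of "netsh http add urlacl").
$urlacl = (netsh.exe http show urlacl "url=$ServiceUrl") -join "`n"
$results['URL ACL on service port'] = [bool]($urlacl -match [regex]::Escape($Account))

# 4. Full control on the installation directory (needed for automatic updates).
#    Only an ACE granted directly to the account is counted, not one inherited via a group.
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$dirAcl = Get-Acl -Path $InstallDir
$results['Full control on install dir'] = [bool]($dirAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Account -and
    (($_.FileSystemRights -band $full) -eq $full)
})

$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```
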
Necessary Access Rights Explained

The synchronization base object in Active Directory requires the following access rights:

  • Read
  • Write

If the base object is the domain object, these access rights are required for reading and setting domain properties like, for example, password guidelines.

The following access rights are required for working unrestricted below the base object:

  • Create All Child Objects
  • Delete All Child Objects

The following access rights are required to be able to edit certain properties of a user object, which result in modifications to an Active Directory object (for example, "Password cannot be changed"):

  • Read Permissions
  • Modify Permissions

Prerequisite for further privileges:

  • Modify Owner

Normally only group administrators have this privilege. If the One Identity Manager Service user account is not a member of this group or an equivalent group, it must be put in a position to cope with accounts without any permissions.

The following access rights are required because all an object's values can, in principle, be modified through the One Identity Manager:

  • Read All Properties
  • Write All Properties
  • All Extended Rights
  • Delete

Essentially, part of the user account functionality is stored as an entry in the permissions list (DACL) of an Active Directory object. The One Identity Manager Service user account must therefore be able to modify this DACL. Examples of properties maintained through the DACL are "UserCanNotChangePassword" on the user account and "AllowWriteMembers" on the group.

Modifying a DACL requires a wide range of permissions. If you modify a DACL with a user account that does not have "full control" access to the corresponding Active Directory object, the changes are only accepted under the following conditions.

  • The user account is object owner.

    – OR –

  • The user account is member of the same primary group as the object owner. This is normally the group "Domain administrators".

Otherwise the modifications are rejected. It is possible to initiate a change of ownership if "Take Ownership" access is assigned to the user account and thus to change the DACL. However, this falsifies the permissions state of the Active Directory object and is not recommended.

Furthermore, you require domain administrator permissions to use the delete and restore functions of the Active Directory recycle bin and to deal with specially protected user accounts and groups.

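Before enabling synchronization with an account that is not a domain administrator, it is worth auditing which of the access rights listed in this section the account effectively holds on the synchronization base object. The following script is an added example, not part of the One Identity Manager documentation; the account and base object are placeholders, it assumes the ActiveDirectory PowerShell module, and the mapping of the guide's right names to ActiveDirectoryRights flags is this example's own.

```powershell
# Added example (not from the One Identity Manager guide): report which of the
# required access rights the synchronization account holds on the base object.
Import-Module ActiveDirectory

$Account    = 'DOCU\svc-oim-sync'            # placeholder synchronization account
$BaseObject = 'DC=docu,DC=testlab,DC=dd'     # placeholder base object (domain root)

# Right names from the guide mapped to System.DirectoryServices.ActiveDirectoryRights
# flags (mapping assumed for this example).
$Required = [ordered]@{
    'Read'                     = 'GenericRead'
    'Write'                    = 'GenericWrite'
    'Create All Child Objects' = 'CreateChild'
    'Delete All Child Objects' = 'DeleteChild'
    'Read Permissions'         = 'ReadControl'
    'Modify Permissions'       = 'WriteDacl'
    'Modify Owner'             = 'WriteOwner'
    'Read All Properties'      = 'ReadProperty'
    'Write All Properties'     = 'WriteProperty'
    'All Extended Rights'      = 'ExtendedRight'
    'Delete'                   = 'Delete'
}

# SIDs an ACE can match for this account: the account, its primary group, every
# group it belongs to (nested) and the implicit well-known groups.
$user   = Get-ADUser -Identity $Account.Split('\')[-1] -Properties primaryGroupID, memberOf
$domain = Get-ADDomain
$sids   = New-Object System.Collections.Generic.HashSet[string]
[void]$sids.Add($user.SID.Value)
[void]$sids.Add("$($domain.DomainSID.Value)-$($user.primaryGroupID)")
[void]$sids.Add('S-1-1-0')    # Everyone
[void]$sids.Add('S-1-5-11')   # Authenticated Users
$queue = [System.Collections.Generic.Queue[string]]::new([string[]]@($user.memberOf))
while ($queue.Count -gt 0) {
    $g = Get-ADGroup -Identity $queue.Dequeue() -Properties memberOf
    if ($sids.Add($g.SID.Value)) { foreach ($p in $g.memberOf) { $queue.Enqueue($p) } }
}

# Fold the matching ACEs of the base object into one allowed and one denied mask.
# Only ACEs without an ObjectType count, i.e. those that apply to the whole object
# rather than to a single attribute or child class (deliberately conservative).
$acl     = Get-Acl -Path "AD:\$BaseObject"
$allowed = 0
$denied  = 0
foreach ($ace in $acl.Access) {
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }
    if (-not $sids.Contains($sid) -or $ace.ObjectType -ne [guid]::Empty) { continue }
    if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor [int]$ace.ActiveDirectoryRights }
    else                                    { $denied  = $denied  -bor [int]$ace.ActiveDirectoryRights }
}

# Deny entries take precedence, so they are removed before each requirement is checked.
$effective = $allowed -band (-bnot $denied)
foreach ($entry in $Required.GetEnumerator()) {
    $flag  = [int][System.DirectoryServices.ActiveDirectoryRights]$entry.Value
    $state = if (($effective -band $flag) -eq $flag) { 'OK' } else { 'MISSING' }
    '{0,-26} {1}' -f $entry.Key, $state
}
```

A right reported as MISSING may still be granted by an attribute- or class-specific ACE; the script errs on the side of reporting too little rather than too much.
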
Tips for "Read Only" Access Permissions

Basically, the part of the synchronization with Active Directory that loads Active Directory objects into the One Identity Manager database also works when the access rights are read-only and no write access is available.

The following problems may occur:

  • In order to incorporate a user account with read-only access into a group, which may not be the user account’s primary group, One Identity Manager Service must have at least write access for the group object.
  • An error condition can occur between the One Identity Manager database and Active Directory data when parts of Active Directory that are read-only are added or modified by the One Identity Manager administration tools or imported objects. These cases can be excluded with the suitable menu navigation in the administration tools, One Identity Manager object access rights and by taking appropriate precautions when importing.

Note on the One Identity Manager Active Directory Edition

In the One Identity Manager Active Directory Edition, you require full read-access and permissions for creating, changing and deleting groups.

Communications Port and Firewall Configuration

One Identity Manager is made up of several components that can be executed in different network segments. In addition, One Identity Manager requires access to various network services, which can also be installed in different network segments. You must open various ports depending on which components and services you want to install behind the firewall.

The following ports are required:

Table 3: Communications port

Default port | Description
-------------|------------
SQL Server: 1433, Oracle: 1521 | Port for communicating with the database.
1880 | Port for the HTTP based protocol of the One Identity Manager Service.
2880 | Port for access tests with the Synchronization Editor.
80 | Port for accessing web applications.
88 | Kerberos authentication system (if Kerberos authentication is implemented).
135 | Microsoft EPMAP (End Point Mapper), also DCE/RPC Locator Service.
137 | NetBIOS Name Service.
139 | NetBIOS Session Service.
389 | Lightweight Directory Access Protocol (LDAP standard). Target system server communications port.
445 | Microsoft-DS Active Directory, Windows shares. Required for synchronization (TCP/UDP).
53 | Domain Name System (DNS), mainly through UDP. Required for access to the Active Directory forest.
88 | Kerberos authentication system. Required for access to the Active Directory forest.
636 | Lightweight Directory Access Protocol using TLS/SSL (LDAPS). Required for access to the Active Directory forest.
3268 | Global catalog. Required for searching in the global catalog. Either port 3268 or 3269 should be open depending on the connection settings.
3269 | Global catalog over SSL. Required for searching in the global catalog. Either port 3268 or 3269 should be open depending on the connection settings.

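A preflight check run on the synchronization server can confirm the firewall rules before the synchronization project is created: it resolves the domain and the domain controller by DNS (the connection is refused if that fails, as noted in the synchronization project section), tests the Active Directory ports from Table 3 with a TCP connect, and performs an LDAP and an LDAPS bind with the current credentials to tell an open port apart from a failing TLS or authentication setup. This is an added example, not part of the One Identity Manager documentation; the domain and domain controller names are placeholders, and port 1880 is checked against the local One Identity Manager Service.

```powershell
# Added example (not from the One Identity Manager guide): network preflight for the
# Active Directory connection, run on the synchronization server.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Domain = 'docu.testlab.dd'          # placeholder full domain name
$Dc     = 'server.docu.testlab.dd'   # placeholder domain controller (DNS name)

# TCP ports on the domain controller taken from Table 3. UDP-only services (for
# example NetBIOS name service) cannot be verified with a TCP connect.
$DcPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / Microsoft-DS'
    636  = 'LDAPS'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL'
}

function Test-DnsName([string]$Name) {
    # True when the name resolves to at least one address.
    try { [System.Net.Dns]::GetHostAddresses($Name).Count -gt 0 } catch { $false }
}

function Test-Port([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; true only if the handshake completes.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-LdapBind([string]$Server, [int]$Port, [bool]$Ssl) {
    # Negotiate bind with the caller's credentials; with $Ssl the server certificate
    # must be trusted, so a failure here while the port is open points at TLS.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $Ssl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try { $conn.Bind(); $true } catch { $false } finally { $conn.Dispose() }
}

$report = @()
$report += [pscustomobject]@{ Check = "DNS: $Domain"; Result = Test-DnsName $Domain }
$report += [pscustomobject]@{ Check = "DNS: $Dc";     Result = Test-DnsName $Dc }
foreach ($p in $DcPorts.GetEnumerator()) {
    $report += [pscustomobject]@{ Check = "${Dc}:$($p.Key) ($($p.Value))"; Result = Test-Port $Dc $p.Key }
}
$report += [pscustomobject]@{ Check = 'LDAP bind on 389';  Result = Test-LdapBind $Dc 389 $false }
$report += [pscustomobject]@{ Check = 'LDAPS bind on 636'; Result = Test-LdapBind $Dc 636 $true }
# The One Identity Manager Service listens on 1880 by default (Table 3).
$report += [pscustomobject]@{ Check = 'localhost:1880 (One Identity Manager Service)'; Result = Test-Port 'localhost' 1880 }

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Result }) { Write-Warning 'At least one prerequisite check failed.' }
```
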
Setting Up the Synchronization Server

To set up synchronization with an Active Directory environment a server has to be available that has the following software installed on it:

  • Windows operating system

    The following versions are supported:

    • Windows Server 2008 (non-Itanium based 64-bit) Service Pack 2 or later
    • Windows Server 2008 R2 (non-Itanium based 64-bit) Service Pack 1 or later
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
  • Microsoft .NET Framework Version 4.5.2 or later

    NOTE: Microsoft .NET Framework version 4.6 is not supported.

    NOTE: Take the target system manufacturer's recommendations into account.
  • Windows Installer
  • One Identity Manager Service, Active Directory connector
    • Install One Identity Manager components with the installation wizard.
      1. Select the option Select installation modules with existing database.
      2. Select the machine role Server | Job server | Active Directory.

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.

NOTE: If several target system environments of the same type are synchronized under the same synchronization server, it is useful to set up a job server for each target system on performance grounds. This avoids unnecessary swapping of connections to target systems, because a job server then only has to process tasks of the same type (re-use of existing connections).

Use the Server Installer to install the One Identity Manager Service. This program executes the following steps:

  • Sets up a Job server.
  • Specifies machine roles and server functions for the Job server.
  • Remotely installs the One Identity Manager Service components corresponding to the machine roles.
  • Configures the One Identity Manager Service.
  • Starts the One Identity Manager Service.

NOTE: The program executes remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.

To install and configure the One Identity Manager Service remotely on a server

  1. Start the program Server Installer on your administrative workstation.
  2. Enter valid data for connecting to One Identity Manager on the Database connection page and click Next.
  3. Specify on which server you want to install the One Identity Manager Service on the Server properties page.
    1. Select a job server in the Server menu.

      - OR -

      Click Add to add a new job server.

    2. Enter the following data for the Job server.

      Table 4: Job Server Properties

      Property | Description
      ---------|------------
      Server | Name of the Job server.
      Queue | Name of the queue that handles the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested from the job queue using exactly this queue name. The queue identifier is entered in the One Identity Manager Service configuration file.
      Full server name | Full name of the server in DNS syntax. Example: <name of server>.<fully qualified domain name>

      NOTE: Use the Advanced option to edit other Job server properties. You can use the Designer to change properties at a later date.
  4. Specify which job server roles to include in One Identity Manager on the Machine role page. The installation packages to be installed on the Job server are determined by the selected machine role.

    Select at least the following roles:

    • Active Directory
  5. Specify the server's functions in One Identity Manager on the Server functions page. One Identity Manager processes are handled depending on the server function.

    The server's functions depend on which machine roles you have selected. You can limit the server's functionality further here.

    Select the following server functions:

    • Active Directory connector
  6. Check the One Identity Manager Service configuration on the Service settings page.

    NOTE: The initial service configuration is already predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more detailed information about configuring the service, see the One Identity Manager Configuration Guide.
  7. To configure remote installations, click Next.
  8. Confirm the security prompt with Yes.
  9. Select the directory with the install files on the Select installation source page.
  10. Select the file with the private key on the Select private key file page.

    NOTE: This page is only displayed when the database is encrypted.
  11. Enter the service's installation data on the Service access page.

    Table 5: Installation Data

    Computer: Server on which to install and start the service.

      To select a server:

      • Enter the server name.

        - OR -

      • Select an entry from the list.

    Service account: One Identity Manager Service user account data.

      To enter a user account for the One Identity Manager Service:

      • Set the option Local system account.

        This starts the One Identity Manager Service under the account "NT AUTHORITY\SYSTEM".

        - OR -

      • Enter user account, password and password confirmation.

    Installation account: Data for the administrative user account used to install the service.

      To enter an administrative user account for installation:

      • Enable Advanced.
      • Enable the option Current user.

        This uses the user account of the current user.

        - OR -

      • Enter user account, password and password confirmation.
  12. Click Next to start installing the service.

    Installation of the service occurs automatically and may take some time.

  13. Click Finish on the last page of the Server Installer.

    NOTE: The service is entered with the name "One Identity Manager Service" in the server's service administration.

Creating a Synchronization Project for initial Synchronization of an Active Directory Domain

Use the Synchronization Editor to configure synchronization between the One Identity Manager database and Active Directory. The following describes the steps for initial configuration of a synchronization project. For more detailed information about setting up synchronization, see the One Identity Manager Target System Synchronization Reference Guide.

After the initial configuration, you can customize and configure workflows within the synchronization project. Use the workflow wizard in the Synchronization Editor for this. The Synchronization Editor also provides different configuration options for a synchronization project.

Have the following information available for setting up a synchronization project.

Important: The domain controller and the domain must be resolvable by DNS query for successful authentication. If the DNS names cannot be resolved, the target system connection is refused.

Table 6: Information Required for Setting up a Synchronization Project

Full domain name: Full domain name.

  Example: Docu.Testlab.dd

User account and password for domain login: This user account is used to access the domain. Make a user account available with sufficient permissions. For more information, see Users and Permissions for Synchronizing with Active Directory.

DNS name of the domain controller: Full name of the domain controller to which the synchronization server connects to access Active Directory objects.

  Example: Server.Doku.Testlab.dd

Communications port on the domain controller: LDAP default communications port is 389.

Authentication type: You can only connect to a target system if the correct type of authentication is selected. Authentication type "Secure" is taken as default. For more information about authentication types, see the MSDN Library.

Synchronization server for Active Directory: All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

  The One Identity Manager Service must be installed on the synchronization server with the Active Directory connector.

  The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server.

  Table 7: Additional Properties for the Job Server

  Property | Value
  ---------|------
  Server function | Active Directory connector
  Machine role | Server/Jobserver/Active Directory

  For more information, see Setting Up the Synchronization Server.

One Identity Manager database connection data:

  SQL Server:

  • Database server
  • Database
  • Database user and password
  • Specifies whether Windows authentication is used.

    This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

  Oracle:

  • Specifies whether access is direct or through the Oracle client.

    Which connection data is required depends on how this option is set.

  • Database server
  • Oracle instance port
  • Service name
  • Oracle database user and password
  • Data source (TNS alias name from TNSNames.ora)

Remote connection server: To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation on which the Synchronization Editor is installed is not possible, for example because of the firewall configuration or because the workstation does not fulfill the necessary hardware and software requirements. If direct access from the workstation is not possible, you can set up a remote connection.

  The remote connection server and the workstation must be in the same Active Directory domain.

  Remote connection server configuration:

  • One Identity Manager Service is started
  • RemoteConnectPlugin is installed
  • Active Directory connector is installed
  • Target system specific components are installed

  The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

  TIP: The remote connection server requires the same configuration (with respect to the installed software) as the synchronization server. You can use the synchronization server as remote connection server at the same time by simply installing the RemoteConnectPlugin as well.

  For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The following sequence describes how you configure a synchronization project if the Synchronization Editor is both:
  • In default mode
  • Started from the launchpad

Additional settings can be made if the project wizard is run in expert mode or is started directly from the Synchronization Editor. Follow the project wizard instructions through these steps.

To set up an initial synchronization project for an Active Directory domain

  1. Start the Launchpad and log on to the One Identity Manager database.

    NOTE: If synchronization is executed by an application server, connect to the database through the application server.
  2. Select the entry Active Directory target system type. Click Run.

    This starts the Synchronization Editor's project wizard.

  3. Specify how One Identity Manager can access the target system on the System access page.
    • If you have access from the workstation from which you started the Synchronization Editor, do not set anything.
    • If you do not have access from the workstation from which you started the Synchronization Editor, you can set up a remote connection.

      In this case, set the option Connect using remote connection server and select, under Job server, the server you want to use for the connection.

  4. Specify the Active Directory domain to synchronize on the Domain selection page.
    • Select the domain in the Domain list or enter the full domain name.
  5. Enter the user account for accessing the domain on the Credentials page. This user account is used to synchronize Active Directory objects.
    1. Enter the user account and password for logging into the target system.
    2. Click Test in Verify credentials to test the domain connection.
  6. Enter the domain controller for synchronization on the Configure connection options page and set the connection options.
    • Enter the authentication type for logging into the target system in Binding options. Authentication type "Secure" is taken as default.
    • Specify the domain controller in Enter or select domain controller.
      1. Select an existing domain controller from the Domain controller list or enter the name of the domain controller in full.
      2. Enter the communications port on the domain controller in Port. LDAP default communications port is 389.
      3. Specify whether to use a secure connection with the option Use SSL.
      4. Click Test to test the connection. The system tries to connect to the domain controller.
  7. Specify additional synchronization settings on the Connector features page. Enter the following settings.

    Table 8: Additional Settings

    Restore objects from the recycle bin if an object with the same distinguished name or GUID is added: Specifies whether deleted Active Directory objects are taken into account on inserting. Set this option if, when adding an object, the system should first check whether the object is in the Active Directory recycle bin and must be restored.

    Allow read and write access to Remote Access Service (RAS) properties: Specifies whether Remote Access Service (RAS) properties are synchronized. If the option is not set, default values are taken for synchronization; no properties are written or read. You can set this option at a later date.

    Allow read and write access to the terminal services properties: Specifies whether terminal services properties are synchronized. If the option is not set, default values are taken for synchronization; no properties are written or read. You can set this option at a later date.

    NOTE: Loading terminal server and RAS properties slows synchronization under certain circumstances.

  8. Verify the One Identity Manager database connection data on the One Identity Manager connection page. The data is loaded from the connected database. Reenter the password.

    NOTE: Reenter all the connection data if you are not working with an encrypted One Identity Manager database and no synchronization project has been saved yet in the database. This page is not shown if a synchronization project already exists.
  9. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.
  10. Specify how system access should work on the Restrict target system access page. You have the following options:

    Table 9: Specifying Target System Access

    Read-only access to target system: Specifies whether a synchronization workflow should be set up to initially load the target system into the One Identity Manager database.

      The synchronization workflow has the following characteristics:

      • Synchronization is in the direction of "One Identity Manager".
      • Processing methods in the synchronization steps are only defined in synchronization direction "One Identity Manager".

    Changes are also made to the target system: Specifies whether a provisioning workflow should be set up in addition to the synchronization workflow that initially loads the target system.

      The provisioning workflow has the following characteristics:

      • Synchronization is in the direction of the "target system".
      • Processing methods are only defined in the synchronization steps in synchronization direction "target system".
      • Synchronization steps are only created for schema classes whose schema types have write access.
  11. Select the synchronization server to execute synchronization on the Synchronization server page.

    If the synchronization server is not yet declared as a job server in the One Identity Manager database, you can add a new job server.

    • Click to add a new job server.
    • Enter a name for the job server and the full server name conforming to DNS syntax.
    • Click OK.

      The synchronization server is declared as job server for the target system in the One Identity Manager database.

      NOTE: Ensure that this server is set up as the synchronization server after saving the synchronization project.
  12. Click Finish to complete the project wizard.

    This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.

    The synchronization project is created, saved and enabled immediately.

    NOTE: If the synchronization project is not going to be executed immediately, disable the option Activate and save the new synchronization project automatically.

    In this case, save the synchronization project manually before closing the Synchronization Editor.

    NOTE: The target system connection data is saved in a variable set, which you can change in the Synchronization Editor under Configuration | Variables if necessary.

To configure the content of the synchronization log

  1. To configure the synchronization log for target system connection, select the category Configuration | Target system.
  2. To configure the synchronization log for the database connection, select the category Configuration | One Identity Manager connection.
  3. Select General view and click Configure....
  4. Select the Synchronization log view and set Create synchronization log.
  5. Enable the data to be logged.

    NOTE: Certain content creates a lot of log data.

    The synchronization log should only contain the data necessary for error analysis and other evaluations.

  6. Click OK.

To synchronize on a regular basis

  1. Select the category Configuration | Start up configurations.
  2. Select a start up configuration in the document view and click Edit schedule....
  3. Edit the schedule properties.
  4. To enable the schedule, click Activate.
  5. Click OK.

To start initial synchronization manually

  1. Select the category Configuration | Start up configurations.
  2. Select a start up configuration in the document view and click Execute.
  3. Confirm the security prompt with Yes.

NOTE: Following synchronization, employees are automatically created for user accounts in the default installation. If there are no account definitions for the domain at the time of synchronization, user accounts are linked to employees. However, account definitions are not assigned. The user accounts are, therefore, in a "Linked" state.

To select user accounts through account definitions

  1. Create an account definition.
  2. Assign an account definition to the domain.
  3. Assign the account definition and manage level to the user accounts in a "linked" state.
    1. Select the category Active Directory | User accounts | Linked but not configured | <Domain>.

      - OR -

      Select the category Active Directory | Contacts | Linked but not configured | <Domain>.

    2. Select the task Assign account definition to linked accounts.