Enable LDAP Directory Sync for Active Directory

Document created by user.oxriBaJeN4 Employee on Sep 3, 2015Last modified by user.oxriBaJeN4 Employee on Aug 29, 2018
Version 22Show Document
  • View in full screen mode

If you have an On Premises Active Directory, you can use LDAP directory synchronization to automatically add and manage your users and groups. This removes the administrative overhead of performing these tasks manually. Opening a connection between us and your Active Directory, also allows your end users to use their primary email address and Active Directory password to sign-in to Mimecast applications.

 

What You'll Need

 

  • An inbound connection from the Mimecast IP Range to your domain controller.
  • A user account with read permissions to Active Directory.
  • A Mimecast Administrator account with edit permissions to the following menu items:
    • Services | Directory Synchronization
    • Services | Applications

We recommend all inbound connections to your environment are secure.

Preparing Your Environment

 

  1. Ensure your firewall is configured to pass LDAP(S) requests from us to your domain controller.
  2. Create a user with read permissions to your Active Directory.

    We recommend the user's password is set never to expire, to prevent service interruptions. 

Creating the Mimecast Directory Connection

 

  1. Log on to the Administration Console.
  2. Select the Administration toolbar menu item.
  3. Select the Services | Directory Synchronization menu item.
  4. Select the New Directory Connector button.
  5. Complete the dialog as follows:

    Field / OptionDescription
    DescriptionEnter a description to help identify the directory connector.
    Server TypeSelect the "Active Directory LDAP" option.
    Hostname / IP AddressEnter the hostname or IP address to be used when the primary host is unavailable. See the Mimecast Gateway page for further details.
    Encrypt ConnectionSelect whether the connection should be encrypted using LDAP.
    Encryption Mode

    If the "Encrypt Connection" option is checked, specify one of the following encryption modes:

    ModeDescription
    Strict - Trust EnforcedThis mode requires a certificate issued by a Mimecast trusted public root certification authority, and a key length greater than 1024 bits to be installed on your domain controller.
    RelaxedThis mode must be used if your certificate is self-signed, has a key length of less than 1024 bits, or has an incomplete trust chain.
    Connection PortSpecify the port we should use to connect to your Active Directory (e.g. 636 for secure connections, and 389 for un-secured connections).
    Distinguished Name

    Specify the distinguished name and password of the user we should use to connect to your Active Directory. See the "Determining the Distinguished Name" section below for further detail.

    Root Distinguished NameSpecify the root distinguished name for your Active Directory domain (e.g. DC=domain,DC=local) to be used as a connection filter. If you only want to expose part of your Active Directory to us, enter a Root DN higher in your directory tree (e.g. OU=New York,DC=domain,DC=local).
    Acknowledge Disabled Accounts in Active Directory

    If selected, user accounts disabled in Active Directory are also disabled in Mimecast.

    Optional Email Domains Filter

    Optionally list the domains the directory connector synchronizes with. These can be specified where:

    • There are multiple directory connectors with each dedicated to specific domains.
    • The account is part of an Advanced Account Administration setup.

    Entries must be comma separated, and no spaces can be used.

  6. Select the Save and Exit button.

 

Determining the Distinguished Name

 

The Distinguished Name (DN) attribute refers to a user account and its position in the Active Directory tree hierarchy. To determine the DN of your user:

  1. Open a command prompt on your Domain Controller.
  2. Type the following command:

dsquery user –name mimecast_account
(where mimecast_account is the user account name).

 

The output looks like the example below. Exclude the quotation marks when adding the Distinguished Name to the directory connection (e.g. CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local).

Dsquery_results.png

 

Validating Your Configuration

 

To validate your settings:

  1. Log on to the Administration Console.
  2. Select the Administration toolbar menu item.
  3. Select the Services | Directory Synchronization menu item.
  4. Select the Directory Connection you want to test.
  5. Select the Test Connection button.

 

A series of tests are performed, and a results summary is displayed as described below:

  • Resolves the hostname to IP address (if hostname is entered).
  • Pings the connection.
  • Connects to the IP address on LDAP TCP port 389 (or the custom port entered).
  • Tests the retrieval of one email address in each of the internal domains you have registered with us. A result of "no results" can be considered a success and indicates the connection was successful.
  • Checks to see if there's a certificate and displays the results:
    • If the certificate isn't supported, or the certificate is not present, certificate details aren't displayed.
    • If the certificate is supported, we extract the CN of the certificate as well as the expiration date. Details for all chained certificates are displayed.
  • If an alternate IP address exists for the directory connection, the same tests above are conducted on the backup IP address.

The LDAP Connection test works even if the directory connector hasn't been saved. An administrator can select Test prior to saving your connector.

Finalizing the Integration

 

To complete the directory integration, activate the automatic synchronization and enable users to log in using their Active Directory passwords:

  1. Log on to the Administration Console.
  2. Select the Administration toolbar menu item.
  3. Select the Services | Applications menu item.
  4. Select the Authentication Profiles button.
  5. Select the Default Authentication Profile.
  6. Select the LDAP Directory Connector (Active Directory and Domino) option in the Domain Authentication Mechanisms drop down.
  7. Select the Save and Exit button.

 

Next Steps

 

Once these steps are complete, we'll synchronize with your Active Directory automatically three times daily at 8am, 1pm, and 11pm. To validate your scheduled synchronizations are completing successfully, view the status of a directory connection using the Services | Directory Synchronization Administration Console menu item. To test the connection immediately, and run a synchronization at any time, select the Synchronize LDAP Data button on the Services | Directory Synchronization page.

 

Customers with Multiple Domains

 

Parent Child Domains

 

If you operate with a parent, child domain organization, there are two ways to synchronize your domains. The choice you make depends on the number of Active Directory users and groups.

  • If you have less than a few thousand objects across your domains, it should be sufficient to use one LDAP connection. Just ensure the hostname points to a domain controller running the Global Catalog role, and that you use the Global Catalog port (e.g. 3269 secured or 3268 unsecured).
    If using the Global Catalog port, note that while Global Groups will be synchronized, group members won't because the member attribute isn't present in the Global Catalogue.
  • If you have tens of thousands of objects across your domains, consider creating a connection for each of your child domains to optimize performance. To do this repeat the steps above for each of your domains, using the Root Distinguished Name option to apply filters for each child domain on each connection.

 

Exchange Resource Domains

 

If you operate with an Exchange Resource domain, you'll have the same user objects in both of your domains, with the object enabled in one domain and disabled in another. You'll likely have resources in both domains you want to synchronize with us (e.g. additional distribution or security groups). In this scenario you should follow these steps:

  1. Create a directory connection for each of your domains by following the steps in the sections above.
  2. For the connection to the domain where your users are enabled, use the Acknowledge Disabled Accounts in Active Directory option so that legitimately disabled users are also disabled in Mimecast.
  3. For the connection to the domain where your users are disabled by design, don't use the Acknowledge Disabled Accounts in Active Directory option. This ensures Mimecast users don't unexpectedly become disabled.

 

Multiple Root Domains

 

If you operate with multiple different Active Directory domains (e.g. you recently acquired another company and inherited their domain, or your company has different Active Directory domains for global offices) you should create a directory connection for each of your domains following the steps outlined in the sections above.

5 people found this helpful

Attachments

    Outcomes