Enable LDAP Directory Sync for Active Directory

Document created by user.oxriBaJeN4 (Employee) on Sep 3, 2015. Last modified by user.oxriBaJeN4 (Employee) on May 26, 2017.

 

If you have an on-premises Active Directory, you can use the LDAP Directory Sync feature to automatically add and manage your users and groups, removing the administrative overhead of performing these tasks manually. Opening a connection between Mimecast and your Active Directory in this way also allows your end users to sign in to Mimecast applications with their primary email address and Active Directory password.

 

What You'll Need

 

  • An inbound connection from the Mimecast IP Range to your Domain Controller.
  • A user account with read permissions to Active Directory.
  • A Mimecast Administrator account with edit permissions to the following menu items:
    • Administration | Services | Directory Synchronization
    • Administration | Services | Applications

Mimecast strongly recommends that all inbound connections to your environment are secure: encrypt the connection (LDAPS, normally TCP port 636) and restrict the inbound firewall rule to the Mimecast IP range rather than exposing the Domain Controller to the internet.

Preparing Your Environment

 

  1. Ensure that your firewall is configured to pass LDAP(S) requests from the Mimecast IP range to your Domain Controller, and nothing more.
  2. Create a user that Mimecast will use to connect to your Active Directory.

    The user requires read permissions to Active Directory only; use a dedicated account that is not a member of any privileged group, with a long random password. To prevent interruptions to your service, we suggest that the password for this account is set to never expire and is not set to change on first logon. Because an LDAP simple bind sends this password in clear text unless the connection is encrypted, only ever use this account over LDAPS.

Creating the Mimecast Directory Connection

 

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Services | Directory Synchronization menu item. A list of directory connections is displayed.
  4. Click the New Directory Connector button.
  5. Complete the dialog as follows:

    Field / Option: Description
    Description: Provide a description to help identify the directory connector.
    Server Type: Leave this set to the "Active Directory LDAP" option.
    Hostname / IP Address: Enter the hostname or IP address of the Domain Controller Mimecast should connect to. If the dialog also offers an alternate host, enter there the hostname or IP address to be used when the primary host is unavailable. See the Mimecast Gateway page for further details.
    Encrypt Connection: Select whether the connection should be encrypted using LDAPS (LDAP over TLS). Leave this selected; without it the sync account's password crosses the network in clear text during the bind.
    Encryption Mode:

    If the "Encrypt Connection" option is checked, specify one of the following encryption modes:

     

    Mode: Description
    Strict - Trust Enforced: This mode requires a certificate issued by a Mimecast trusted public root certification authority, with a key length greater than 1024 bits, to be installed on your Domain Controller. Use this mode wherever possible; it is the only mode in which Mimecast verifies that it is actually talking to your Domain Controller.
    Relaxed: This mode must be used if your certificate is self signed, has a key length of less than 1024 bits, or has an incomplete trust chain. The connection is still encrypted, but because the certificate is not validated, anyone on the network path could present their own certificate and capture the bind credentials. Treat it as a temporary workaround until a publicly trusted certificate is installed on the Domain Controller.
    Connection Port: Specify the port Mimecast should use to connect to your Active Directory. Typically this will be 636 for secure connections and 389 for unsecured connections.
    Distinguished Name:

    Specify the Distinguished Name of the user Mimecast should use to connect to your Active Directory, and the Active Directory password for this user. See the Determining the Distinguished Name section below for further detail.

    Root Distinguished Name: Specify the Root Distinguished Name for your Active Directory domain (e.g. DC=domain,DC=local) to be used as a filter on the connection. If you only want to expose part of your Active Directory to Mimecast, enter a Root DN lower in your directory tree, i.e. a more specific container (e.g. OU=New York,DC=domain,DC=local). Only objects at or below that DN are synchronized.
    Acknowledge Disabled Accounts in Active Directory:

    If selected, user accounts disabled in Active Directory (the ACCOUNTDISABLE flag in userAccountControl) are also disabled in Mimecast.

    Optional Email Domains Filter:

    Optionally list the domains the Directory Connector will synchronize with. These can be specified where:

    • There are multiple Directory Connectors, and each Connector is dedicated to certain domains.
    • The account is part of an Advanced Account Administration setup.

    Entries must be comma separated. No spaces should be used.

  6. Click the Save and Exit button to save the connection details.

 

Determining the Distinguished Name

 

The Distinguished Name (DN) attribute refers to a user account and its position in the Active Directory tree hierarchy. In order to determine the DN of your user:

  1. Open a command prompt on your Domain Controller.
  2. Type the following command, replacing mimecast_account with the user account name:

dsquery user -name mimecast_account

 

The output will be similar to the example below. dsquery prints the DN wrapped in double quotes; be sure to exclude the quotation marks when adding the Distinguished Name to the Mimecast configuration (e.g. CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local).

 

(Screenshot: Dsquery_results.png)
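The following is an added example, not part of the original article or of Mimecast's own code. It shows how the Root Distinguished Name filter and the dsquery output above fit together: it strips the quotes dsquery wraps around a DN, parses DNs with Active Directory's case-insensitive matching and RFC 4514 backslash escapes, and reports which user objects a connector with a given Root DN would see. The sample DNs (the domain.local forest, the London and New York OUs and the user names) are constructed for illustration.

```python
"""Root DN scoping check for a Mimecast Directory Connector.

Added example (not Mimecast code): given the Distinguished Name that
dsquery prints and the Root Distinguished Name you plan to enter, show
which DNs fall inside the synchronised subtree. Attribute types and
values compare case-insensitively, commas inside values are backslash
escaped (RFC 4514), and dsquery's surrounding double quotes are removed.
"""
from typing import List, Tuple

RDN = Tuple[str, str]


def strip_dsquery_quotes(dn: str) -> str:
    """dsquery prints "CN=...,DC=local" in double quotes; Mimecast wants them removed."""
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"':
        dn = dn[1:-1]
    return dn


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) RDNs, leaf first, normalised for comparison.

    A backslash escapes the next character, so 'CN=Smith\\, John' stays one RDN.
    Multi-valued RDNs (joined with '+') are rare in AD and not handled here.
    """
    dn = strip_dsquery_quotes(dn)
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends the RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        # AD matches attribute types and (for these attributes) values case-insensitively.
        rdns.append((attr_type.strip().lower(), value.strip().casefold()))
    return rdns


def in_scope(dn: str, root_dn: str) -> bool:
    """True if dn lies at or below root_dn in the directory tree.

    A DN is under the root when its trailing RDNs (those nearest the domain)
    equal the root's RDNs, so 'OU=New York,DC=domain,DC=local' is a narrower
    scope than 'DC=domain,DC=local'.
    """
    target, root = parse_dn(dn), parse_dn(root_dn)
    return len(target) >= len(root) and target[len(target) - len(root):] == root


def select_in_scope(dns: List[str], root_dn: str) -> List[str]:
    """Return the entries from dns that a connector with root_dn would see."""
    return [d for d in dns if in_scope(d, root_dn)]


# Constructed sample data: a dsquery-style quoted DN for the sync account and
# a few user DNs from two sites plus a second domain. Names are illustrative.
SYNC_ACCOUNT_DN = '"CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local"'
SAMPLE_USER_DNS = [
    "CN=Alice Adams,OU=Users,OU=London,DC=domain,DC=local",
    "CN=Smith\\, John,OU=Users,OU=New York,DC=domain,DC=local",
    "CN=svc-backup,OU=Service Accounts,DC=domain,DC=local",
    "CN=Bob Brown,OU=Users,DC=other,DC=local",
]

if __name__ == "__main__":
    for root in ("DC=domain,DC=local", "OU=New York,DC=domain,DC=local"):
        print(f"Root DN {root}:")
        for d in select_in_scope(SAMPLE_USER_DNS, root):
            print("   ", d)
    print("Sync account under DC=domain,DC=local:",
          in_scope(SYNC_ACCOUNT_DN, "DC=domain,DC=local"))
```

Run it with the DN that dsquery printed and the Root DN you intend to use; if the sync account itself sits outside the Root DN that is fine (it only needs to bind), but any user or group outside it will silently never appear in Mimecast.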

 

Testing your Configuration

 

Once your configuration is complete it is possible to run a series of tests to validate your settings:

  1. Select the Administration | Services | Directory Synchronization menu item.
  2. Select the Directory Connection you would like to test.
  3. Click the Test Connection button.
  4. A series of tests will be started. A summary of the results is provided on screen as described below:
    • Resolves the hostname to IP address (if hostname is entered).
    • Pings the connection.
    • Connects to the IP address on the LDAP TCP port you have entered (389 by default; typically 636 for LDAPS).
    • Tests the retrieval of one email address in each of the domains you have registered with Mimecast as an Internal Domain. A result of "no results" can be considered a success and indicates that the connection was successful.
    • Checks to see if there is a certificate and displays the results:
      • If the certificate is not supported, or the certificate is not present, certificate details will not be displayed.
      • If the certificate is supported, Mimecast extracts the CN of the certificate as well as the expiration date. Details for all chained certificates are displayed.
    • If an alternate IP address exists for the Directory Connection, the same tests above are conducted on the backup IP address.

The LDAP connection test also works before the Directory Connector has been saved, so as an Administrator you can click Test Connection before saving your connector.

Finalizing the Integration

 

To complete the Directory Integration, activate the automatic synchronization and enable users to log in using their Active Directory passwords:

  1. Select the Administration | Services | Applications menu item.
  2. Click on the Authentication Profiles button.
  3. Click on the Default Authentication Profile to enable you to change it.
  4. Select the LDAP Directory Connector (Active Directory and Domino) option in the Domain Authentication Mechanisms drop down.
  5. Click the Save and Exit button.

 

Next Steps

 

Once these steps are complete, Mimecast will synchronize with your Active Directory automatically three times per day, at 8am, 1pm, and 11pm. To validate that your scheduled syncs are completing successfully, you can view the status of a Directory Connection in the Administration | Services | Directory Synchronization list view page of the Administration Console. To test the connection immediately and run an on-demand sync at any time, click the Synchronize LDAP Data button on the Administration | Services | Directory Synchronization page.

 

Advanced: Guidance for Customers with Multiple Domains

 

Parent Child Domains

 

If you operate with a parent/child domain structure, you have two ways to sync all of your domains; the choice should depend on the number of users and groups in your Active Directory.

  • If you have up to a few thousand objects across all of your domains, it should be sufficient to use one LDAP connection, ensuring that the hostname used points to a Domain Controller that is running the Global Catalog role, and that you use the Global Catalog port, typically 3269 secured or 3268 unsecured.
    When using the Global Catalog port, note that while global groups will be synchronized, their members will not. The Global Catalog only holds a partial attribute set for objects from other domains, and global group membership (unlike universal group membership) is not replicated to it, so the member attribute is absent.
  • If you have tens of thousands of objects across all of your domains, consider creating a connection for each of your child domains to optimize performance.

 

To do this repeat the steps above for each of your domains, using the Root Distinguished Name option to apply filters for each child domain on each connection.

 

Exchange Resource Domains

 

If you operate with an Exchange Resource domain, by design you will have the same user objects in both of your domains, with the object enabled in one domain and disabled in another. It is likely that you will have resources in both domains that you want to sync with Mimecast, for example, additional distribution or security groups. In this scenario you should follow these steps:

  1. Create a Mimecast Directory Connection for each of your domains by following the steps in the sections above.
  2. For the connection to the domain where your users are enabled use the Acknowledge Disabled Accounts in Active Directory option so that legitimately disabled users are also disabled in Mimecast.
  3. For the connection to the domain where your users are disabled by design do not use the Acknowledge Disabled Accounts in Active Directory option. This will ensure that Mimecast users do not unexpectedly become disabled.

 

Multiple Root Domains

 

If you operate with multiple different Active Directory domains (for example, your organization has recently acquired another company and inherited their domain, or your company has different Active Directory domains for global offices), create a Mimecast Directory Connection for each of your domains following the steps outlined in the sections above.
