If you have an On Premises or Hybrid Active Directory, you can use LDAP directory synchronization to automatically manage your users and groups. This has the following benefits:
- The administrative overhead of performing these tasks is removed.
- Your end users can use their primary email address and Active Directory password to sign in to Mimecast applications.
What You'll Need
- Access to your domain controller server.
- Permissions to create user accounts on your Active Directory.
- Access to your network's public firewall.
The following prerequisite tasks must be performed before synchronizing your directory:
- Ensure there is a valid SSL certificate, signed by a recognized Certificate Authority (CA), installed on your domain controller. This is only required when configuring LDAPS, not LDAP.
- Create a user account that we can use to query your Active Directory, taking note of its distinguished name and password. To prevent interruptions to your service, set the user account to:
- Have read access to the parts of your directory that require synchronization.
- Have a password that doesn't expire.
- Not require a password change on first log in.
- Configure your firewall to accept LDAPS connections from our IP ranges, and to route these through to your domain controller. Our IP ranges are displayed in the Connect Application page.
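The following PowerShell script, added here as an example and not Mimecast's own, carries out the account and certificate prerequisites above on a domain controller: it creates the read-only sync account with a non-expiring password, prints the user and root distinguished names the connector form asks for, and checks that the domain controller presents a CA-signed certificate on the LDAPS port. The account name, OU path and host name are placeholders; it assumes the ActiveDirectory module is installed and you run it with rights to create users.

```powershell
# Added example (not Mimecast's own script). Assumes the ActiveDirectory module
# is installed and the session has permission to create user accounts.
Import-Module ActiveDirectory

$accountName = 'svc-mimecast-ldap'                        # placeholder name
$ouPath      = 'OU=Service Accounts,DC=domain,DC=local'   # placeholder OU
$password    = Read-Host -AsSecureString -Prompt 'Password for the sync account'

# Create the sync account: password never expires and no change is required at
# first logon, matching the prerequisites above.
New-ADUser -Name $accountName `
    -SamAccountName $accountName `
    -Path $ouPath `
    -AccountPassword $password `
    -PasswordNeverExpires $true `
    -ChangePasswordAtLogon $false `
    -Enabled $true

# Read access: by default Authenticated Users can read directory objects, so a
# plain user account is enough. Do not add it to any privileged group.

# Values to paste into the connector form.
$userDn = (Get-ADUser -Identity $accountName).DistinguishedName
$rootDn = (Get-ADDomain).DistinguishedName
Write-Host "User Distinguished Name: $userDn"
Write-Host "Root Distinguished Name: $rootDn"

# Verify the LDAPS certificate on port 636: AuthenticateAsClient throws if the
# chain is not trusted or the name does not match the host, which is exactly
# what the connector would reject.
$dcHost = 'dc1.domain.local'   # placeholder: the host the connector will use
$tcp = New-Object System.Net.Sockets.TcpClient($dcHost, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($dcHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "LDAPS OK: subject=$($cert.Subject) issuer=$($cert.Issuer) expires=$($cert.NotAfter)"
} catch {
    Write-Warning "LDAPS certificate validation failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Run the certificate check from a machine outside your network as well, since the connector reaches the domain controller through the public firewall rule rather than from the LAN.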
Determining the Distinguished Name
Enabling LDAP Directory Synchronization for Active Directory
With all the prerequisite tasks completed, you can start to enable LDAP directory synchronization for Active Directory:
- Click the Start button in the bottom right hand corner of the LDAP section. The Enter Your Directory Connection Details page is displayed.
- Specify your Active Directory connection details to create a Mimecast directory connector:
- Primary Host: Enter your Active Directory's hostname or public IP address.
- Alternate Host: Enter an alternate hostname or public IP address for your Active Directory, to be used when the primary host is unavailable. This is optional, but is recommended to ensure there is no break in service.
- Connection Port: Enter the port number for the connection.
- User Distinguished Name: Enter the user account's distinguished name (e.g. CN=Mimecast).
- Password: Enter the user account's password.
- Root Distinguished Name: Enter the domain's root distinguished name (e.g. DC=domain,DC=local).
- Click the Synchronize button. A summary page is displayed with your directory synchronization details.
Once these steps are complete, we'll automatically synchronize with your Active Directory at 8am, 1pm, and 11pm daily using your Mimecast region's timezone.
To validate that the synchronizations are completing successfully:
- Log on to the Administration Console.
- Click the Services | Directory Sync menu item.
Directory Synchronization Timings
We will automatically trigger a synchronization of your Active Directory at 8am, 1pm, and 11pm daily. These timings are taken from the region where your account is held (e.g. Europe, North America, South Africa, Australia). For the Europe region, the timing is in the GMT timezone. For the North America region, the timing is in the EST timezone. The synchronization timings will not be in your timezone if you are located in a different region than your Mimecast account.
Whilst a synchronization is automatically triggered at set times, there are a number of factors that control when you can see its results. These include the:
- Size of your Active Directory
- Number of changes
- Server load