Connect Application: Enabling LDAP Directory Synchronization for Active Directory

Document created by user.oxriBaJeN4 (Employee) on Apr 14, 2016. Last modified by user.Yo2IBgvWqr on Dec 5, 2017. Version 14.

Applies To...

 

This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, a separate page covers directory synchronization for your setup.

 

Overview

 

If you have an on-premises or hybrid Active Directory, you can use LDAP directory synchronization to automatically manage your users and groups. This has the following benefits:

  • The administrative overhead of performing these tasks is removed.
  • End users can use their primary email address and Active Directory password to sign in to Mimecast applications.

 

To synchronize your directory using LDAP, you'll need to complete the following tasks:

  1. Prepare your environment. This is a prerequisite external task.
  2. Create a Directory Connector in the Connect Application.
  3. Verify the synchronization in the Mimecast Administration Console.

 

What You'll Need

 

  • Permission to create user accounts in your Active Directory.
  • Access to your domain controller server.
  • Access to your network's public firewall.

Prerequisite Tasks

 

The following prerequisite tasks must be performed before synchronizing your directory:

  1. Ensure there is a valid SSL/TLS certificate installed on your domain controller that names the hostname you will enter as the Primary Host. A certificate is needed for any LDAPS connection; only the Strict encryption mode additionally requires it to be signed by a recognized Certificate Authority (CA), whereas Relaxed accepts a self-signed certificate. No certificate is needed for unencrypted LDAP, which is not recommended because the bind password and directory contents would cross the Internet in cleartext.
  2. Create a dedicated user account that we can use to query your Active Directory, taking note of its distinguished name and password. To prevent interruptions to your service, set the user account to:
    • Have read access to the parts of your directory that require synchronization, and no other rights (do not make it a member of any privileged group).
    • Have a long, randomly generated password that doesn't expire, stored in your password vault.
    • Not require a password change on the first log on.
  3. Configure your firewall to accept LDAPS connections (TCP port 636 by default) only from our IP ranges, and to route these through to your domain controller. Do not expose the domain controller's LDAP ports to the whole Internet. Our IP ranges are displayed on the Connect Application page.

 

Determining the Distinguished Name

 

The Distinguished Name (DN) attribute refers to a user account and its position in the Active Directory tree hierarchy. 

 

To determine the Distinguished Name of your user:

  1. Open a command prompt on your Domain Controller.
  2. Type the following command:

    dsquery user -name <mimecast_account>
    (where <mimecast_account> is the user account name). Note that -name matches the account's name (CN) attribute; if the account's logon name differs from its CN, use -samid <logon_name> instead.

 

The output is a quoted distinguished name, similar to the example below. Ensure you exclude the quotation marks when adding the Distinguished Name to the Mimecast configuration (e.g. CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local).

[Screenshot: dsquery output showing the quoted distinguished name]
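The prerequisite tasks and the distinguished-name lookup above can be done in one script. The following PowerShell is an added example, not code from the Mimecast page: it creates the read-only bind account with the required password settings, checks that a CA-issued LDAPS certificate and the LDAPS port are in place on the domain controller, and prints the two distinguished names the connector form asks for. The account name, OU path and domain controller name are assumptions; replace them with your own. Run it on a domain controller (or a host with the RSAT ActiveDirectory module) as an account permitted to create users.

```powershell
# Added example, not part of the Mimecast page: prepares the read-only bind account
# and checks the LDAPS prerequisites described above, then prints the two DNs the
# connector form asks for. Assumed values: the account name, target OU and DC name.
Import-Module ActiveDirectory

$AccountName = 'svc-mimecast'                              # assumed sAMAccountName
$CommonName  = 'Mimecast'                                  # CN, as in the page's example DN
$OuPath      = 'OU=Service Accounts,DC=domain,DC=local'    # assumed OU for service accounts
$DcHost      = 'dc01.domain.local'                         # assumed DC FQDN (internal name)

# A 256-bit random password: the account must not expire, so make the secret strong
# and keep it only in your password vault and in the Mimecast connector.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$PlainPassword  = [Convert]::ToBase64String($bytes)
$SecurePassword = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force

# Least privilege: a plain domain user already has read access to users and groups,
# so the account gets no group membership beyond the default Domain Users.
New-ADUser -Name $CommonName -SamAccountName $AccountName -Path $OuPath `
    -AccountPassword $SecurePassword -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -CannotChangePassword $true `
    -Description 'Mimecast LDAP directory synchronization (read-only bind account)'

# The two distinguished names the Create a Mimecast Directory Connector page asks for.
$UserDn = (Get-ADUser -Identity $AccountName).DistinguishedName
$RootDn = (Get-ADDomain).DistinguishedName

# Strict encryption mode needs a server-authentication certificate on the DC that is
# CA-issued (not self-signed), unexpired, has its private key and names the DC.
# This part must run on the DC itself.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$LdapsCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -ne $_.Issuer -and                       # self-signed would only satisfy Relaxed
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid) -and
        ($_.DnsNameList.Unicode -contains $DcHost)
    } | Sort-Object -Property NotAfter -Descending | Select-Object -First 1

# LDAPS must be listening on TCP 636; the firewall forwards this port to the DC
# from Mimecast's published IP ranges only.
$Ldaps = Test-NetConnection -ComputerName $DcHost -Port 636 -WarningAction SilentlyContinue

[pscustomobject]@{
    UserAccountDistinguishedName = $UserDn
    DomainRootDistinguishedName  = $RootDn
    BindPassword                 = $PlainPassword          # shown once; store it in a vault
    CaSignedLdapsCertificate     = $(if ($LdapsCert) { $LdapsCert.Thumbprint } else { 'MISSING' })
    LdapsPortOpen                = $Ldaps.TcpTestSucceeded
}
```

If CaSignedLdapsCertificate reports MISSING, Strict mode will fail the handshake; either enrol the domain controller for a server-authentication certificate from a recognized CA or fall back to Relaxed, accepting the weaker protection against an on-path attacker that this implies.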

 

Creating a Mimecast Directory Connector

 

With the prerequisite tasks completed, you can enable LDAP Directory Synchronization by creating a Mimecast Directory Connector in the Connect Application.

 

To create a Mimecast Directory Connector:

  1. Navigate to the Platform | Synchronize Your Directory menu item.
  2. Click the Start button in the bottom right-hand corner of the Task Steps for LDAP section. 
  3. Check that all steps have been followed in the Preparing Your Environment section above, and when you are ready, click Next.
  4. The Create a Mimecast Directory Connector page is displayed. Enter your Active Directory connection details as below:

    • Primary Host (mandatory): Enter your Active Directory's hostname or public IP address. With the Strict encryption mode, enter the hostname that appears on the domain controller's certificate.
    • Secondary Host (not mandatory): Enter an alternate hostname or public IP address for your Active Directory, to be used when the primary host is unavailable. While this is optional, it is recommended to ensure there are no breaks in service.
    • Encryption Mode (mandatory): Select the encryption mode from the drop-down menu:
      • Strict - CA-signed certificates only. The domain controller's certificate must chain to a recognized CA.
      • Relaxed - self-signed certificates allowed. The certificate chain is not validated, so an attacker on the path between us and your firewall could present their own certificate and read the bind credentials.
      • None (not recommended) - no encryption; the bind password and directory contents cross the Internet in cleartext.
    • Connection Port (mandatory): Enter the port number for the connection (636 is the default for LDAPS, 389 for unencrypted LDAP).
    • User Account Distinguished Name (mandatory): Enter the full distinguished name of the account created in the prerequisite tasks, as returned by dsquery (e.g. CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local).
    • User Account Password (mandatory): Enter the user account's password.
    • Domain Root Distinguished Name (mandatory): Enter the domain's root distinguished name (e.g. DC=domain,DC=local).
  5. Click the Synchronize button. A summary page is displayed with your directory synchronization details.
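Before clicking Synchronize, it is worth proving the values you have entered from outside your network, along the path Mimecast will use. The PowerShell below is an added example, not Mimecast's own code: it performs the same LDAPS simple bind and a small search from the root DN that the connector will perform, and it applies the certificate checks that correspond to the Strict mode (set $Relaxed to $true to see what Relaxed accepts). The public hostname, bind DN and root DN are assumptions taken from the page's examples; replace them with your own.

```powershell
# Added example, not Mimecast's code: reproduce the connector's LDAPS bind and search
# with the form values, so a wrong host, port, DN, password or certificate is found
# before you click Synchronize. Assumed values: public hostname and the DNs below.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$PrimaryHost = 'ldap.domain.example'                                  # assumed public DC name
$Port        = 636                                                    # LDAPS (389 = plain LDAP)
$BindDn      = 'CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local'    # from dsquery / Get-ADUser
$RootDn      = 'DC=domain,DC=local'                                   # domain root DN
$Relaxed     = $false      # $true emulates Relaxed mode: no chain check, self-signed accepted
$Password    = Read-Host -Prompt "Password for $BindDn" -AsSecureString

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $PrimaryHost, $Port
$credential = New-Object System.Net.NetworkCredential -ArgumentList $BindDn, $Password
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList `
    $identifier, $credential, ([System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.ProtocolVersion   = 3
# A simple bind sends the password itself; only TLS protects it. "None" mode (port 389,
# SecureSocketLayer off) would put it on the wire in cleartext.
$conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)

# Strict behaviour: accept the DC's certificate only if it chains to a trusted CA and
# names the host we connected to. Relaxed skips both, which is what lets an on-path
# attacker present a certificate of their own.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    if ($Relaxed) { return $true }
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $names   = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    return ($chainOk -and ($names -contains $PrimaryHost))
}.GetNewClosure()

try {
    $conn.Bind()   # throws LdapException on bad credentials, unreachable host or rejected certificate
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
        $RootDn, '(&(objectCategory=person)(objectClass=user)(mail=*))',
        ([System.DirectoryServices.Protocols.SearchScope]::Subtree), ([string[]]@('mail', 'sAMAccountName'))
    $request.SizeLimit = 5          # a sample is enough to prove read access from the root DN
    try {
        $response = $conn.SendRequest($request)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Reaching SizeLimit is reported as an error result carrying the partial entries.
        if ($_.Exception.Response.ResultCode -ne 'SizeLimitExceeded') { throw }
        $response = $_.Exception.Response
    }
    foreach ($entry in $response.Entries) {
        '{0} -> {1}' -f $entry.Attributes['sAMAccountName'][0], $entry.Attributes['mail'][0]
    }
} finally {
    $conn.Dispose()
}
```

A bind that succeeds only with $Relaxed set to $true means the domain controller's certificate either does not chain to a CA trusted by the client or does not carry the Primary Host name, and the Strict mode will fail for the same reason.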

 

Once these steps are complete, we'll automatically synchronize with your Active Directory at 8am, 1pm, and 11pm daily using your Mimecast region's timezone.

 

Verifying the Synchronization

 

To verify that the synchronizations are completing successfully:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Services | Directory Synchronization menu item. The directory synchronization configurations are displayed.

 

Directory Synchronization Timings

 

We will automatically trigger a synchronization of your Active Directory at 8am, 1pm, and 11pm daily. These timings are taken from the region where your account is held (e.g. Europe, North America, South Africa, Australia). For the Europe region, the timing is in GMT. For the North America region, the timing is EST. The synchronization timings will not be in your timezone if you are located in a different region than your Mimecast account.

 

Whilst a synchronization is automatically triggered at set times, there are a number of factors that control when you can see its results. These include the:

  • Size of your Active Directory
  • Number of changes
  • Server load
