If you have a G Suite, on-premise, or hybrid Active Directory, you can use LDAP directory synchronization to automatically manage your users and groups. This has the following benefits:
- The administrative overhead of performing these tasks is removed.
- End users can use their primary email address and Active Directory password to sign in to Mimecast applications.
We'll automatically trigger a synchronization of your Active Directory at 8am, 1pm, and 11pm daily. These timings are taken from the region where your account is held (e.g. Europe, North America, South Africa, Australia). For the Europe region, the timing is in GMT. For the North America region, the timing is EST. The synchronization timings will not be in your timezone if you are located in a different region than your Mimecast account. Whilst a synchronization is automatically triggered at set times, there are a number of factors that control when you can see its results. These include the:
- Size of your Active Directory
- Number of changes
- Server load
- Permission to create user accounts in your Active Directory.
- Access to your domain controller server.
- Access to your network's public firewall.
To synchronize your directory using LDAP, you'll need to complete the following tasks:
- Prepare your environment. This is a prerequisite external task.
- Create a Directory Connector in the Connect Application.
- Verify the synchronization in the Mimecast Administration Console.
If using G Suite, ensure that your Active Directory is synchronized with G Suite Directory using Google Cloud Directory Sync (GCDS).
The following prerequisite tasks must be performed before synchronizing your directory:
- Ensure there's a valid SSL certificate, signed by a recognized Certificate Authority (CA), installed on your domain controller. This is only required when configuring LDAPS, not LDAP.
- Create a user account we can use to query your Active Directory, taking note of its distinguished name and password. To prevent interruptions to your service, set the user account to:
  - Have read access to the parts of your directory that require synchronization.
  - Have a password that doesn't expire.
  - Not require a password change on the first log on.
- Configure your firewall to always accept LDAPS connections from our IP ranges, and to route these through to your domain controller. Our IP ranges are displayed on the Connect Application page.
Determining the Distinguished Name
The Distinguished Name (DN) attribute refers to a user account and its position in the Active Directory tree hierarchy. To determine the distinguished name of your user:
- Open a command prompt on your Domain Controller.
- Type the following command:
dsquery user -name <mimecast_account>
(where <mimecast_account> is the user account name).
The output is the user's Distinguished Name enclosed in quotation marks, for example "CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local". Ensure you exclude the quotation marks when adding the Distinguished Name to the Mimecast configuration (e.g. CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local).
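The following PowerShell script is an added example, not Mimecast's own tooling: run from a domain-joined Windows host with the ActiveDirectory RSAT module, it resolves the service account's Distinguished Name (the same value dsquery prints, without the quotation marks) and checks the prerequisites above: that the password never expires, that no password change is forced at first logon, that the LDAPS port is reachable, and whether the domain controller's certificate chains to a recognized CA (required for the Strict encryption mode). The account name, domain controller hostname and port are assumed placeholder values; substitute your own.

```powershell
# Added example (not Mimecast code). Assumed values: service account 'mimecast',
# domain controller 'dc1.domain.local', LDAPS port 636. Replace with your own.
param(
    [string]$SamAccountName   = 'mimecast',
    [string]$DomainController = 'dc1.domain.local',
    [int]$Port                = 636
)
Import-Module ActiveDirectory

# 1. Service account: DN plus the password settings that stop the sync breaking later.
$user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, pwdLastSet, Enabled
"Distinguished Name : $($user.DistinguishedName)"
if (-not $user.Enabled)              { Write-Warning "Account is disabled" }
if (-not $user.PasswordNeverExpires) { Write-Warning "Password will expire; set 'Password never expires'" }
if ($user.pwdLastSet -eq 0)          { Write-Warning "'User must change password at next logon' is set" }

# 2. Network path: the port entered as Connection Port must be reachable through the firewall.
$tnc = Test-NetConnection -ComputerName $DomainController -Port $Port -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) { throw "TCP port $Port on $DomainController is not reachable" }

# 3. TLS: record any certificate policy errors without aborting the handshake, so the
#    certificate can still be inspected even when it is self-signed.
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Certificate subject : $($cert.Subject)"
    "Certificate issuer  : $($cert.Issuer)"
    "Valid until         : $($cert.NotAfter)"
    if ($script:policyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
        Write-Warning "Certificate failed validation ($script:policyErrors); only 'Relaxed' mode would accept it"
    } else {
        "Certificate chains to a trusted CA: suitable for 'Strict' encryption mode"
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Run it from inside your network first; a second run from outside the firewall (or from a host on the published Mimecast IP ranges) confirms the inbound rule on the Connection Port.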
Creating a Mimecast Directory Connector
You can enable LDAP Directory Synchronization by creating a Mimecast Directory Connector in the Connect Application. To create a Mimecast Directory Connector:
- Navigate to the Platform | Synchronize Your Directory menu item.
- Click on the Start button in the bottom right-hand corner of the "Task Steps for LDAP" section.
- Ensure all steps in the "Prerequisite Tasks" section above have been followed.
- When you're ready, click on the Next button. The Create a Mimecast Directory Connector page is displayed.
- Enter your Active Directory connection details as below:
| Field | Mandatory / Not Mandatory | Description |
| --- | --- | --- |
| Primary Host | Mandatory | Enter your Active Directory's hostname or public IP address. |
| Secondary Host | Not Mandatory | Enter an alternate hostname or public IP address for your Active Directory, to be used when the primary host is unavailable. This is optional but recommended to ensure there are no breaks in service. |
| Encryption Mode | Mandatory | Select the encryption mode from the drop-down menu: Strict (CA-signed certificates only), Relaxed (self-signed certificates allowed), or None (not recommended). |
| Connection Port | Mandatory | Specify the port Mimecast should use to connect to your Active Directory. Typically this is 636 for secure connections or 389 for unsecured connections. |
| User Account Distinguished Name | Mandatory | Enter the user account's distinguished name (e.g. CN=Mimecast). |
| User Account Password | Mandatory | Enter the user account's password. |
| Domain Root Distinguished Name | Mandatory | Enter the domain's root distinguished name (e.g. DC=domain,DC=local). |
- Click the Synchronize button. A summary page is displayed with your directory synchronization details.
Verifying the Synchronization
To verify that the synchronizations are completing successfully:
- Log on to the Mimecast Administration Console.
- Click on the Services | Directory Synchronization menu item. The configurations will display.