Connect Application: Enabling LDAP Directory Synchronization for Active Directory

Document created by user.oxriBaJeN4 Employee on Apr 14, 2016Last modified by user.Yo2IBgvWqr on Oct 10, 2017
Version 13Show Document
  • View in full screen mode

Applies To...


This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here.




If you have an On Premises or Hybrid Active Directory, you can use LDAP directory synchronization to automatically manage your users and groups. This has the following benefits:

  • The administrative overhead of performing these tasks is removed.
  • Your end users can use their primary email address and Active Directory password to sign in to Mimecast applications.


What You'll Need


  • Access to your domain controller server.
  • Permissions to create user accounts on your Active Directory.
  • Access to your network's public firewall.


Prerequisite Tasks


The following prerequisite tasks must be performed before synchronizing your directory:

  1. Ensure there is a valid SSL certificate, signed by a recognized Certificate Authority (CA), installed on your domain controller. This is only required when configuring LDAPS, not LDAP.
  2. Create a user account that we can use to query your Active Directory, taking note of it's distinguished name and password. To prevent interruptions to your service, set the user account to:
    • Have read access to the parts of your directory that require synchronization.
    • Have a password that doesn't expire.
    • Not require a password change on first log in.
  3. Configure your firewall to accept LDAPS connections from our IP ranges, and to route these through to your domain controller. Our IP ranges are displayed in the Connect Application page.


Determining the Distinguished Name 


The Distinguished Name (DN) attribute refers to a user account and its position in the Active Directory tree hierarchy. In order to determine the DN of your user:

  1. Open a command prompt on your Domain Controller.
  2. Type the following command:

    dsquery user –name mimecast_account
    (where mimecast_account is the user account name).


The output will be similar to the example below. Be sure to exclude the quotation marks when adding the Distinguished Name to the Mimecast configuration (e.g. CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local).




Enabling LDAP Directory Synchronization for Active Directory


With all the prerequisite tasks completed, you can start to enable LDAP directory synchronization for Active Directory:

  1. Click the Start button in the bottom right hand corner of the LDAP section. The Enter Your Directory Connection Details page is displayed.
  2. Specify your Active Directory connection details to create a Mimecast directory connector:

    Primary HostEnter your Active Directory's hostname or public IP address.
    Alternate HostEnter an alternate hostname or public IP address for your Active Directory, to be used when the primary host is unavailable. This is optional, but is recommended to ensure there is no break in service.
    Connection PortEnter the port number for the connection.
    User Distinguished NameEnter the user account's distinguished name (e.g. CN=Mimecast).
    PasswordEnter the user account's password.
    Root Distinguished NameEnter the domain's root distinguished name (e.g DC=domain,DC=local).
  3. Click the Synchronize button. A summary page is displayed with your directory synchronization details.


Once these steps are complete, we'll automatically synchronize with your Active Directory at 8am, 1pm, and 11pm daily using your Mimecast region's timezone.


Validating Synchronizations


To validate that the synchronizations are completing successfully:

  1. Log on on the Administration Console.
  2. Click the Services | Directory Sync menu item.


Directory Synchronization Timings


We will automatically trigger a synchronization of your Active Directory at 8am, 1pm, and 11pm daily. These timings are taken from the region where your account is  held (e.g. Europe, North America, South Africa, Australia). For the Europe region, the timing is in the GMT timezone. For the North America region, the timing is in the EST timezone. The synchronization timings will not be in your timezone if you are located in a different region than your Mimecast account.


Whilst a synchronization is automatically triggered at set times, there are a number of factors that control when you can see its results. These include the:

  • Size of your Active Directory
  • Number of changes
  • Server load