Connect Application: Enabling LDAP Directory Synchronization for Active Directory

Document created by user.oxriBaJeN4 Employee on Apr 14, 2016Last modified by user.oxriBaJeN4 Employee on Jul 20, 2018
Version 16Show Document
  • View in full screen mode

Applies To...

 

This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here.

 

Overview

 

If you've a G Suite, On Premise, or Hybrid Active Directory, you can use LDAP directory synchronization to automatically manage your users and groups. This has the following benefits:

  • The administrative overhead of performing these tasks is removed.
  • End users can use their primary email address and Active Directory password to sign in to Mimecast applications.

 

We'll automatically trigger a synchronization of your Active Directory at 8am, 1pm, and 11pm daily. These timings are taken from the region where your account is held (e.g. Europe, North America, South Africa, Australia). For the Europe region, the timing is in GMT. For the North America region, the timing is EST. The synchronization timings will not be in your timezone if you are located in a different region than your Mimecast account. Whilst a synchronization is automatically triggered at set times, there are a number of factors that control when you can see its results. These include the:

  • Size of your Active Directory
  • Number of changes
  • Server load

 

Walkthrough

 

You'll need:

  • Permission to create user accounts in your Active Directory.
  • Access to your domain controller server.
  • Access to your network's public firewall.

 

To synchronize your directory using LDAP, you'll need to complete the following tasks:

  1. Prepare your environment. This is a prerequisite external task.
  2. Create a Directory Connector in the Connect Application.
  3. Verify the synchronization in the Mimecast Administration Console.

If using G Suite, ensure that your Active Directory is synchronized with G Suite Directory using Google Cloud Directory Sync (GCDS).

Prerequisite Tasks

 

The following prerequisite tasks must be performed before synchronizing your directory:

  1. Ensure there's a valid SSL certificate, signed by a recognized Certificate Authority (CA), installed on your domain controller. This is only required when configuring LDAPS, not LDAP.
  2. Create a user account we can use to query your Active Directory, taking note of it's distinguished name and password. To prevent interruptions to your service, set the user account to:
    • Have read access to the parts of your directory that require synchronization.
    • Have a password that doesn't expire.
    • Not require a password change on the first log on.
  3. Configure your firewall to always accept LDAPS connections from our IP ranges, and to route these through to your domain controller. Our IP ranges are displayed on the Connect Application page.

 

Determining the Distinguished Name

 

The Distinguished Name (DN) attribute refers to a user account and it's position in the Active Directory tree hierarchy. To determine the domain name of your user:

  1. Open a command prompt on your Domain Controller.
  2. Type the following command:

dsquery user –name <mimecast_account>
(where <mimecast_account> is the user account name).

 

The output is similar to the example below. Ensure you exclude the quotation marks when adding the Distinguished Name to the Mimecast configuration (e.g. CN=Mimecast,OU=Users,OU=London,DC=domain,DC=local).

Dsquery_results.png

 

Creating a Mimecast Directory Connector

 

You can enable LDAP Directory Synchronization by creating a Mimecast Directory Connector in the Connect Application.To create a Mimecast Directory Connector:

  1. Navigate to the Platform | Synchronize Your Directory menu item.
  2. Click on the Start button in the bottom right-hand corner of the "Task Steps for LDAP" section. 
  3. Ensure all steps in the "Prerequisite Tasks" section above have been followed.
  4. When you're ready, click on the Next button. The Create a Mimecast Directory Connector page is displayed.
  5. Enter your Active Directory connection details as below:

    FieldMandatory / Not MandatoryDescription
    Primary HostMandatoryEnter your Active Directory's hostname or public IP address.
    Secondary HostNot MandatoryEnter an alternate hostname or public IP address for your Active Directory, to be used when the primary host is unavailable. This is optional but recommended to ensure there are no breaks in service.
    Encryption ModeMandatory

    Select the encryption mode from the drop-down menu:

    • Strict: CA-signed certificates only.
    • Relaxed: Self-signed certificates allowed.
    • None: Not recommended.
    Connection PortMandatorySpecify the port Mimecast should use to connect to your Active Directory. Typically this is 636 for secure connections or 389 for unsecured connections.
    User Account Distinguished NameMandatoryEnter the user account's distinguished name (e.g. CN=Mimecast).
    User Account PasswordMandatoryEnter the user account's password.
    Domain Root Distinguished NameMandatoryEnter the domain's root distinguished name (e.g DC=domain,DC=local).
  6. Click the Synchronize button. A summary page is displayed with your directory synchronization details.

 

Verifying the Synchronization

 

To verify that the synchronizations are completing successfully:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Services | Directory Synchronization menu item. The configurations will display.

 

See Also...

 

1 person found this helpful

Attachments

    Outcomes