If you have an on-premises or hybrid Active Directory, you can use LDAP directory synchronization to automatically manage your users and groups. This has the following benefits:
- The administrative overhead of creating and maintaining these users and groups by hand is removed.
- End users can use their primary email address and Active Directory password to sign in to Mimecast applications.
To synchronize your directory using LDAP, you'll need to complete the following tasks:
- Prepare your environment. This is a prerequisite external task.
- Create a Directory Connector in the Connect Application.
- Verify the synchronization in the Mimecast Administration Console.
What You'll Need
- Permission to create user accounts in your Active Directory.
- Access to your domain controller server.
- Access to your network's public firewall.
The following prerequisite tasks must be performed before synchronizing your directory:
- Ensure there is a valid SSL/TLS certificate, signed by a recognized Certificate Authority (CA), installed on your domain controller. This is only required when configuring LDAPS, not LDAP. Note that plain LDAP carries the bind account's password and the synchronized directory data unencrypted across the internet between our IP ranges and your domain controller, so LDAPS is the mode you should plan for.
- Create a user account that we can use to query your Active Directory, taking note of its full distinguished name and password. To prevent interruptions to your service, set the user account to:
  - Have read access to the parts of your directory that require synchronization, and nothing more. Do not add it to Domain Admins or any other privileged group; read access is all the synchronization needs.
  - Have a password that doesn't expire.
  - Not require a password change on the first log on.
- Configure your firewall to always accept LDAPS connections from our IP ranges, and to route these through to your domain controller. Restrict the rule to those source ranges and to the LDAPS port rather than exposing the domain controller to the whole internet. Our IP ranges are displayed on the Connect Application page.
Determining the Distinguished Name
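The following PowerShell is an added example for the account prerequisites above and for finding the distinguished names the connector form asks for; it is not part of the Mimecast page. It assumes a domain-joined host with the ActiveDirectory RSAT module, and the account name, OU path and domain (svc-mimecast-ldap, OU=Service Accounts,DC=domain,DC=local) are placeholders to adapt.

```powershell
# Added example (not from the Mimecast page): create a read-only service account with the
# settings the prerequisites call for, then retrieve the distinguished names for the
# connector form. Account name, OU and domain below are assumptions.
Import-Module ActiveDirectory

$Name     = 'svc-mimecast-ldap'                        # assumed account name
$OuPath   = 'OU=Service Accounts,DC=domain,DC=local'   # assumed OU; it must already exist
$Password = Read-Host -Prompt 'Password for the sync account' -AsSecureString

# Password never expires, no forced change at first logon, account enabled.
New-ADUser -Name $Name `
    -SamAccountName $Name `
    -Path $OuPath `
    -AccountPassword $Password `
    -PasswordNeverExpires $true `
    -ChangePasswordAtLogon $false `
    -CannotChangePassword $true `
    -Enabled $true `
    -Description 'Read-only LDAP bind account for Mimecast directory sync'

# Do NOT add the account to Domain Admins or any other privileged group. In a default
# domain an authenticated user can already read the user and group attributes the sync
# needs. If your domain tightens the default read ACLs, grant read explicitly and only on
# the containers being synchronized, e.g. (optional, assumed OU):
#   dsacls "OU=Users,DC=domain,DC=local" /I:T /G "DOMAIN\svc-mimecast-ldap:GR"

# Full distinguished name for the "User Account Distinguished Name" field.
$account = Get-ADUser -Identity $Name -Properties PasswordNeverExpires
$account.DistinguishedName
# e.g. CN=svc-mimecast-ldap,OU=Service Accounts,DC=domain,DC=local

# Domain root for the "Domain Root Distinguished Name" field.
(Get-ADDomain).DistinguishedName
# e.g. DC=domain,DC=local

# Sanity checks before handing the credentials over: enabled, non-expiring password,
# and no membership in privileged groups (the list should contain only Domain Users).
$account.Enabled -and $account.PasswordNeverExpires
Get-ADPrincipalGroupMembership -Identity $Name | Select-Object -ExpandProperty Name
```

An RDN such as CN=Mimecast on its own is not a bind DN; the connector needs the full path that `Get-ADUser` returns. Keep the account's group membership to Domain Users only, and review it whenever the account's ACLs are changed.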
Creating a Mimecast Directory Connector
With the prerequisite tasks completed, you can enable LDAP Directory Synchronization by creating a Mimecast Directory Connector in the Connect Application.
To create a Mimecast Directory Connector:
- Navigate to the Platform | Synchronize Your Directory menu item.
- Click the Start button in the bottom right-hand corner of the Task Steps for LDAP section.
- Check that all steps have been followed in the Preparing Your Environment section above, and when you are ready, click Next.
- The Create a Mimecast Directory Connector page is displayed. Enter your Active Directory connection details as below:
- Primary Host (mandatory): Enter your Active Directory's hostname or public IP address. If you intend to use the Strict encryption mode, enter the hostname that the domain controller's certificate was issued for rather than an IP address.
- Secondary Host (not mandatory): Enter an alternate hostname or public IP address for your Active Directory, to be used when the primary host is unavailable. While this is optional, it is recommended to ensure there are no breaks in service.
- Encryption Mode (mandatory): Select the encryption mode from the drop-down menu:
  - Strict - CA-signed certificates only. This is the mode to use: the domain controller's identity is verified before the bind password is sent.
  - Relaxed - self-signed certificates allowed. The connection is encrypted, but any host that can complete a TLS handshake is accepted, so the bind credentials are exposed to a man-in-the-middle on the path.
  - None (not recommended): the bind password and directory data cross the internet in cleartext.
- Connection Port (mandatory): Enter the port number for the connection. The standard ports are 636 for LDAPS and 389 for plain LDAP.
- User Account Distinguished Name (mandatory): Enter the user account's full distinguished name (e.g. CN=Mimecast,OU=Service Accounts,DC=domain,DC=local).
- User Account Password (mandatory): Enter the user account's password.
- Domain Root Distinguished Name (mandatory): Enter the domain's root distinguished name (e.g. DC=domain,DC=local).
- Click the Synchronize button. A summary page is displayed with your directory synchronization details.
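Before clicking Synchronize it is worth confirming, from outside your network, that the host you entered as Primary Host is reachable through the firewall on the LDAPS port and presents a certificate that Strict mode will accept. The following PowerShell is an added example, not code from the Mimecast page; it uses the .NET SslStream class to perform the TLS handshake the way a strict client would, and the hostname ldaps.domain.local is a placeholder.

```powershell
# Added example (not from the Mimecast page): connect to the domain controller's LDAPS
# port through the public firewall and report whether its certificate chains to a
# trusted CA and matches the hostname, i.e. whether Strict mode would accept it.
# Run from a host outside your network so the firewall rule is exercised too.
param(
    [string]$DcHost = 'ldaps.domain.local',   # assumed public hostname of the DC
    [int]$Port      = 636                     # standard LDAPS port
)

function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)   # fails here if the firewall rule or listener is missing
    } catch {
        return [pscustomobject]@{ Server = $Server; Reachable = $false; Error = $_.Exception.Message }
    }

    # Record chain/name errors instead of aborting, so the certificate can still be
    # inspected; StrictOk below is the verdict a strict client would have reached.
    $state = @{ Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        return $true
    }.GetNewClosure()

    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Server)   # TLS handshake; the name check uses $Server
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server      = $Server
            Reachable   = $true
            StrictOk    = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
            PolicyError = $state.Errors
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            NotAfter    = $cert.NotAfter
            TlsVersion  = $ssl.SslProtocol
        }
    } catch {
        [pscustomobject]@{ Server = $Server; Reachable = $true; StrictOk = $false; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

Test-LdapsCertificate -Server $DcHost -Port $Port | Format-List
```

If Reachable is $false, fix the firewall rule before anything else. If StrictOk is $false (PolicyError shows RemoteCertificateChainErrors or RemoteCertificateNameMismatch, or SelfSigned is $true), replace the certificate on the domain controller rather than downgrading the connector to Relaxed, since Relaxed accepts whatever certificate the far end presents. Also check NotAfter: a certificate that expires silently breaks a Strict-mode sync.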
Once these steps are complete, we'll automatically synchronize with your Active Directory at 8am, 1pm, and 11pm daily using your Mimecast region's timezone.
Verifying the Synchronization
To verify that the synchronizations are completing successfully:
- Log on to the Mimecast Administration Console.
- Click on the Services | Directory Synchronization menu item. Your directory synchronization configurations are displayed, where you can check the outcome of the most recent run.
Directory Synchronization Timings
We will automatically trigger a synchronization of your Active Directory at 8am, 1pm, and 11pm daily. These timings are taken from the region where your account is held (e.g. Europe, North America, South Africa, Australia). For the Europe region, the timing is in GMT. For the North America region, the timing is EST. The synchronization timings will not be in your timezone if you are located in a different region than your Mimecast account.
Whilst a synchronization is automatically triggered at set times, there are a number of factors that control when you can see its results. These include the:
- Size of your Active Directory
- Number of changes
- Server load