AD Sync: Configuration Requirements

Prior to configuring the sync, your AD should be configured with the user groups for Zapp distribution.

There are two ways to configure the groups’ structure. Each type uses a different query.

You should choose the option that best reflects the current structure of the groups in the organization’s AD. If the organization commonly uses nesting in its existing groups, new Capriza-specific groups should be created (Option 1). If nesting is not used in the current group structure, it is safe to use the existing groups for the sync, with a single “Nesting” group used to control the sync (Option 2).

Option 1: Capriza-Specific Groups

Prior to configuring the sync, your AD should be configured with the groups of users for Zapp distribution. More specifically, you should configure these groups such that there is one “master” group containing all of the Capriza-enabled users, plus any other groups for more granular Zapp distribution (e.g. managers, controllers, etc.). Do not nest these groups; each group should contain a set of users. The sync will ignore any groups inside of these Capriza groups.

Note that the naming convention is also significant. The AD Sync tool will query for all Capriza groups using a wildcard search, so it is recommended that all Capriza groups to be synchronized begin with the same string, like "capriza_".

[Image: Option_1.png]

An example Option 1 query is:

(|(&(objectClass=user)(memberof=CN=<CAPRIZA_ALL>,OU=<CUSTOMER_ORG_SPEC>))(&(objectCategory=group)(CN=CAPRIZA_*)))

Where:

  • CAPRIZA_ALL (the Capriza group name) - the name of the group pointing to all users that will interact with Zapps.
  • CUSTOMER_ORG_SPEC - the OU string describing the org unit location of that group.
  • CAPRIZA_* - a substring that matches all groups the customer can use for distributing their Zapps.


Option 2: Utilize Existing Groups

This option is best in cases where existing groups can be synced as a whole and those groups are flat, with no nested groups inside them.

For this type of synchronization, only one new group should be introduced, named “Capriza_Nesting”. Then, all groups that should be synced are added to that group as nested groups (one level of nesting only).

[Image: Option_2.png]

A user can be included in more than one group.

The “Capriza_Nesting” group itself will not be synced.

An example Option 2 query is:

(|(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=<Capriza_Nesting_Group_Name>,OU=SomeOU,DC=SomeDomain,DC=com))(&(objectCategory=group)(memberof:1.2.840.113556.1.4.1941:=CN=<Capriza_Nesting_Group_Name>,OU=SomeOU,DC=SomeDomain,DC=com)))
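The following Python helper is an added example, not part of Capriza's AD Sync tool: it builds the Option 1 and Option 2 filters from a group DN and a group-name prefix, escaping those values per RFC 4515 so a DN containing "(" or "*" cannot change the filter's meaning, and it checks that a filter is syntactically well-formed before you hand it to your Capriza contact (it flags, for example, a branch written as "((objectCategory=group)...)" with the "&" missing). The group DNs used are constructed sample values.

```python
import re
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: transitive (nested) membership

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a DN or prefix placed in a filter cannot change its structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def option1_filter(master_group_dn: str, prefix: str) -> str:
    """Option 1: direct members of the master group, plus every group whose cn starts with prefix."""
    return "(|(&(objectClass=user)(memberof=%s))(&(objectCategory=group)(cn=%s*)))" % (
        escape_filter_value(master_group_dn), escape_filter_value(prefix))

def option2_filter(nesting_group_dn: str) -> str:
    """Option 2: users and groups that are members (at any depth) of the nesting group."""
    dn = escape_filter_value(nesting_group_dn)
    return "(|(&(objectClass=user)(memberof:%s:=%s))(&(objectCategory=group)(memberof:%s:=%s)))" % (
        IN_CHAIN, dn, IN_CHAIN, dn)

# One assertion: attr[:rule]:=value, attr=value, attr>=value ... (the value may not contain bare parens).
ASSERTION = re.compile(r"[A-Za-z][\w.;-]*(:[\w.-]+)*:?[~<>]?=[^()]*")

def _parse(s: str, i: int) -> int:
    """Parse one filter starting at s[i]; return the index just past its closing ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":          # (&...) / (|...): one or more sub-filters
        i += 1
        if i >= len(s) or s[i] != "(":
            raise ValueError("operator without operand at %d" % i)
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
    elif i < len(s) and s[i] == "!":         # (!...): exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                     # a bare '(' here (a missing '&') fails the assertion regex
        j = s.find(")", i)
        if j < 0 or not ASSERTION.fullmatch(s[i:j]):
            raise ValueError("malformed assertion %r" % s[i:j])
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return i + 1

def filter_is_well_formed(f: str) -> bool:
    try:
        return _parse(f, 0) == len(f)
    except ValueError:
        return False
```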
AD Sync Parameters

During the installation call, you will need to provide the following information to your Capriza contact:

  1. LDAP URL, e.g. ldap://domain.com
  2. LDAP user DN, for a service account that can query AD
  3. LDAP user’s password, or a file containing the password, for the same service account. If a file is provided, the full path to the file is required.
  4. LDAP search base, e.g. DC=domain,DC=com
  5. The AD attribute name for the email address, typically "mail".
  6. A standard ldapsearch-style query for fetching user emails together with their associated groups (see the examples above).

Note: Users that are synced via this tool will also be removed from Capriza if they no longer appear in the source.