AD/LDAP Synchronization

Question

What mechanisms do the iMaster NCE-Campus use to trigger data synchronization from an external data source?

Answer

Question

How do I use the AD/LDAP tool to check the organizational structure of the AD/LDAP server, base DNs, OUs, groups, and user attributes?

Answer

Download Apache Directory Studio, JXplorer, or Active Directory Explorer. The following example describes how to connect Apache Directory Studio 1.5.3.v20100330 and JXplorer V3.3.1 to the AD server.

• Connect Apache Directory Studio to the AD server.
  1. After the Apache Directory Studio is installed, open Apache Directory Studio. Choose File > New.
  2. Select LDAP Connection and click Next.

  3. Enter the connection name, IP address of the AD/LDAP server, port number, and encryption method. Click Next.

  4. Enter the DN/account and password and click Check Authentication. After the authentication succeeds, click Finish.

  5. The following figure is displayed after the connection succeeds.

• Connect JXplorer to the AD server.
  1. After JXplorer is installed, open JXplorer. Choose File > Connect.

  2. Enter the IP address of the AD/LDAP server, base DN, user account, and password. Click OK.

  3. The following figure is displayed after the connection succeeds.

Question

When configuring the AD server as a third-party data source for the iMaster NCE-Campus, I need to enter an AD domain name. How do I obtain an AD domain name?

Answer

Log in to the operating system of the AD server using the administrator account. Choose Start > Administrative Tools > Active Directory Users and Computers.

The root node name is an AD domain name in the format of example.com. For example, yzz.com is an AD domain name as shown in the following figure.

Question

When configuring the AD/LDAP server as a third-party data source for the iMaster NCE-Campus, I need to enter the base DN. How do I obtain the base DN?

Answer

The base DN indicates the root node DN. You are advised to query the base DN using Apache Directory Studio or JXplorer. For details, see How Do I Use the AD/LDAP Server Check Tools?.

Connect Apache Directory Studio to the AD/LDAP server and query the root node DN. In Figure 6-7, the base DN in the AD server is DC=yzz,DC=com.

Figure 6-7 Querying the base DN

If Apache Directory Studio or JXplorer is not installed, you can log in to the AD/LDAP server and run commands to query the base DN. The following figure shows how to run a command to query the base DN in the AD server.

C:\Users\Administrator>dsquery ou forestroot -limit 0 | more

"OU=Domain Controllers,DC=yzz,DC=com" 

"OU=ou1,DC=yzz,DC=com" 

"OU=qita,OU=ou1,DC=yzz,DC=com" 

"OU=yanfa1,OU=ou1,DC=yzz,DC=com" 

"OU=xinde,OU=yanfa1,OU=ou1,DC=yzz,DC=com" 

"OU=depart_liqin,DC=yzz,DC=com" 

"OU=ad182_dep1,DC=yzz,DC=com" 

"OU=ad162_dep2,DC=yzz,DC=com" 

"OU=dep1_AD1,OU=ad182_dep1,DC=yzz,DC=com" 

"OU=dep1_AD2,OU=ad182_dep1,DC=yzz,DC=com" 

"OU=dep2_AD2,OU=dep1_AD2,OU=ad182_dep1,DC=yzz,DC=com" 

"OU=dep1_AD3,OU=ad182_dep1,DC=yzz,DC=com" 

"OU=dep1_AD4,OU=ad182_dep1,DC=yzz,DC=com" 

"OU=dep2_AD4,OU=dep1_AD4,OU=ad182_dep1,DC=yzz,DC=com" 

"OU=depart_liqin01,DC=yzz,DC=com" 

"OU=moshi2,DC=yzz,DC=com" 

"OU=moshi3,DC=yzz,DC=com" 

"OU=moshi5,DC=yzz,DC=com" 

"OU=moshi5_AD1,OU=moshi5,DC=yzz,DC=com" 

"OU=ZK1,DC=yzz,DC=com" 

"OU=zk2,DC=yzz,DC=com"

Question

When configuring the AD/LDAP server as a third-party data source for the iMaster NCE-Campus, I need to enter the account and password to perform synchronization. How do I create an account?

Answer

The account and password are used to synchronize data from the AD/LDAP server to the iMaster NCE-Campus. You can use an existing AD/LDAP account or create an account to perform synchronization.

• Create an account on the AD server.
  1. Log in to the operating system of the AD server using the administrator account.
  2. Choose Start > Administrative Tools > Active Directory Users and Computers.
  3. Right-click the base DN and choose New > User.

  4. Perform the following steps to set the account and password.

Question

When configuring AD/LDAP synchronization, I need to set the mapping relationship between attributes of OUs/groups and users on the AD/LDAP server and user groups and accounts on the iMaster NCE-Campus. How do I obtain attributes of OUs/groups and users from the AD/LDAP server?

Answer

Generally, you do not need to set the mapping relationship between the AD/LDAP server and iMaster NCE-Campus. The default mapping relationship on the iMaster NCE-Campus is applicable to common scenarios. If the default mapping relationship cannot meet requirements, you need to obtain attributes of OUs/groups and users from the AD/LDAP server and then manually set the mapping relationship.

1. Connect Apache Directory Studio, JXplorer or Active Directory Explorer to the AD/LDAP server. For details, see How Do I Use the AD/LDAP Server Check Tools?. The following takes Apache Directory Studio as an example.
2. Check attributes of OUs and users.

The objectClass attribute may have multiple values whose levels descend from left to right.

For example, as shown in the following figure, the top levels of OUs' and users' attributes are both top, so you cannot distinguish an OU from a user through objectClass=top. You can only identify an OU through objectClass=organizationalUnit and a user through objectClass=person or objectClass=organizationalPerson.

Procedure

1. Delete the RADIUS server from the old domain.
   1. Right-click Computer and choose Properties.
   2. Click Advanced system settings and select Computer Name.
   3. Click Change.
   4. Enter a work group name and click OK.
   5. Enter the new domain account and password and confirm to add the RADIUS server to the new domain.
   6. Restart the operating system.

2. Add the RADIUS server to the new domain.
   1. Log in to the operating system using the Administrator account.
   2. Right-click Computer and choose Properties.
   3. Click Advanced system settings and select Computer Name.
   4. Click Change.
   5. Enter the complete domain name and click OK.
   6. Enter the new domain account and password and confirm to add the RADIUS server to the new domain.
   7. Restart the operating system.

3. Delete information about the old Microsoft AD domain controller on the Service Manager.
   1. Log in to the Service Manager.
   2. Choose Admission > Admission Resources > External Data Source > AD/LDAP Synchronization Synchronization and select the old Microsoft AD domain controller. Click Delete to delete information about the old Microsoft AD domain controller.

4. Synchronize user groups and accounts from the new Microsoft AD domain controller to the Service Manager.

Question

What are the requirements for user groups and users to be synchronized from the AD/LDAP server to the iMaster NCE-Campus?

Answer

If the user group, user, or account of an external authentication source contains any of the previous special characters, the corresponding information is not synchronized to the iMaster NCE-Campus.

• User groups and accounts do not support special characters, including equal sign (=) and double quotation mark (").
• Users do not support special characters, including equal sign (=) and double quotation mark (").

If the user groups, terminal users, or accounts, containing special characters, of external authentication sources, should be synchronized to the iMaster NCE-Campus, you must rename them and delete the special characters before implementing the synchronization operation.

Question

How do I configure the data source for AD/LDAP synchronization on the iMaster NCE-Campus after a synchronized user group is configured as the primary group?

Answer

1. Choose Admission > Admission Resources > External Data Source > AD/LDAP Synchronization and set interconnection parameters.
2. Set Select Synchronization Mode to Synchronized by conditions.
3. On the Configure Synchronization Scope tab, configure the synchronization scope.
   Table 6-9 Description of synchronization scope parameters

   Parameter	Value	Description
   Name	sample	-
   Target user group	ROOT	After AD/LDAP users are synchronized to the iMaster NCE-Campus, they are stored in this user group.
   OU	-	Specifies the source OU of synchronized users. If this parameter is not specified, all the users meeting the conditions in the base DN are synchronized.
   Attribute	primaryGroupID	-
   Relationship	is	-
   Value	835721	Specifies the value of the primaryGroupID parameter. You can query information about the primaryGroupID parameter including its value in AD Explorer based on the OU to which synchronized users belong.
   Filter Conditions	(primaryGroupID=835721)	-

Question

How do I configure AD/LDAP data synchronization on the iMaster NCE-Campus when the number of users in the data source exceeds the upper limit but the number of synchronized users does not exceed the upper limit?

Answer

1. Choose Admission > Admission Resources > External Data Source > AD/LDAP Synchronization and enter interconnection parameters.
2. Set Select Synchronization Mode to Mode 1 (Synchronized by OU).
3. Under Synchronization Settings, set Scheduled synchronization.

Question

When the AD/LDAP synchronization data source is added to the iMaster NCE-Campus, SSL is enabled by default. However, the AD server does not support SSL. Therefore, you need to enable SSL on the AD server.

Answer

1. Choose Start > Administrative Tools > Server Manager. Open the server manager.
2. Choose tools > Internet Information Services (IIS) Manager in the upper right corner of the server manager. Open the Internet Information Services (IIS) Manager.
3. Choose %Server% > Sites > Default Web Site. Replace %Server% with the actual path.

4. Right-click Default Web Site and select Bindings.
5. Click Add on Site Bindings to add site binding.
6. Choose the https type and click Select. Select the SSL certificate bound when using https mode.

7. Click OK.