The Active Directory Connector synchronises users, groups and Organisational Units from Microsoft Active Directory or OpenDS to Collaborate and Publisher. This is part of the HighQ Appliance.
The AD Connector allows you to integrate with your current AD setup which then allows you to manage user access via your domain rather than through Collaborate. If you have a group of users that are all brand new to Collaborate or to the organisation, you can add these users quickly in AD and use the sync to grant them access to Collaborate.
Likewise, if a group of users has left your company, removing them from the synchronised OU or group in AD causes the next sync to archive them (see Archive users removed from OU/group under AD configuration), which restricts their access in Collaborate.
When HighQ Appliance is first deployed, it is pre-configured as specified with your HighQ account manager; all purchased modules will be enabled and fully configured.
See Configure HighQ Appliance for instructions on how to access HighQ Appliance.
Configuring an Active Directory connector
If you have purchased the Active Directory (AD) connector, the HighQ professional services team will assist with the configuration. If you need to verify or change the configuration of the connector, open the Module Management section.
A list of configured modules is shown:
Archive or add a module
If you need to Archive (disable), or switch a connector back to Active, click the Edit icon in the Module Management screen, change the status and click Save.
If you need to create a new Active Directory module click Add Module:
Select the name of the Directory connector to check or configure (your instance may have more than one AD connector).
The module configuration window opens, Sync Schedule is displayed by default.
Normally you do not need to make any changes to the sync schedule. Simply select a configuration option from the side menu.
Configuration options
After you have opened the module, configuration options are displayed on the left:
Check driver configuration
Select Driver configuration. The latest version of the External driver is selected, and either the latest Collaborate or Publisher Internal driver is selected.
Check the driver version and that the driver matches the type of site to which it connects, Collaborate or Publisher.
If you have changed the driver, or need to update the driver, click Update driver.
Collaborate configuration
The Collaborate Configuration screen allows you to update the application URL, security keys and optional or system settings.
If the Publisher driver is selected, this section is replaced with 'Publisher configuration'. The configuration process is identical.
- Collaborate application URL - the Collaborate URL and instance name; e.g. https://collaborate_url/instance_name
- Collaborate authentication key - the authentication key, as configured by HighQ support on the Collaborate instance ('API plain key')
- Collaborate encryption key - the encryption key, as configured by HighQ support on the Collaborate instance ('API secret key')
- Enable user profile update - if this is selected, user profile fields can be updated after the initial synchronisation
- Proxy configuration - select if an internal proxy is required
- Custom authorization - this option is available only for Publisher - select if custom authorization is required
All these settings are pre-configured by HighQ professional services, and should not be changed unless necessary. Treat both keys as secrets; HighQ support can generate a new API secret key if one is exposed or otherwise needs replacing.
Click Save & Test heartbeat to apply changes and test for a valid response.
Optional settings
Click Optional settings to configure:
- Collaborate REST API URL - the URL for the REST API and version; e.g. 'api/1/'
- Collaborate authentication type - the authentication used to connect to Collaborate, in all cases this is set to 'Basic'
- Directory API call delay - the delay (in ms) between two consecutive API calls
Click Save & Test heartbeat to apply changes and test for a valid response.
System settings
In System settings, configure the basic system settings of your Active Directory connector, such as log file name, maximum log size, log level, etc.
Click System settings to configure:
- File name - the location and file name of the log file; click Download log to download a copy of the log
- Maximum log size (MB) - the log will not exceed the size entered here; the default is 200 MB, maximum 1024 MB
- Log level - select the detail saved to the log (ALL, DEBUG, INFO, WARN or ERROR); The default is INFO
- Delete historical purge data - remove data older than the selected period; reports are not generated for data older than this; the default is Six months
- Synchronise user telephone number as separated codes - select if telephone numbers are separated into country code, area code and phone number, the default is False
- Synchronise user profile image - synchronise profile pictures if the Active Directory 'thumbnailPhoto' is mapped correctly in User Mapping; the default is False
- Synchronise user profile image with pixels - the height and width (as 'height:width') of the profile image; the default is 350:350. Images that are too small are not synchronised
- Synchronise user profile image with Thread Pool size - define the size of batches used to synchronise profile images; the default is 10
- Synchronise user profile image with MD5 hash-value comparison - compare MD5 hash values of old and new profile images; the default is False
Click Save & Test heartbeat to apply changes and test for a valid response.
AD configuration
Active Directory is fully configured by HighQ professional services when deployed; however, if your AD configuration changes, you may need to make some changes in Appliance.
Click AD Configuration:
External driver settings
- Host/Server name - enter the host name or IP address, and the port, of your LDAP server
- Secure SSL - select this checkbox to use an SSL connection to connect to the Directory server (off by default). With Simple authentication and this checkbox cleared, the bind password crosses the network in clear text, so enable it wherever your directory supports LDAPS
- Authentication type - the authentication method for your LDAP server. If your LDAP server allows an anonymous connection and you want to connect anonymously, click Anonymous. Otherwise, click Simple
- Authorized user - the account used to bind to the LDAP (directory) server, entered as its distinguished name (the suggested format). Use a dedicated read-only account rather than an administrative one.
To get the distinguished name of that account, follow these steps:
- In your directory, navigate to the OU that contains the account (for example the Users OU)
- Right-click the user > Properties > Attribute Editor, locate 'distinguishedName' and copy this value
- Password - connect to the LDAP (Directory) server using the supplied password
- Proxy configuration - select any previously added proxy details. Proxies are added under Proxy configuration on the home page.
Optional settings
- Connection timeout (seconds) - how long to wait for a new connection to the directory server to be established before giving up. The default value is 180 seconds
- Page size - this is the page size to be used when iterating search results from your server. The default value is 10
- Incremental Sync - this checkbox is selected by default. When incremental sync is disabled, it fetches all records from the LDAP (server). When incremental sync is enabled, it fetches only new, updated or deleted records from the server
- Read timeout (seconds) - if the directory provider does not send a response within the specified period, the read attempt will be aborted
- Threshold limit for archive users - a safety guard against accidental mass de-provisioning: if the proportion of synchronised users that a sync would archive exceeds this percentage, the sync does not archive them. The default value is 5%; the value can be between 1 and 100
- If you change the threshold limit and select One time change, will revert after execution, the new limit applies only to the next sync. After that sync, it is set back to the default value (5%)
- Revert to default threshold limit - visible if you set a permanent threshold by deselecting One time change. Select it to set the threshold limit back to 5% until a different threshold limit is set
The threshold limit applies to users only, not to groups. For example, with ten synchronised users and a threshold limit of 10%, a sync may archive one user; a sync that would archive two is held back.
- Archive users removed from OU - users removed from an organisational unit are archived. If this is not selected, removed users are deleted instead; archiving is reversible and keeps the user's history, deletion is not
- Archive users removed from group - users removed from a group are archived. If this is not selected, removed users are deleted instead
- Sync users from nested groups into parent system level group - Users are synced into a system level group, this ignores nested groups in the original database
- External organisation - select an organisation to sync users with an External role; i.e. not Internal or Basic users.
User configuration
User configuration allows you to map Active Directory fields to Publisher or Collaborate fields with user and group mapping:
- Search OU/group - searches the names of all OUs/groups and lists all returned results. You can also prefix the search with a distinguished name in square brackets to search within a specific OU. For example: [OU=TestOU,DC=ADTEST,DC=COM]test
- Organization unit selection - add or remove organisation units or groups for synchronisation. In the left panel, select the checkbox of each organisation unit and click the Add link. In the right panel, select the checkbox of the organisation unit or group that contains the users and groups you want to synchronise and click Save.
- Synchronize users only - When this checkbox is selected, it will only synchronize the users of the selected OU/groups.
- Role - shows the selected user role; all users in the group are defined as this account type.
- Sync all child OU/groups - when this checkbox is selected, users and groups in the selected OU/group and at every level of nested OU/group beneath it are synchronised; otherwise only direct members of the selected OU/group are.
As of October 2022, the AD connector can define the user role during the sync process; Internal, External or Basic. Select the role type in the drop-down menu before you click Add.
It is possible to update roles from Internal to Basic or Basic to Internal. External roles cannot be changed to Internal or Basic, equally Internal or Basic roles cannot be changed to External.
Synchronization filters
Filters allow you to include or exclude users:
- Synchronization filter – include rule - include rules restrict synchronisation to a specific location within the directory tree. If the directory tree is large and holds a lot of data, this lets you synchronise users from a specific location only. Click Add organisation unit and select the organisation unit from the drop-down menu. Click Add query to specify a new query.
- Synchronization filter – exclude rule - The exclusion rules can be used to filter out users from the directory tree selected as the base configuration. Click Add organisation unit and select the organisation from the drop down menu and click Apply filter rules.
- Click Add Organization Unit to set a filter or query:
- Click Add Filter to set parameters for the filter:
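The two mechanisms above, include/exclude OU rules and the threshold limit for archive users, decide together what a sync run will insert, update and archive. The following Python is an added example written for this page, not HighQ's connector code: it plans one sync run over a constructed directory and a constructed set of already-synchronised accounts, applies the rules by distinguished-name suffix, and enforces the threshold guard with the One time change revert. It assumes that an exclude rule removes the whole subtree under its OU, that DN values contain no escaped commas, and that the connector compares the archive proportion against the threshold as described in the example of ten users and 10%.

```python
"""Added example (not HighQ code): plan one AD -> Collaborate sync run with
include/exclude OU rules and the 'Threshold limit for archive users' guard."""
from dataclasses import dataclass

DEFAULT_THRESHOLD_PCT = 5.0   # page: the default threshold limit is 5%


def dn_parts(dn: str) -> list[str]:
    """Split a DN into its RDNs, most specific first, case-folded.
    Simplification (assumption): attribute values contain no escaped commas."""
    return [p.strip().lower() for p in dn.split(",")]


def is_in_ou(object_dn: str, ou_dn: str, include_children: bool) -> bool:
    """True if the object sits directly in ou_dn, or (include_children) anywhere below it."""
    parent, base = dn_parts(object_dn)[1:], dn_parts(ou_dn)
    if include_children:
        return len(parent) >= len(base) and parent[-len(base):] == base
    return parent == base


def in_scope(user_dn, include_ous, exclude_ous, include_children):
    """Include rules select the base OUs ('Sync all child OU/groups' decides depth);
    an exclude rule always removes the whole subtree beneath it (assumption)."""
    included = any(is_in_ou(user_dn, ou, include_children) for ou in include_ous)
    excluded = any(is_in_ou(user_dn, ou, True) for ou in exclude_ous)
    return included and not excluded


@dataclass
class ArchiveThreshold:
    """'Threshold limit for archive users' with the 'One time change' behaviour."""
    limit_pct: float = DEFAULT_THRESHOLD_PCT
    one_time: bool = False

    def allows(self, to_archive: int, synced_total: int) -> bool:
        # 1 of 10 at a 10% limit is allowed (the page's example); above the limit is not.
        if synced_total == 0:
            return to_archive == 0
        return to_archive * 100.0 / synced_total <= self.limit_pct

    def after_sync(self) -> None:
        if self.one_time:              # a one-time limit reverts to the default
            self.limit_pct, self.one_time = DEFAULT_THRESHOLD_PCT, False


def plan_sync(ad_users, synced, include_ous, exclude_ous, include_children=True):
    """Return (insert, update, archive) account lists, the three counts Preview reports."""
    scoped = {u["sam"]: u for u in ad_users
              if in_scope(u["dn"], include_ous, exclude_ous, include_children)}
    insert = sorted(set(scoped) - set(synced))
    update = sorted(s for s in scoped if s in synced and synced[s] != scoped[s]["mail"])
    archive = sorted(set(synced) - set(scoped))
    return insert, update, archive


def run_sync(ad_users, synced, include_ous, exclude_ous, threshold, include_children=True):
    """Apply the guard: if too large a share of synced users would be archived, archive none."""
    insert, update, archive = plan_sync(ad_users, synced, include_ous, exclude_ous, include_children)
    allowed = threshold.allows(len(archive), len(synced))
    threshold.after_sync()
    return {"insert": insert, "update": update,
            "archive": archive if allowed else [], "archive_blocked": not allowed}


# Constructed sample directory: dave and erin were removed from the OU, carol sits in a
# child OU, kim is new, and a service account lives in an OU that an exclude rule covers.
BASE = "OU=Users,DC=adtest,DC=com"


def _user(name, ou=BASE):
    return {"sam": name, "dn": f"CN={name},{ou}", "mail": f"{name}@adtest.com"}


AD_USERS = [_user(n) for n in ("alice", "bob", "frank", "grace", "heidi", "ivan", "judy", "kim")]
AD_USERS += [_user("carol", "OU=Contractors," + BASE), _user("svc-backup", "OU=Service," + BASE)]

# Constructed Collaborate state: ten synchronised accounts, bob's mail address is stale.
SYNCED = {n: f"{n}@adtest.com" for n in
          ("alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy")}
SYNCED["bob"] = "bob@old.example"

if __name__ == "__main__":
    guard = ArchiveThreshold(limit_pct=10.0)
    # Two of ten synced users would be archived (20% > 10%): the guard holds them back.
    print(run_sync(AD_USERS, SYNCED, [BASE], ["OU=Service," + BASE], guard))
    # A one-time 25% limit lets the archive through, then reverts to 5%.
    print(run_sync(AD_USERS, SYNCED, [BASE], ["OU=Service," + BASE], ArchiveThreshold(25.0, True)))
```

Running it with the default 5% limit shows why the guard exists: an include rule that accidentally points at an empty or wrong OU would otherwise archive every synchronised user in one run. Raising the limit as a One time change for a deliberate clean-up, and letting it fall back to 5%, is the pattern the Optional settings describe.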
User and group mapping
This allows you to map the user or group directory service attributes to Collaborate/Publisher attributes.
Click either User mapping or Group mapping:
Internal and external driver mapping uses default values, but they can be changed if required.
If mappings are changed, you must save the configuration setting and the mapping page.
Sync schedule
Scheduling action
After configuring synchronisation, you can schedule actions that synchronise users and group(s) from the directory to Collaborate/Publisher. Actions can be scheduled to run on daily, hourly or a custom time basis.
A custom schedule requires a valid cron expression. The Force Sync option runs the scheduler immediately.
- Daily schedule: Schedule daily
- Hourly schedule: Schedule at every 3 hours
- Custom schedule: Schedule at every 10 min
- Select Disable to remove any schedule.
- Select Preview to display the number of users and groups that will be inserted, updated and deleted:
Select Click here to create a detailed Preview Report, which shows which users or groups will be inserted, updated and deleted.
Scheduler report
The scheduler report tracks actions performed by the module.
If necessary, you can filter actions by date range.
A total report, a success record and a failed record are generated. Click Download Report to download the report as an .xls file.
Users and Groups
Users
This section provides a list of all synchronised users:
User details
Click the user GUID to see user details. Select Member of to see a list of the groups that contain the user.
Groups
This section provides a list of all synchronised groups:
Click the group GUID to see group details. Select Members to see a list of the users in the group.